Pomcor

Research on web and mobile technology
Social Login without Application Registration

Tonight I'm in Washington DC with Karen Lewison for the NIST IDTrust workshop, which takes place tomorrow and the day after (April 6-7). We'll be showing a poster on PKAuth, our proposed social login protocol. By social login I mean the buttons that allow you to log in to Web applications with your identity at a social network such as Facebook, LinkedIn or Twitter, giving the application access to your social context at the site. I believe the term social login was coined by Janrain.

Today social login uses the OAuth protocol, which requires prior registration of the application with the social site. The registration process establishes a shared secret that the site later uses to authenticate the application, and provides the site with information that it later uses to identify the application to the user as it asks the user for permission to grant the application access to the user's social context.

The problem with that is that the social site gains the power to disable the application by revoking its registration. Why is that a problem? Because social login is becoming so popular that the day may come when all applications have to register with the dominant social site (currently Facebook) just to be able to authenticate their users. The dominant social site will then have the power to disable any Web application by revoking its registration. That would be bad for users, for applications, and for the dominant social site itself, which would no doubt face regulation by multiple governments.

That's why we are proposing PKAuth. In PKAuth, registration is optional. A site will be able to require registration for special applications that need, say, administrative access to the user's account, while not requiring it for others. Applications that only want to delegate user authentication should not have to register.

Instead of registration, PKAuth relies on the Web's public key infrastructure, using the application's ordinary SSL certificate to authenticate the application and identify it to the user.
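The following is an added illustration of the idea in the preceding paragraph, written for this edition; it is not code from this post, from Pomcor, or from the PKAuth white paper, and it does not describe how PKAuth itself presents or binds the certificate. It uses only Go's standard library to show what "identify the application by its ordinary SSL certificate" amounts to on the social site's side: instead of looking the application up in a registry, the site checks that the certificate chains to a root it trusts and that it names the host of the application's URL, and that host name becomes the identity shown to the user. The certificate authority, the host app.example.com, the callback URL and the function names (makeCert, AppIdentity, Scenario) are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

var serial int64 // constructed serial numbers; real CAs use large random values

func must(err error) {
	if err != nil {
		panic(err) // key generation and issuance cannot fail in this constructed setup
	}
}

// makeCert generates a key pair and certificate: a self-signed root when parent is nil (a
// constructed stand-in for a public CA), otherwise an ordinary TLS server certificate for
// name, signed by parent, which is the only credential the application presents.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer := parentKey
	if parent == nil { // self-signed root
		parent, signer = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else { // leaf: the certificate the application already serves over HTTPS
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// AppIdentity is the check a social site can run instead of a registry lookup: the
// certificate must chain to a trusted root and must name the host of the application's
// URL; that host name is then the identity shown to the user.
func AppIdentity(appURL string, leaf *x509.Certificate, roots *x509.CertPool) (string, error) {
	u, err := url.Parse(appURL)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.Hostname() == "" {
		return "", fmt.Errorf("application URL %q is not an https URL with a host", appURL)
	}
	opts := x509.VerifyOptions{
		Roots:     roots,
		DNSName:   u.Hostname(), // binds the certificate to the application's own host
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	return u.Hostname(), nil
}

// Scenario builds a constructed trusted root, an application certificate issued by it, and
// a certificate for the same host from an untrusted root, then applies AppIdentity to each.
// It returns the accepted identity and the errors for the trusted, wrong-host and untrusted cases.
func Scenario() (identity string, trustedErr, wrongHostErr, untrustedErr error) {
	ca, caKey := makeCert("Constructed Trusted Root", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	appCert, _ := makeCert("app.example.com", ca, caKey)
	rogueCA, rogueKey := makeCert("Constructed Untrusted Root", nil, nil)
	rogueCert, _ := makeCert("app.example.com", rogueCA, rogueKey)
	const callback = "https://app.example.com/login/callback"
	identity, trustedErr = AppIdentity(callback, appCert, roots)
	_, wrongHostErr = AppIdentity("https://other.example.com/login/callback", appCert, roots)
	_, untrustedErr = AppIdentity(callback, rogueCert, roots)
	return
}

func main() {
	id, tErr, hErr, uErr := Scenario()
	fmt.Printf("trusted root, matching host: identity=%q err=%v\n", id, tErr)
	fmt.Printf("trusted root, other host:    err=%v\n", hErr)
	fmt.Printf("untrusted root:              err=%v\n", uErr)
}
```

Running the program accepts the certificate issued by the trusted root for app.example.com, rejects the same certificate when the application URL points at another host, and rejects a certificate for app.example.com issued by a root the site does not trust. Nothing in the accepting path consults a registration record, so there is no per-application record for the social site to revoke; the only revocation in this model is the ordinary revocation of the certificate by its issuing CA.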

We have just published a revised version of the PKAuth white paper and I will be talking about other benefits of PKAuth in future posts.

Author: Francisco Corella. Posted on April 5, 2011 (updated March 21, 2025). Categories: Authentication, Network Security Protocols, Privacy. Tags: Authentication, Facebook, Identity, Network Security Protocols, OAuth, PKAuth, Privacy, Social Login.
