A Longitudinal Characterization of the Third-Party Authentication Landscape

Oscar Jarpehult, Fredrik Josefsson Agren, Madeleine Backstrom, Linn Hallonqvist, and Niklas Carlsson

Paper: Oscar Jarpehult, Fredrik Josefsson Agren, Madeleine Backstrom, Linn Hallonqvist, and Niklas Carlsson, "A Longitudinal Characterization of the Third-Party Authentication Landscape", Proc. IFIP Networking, Catania, Italy, June 2022. (pdf, extended)

Abstract: Many websites offer users to authenticate using third-party identity providers (IDPs) such as Facebook or Google. As part of the signup process, these websites often ask the user to give them additional permissions with the IDP (e.g., some data sharing or authorize some actions) that can have significant privacy implications. Motivated by the increased scrutiny of Facebook and other popular IDPs (e.g., due to the 2018 Cambridge Analytica scandal), we present a longitudinal analysis of the IDP usage and permissions changes over the past nine years (2012-2021) as well as a large-scale characterization of the current state. Our longitudinal analysis identifies trends and characterizes changes in both the IDP usage and permission agreements of different subsets of websites. For our large-scale analysis, we develop and share a Selenium-based measurement framework that we use to collect datasets. Using this data, we study the IDP usage across popularity ranges, the permissions used in the wild, and highlight differences between websites using different IDPs and those that do not. Our analysis shows increased IDP usage, especially among the most popular websites, and that the permission requests on average are becoming more modest but also brings forward significant exceptions that may need further scrutiny.

Data collection tool and datasets

To help build upon our work, below, we make available datasets and collection tools.

The dataset can be downloaded here and the collection tool here [github].

Citation format

When using the tool or dataset, please cite the conference version of the paper:

Oscar Jarpehult, Fredrik Josefsson Agren, Madeleine Backstrom, Linn Hallonqvist, and Niklas Carlsson, "A Longitudinal Characterization of the Third-Party Authentication Landscape", Proc. IFIP Networking, Catania, Italy, June 2022. (pdf) extended)