A proposal of a method for evaluating third-party authentication services

Abstract

The security field is a highly studied area of knowledge, since the consequences of failing can be catastrophic; if an external user accesses information or function she should not be able to access. Third-party authentication is a growing concept that tries to remedy the problem of users having to register at most websites they want to access. With an account at a third-party authentication service a user can access all websites that support the third-party service without having to register there. While this seems like a good architecture are the capabilities and limitations of third-party services not well understood and there are no common protocols for authenticating users. This master thesis aims at increasing the knowledge about these services by reviews current literature in the field in order to define a method for evaluating third-party authentication services. Furthermore, in the scope of the thesis is to explore the possibility of circumventing the problem that there is no common protocol for authenticating users by creating a plug-in based authentication solution that utilizes third-party authentication services for user authentication. An evaluation method that tries to to capture the essential aspects of third-party user authentication is proposed. In addition a proof-of-concept implementation of the previously mentioned plug-in based authentication solution is implemented to show that it is possible to circumvent the described problem.