Top Five Single Sign-Ons
By Tanunnut Suebsang
August 6, 2021
In this day and age, people have become increasingly wary of online privacy. This is visible in the U.S., where at least 75% of Americans say they want increased government regulation of how companies use their data. This may not come as a surprise to most people, given alleged reports of data mining by large multinational corporations (MNCs) like Target, Amazon, Facebook, and Google. Companies like these have begun developing new ways to advance their business at the expense of people’s online data privacy. Often, user data is accessible and attainable, including entire databases containing confidential information. Single sign-ons (SSOs), like humanID, serve as a solution to this problem because they offer a single authentication method for users to access their applications.
However, some groups never get the chance to worry about online privacy because the online experience itself is too complex for them. SSOs serve as a solution for these accessibility concerns as well. According to a 2017 United Nations report, the number of elderly people worldwide is expected to increase to the point that, by 2030, older people will outnumber children under the age of 10. Because of this, the elderly are expected to become a prominent demographic for businesses. However, the technology we use today can overlook this demographic for a plethora of reasons, ranging from personal fears to disregard for cognitive accessibility. SSOs would help with the elderly population’s cognitive accessibility because they would only need to remember a single username and password. Another concern the complex online experience brings is misinformation, which affects not only older generations but also younger ones. According to the Organisation for Economic Co-operation and Development (OECD), children are a demographic that regularly uses the internet. This regular use makes them especially vulnerable to the internet’s rampant misinformation and to fake accounts that can pave the way for cyberbullying. SSOs would be able to remove trolls and ensure that everyone online is a real person, helping to alleviate online misinformation and cyberbullying.
First and foremost is arguably one of the best-known SSOs, OpenID Connect (OIDC). OIDC is a URL-based SSO that promotes a user-centric digital identity management system, allowing users to control their identity data and increasing security. By nature, OIDC supports decentralized architectures, meaning it can keep functioning across many different nodes even if one of them fails. This gives it a robust foundation and makes it an adaptable and flexible framework. Through these mechanisms, OIDC is able to tackle the issue of needing an individual login and password for each website. Sites that support OIDC are referred to as relying parties (RPs), and they have a large role to play in the OIDC authentication process: the RP uses the URL the user enters to discover the user’s information and determine whether or not to provide services to that user. Furthermore, OIDC may ask for additional information, in the form of security questions, when users sign up, to combat phishing attacks and ensure online safety. One thing to note, though, is that OIDC is commonly used by companies such as Google, Yahoo, and AOL, which store the user’s data, making it less private than the others mentioned on this list.
SPRESSO stands for “Secure Privacy REspecting Single Sign-On” and, like humanID, aims to combat the user privacy issues that big tech companies have a history of causing. To use SPRESSO, the user enters their email address on the RP site; the RP generates a tag by encrypting its domain name, and the email and tag are then forwarded to the identity provider (IdP). Beyond being a simple way to use an SSO, SPRESSO ensures that when a user logs in to an RP with their email address, the IdP cannot learn which RP the user is logging in to. Built on standard HTML5 and web features, SPRESSO uses no browser extensions, plug-ins, or browser-independent executables. SPRESSO offers strong authentication and enhanced privacy for a secure SSO system by making sure IdPs cannot distinguish between distinct RPs. Like OpenID, SPRESSO is decentralized, which lets users log in at any RP with a supported email address and gives them the same flexibility and adaptability.
WSO2 Identity Server
Popular amongst corporations, WSO2 Identity Server (WSO2 IS) gives users the ability to manage their identity for applications, as expected from an SSO. However, the factor that distinguishes WSO2 IS from the others is that it meets the definition of open source software, which The Open Source Initiative describes as “software that can be freely accessed, used, changed, and shared (in modified or unmodified form) by anyone.” In addition to being open source, WSO2 IS is cloud-compatible, API-driven, and built for customer identity and access management (CIAM), earning it many titles, one of which was being named an innovation leader in the KuppingerCole Analysts’ CIAM Platforms Leadership Compass 2020 report. WSO2 IS features multi-functional software and an easy-to-follow user interface (UI) that the user can customize. In a study comparing two SSOs, WSO2 IS and ForgeRock, Nick Heijmink states that WSO2 IS is easier to install without any prior knowledge of the server; it is important to note, however, that Heijmink only compares those two. Regardless, WSO2 IS is continually finding ways to improve; in December 2020, for example, it added the following:
- Symmetric key encryption to protect user data.
- Enhanced role management so administrators can assign roles easily and quickly.
- New software development kits to simplify application integration.
A name that anyone attending an academic institution is probably aware of is Shibboleth. Shibboleth is another open source SSO, based on SAML (Security Assertion Markup Language), that provides basic authentication for user-centric identity management. It ensures user privacy through pseudonymization: the user has a different persistent name for each service provider (SP) when identity information is shared between SPs and IdPs, so SPs cannot track the various places the user provides data to. Aside from its privacy functions, Shibboleth’s authentication module is placed on the client’s side, which simplifies access procedures and makes Shibboleth both efficient and safe to use.
Last, but certainly not least, humanID is a one-click anonymous login SSO: users log in once with their unique phone number and get a secure and accountable online experience. After users enter their phone number, it is passed through an irreversible hash function that creates a random identifier. The user’s information is never stored, allowing them to roam the internet without privacy concerns. Moreover, a data leak would only produce random lists that are not traceable back to the user, providing a truly anonymous user experience. Additionally, humanID’s technology prevents trolls and bots by requiring one specific, legitimate phone number. Aside from the technical benefits, humanID also has the goal of democratizing the internet. As an open source nonprofit organization, we strive to allow the free flow of information and opinions without repercussions, with the vision of moving away from big tech, supporting human rights, journalism, and privacy, and combating disinformation. humanID is the perfect choice for anyone who not only wants the technical benefits of an SSO, but also seeks to support humanID for its causes.
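The per-SP persistent pseudonyms described for Shibboleth and the irreversible phone-number identifier described for humanID both come down to deriving a keyed, one-way identifier. The Python below is an added example of that pattern, not code from either project; the secret, function names, identifier construction, and sample numbers are all assumptions, and the enumeration check shows why a bare hash of a phone number is not enough.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional


def normalize_phone(phone: str) -> str:
    """Keep digits only, so "+1 (555) 010-0000" and "15550100000" map to one identifier."""
    return "".join(ch for ch in phone if ch.isdigit())


def pairwise_id(secret: bytes, user_id: str, sp_entity_id: str) -> str:
    """Per-service-provider persistent pseudonym, in the spirit of the Shibboleth
    description above (assumed construction, not Shibboleth's own code). The SP's
    entity ID is part of the keyed-hash input, so two SPs receive unrelated values
    for the same user and cannot join their records, while one SP always sees the
    same value for that user."""
    msg = sp_entity_id.encode() + b"\x00" + user_id.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def phone_identifier(secret: bytes, phone: str) -> str:
    """Irreversible identifier from a phone number, in the spirit of the humanID
    description above (assumed construction, not humanID's own code). A server-side
    secret is mixed in because the phone-number space is small; see
    recover_by_enumeration() for what goes wrong without it."""
    msg = b"phone:" + normalize_phone(phone).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def unkeyed_phone_identifier(phone: str) -> str:
    """Weak variant, for comparison only: a bare SHA-256 of the number."""
    return hashlib.sha256(normalize_phone(phone).encode()).hexdigest()


def recover_by_enumeration(identifier: str, candidates: Iterable[str],
                           derive: Callable[[str], str]) -> Optional[str]:
    """Defender's check on a leaked identifier list: if the derivation can be run
    over every plausible number (there are only about 10^10 of them), a bare hash
    maps straight back to the number, while a keyed hash does not unless the
    secret leaked too. Returns the matching number, or None."""
    return next((c for c in candidates if derive(c) == identifier), None)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # in production this lives in a KMS/HSM
    print(pairwise_id(secret, "alice", "https://sp-a.example.org"))
    print(pairwise_id(secret, "alice", "https://sp-b.example.org"))
    leaked = unkeyed_phone_identifier("15550100000")  # constructed sample number
    guesses = (f"1555010{n:04d}" for n in range(10_000))
    print(recover_by_enumeration(leaked, guesses, unkeyed_phone_identifier))
```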