Software // Operating Systems
01:35 PM
Connect Directly
Core System Testing: How to Achieve Success
Oct 06, 2016
Property and Casualty Insurers have been investing in modernizing their core systems to provide fl ...Read More>>

Google Researchers Outline Pseudonym Sign-On

Privacy worries about single sign-on identity providers could fade if Google's PseudoID system gets implemented.

Google researchers have proposed a way to prevent online identity providers from amassing information about Internet users that could harm user privacy if exposed.

In a paper presented last month at the 10th Privacy Enhancing Technologies Symposium in Berlin, Germany, Google associate product manager intern Arkajit Dey and software engineer Stephen Weis describe a system called PseudoID that uses blind cryptographic signatures to generate a pseudonym to log into Web sites through a federated identity system without revealing the user’s identity.

Single sign-on (SSO) identity systems for the Internet rely either on a centralized identity provider (Windows ID or Facebook Connect) or on a federation of identity providers (OpenID).

Web sites that participate in these systems become what’s know as relaying parties, because they relay logins to the identity provider for authentication.

The problem with both centralized and federated SSO systems, observe Dey and Weis, is that all user logins to relaying parties’ Web sites pass through an identity provider. This presents a potential privacy risk.

"A user's identity provider can easily link together the various Web sites that the user visits," the researchers state in their paper.

Were the identity provider to be breached or compelled through legal process to reveal this information, the entirety of users’ Web histories could be disclosed.

PseudoID, which is backwards compatible with OpenID, addresses this risk by preventing SSO credentials from being linked to user accounts on relaying party’s Web sites.

Through a cryptographic mechanism known as a blind signature, a user is able to present pseudonymous login credentials -- a token -- to an identity provider so that the user can be authenticated but not identified.

"The identity provider relies on the blindly signed tokens to be able to authenticate users without forcing them to reveal their identity," the paper explains. "When a user is redirected to her identity provider by a relying party, the provider checks whether the user has an access token that has been signed by the blind signer."

The PseudoID source code has been made available on Google Code and the researchers have set up a prototype identity provider that uses blind signatures at

A Google spokesperson didn’t immediately respond to a request to comment on whether the company had any plans to implement the PseudoID system.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.