Google Researchers Outline Pseudonym Sign-On

Privacy worries about single sign-on identity providers could fade if Google's PseudoID system gets implemented.
Google researchers have proposed a way to prevent online identity providers from amassing information about Internet users that could harm user privacy if exposed.

In a paper presented last month at the 10th Privacy Enhancing Technologies Symposium in Berlin, Germany, Google associate product manager intern Arkajit Dey and software engineer Stephen Weis describe a system called PseudoID that uses blind cryptographic signatures to generate a pseudonym to log into Web sites through a federated identity system without revealing the user’s identity.

Single sign-on (SSO) identity systems for the Internet rely either on a centralized identity provider (Windows ID or Facebook Connect) or on a federation of identity providers (OpenID).

Web sites that participate in these systems become what’s know as relaying parties, because they relay logins to the identity provider for authentication.

The problem with both centralized and federated SSO systems, observe Dey and Weis, is that all user logins to relaying parties’ Web sites pass through an identity provider. This presents a potential privacy risk.

"A user's identity provider can easily link together the various Web sites that the user visits," the researchers state in their paper.

Were the identity provider to be breached or compelled through legal process to reveal this information, the entirety of users’ Web histories could be disclosed.

PseudoID, which is backwards compatible with OpenID, addresses this risk by preventing SSO credentials from being linked to user accounts on relaying party’s Web sites.

Through a cryptographic mechanism known as a blind signature, a user is able to present pseudonymous login credentials -- a token -- to an identity provider so that the user can be authenticated but not identified.

"The identity provider relies on the blindly signed tokens to be able to authenticate users without forcing them to reveal their identity," the paper explains. "When a user is redirected to her identity provider by a relying party, the provider checks whether the user has an access token that has been signed by the blind signer."

The PseudoID source code has been made available on Google Code and the researchers have set up a prototype identity provider that uses blind signatures at

A Google spokesperson didn’t immediately respond to a request to comment on whether the company had any plans to implement the PseudoID system.