Google Researchers Outline Pseudonym Sign-On - InformationWeek
Software // Operating Systems
01:35 PM
Connect Directly

Google Researchers Outline Pseudonym Sign-On

Privacy worries about single sign-on identity providers could fade if Google's PseudoID system gets implemented.

Google researchers have proposed a way to prevent online identity providers from amassing information about Internet users that could harm user privacy if exposed.

In a paper presented last month at the 10th Privacy Enhancing Technologies Symposium in Berlin, Germany, Google associate product manager intern Arkajit Dey and software engineer Stephen Weis describe a system called PseudoID that uses blind cryptographic signatures to generate a pseudonym to log into Web sites through a federated identity system without revealing the user’s identity.

Single sign-on (SSO) identity systems for the Internet rely either on a centralized identity provider (Windows ID or Facebook Connect) or on a federation of identity providers (OpenID).

Web sites that participate in these systems become what’s know as relaying parties, because they relay logins to the identity provider for authentication.

The problem with both centralized and federated SSO systems, observe Dey and Weis, is that all user logins to relaying parties’ Web sites pass through an identity provider. This presents a potential privacy risk.

"A user's identity provider can easily link together the various Web sites that the user visits," the researchers state in their paper.

Were the identity provider to be breached or compelled through legal process to reveal this information, the entirety of users’ Web histories could be disclosed.

PseudoID, which is backwards compatible with OpenID, addresses this risk by preventing SSO credentials from being linked to user accounts on relaying party’s Web sites.

Through a cryptographic mechanism known as a blind signature, a user is able to present pseudonymous login credentials -- a token -- to an identity provider so that the user can be authenticated but not identified.

"The identity provider relies on the blindly signed tokens to be able to authenticate users without forcing them to reveal their identity," the paper explains. "When a user is redirected to her identity provider by a relying party, the provider checks whether the user has an access token that has been signed by the blind signer."

The PseudoID source code has been made available on Google Code and the researchers have set up a prototype identity provider that uses blind signatures at

A Google spokesperson didn’t immediately respond to a request to comment on whether the company had any plans to implement the PseudoID system.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll