A comparison of users' perceptions of and willingness to use Google, Facebook, and Google+ single-sign-on functionality.

ABSTRACTIdentity providers such as Google and Facebook are increasingly used to sign in to third-party services like Flickr and USA Today. For users, this can increase convenience (e.g., fewer passwords to remember) and security (e.g., service providers need not keep passwords). At the same time, relying on identity providers that have rich information about users (e.g., all information in a Facebook profile) creates the risk that users will lose oversight or control over the access that service providers are given to this information. To address such concerns, identity providers show users consent interfaces at sign on and provide audit tools for post hoc review. In this paper we report on a 424-participant on-line study through which we seek to understand the effectiveness of these interfaces: We induced participants to log in with one of three identity providers, and measured their awareness of the information that was being sent by identity providers to service providers, their awareness of identity providers' audit tools, and their sentiment about various aspects of single sign-on. Participants logged in under one of two treatments: a basic treatment, which requested a minimum of personal data; and an invasive treatment, which requested data that most people would find invasive to their privacy. We found that participants' understanding of the information identity providers shared with service providers was based on preconception rather than the content of informational dialogs displayed by the identity providers; and that they were almost uniformly unaware of audit tools offered by identity providers. At the same time, many participants exhibited strong preferences and concerns about data sharing, several of which did not match current data-sharing practices.