The evolution of the Internet as a network of distributed computers and computerized devices has revolutionized the practice of a seemingly limitless number of services and applications. Principal among these is the capacity to share and store large amounts of data online with remote accessibility. Stored online data has grown to encompass personal as well as private data. Naturally, providing security for this data has become a growing concern.
The unauthorized trafficking of personal and private data has become a potentially lucrative (albeit illegitimate) endeavor, resulting in the rampant and widespread occurrence of identity theft and internet fraud. Accordingly, many popular online services now include enhanced security measures to thwart the increasing sophistication of malicious Internet users. Unfortunately, as security measures have grown more elaborate to meet the demands for more effective protection, the procedures for validating legitimate users have become increasingly complex, tiresome, and user-intensive as a result.
The problem is exacerbated when legitimate users who wish to utilize the functionality of a third party website or online application that requires access to the user's data stored (“hosted”) on another website. The functionality of the third party website cannot be enabled without bypassing the existing privacy and security protection provided by the host website where the data is stored. Often, express user consent is required to allow access to the website to fetch the user's data. However, repeated attempts to utilize the functionality of the third party website would require a separate authorization for each attempt, a process that can be inefficient and frustrating to the user. One solution to this problem is known as delegated authentication.
Delegated authentication is the ability to establish authorization between users and third party applications. Typically with services providing delegated authentication, the third party website the user is attempting to utilize acts as a delegate of the user to access the data on the user's behalf. The user provides information to the delegate application that allows the application to bypass the authentication procedures on the host website. Generally, the delegate third website accesses the date either through an application or gadget on their website, or through direct server to server communication.
This information commonly includes the user's unique identification (such as the user's unique account name and password) established with the host website. Often, this information is stored with the third party application, so that the user's subsequent utilizations would not require separate and additional authorization with the host website. In the subsequent utilizations, the delegate third party retrieves the user's stored identification information and automatically accesses the host website and obtains the requisite data.
However, this method of delegated authentication presents its own security concerns, since a typical delegate application would possess virtually limitless access to the user's account on the host website, and may not necessarily be limited to accessing only the user-requested data. Unscrupulous third party applications may be able to use the data for unauthorized purposes. Furthermore, even legitimate third party applications may have their own security compromised, subsequently resulting in increased security risks for their users.
Moreover, websites and applications offering delegated authentication services may not offer user-supplied controls and limits to the access. Users may intend to only allow delegated authentication for specific purposes and/or during specific times, such as when the user is actively attempting to utilize (e.g., is “logged in to”) the third party application. However, the account information may be stored and exploitable by the third party application even while the user is “offline,” or for months or even years after the period of time the user intended to allow access.
With current delegated authentication schemes, the procedure of entering in the user's account identification information must be repeated with each additional intended delegate application. In addition to the inherent inefficiency of repeating substantially similar (or even identical) procedures, the risks involved would also increase with each additional delegate.