One of the most visible aspects of this is Single Sign-On (SSO) in which the user creates an account with an Identity Provider (IdP), and can then use this to create accounts with any relying party (RP) service that supports SSO and trusts the user’s IdP.
However, one aspect that has not received much attention is the process of account creation, along with its corresponding security assumptions and requirements. This process is further complicated by the move towards SSO because many services now support two different mechanisms through which users can create an account: the classic approach in which the user sets a password directly with the service, and the federated approach where the user already has an account with an IdP and uses this to create an account with the service. Once an account has been created, some services also offer the possibility to link an IdP account, so that the user can either sign in directly to the service or authenticate via the IdP.
Ghasemisharif et al. [17] presented the first example of a preemptive account hijacking attack, in which an attacker gains control of a victim’s federated identity (e.g., the victim’s IdP account) and uses this to create accounts at services for which the victim has not yet signed up. The attacker then waits for the victim to join that service and start using their “new” account. At a later time, the attacker can sign into the service using the compromised IdP account and view or manipulate any information stored by the victim in that account.