Paper 2025/511

VeriSSO: A Privacy-Preserving Legacy-Compatible Single Sign-On Protocol Using Verifiable Credentials

Ifteher Alom, University of Kentucky
Sudip Bhujel, University of Kentucky
Yang Xiao, University of Kentucky
Abstract

Single Sign-On (SSO) is a popular authentication mechanism enabling users to access multiple web services with a single set of credentials. Despite its convenience, SSO faces outstanding privacy challenges. The Identity Provider (IdP) represents a single point of failure and can track users across different Relying Parties (RPs). Multiple colluding RPs may track users through common identity attributes. In response, anonymous credential-based SSO solutions have emerged to offer privacy-preserving authentication without revealing unnecessary user information. However, these solutions face two key challenges: supporting RP authentication without compromising user unlinkability and maintaining compatibility with the predominant Authorization Code Flow (ACF). This paper introduces VeriSSO, a novel SSO protocol based on verifiable credentials (VC) that supports RP authentication while preserving privacy and avoiding single points of failure. VeriSSO employs an independent authentication server committee to manage RP and user authentication, binding RP authentication with credential-based anonymous user authentication. This approach ensures user unlinkability while supporting RP authentication and allows RPs to continue using their existing verification routines with identity tokens as in the ACF workflow. VeriSSO's design also supports lawful de-anonymization, ensuring user accountability for misbehavior during anonymity. Experimental evaluations of VeriSSO demonstrate its efficiency and practicality, with authentication processes completed within 100 milliseconds.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint.
Keywords
User AuthenticationPrivacy-Preserving SSOAnonymizationDecentralization
Contact author(s)
ifteheralom @ uky edu
sudipbhujel @ uky edu
xiaoy @ uky edu
History
2025-03-28: last of 3 revisions
2025-03-19: received
See all versions
Short URL
https://ia.cr/2025/511
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/511,
      author = {Ifteher Alom and Sudip Bhujel and Yang Xiao},
      title = {{VeriSSO}: A Privacy-Preserving Legacy-Compatible Single Sign-On Protocol Using Verifiable Credentials},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/511},
      year = {2025},
      url = {https://eprint.iacr.org/2025/511}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.