The impact of cookie privacy changes on identity services

The panel discussion is always a highlight at our annual Access Lab event. This year’s expert discussion featured Heather Flanagan, principal at Spherical Cow Consulting and Adam Snook, technical consultant at OpenAthens. They discussed the impact of cookie privacy changes on identity services.

Drawing on experience and insight, they outlined recent changes in legislation, the impact of browser updates and future plans to prevent loss of seamless access to resources.

What are the changes?

Heather kickstarted the session by outlining updates to cookies, the changes to the privacy landscape online and implications for federated identity.

She highlighted the goal we all share; to preserve the privacy of our library users without compromising on quality services, easy access, and premium user experience.

Impact on authentication

The problem appears when it comes to federated identity: many applications and services need to work through the browser to support single sign-on (SSO)/federated login. Tracking tools use the same features and are indistinguishable for browsers.

Tracking can happen through third-party cookies, IP addresses, browser fingerprinting, link decoration and bounce tracking.

Heather noted: “These are all mechanisms we have to consider when thinking about our users as they are systems we currently use, which are under threat as browsers consider ways to prevent tracking.“

What does this mean for OpenAthens

Adam picked up the discussion with insight on OpenAthens services as tracking prevention tactics come into play in the next couple of years. He said: “Everything that is remotely linked to tracking is in scope.”

The change in legislation does not have a significant direct impact on OpenAthens. However, these are some predictions to be aware of:

• Authentication that uses SAML will continue to work for at least two to three years
• Where Are You From (WAYF) services (eg. SeamlessAccess/ Wayfinder) will continue to work. Previous choices may not be remembered so users might need to search for their organization each time
• Services that share information between third parties in frames (eg. Teams, integrated library systems/ library management systems) will have mixed results
• Other features that enable tracking (IP addresses, browser fingerprinting) are already breaking, depending on the browser
• WAYFless linking (link decoration) may be affected depending on implementation

Things to consider

Adam also highlighted that Safari, Firefox and Chrome have already started making changes to their third-party cookie policies. This will have a wide-ranging impact on services such as SAML single log out, OpenID Connect/OAuth2 features and Identity Provider (IdP) persistence.

As a tip, Adam explained: “If you want to emulate the worst-case scenario of how the lack of cookies will impact software in use, test with Safari.”

It is also possible to turn off third-party cookies when using Chrome.

For immediate info for campus IT and library staff, SeamlessAccess offers a FAQ on Browser Privacy Changes and Library Resources Access (Or Why Your IP Authentication is About to Break).

Heather and Adam finished the session with an insightful Q&A. It raised several questions from the audience, such as the impact on internal tools and if federated access still will exist in the future.