Browser changes FAQ

What is the problem with browsers?

Every user's browser has a unique fingerprint, formed from data such as the device the user is on, the IP address it connects from, the size of the screen, and what is installed on the system. Advertisers use browser fingerprinting to track users as they move between different websites.
Browser companies like Google, Mozilla, and Apple are increasingly concerned about user privacy issues and the looming threat of substantial lawsuits. With public authorities such as the European Union implementing regulations like GDPR to safeguard user privacy, browsers are feeling the pressure to take action against tracking. As a result, they are actively exploring measures to enhance privacy protections.

Why are changes being made to browsers?

Fundamentally, the issue is that the Internet and browsers were not originally designed with privacy in mind. The changes that have been proposed aim to address precisely that, specifically to reduce the number of users being tracked across the web.

How is tracking accomplished?

There are different ways to track users, but the most common methods are:

  • Third-party cookies: These are cookies that can be read by any site, not just the one that sets them
  • Link decoration: It consists of additional characters that are added to a URL. For example, using query parameters: ?entityID=<your entity ID>
  • Location tracking: In most cases, this will be your IP address, but it could include more precise information if that is available, for example from a phone
  • Bounce tracking: This is where users are quickly redirected to another site they do not interact with, where a cookie will be set without their knowledge before they are redirected back to the original site they were interacting with. This functionality is commonly used in OIDC and SAML interactions
  • Browser fingerprint: The browser releases a significant amount of stored information about you, as well as information about your operating system and device, which combined is often enough to identify you

When are the browser changes happening? Is there a timeline?

Browser changes are already happening. Most of the major browsers have already amended their cookie policies and now block third-party cookies by default. However, other changes are still being discussed and, at the moment, it is difficult to get a definitive answer to this, although they are not expected to happen in the immediate future.
There has also been some work publicized around reducing the size of browser fingerprints, and Google has published a publicly available timeline that is updated monthly.

What is FedCM and how could it help?

FedCM (Federated Credential Management) is a new API that allows you to sign in to websites, with the browser taking a role during the sign-in process. On sites that have adopted FedCM, the browser, instead of the website itself, will prompt you to sign in using one of your accounts, for example your Google account. This lets the browser distinguish a genuine sign-on, which can be allowed, from a non-genuine one. It is not tracking because the browser knows that you are trying to sign in to a website, and you are not trying to be tracked as part of that.
FedCM also helps provide a consistent user experience between websites, where you do not have to go to a website, create an account and sort out any issues related to managing accounts across different sites.
It has, however, been designed as an end-user single sign-on solution, which is what Google understands and the space that they are in. FedCM is now being proposed as the standard to allow you to do single sign-on to prevent tracking.

Could you recommend a browser that will be less impacted by these changes?

There is no current recommended browser. The decision on which browser to use should always be down to the user or organization’s choice. However, the assumption is that any changes will eventually affect all major browsers.

Should we ask users to use something other than Chrome to access the MyAthens+ page in the short term?

There is no reason to recommend against the use of Chrome, or any other browser.

Should librarians recommend that users keep their browsers up to date while browser vendors continue to work to fix these issues?

Yes, they should always be kept up to date.

Is there any way to find out if a particular user is in the 1% of Google users with the third-party cookies blocked?

No, and you shouldn’t need to know either. Disabling third-party cookies shouldn’t have a negative impact on user experience and certainly will not impact access. It is also worth noting that this is not just a ‘Google’ issue and will affect all browsers that disable third-party cookies.

Should we be moving away from IP address authorization for privacy reasons as well?

We advocate for federated authentication and single sign-on, and it has always been our recommendation to move away from traditional IP recognition. The potential browser changes around hiding the browser’s IP address mean that it might not even be possible for traditional IP recognition to exist in the future.

Will browser changes affect SAML 1:1 connections?

Potentially, yes. 1:1 connections, which are often referred to as 1-2-1, peer-to-peer or bilateral SAML connections between a single identity provider (IdP) and service provider (SP), might be affected.
The changes will potentially affect any product or service on the world wide web, i.e. anything you use in your browser.

Are browser changes going to affect OpenAthens?

Changes to third-party cookies will not affect OpenAthens, so if they are disabled within your browser, it will have no effect on the OpenAthens single sign-on experience.
On the other hand, OpenAthens uses information in the URL, which looks similar to link decoration, and it is used to implement SAML, OpenID Connect and Federated Identity, so browser changes could prevent it from working in the same way it works now. However, we are working to prevent and mitigate any potential changes and impact.

Is the OpenAthens managed proxy affected?

Not at the moment, and we are not expecting it to be impacted. It is hard to say how a proxy will be affected by all these changes, so we are monitoring the situation closely and working to accommodate any potential changes.

Why would IP recognition via a managed proxy not break but traditional IP recognition via a browser would?

Currently, it is assumed that browsers will only obfuscate the browser's public IP address. A web rewriting proxy is an existing method of masking the browser's public IP address, so it might not be hidden further by the browser.

Many libraries use a combination of federated single sign-on and IP proxying, where the proxy is typically authenticated by federated single sign-on. Will IP proxying be affected by FedCM and browser changes?

OpenAthens is the complete solution. We recognize that not everyone uses the same methods of authentication. By utilizing these different technologies, we can not only connect you to thousands of publishers but also aim to future-proof your authentication needs and eliminate concerns.
FedCM will not affect OpenAthens or any other federated single sign-on method. It is just another single sign-on solution aimed at the consumer market.

How will using IP obfuscating features impact Access Accounts?

If IP obfuscation is enabled, access accounts in their current form will cease to allow users to sign in. The reason is that they currently rely on IP recognition as a second factor alongside their usernames and passwords.
Our product team is exploring alternative methods to provide login routes for guests and walk-in users.

How will using IP obfuscating features impact OpenAthens redirector bypass?

Some organizations prefer service providers to automatically authorize access to their content using the organization’s IP range when users are on-site. To avoid having to provide users with two links, the OpenAthens Redirector currently supports adding IP addresses and ranges; if a user is within such a range, it sends them directly to the service provider website instead of via federated access.
If IP obfuscation is enabled, the Redirector will no longer be able to see the user’s IP address, so it will not be able to bypass authentication and will instead initiate a federated authentication request asking the user to sign in. This should not be seen as a problem: service providers will not be able to see the user’s IP address either, so they will not be able to provide access based on it. This will actually have the advantage of making the user experience consistent regardless of the location from which users are trying to access content.

How will using IP obfuscating features impact OpenAthens self-registration schemes?

If IP obfuscation is enabled, the user’s IP address will no longer be visible. This would mean that, if users were on-site or on-premise, they would no longer be able to automatically verify that they belong to a particular institution.
Self-registration schemes allow users to create their own OpenAthens personal account, so we do have two validation methods to confirm that the user is a member of the organization. However, if IP obfuscation was enabled, we would no longer be able to use an organization's IP range as a validation technique. Instead, validation would have to rely solely on the organization’s email domain.
This would mean that even if a user is on-site or on-premise, they would no longer be able to use their personal email address and would have to use their organizational email address.
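The three IP-dependent features described above (Access Accounts, the Redirector bypass and self-registration validation) can be modelled side by side. This is an added example, not OpenAthens code: the ranges, email domain and function names are hypothetical, and it assumes IP obfuscation makes the server see a relay address outside the organization's range.

```python
import ipaddress

# Constructed sample configuration (documentation-reserved ranges and domain)
# standing in for one organization's settings; not real OpenAthens data.
ORG_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]
ORG_EMAIL_DOMAIN = "library.example.org"

def on_site(observed_ip):
    """True only when the address the server observed is inside ORG_RANGES."""
    try:
        addr = ipaddress.ip_address(observed_ip)
    except ValueError:
        return False  # missing or malformed address: treat as off-site
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in ORG_RANGES)

def redirector_route(observed_ip):
    """Bypass to the service provider on-site, otherwise federated sign-in."""
    return "direct-to-sp" if on_site(observed_ip) else "federated-sign-in"

def access_account_sign_in(password_ok, observed_ip):
    """Access accounts: password plus IP recognition as the second factor."""
    return password_ok and on_site(observed_ip)

def self_registration_valid(observed_ip, email):
    """Either validation method is enough: on-site IP or organizational email."""
    local, sep, domain = email.rpartition("@")
    email_ok = bool(local and sep) and domain.lower() == ORG_EMAIL_DOMAIN
    return on_site(observed_ip) or email_ok

# Constructed inputs: the same on-site user seen without and with obfuscation.
# Assumption: obfuscation shows the server a relay egress address instead.
REAL_IP, RELAY_IP = "192.0.2.44", "203.0.113.9"

def compare():
    """Per scenario: (redirector route, access account, personal email, org email)."""
    return {label: (redirector_route(ip),
                    access_account_sign_in(True, ip),
                    self_registration_valid(ip, "reader@mail.example.net"),
                    self_registration_valid(ip, "reader@library.example.org"))
            for label, ip in (("plain", REAL_IP), ("obfuscated", RELAY_IP))}

if __name__ == "__main__":
    for label, row in compare().items():
        print(label, row)
```

With the relay address, only the organizational email check still succeeds; every decision that depended on the IP range falls back or fails closed.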

How will SAML single sign-on experiences be impacted if IP obfuscation is enabled?

If IP obfuscation is enabled, it will not have an impact on SAML single sign-on.

How will SAML single sign-on experiences be impacted if browser fingerprinting is disabled?

There will be no impact on SAML single sign-on if at some point browser fingerprinting is disabled.

How will SAML single sign-on experiences be impacted if third-party cookies are disabled?

Third-party cookies are already disabled in Safari and Firefox, and Google have already started disabling them by default. Disabling third-party cookies means that:

  • The ability to sign-in to resources with SAML will not be affected
  • It will not affect the primary function of the organization discovery services, known as “Where Are You From” or WAYF, because you will still be able to search for your organization and sign in
  • Some organization discovery services utilize third-party cookies to remember a user’s last used organization to display on other web applications. This will no longer function if third-party cookies are disabled, which would mean that users would need to search for their organization on each website. This would have limited user impact as not many services utilize this type of functionality at present
  • Organization discovery services that utilize first-party cookies to show a user’s previously used organization will still be able to show it

How will SAML single sign-on experiences be impacted if link decoration is disabled?

If link decoration is completely disabled, this will break the world wide web, and therefore, it is very unlikely to happen.
It is not clear what browsers have in mind at this point, but we are involved in conversations, and it is our hope that there would be a repository of either trusted sites (an allow list) or bad actors (a blacklist) to mitigate the impact on library, academic and research products and services in this space.
OpenAthens is part of Jisc, which along with many other parties, is actively engaged with the W3C community group to ensure that our community’s requirements are considered. Our active engagement is also aimed at gathering more specific information to help adapt to the new web and continue to help our customers and achieve our mission to remove barriers to knowledge.
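To show why SAML depends on information carried in the URL, the added example below (not OpenAthens code) builds a SAML HTTP-Redirect binding request and models a browser that strips every query string, with an optional trusted-site allow list. Entity IDs, endpoints, function names and the stripping rule itself are assumptions for illustration.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed, unsigned AuthnRequest; every identifier and URL is a placeholder.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.org/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.org/metadata</saml:Issuer></samlp:AuthnRequest>'
)

def redirect_binding_url(sso_endpoint, xml, relay_state):
    """SP side: raw-DEFLATE the request, base64 it, carry it in the query."""
    deflater = zlib.compressobj(wbits=-15)  # negative wbits = no zlib header
    packed = deflater.compress(xml.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(packed).decode(),
                       "RelayState": relay_state})
    return f"{sso_endpoint}?{query}"

def strip_decoration(url, trusted_hosts=()):
    """Hypothetical browser rule: drop query and fragment unless host is trusted."""
    parts = urlsplit(url)
    if parts.hostname in trusted_hosts:
        return url
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def idp_receive(url):
    """IdP side: recover the request, or report why sign-in cannot start."""
    params = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in params:
        return {"ok": False, "reason": "no SAMLRequest parameter"}
    raw = base64.b64decode(params["SAMLRequest"][0])
    return {"ok": True,
            "xml": zlib.decompress(raw, -15).decode(),
            "relay_state": params.get("RelayState", [None])[0]}

if __name__ == "__main__":
    url = redirect_binding_url("https://idp.example.org/sso", AUTHN_REQUEST,
                               "https://sp.example.org/article/1")
    print(idp_receive(url)["ok"])
    print(idp_receive(strip_decoration(url)))
    print(idp_receive(strip_decoration(url, {"idp.example.org"}))["ok"])
```

The stripped URL still reaches the identity provider, but without `SAMLRequest` and `RelayState` it has no request to answer and no destination to return the user to.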

How will SAML single sign-on experiences be impacted if bounce tracking is disabled?

If bounce tracking is disabled, it would likely disable the seamless single sign-on experience (where a user does not interact with the identity provider service directly). This means users may be required to consent to be transferred from each service provider to each identity provider.

In our communities, who is best placed to respond to browser changes issues?

Software vendors. They are the ones that usually provide the solutions that libraries need, and the ones that should ideally have the capacity to do in-depth research and development to test this out.
However, the best advice we can currently give to librarians is to stay aware of what is going on. We will always keep you up to date with any upcoming changes, so keep checking our website and subscribe to our communications.

Should OpenAthens customers be concerned about the browser changes?

No. The browser changes represent a fundamental change that is not likely to happen quickly, and OpenAthens is actively involved, talking and engaging through Jisc and REFEDS in the discussions with Google, Mozilla and Apple about the changes and their potential impact.
We are making our use case heard, we are part of that conversation, and we are working to ensure that we are prepared for any potential changes to come.

Does OpenAthens feel confident that it has enough resources to keep pace with these changes?

Yes, we know what is in scope to change and what can potentially break, but at the moment no one in the industry knows the extent, apart from the browsers themselves. However, we are in conversations through Jisc and REFEDS and monitoring the situation to ensure that we are ready for any changes that might come our way. The truth is that some potential changes that are being discussed could change not only how federated authentication works but how the entire world wide web works, and we don’t believe that is what browsers are after.
