Disclaimer
This document is based on independent research, user-observable behaviour, and conceptual threat modelling only. No unauthorised access, probing, scanning, testing, or interaction with live systems was performed.
All observations described herein are derived from standard navigation flows and normal login/logout behaviour visible to an end user. No actions were taken to exploit, extend, or abuse any observed behaviour.
This research does not include validation of backend authentication state, token lifecycle, session persistence duration, or access control enforcement. All technical interpretations are limited to surface-level behaviour and publicly observable system responses.
Research Focus
This research examines session management and authentication behaviour across the myGov portal and its associated linked services, including the Australian Taxation Office (ATO), Centrelink, and Medicare. The analysis focuses on how session trust is inherited, maintained, and terminated across federated services, and how convenience-driven design decisions may introduce unintended security and trust risks.
Context & Design Background
The myGov platform functions as a central identity and access gateway to multiple government services. Once authenticated, users can transition between linked services without repeated login prompts. This design prioritises usability and reduces friction for users interacting with multiple agencies.
From a user perspective, a single login and logout action is reasonably assumed to control access across all linked services within the same browsing session.
Observed Behaviour
The following behaviours were observed during normal use of the platform:
- Access to multiple linked services is granted following a single authentication event at the myGov portal.
- No additional authentication prompts are presented when switching between linked services during an active session.
- Logging out of the primary myGov interface does not always result in immediate termination of all linked service interfaces that were already open in the same browser session.
- In at least one instance, a linked service interface remained accessible in an existing browser tab after a standard logout action was performed.
- The same myGov account can be authenticated concurrently across multiple browser environments (for example, Chrome, Safari, and Firefox). Each browser session appears to operate independently, allowing multiple active sessions to exist simultaneously for a single user account.
No further interaction was conducted within any linked service following logout, and no attempts were made to assess session duration, privilege persistence, session prioritisation, invalidation behaviour, or backend authentication and session linkage between browser environments.
User-Facing Session Notices
During standard logout flows, a user-facing notice is presented indicating that a specific linked service may remain active and advising the user to close the browser to fully terminate access.
While this notice provides transparency at a system level, its effectiveness depends on user attention, comprehension, and follow-through. The prominence and interpretation of such notices may vary across users, particularly in fast-paced, habitual, or mobile usage scenarios.
No assessment was conducted regarding user interaction rates, notice visibility, or behavioural response to this message.
Risk Considerations
The behaviours described above may create a mismatch between user expectations and actual session state. Users may reasonably assume that a global logout action terminates access across all associated services, particularly on shared or unattended devices.
Additional risk considerations include:
- Broad trust inheritance across multiple high-sensitivity services from a single authentication event.
- Reduced user visibility into which service sessions remain active at any given time.
- Reliance on user attention and interpretation of subtle notices as a compensating control for session termination awareness.
- Variability in security outcomes based on individual user behaviour rather than consistent, system-enforced controls.
- Expanded session exposure resulting from multiple concurrent browser sessions associated with a single account.
Allowing parallel browser sessions increases the number of active access points tied to one user account. In scenarios where one browser session becomes unattended or compromised, other sessions may remain active without clear user visibility or automatic invalidation. Activity in one browser environment may not affect session state in another, further complicating user expectations around logout actions.
As a result, session continuity and access persistence may differ across services and environments despite identical platform behaviour. The associated risk arises from predictable and repeatable system behaviour combined with human-factor variability and parallel session support, rather than from technical exploitation or control bypass.
Design-Level Mitigation Concepts
The following concepts are presented at a high level to support discussion around secure identity and session architecture:
- Service-Level Reauthentication: Introduce reauthentication prompts when transitioning between high-sensitivity linked services to reinforce trust boundaries without unnecessarily disrupting user workflows.
- Centralised Session Termination: Ensure logout actions propagate consistently across all dependent service sessions, reducing reliance on individual service behaviour to enforce session closure.
- Improved User Session Visibility: Provide clearer indicators showing which services and environments are actively authenticated at any given time, helping users maintain awareness of session scope.
- Concurrent Session Awareness: Offer clearer controls or notifications when multiple active sessions exist across different browser environments, or prompt users to confirm continued access when a new session is initiated from a separate environment.
- Reduced Reliance on User Action: Minimise dependency on manual browser closure or user interpretation of notices as the primary mechanism for session termination.
These concepts aim to strengthen session trust boundaries and consistency while preserving the usability benefits and legitimate multi-device use cases inherent to federated access models.
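The centralised termination, session visibility and concurrent session concepts above can be sketched as a single registry in which every linked-service session is bound to its parent portal session. This is an added illustration, not myGov's implementation or code from the original research; the `SessionRegistry` class, its method names and the in-memory storage are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class PortalSession:
    account: str
    environment: str                              # label shown to the user, e.g. "Firefox"
    services: dict = field(default_factory=dict)  # service name -> service session id


class SessionRegistry:
    """Hypothetical central registry; every service session hangs off a portal session."""

    def __init__(self):
        self._portal = {}         # portal session id -> PortalSession
        self._service_index = {}  # service session id -> portal session id

    def login(self, account, environment):
        sid = secrets.token_urlsafe(32)
        self._portal[sid] = PortalSession(account, environment)
        return sid

    def open_service(self, portal_sid, service):
        parent = self._portal.get(portal_sid)
        if parent is None:
            raise PermissionError("portal session is not active")
        self._service_index.pop(parent.services.get(service), None)  # retire any older one
        ssid = secrets.token_urlsafe(32)
        parent.services[service] = ssid
        self._service_index[ssid] = portal_sid
        return ssid

    def is_service_active(self, service_sid):
        # Checked by the linked service on each request, so a tab left open
        # after logout fails closed instead of relying on browser closure.
        return self._service_index.get(service_sid) in self._portal

    def active_sessions(self, account):
        # Session visibility: which environments and services are signed in.
        return sorted((s.environment, sorted(s.services))
                      for s in self._portal.values() if s.account == account)

    def logout(self, portal_sid, everywhere=False):
        # Centralised termination: drop the portal session and its children;
        # everywhere=True also ends the account's sessions in other environments.
        target = self._portal.get(portal_sid)
        if target is None:
            return 0
        doomed = [sid for sid, s in self._portal.items()
                  if sid == portal_sid or (everywhere and s.account == target.account)]
        for sid in doomed:
            for ssid in self._portal.pop(sid).services.values():
                self._service_index.pop(ssid, None)
        return len(doomed)
```

Because the linked service validates its session against the registry on each request, the outcome of a logout no longer depends on whether the user closes the browser or reads a notice.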
Security & Trust Impact
Improving session isolation, reducing reliance on user attention, and reinforcing consistent logout behaviour may reduce unintended access risks while maintaining platform usability. Clearer system-enforced session boundaries help align platform behaviour with reasonable user expectations and reduce variability in security outcomes.
Closing Reflection
Federated digital identity platforms must balance accessibility, usability, and security at scale. This research highlights how session-level design decisions and human-factor assumptions can collectively influence overall risk exposure.
By strengthening session enforcement mechanisms and reducing reliance on user interpretation of subtle notices, federated services can better align convenience with consistent security guarantees across diverse user contexts.