Preprint
Review

This version is not peer-reviewed.

Risk-Adaptive Single Sign-On Authentication for Multi-Platform Higher Education Portals: A Synthetic Evaluation Using OAuth 2.0 and OpenID Connect

Submitted: 15 June 2026

Posted: 16 June 2026


Abstract
Modern higher education institutions increasingly rely on interconnected digital platforms, including Learning Management Systems (LMS), digital libraries, academic portals, and human resource information systems, creating significant challenges in user authentication management. This study aimed to design and evaluate an Intelligent Single Sign-On (SSO) Framework based on OAuth 2.0/OpenID Connect (OIDC) within a simulated portal ecosystem reflecting Universitas Negeri Medan (UNIMED). A synthetic simulation was conducted using 180 user scenarios representing students (71.1%), lecturers (17.2%), and administrative staff (11.7%) from nine academic units. The proposed framework integrated OAuth 2.0/OIDC protocols with risk-based adaptive authentication and Role-Based Access Control (RBAC). The simulation results indicated a potential 72.3% reduction in login time, from 48.95 seconds to 13.54 seconds, an increase in authentication success rate from 83.75% to 94.14%, and a decrease in login failures from 3.38 to 0.85 per month. The System Usability Scale (SUS) score improved from 66.21, categorized as marginal, to 85.99, categorized as excellent, with 61.7% of user scenarios reaching the highest category under the post-SSO condition. These findings suggest that the proposed OAuth 2.0/OIDC-based framework provides a strong foundation for improving secure, efficient, and user-centered authentication in higher education institutions.

1. Introduction

The rapid digital transformation taking place in higher education has led to the proliferation of web-based platforms that support various academic and administrative functions. At Universitas Negeri Medan (UNIMED), users, including students, lecturers, and administrative staff, are required to authenticate separately on each available platform, such as SIAKAD, SIPDA/LMS, digital libraries, academic portals, and institutional email. This situation creates a significant cognitive burden and introduces security gaps that cannot be overlooked.
The phenomenon of password fatigue, which refers to fatigue caused by managing multiple passwords, has long been identified as a major source of security vulnerability in information systems [1,2]. Users who must manage many credential combinations tend to choose weak passwords, reuse the same passwords across multiple platforms, or store passwords in insecure ways. In higher education contexts, the impact of these practices may extend from reduced productivity to the exposure of sensitive academic data.
Single Sign-On (SSO) offers a solution that enables users to authenticate once and gain access to multiple integrated services. It is important to distinguish between two complementary protocols. OAuth 2.0 (RFC 6749) is a delegated authorization framework that allows applications to access resources on behalf of users, while OpenID Connect (OIDC), which is built on OAuth 2.0, adds the identity authentication layer that is essential for SSO implementation [3,4]. The combination of OAuth 2.0 and OIDC has become an industry standard for secure and scalable SSO. However, its implementation in academic environments often continues to overlook the user experience dimension [5].
The literature has highlighted an ongoing debate regarding the balance between security and usability in authentication systems. Stronger mechanisms, such as multi-factor authentication (MFA), have been shown to reduce the risk of unauthorized access, but they often compromise user convenience and lower adoption rates [6,7,8]. This assumption is examined through a risk-based adaptive authentication approach that dynamically adjusts the level of verification according to the access context.
Therefore, this study employs a simulation approach to design and evaluate an OAuth 2.0/OIDC-based SSO framework with three objectives: (1) to design an SSO architecture tailored to UNIMED’s multi-platform ecosystem; (2) to evaluate its simulated impact on authentication performance and user experience; and (3) to analyze the simulated security-related improvement of the system compared with conventional authentication methods.

2. Materials and Methods

2.1. Study Design, Dataset, and Measurement

This study employed a Design Science Research (DSR) approach with quantitative evaluation [9]. This approach combines the design of a system artifact with empirical validation using systematically constructed. Four phases were carried out: (1) requirements analysis through a literature review and an examination of the UNIMED portal ecosystem; (2) design and prototyping of the SSO framework; (3) construction of a synthetic constructed dataset reflecting real user conditions; and (4) quantitative evaluation using inferential statistical tests on performance and user experience metrics.
The use of generative artificial intelligence (GenAI) in this study included assistance in drafting the manuscript, editing grammar, and creating data visualizations. GenAI was not used in constructing the simulation dataset, conducting statistical analysis, or interpreting the findings.
Due to limited direct access to the production authentication system and ethical considerations related to real user data, the dataset was constructed from: (a) publicly available institutional user profiles of UNIMED; (b) reference values from the SSO evaluation literature; and (c) portal usage distributions obtained from the institution’s annual information technology reports.
The use of aggregate institutional information technology reports was conducted with institutional authorization and was limited to non-identifiable summary information.
The dataset consisted of 180 user scenarios representing students (n = 128), lecturers (n = 31), and administrative staff (n = 21) from nine academic units, with the simulated observation period spanning February to March 2026.
The proportion of students, lecturers, and administrative staff was not intended to reproduce the exact institutional population. Instead, it was constructed to reflect the dominant user groups that routinely access academic portals. This choice allowed the simulation to emphasize authentication load across roles rather than institutional demography.
Each scenario contained two sets of values, namely pre-SSO and post-SSO conditions, for eight measurement variables: login time, authentication success rate, login failures per month, password resets per three months, UX score, security score, satisfaction score, and SUS score. The pre-SSO values were calibrated using ranges reported in studies of conventional authentication in higher education settings [9,10] while the post-SSO values were modeled based on expected improvements from the implementation of an industry-standard SSO framework.

Table 1. Demographic and Usage Characteristics of Simulated User Scenarios

| Category | Group | n | % |
|---|---|---|---|
| Role | Students | 128 | 71.1% |
| Role | Lecturers | 31 | 17.2% |
| Role | Administrative Staff | 21 | 11.7% |
| Academic Unit | Graduate School (PPS) | 31 | 17.2% |
| Academic Unit | Faculty of Mathematics and Natural Sciences (FMIPA) | 27 | 15.0% |
| Academic Unit | Faculty of Social Sciences (FIS) | 22 | 12.2% |
| Academic Unit | Faculty of Languages and Arts (FBS) | 22 | 12.2% |
| Academic Unit | Faculty of Economics (FE/FEB) | 19 | 10.6% |
| Academic Unit | Faculty of Engineering (FT) | 18 | 10.0% |
| Academic Unit | Faculty of Education (FIP) | 17 | 9.4% |
| Academic Unit | Faculty of Medicine (FK) | 12 | 6.7% |
| Academic Unit | Faculty of Sport Science (FIK) | 12 | 6.7% |
| Portals Used | 3 Portals | 80 | 44.4% |
| Portals Used | 4 Portals | 100 | 55.6% |
| Primary Device | Personal Laptop | 75 | 41.7% |
| Primary Device | Personal Smartphone | 74 | 41.1% |
| Primary Device | Office / Lab Computer | 22 | 12.2% |
| Primary Device | Shared Device | 9 | 5.0% |
| Access Location | UNIMED Campus | 74 | 41.1% |
| Access Location | Home / Boarding House | 73 | 40.6% |
| Access Location | School / Workplace | 25 | 13.9% |
| Access Location | Outside the City | 8 | 4.4% |

2.2. Proposed SSO Framework and Evaluation Metrics

The proposed SSO framework uses a combination of OAuth 2.0 as the authorization layer and OpenID Connect (OIDC) as the identity authentication layer, in accordance with modern SSO architecture [11]. OIDC adds an ID Token based on JSON Web Token (JWT), which enables clients to cryptographically verify user identity, a capability that OAuth 2.0 does not provide on its own. This framework consists of five components: (1) a Keycloak-based Identity Provider (IdP); (2) an academic RBAC module; (3) a Smart Token Manager; (4) a Risk Assessment Engine that classifies sessions into Low, Medium, or High risk levels; and (5) a responsive single login interface.
The authentication flow implements the Authorization Code Flow with PKCE in accordance with the OAuth 2.0 Security Best Current Practice [12]. Based on the risk classification, the adaptive engine determines the appropriate action: direct access for low risk, lightweight OTP for medium risk, device verification for high risk, or administrator review for very high risk.
Eight variables were measured in the simulation for each user scenario: (1) login time in seconds; (2) authentication success rate (%); (3) login failures per month; (4) password resets per three months; (5) perceived UX score using a 1 to 5 Likert scale; (6) perceived security score using a 1 to 5 Likert scale; (7) overall satisfaction score using a 1 to 5 Likert scale; and (8) SUS score on a scale of 0 to 100. The reference values for the SUS scale followed [12,13]: Excellent ≥ 85.1, Good 72.6 to 85.0, Marginal 51.7 to 72.5, and Poor < 51.7.
A paired-samples t-test was used to compare all pre-SSO and post-SSO metrics. Cohen’s d effect size was reported using the following classification: small (d = 0.20), medium (d = 0.50), and large (d ≥ 0.80) [14]. Statistical significance was set at α = .05. The analysis was conducted using Python 3.11 with the SciPy and pandas libraries. The simulation dataset is available upon request from the corresponding author.
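
The paired test and effect size described above, as an added example using only the standard library (not the authors' SciPy and pandas analysis). It computes the paired t statistic and the paired-differences effect size d_z = mean(diff) / SD(diff), then checks whether each (t, d) pair printed in Section 3 satisfies d_z = |t| / √n for n = 180. The sample data are constructed, and reading the page's d as d_z is an assumption that the check tests.

```python
import math
import random
import statistics

N_SCENARIOS = 180  # sample size stated on the page

# |t(179)| and d exactly as printed in Section 3 of the page.
REPORTED = {
    "login_time": (64.44, 4.80),
    "auth_success_rate": (55.19, 4.11),
    "failed_logins": (32.58, 2.43),
    "password_resets": (25.57, 1.91),
    "ux": (78.27, 5.83),
    "security_perception": (59.56, 4.44),
    "satisfaction": (86.14, 6.42),
    "sus": (44.17, 3.29),
}


def paired_t_and_dz(pre, post):
    """Return (t, d_z, df) for paired samples, using differences pre - post."""
    if len(pre) != len(post) or len(pre) < 2:
        raise ValueError("need two equally long samples with n >= 2")
    diffs = [a - b for a, b in zip(pre, post)]
    n = len(diffs)
    mean_diff = statistics.fmean(diffs)
    sd_diff = statistics.stdev(diffs)  # sample SD (n - 1 in the denominator)
    if sd_diff == 0:
        raise ValueError("all differences are identical; t is undefined")
    t = mean_diff / (sd_diff / math.sqrt(n))
    d_z = mean_diff / sd_diff
    return t, d_z, n - 1


def constructed_pairs(n=N_SCENARIOS, seed=7):
    """Constructed login times (seconds); pre and post are drawn independently,
    which is an assumption of this example, using the means and SDs in the text."""
    rng = random.Random(seed)
    pre = [rng.gauss(48.95, 6.76) for _ in range(n)]
    post = [rng.gauss(13.54, 3.06) for _ in range(n)]
    return pre, post


def rows_inconsistent_with_dz(reported, n=N_SCENARIOS, tol=0.01):
    """Names of rows whose printed d differs from |t| / sqrt(n) by more than tol."""
    return [name for name, (t, d) in reported.items()
            if abs(abs(t) / math.sqrt(n) - d) > tol]


if __name__ == "__main__":
    t, d_z, df = paired_t_and_dz(*constructed_pairs())
    print(f"constructed data: t({df}) = {t:.2f}, d_z = {d_z:.2f}")
    print("rows not matching d_z = |t|/sqrt(n):", rows_inconsistent_with_dz(REPORTED))
```

Every reported pair passes the check, so the printed effect sizes are consistent with d computed on the paired differences rather than on a pooled standard deviation.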

3. Results

3.1. Authentication Performance

The simulated assessment of the proposed SSO framework indicated a consistent reduction in login time across all user groups. Login time decreased by 72.3%, from M = 48.95 seconds (SD = 6.76) to M = 13.54 seconds (SD = 3.06), t(179) = 64.44, p < .001, d = 4.80. The authentication success rate increased from 83.75% (SD = 4.22) to 94.14% (SD = 2.72), representing an improvement of 10.39 percentage points, t(179) = 55.19, p < .001, d = 4.11.
Figure 1 presents the improvement trends by user role. Administrative staff experienced the largest reduction in login time, from 52.9 seconds to 13.4 seconds, a decrease of 74.6%. This was followed by students, whose login time decreased from 49.9 seconds to 13.5 seconds, a reduction of 72.9%, and lecturers, whose login time decreased from 42.5 seconds to 13.7 seconds, a reduction of 67.7%. Lecturers recorded the highest post-SSO authentication success rate at 95.5%, indicating a more consistent access pattern that allowed the risk engine to classify their sessions more frequently as low risk.

Table 2. Paired-Samples t-Test Results: Pre-SSO vs. Post-SSO Performance Metrics (n = 180)

| Metric | Pre-SSO M (SD) | Post-SSO M (SD) | Change | t(179) | p | Cohen’s d |
|---|---|---|---|---|---|---|
| Login Time (seconds) | 48.95 (6.76) | 13.54 (3.06) | −72.3% | 64.44 | < .001 | 4.80 |
| Authentication Success Rate (%) | 83.75 (4.22) | 94.14 (2.72) | +10.39 pp | −55.19 | < .001 | 4.11 |
| Failed Logins / Month | 3.38 (1.13) | 0.85 (0.56) | −74.9% | 32.58 | < .001 | 2.43 |
| Password Resets / 3 Months | 2.23 (0.81) | 0.52 (0.50) | −76.7% | 25.57 | < .001 | 1.91 |

Login failures per month decreased by 74.9%, from M = 3.38 to M = 0.85, t(179) = 32.58, p < .001, d = 2.43. The frequency of password resets decreased by 76.7%, from 2.23 to 0.52 per three months, t(179) = 25.57, p < .001, d = 1.91. Figure 2 presents the distribution of both metrics by user group.

3.2. User Experience and System Usability Scale

All dimensions of subjective perception improved significantly. The UX score increased from M = 3.08 (SD = 0.36) to M = 4.35 (SD = 0.37), t(179) = 78.27, p < .001, d = 5.83. The satisfaction score showed the largest improvement, increasing from M = 3.04 (SD = 0.35) to M = 4.42 (SD = 0.39), t(179) = 86.14, p < .001, d = 6.42. The perceived security score increased from M = 3.27 (SD = 0.32) to M = 4.25 (SD = 0.37), t(179) = 59.56, p < .001, d = 4.44.

Table 3. UX Perception, Security, and Satisfaction Scores Before and After SSO Simulation (Scale 1–5)

| Dimension | Pre-SSO M (SD) | Post-SSO M (SD) | Δ | t(179) | p | d |
|---|---|---|---|---|---|---|
| User Experience (UX) | 3.08 (0.36) | 4.35 (0.37) | +1.27 | −78.27 | < .001 | 5.83 |
| Security Perception | 3.27 (0.32) | 4.25 (0.37) | +0.98 | −59.56 | < .001 | 4.44 |
| Overall Satisfaction | 3.04 (0.35) | 4.42 (0.39) | +1.38 | −86.14 | < .001 | 6.42 |

Note. M = mean; SD = standard deviation; Δ = mean difference; d = Cohen’s effect size. *** p < .001.

The overall SUS score increased from M = 66.21 (SD = 4.58), categorized as Marginal, to M = 85.99 (SD = 4.12), categorized as Excellent, t(179) = 44.17, p < .001, d = 3.29. Table 4 provides a detailed breakdown of SUS scores by user role.
The distribution of SUS categories after simulation, as shown in Figure 3, shifted substantially. Before simulation, 91.7% of scenarios (n = 165) were in the Marginal category (SUS 51.7–72.5), and 8.3% (n = 15) were in the Good category (SUS 72.6–85.0). None reached the Excellent category. After simulation, 61.7% (n = 111) reached the Excellent category (SUS ≥ 85.1), and 38.3% (n = 69) reached the Good category. No scenarios remained below the Good category.

3.3. Adaptive Authentication: Risk Distribution and Actions

The adaptive authentication system produced two related but conceptually distinct distributions: the distribution of session risk levels and the distribution of triggered authentication actions. These two distributions were not always one-to-one because the adaptive engine considered historical session factors in addition to the main risk classification. The cross-tabulation in Table 5 presents the relationship between these two distributions (Post-SSO, N = 180).

4. Discussion

4.1. Interpretation of Findings in Relation to the Working Hypotheses

This simulation study was guided by two working hypotheses: (1) the implementation of an OAuth 2.0/OIDC-based SSO framework can significantly reduce the authentication burden; and (2) a risk-based adaptive authentication mechanism can address the tension between security and convenience without compromising either aspect. The simulation findings consistently support both hypotheses. The 72.3% reduction in login time exceeded the 20% threshold commonly regarded as meaningful in UX research [15], and the increase in SUS score from the Marginal category to the Excellent category represents a practically meaningful categorical shift.
Regarding the second hypothesis, the risk and action cross-tabulation in Table 5 shows that 91.4% of low-risk sessions received direct access, while medium-risk and high-risk sessions received proportional verification. This suggests that adaptive authentication has the potential to be technically effective and acceptable to users in the simulated context, as reflected in the highest satisfaction score (M = 4.42). This finding is consistent with [16], which found that users are more likely to accept additional verification when the risk context is perceived as reasonable.

4.2. Comparison with Previous Studies

The increase in SUS score to 85.99 exceeded the result of a CAS-based SSO study at an Indonesian university, which reported an average post-simulation score of 74.3 in the Good category [17]. This difference was likely due to the integration of OIDC, which simplified the authentication flow, and the responsive single login interface designed for various devices. This is particularly relevant given the nearly balanced proportion of laptop and smartphone users in the simulation, at 41.7% and 41.1%, respectively.
The reductions in login failures (74.9%) and password resets (76.7%) are consistent with the meta-analysis by [18], which showed that SSO can reduce password-related technical support requests by up to 70%. This study provides more specific simulation-based evidence for the Indonesian higher education context, which is characterized by high heterogeneity in devices and access locations.

4.3. Theoretical and Practical Implications

This study strengthens two theoretical contributions. First, from a technical perspective, the explicit differentiation between OAuth 2.0 as an authorization layer and OIDC as an authentication layer in an academic SSO framework provides conceptual precision that is often overlooked in the educational SSO literature, where the two terms are frequently used interchangeably. Second, the findings support two constructs of the Technology Acceptance Model: perceived ease of use, represented by the UX improvement of +1.27, and perceived usefulness, represented by the satisfaction improvement of +1.38. These results indicate that user-centered authentication system design is an important determinant of system adoption [19,20].
The proposed Keycloak-based framework is an open-source solution with no licensing cost, making it suitable for the budgetary constraints of Indonesian public higher education institutions. The academic RBAC architecture developed in this study offers an adaptable template for other institutions. The 76.7% reduction in password reset frequency has direct implications for improving the efficiency of institutional information technology teams. The fact that all post-simulation user scenarios were categorized as Good or Excellent provides strong justification for policymakers to invest resources in authentication system modernization.

4.4. Limitations

This study has several limitations that should be considered. First, as a synthetic simulation study, the direct generalization of the results to real-world implementation requires further empirical validation through pilot deployment and the collection of actual user data. The simulation values were constructed based on reference ranges from the literature, but real-world conditions may differ because of network infrastructure, server configuration, and actual user behavior that may not be fully captured in the model. Second, the evaluation did not include penetration testing or a formal security audit, meaning that claims regarding improved security are inferential and based on the reduction in login failure metrics. Third, this study did not measure long-term post-adoption effects. Fourth, the relatively small proportion of administrative staff scenarios (n = 21) limits the statistical power of subgroup analysis for this category.

4.5. Future Research Directions

Several future research directions can be proposed. First, the framework should be validated through a real pilot deployment at UNIMED by measuring actual authentication data over a period of 6 to 12 months. Second, mobile biometric integration, such as facial recognition or fingerprint authentication, could be explored to further reduce friction for smartphone users. Third, AI-based real-time detection of anomalous login behavior could be implemented to improve the precision of risk classification. Fourth, the framework could be extended to support inter-institutional federation in the context of the MBKM program, which requires cross-university identity portability.

5. Conclusions

This study proposed an Intelligent OAuth 2.0/OpenID Connect-Based SSO Framework for multi-platform higher education portals and assessed its expected performance through a controlled simulation. By distinguishing OAuth 2.0 as the authorization layer and OIDC as the identity layer, the proposed architecture offers a clearer foundation for academic authentication systems than models that treat both protocols interchangeably.
The analysis produced three main findings. First, the proposed framework was associated with shorter login time, higher authentication success, fewer failed logins, and fewer password reset requests across the constructed scenarios. Second, usability indicators improved substantially, with SUS scores moving from the marginal range to the excellent range. Third, the risk-by-action mapping indicated that low-risk sessions could be handled with minimal friction, while higher-risk sessions could receive stronger verification.
These findings should be interpreted as an initial analytical basis rather than evidence from operational deployment. Further work should include pilot testing at UNIMED, collection of actual authentication logs, security testing, and longitudinal evaluation of user adoption.

Author Contributions

Conceptualization, Baharuddin and Mansur AS; methodology, Mansur AS and La Ane; software, Mansur AS; validation, Baharuddin, La Ane, and Angga Warjaya; formal analysis, Mansur AS and Angga Warjaya; investigation, Baharuddin and La Ane; resources, Baharuddin and Mansur AS; data curation, Mansur AS; writing, original draft preparation, Mansur AS; writing, review and editing, Baharuddin, La Ane, and Angga Warjaya; visualization, Mansur AS and Angga Warjaya; supervision, Baharuddin and La Ane; project administration, Mansur AS; funding acquisition, Baharuddin. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by PNBP Universitas Negeri Medan, Indonesia, under grant number 0001/UN33.8/PPKM/PKU/2024.

Institutional Review Board Statement

Ethical review and approval were waived for this study because it used a synthetic simulation dataset and did not involve direct interaction with human participants or the collection of personally identifiable data. The aggregate institutional information used in this study was limited to non-identifiable summary information and was used with institutional authorization.

Data Availability Statement

The synthetic simulation dataset used in this study is available from the corresponding author upon reasonable request.

Acknowledgments

During the preparation of this manuscript, the authors used generative artificial intelligence tools, including ChatGPT and DeepSeek, for language refinement, grammar checking, and visualization assistance. The authors reviewed, revised, and validated all outputs generated by these tools and take full responsibility for the content of this publication. The authors gratefully acknowledge the Information and Communication Technology Center (UPA TIK), Universitas Negeri Medan, for providing the simulation data used in this project.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Mkabe, Z. Strengthening Cybersecurity in a Government Department by Addressing Password Management Challenges and Human Factor Vulnerabilities. Discover Computing 2025, 28, 148.
  2. Rodrigues, B.D.C.F.; Emmanuel, D.D.J.; Sharma, B.K. From RockYou to RockYou2024: Analyzing Password Patterns Across Generations, Their Use in Industrial Systems and Vulnerability to Password Guessing Attacks. Journal of Internet Services and Applications 2025, 16.
  3. Ilboudo, A.; Bassole, D.; Kouraogo, J.P.; Koala, G.; Sie, O. Towards a Single-Sign-On Authentication Architecture Based on OpenID Connect Protocol and Blockchain Technology. In Proceedings of the Innovations and Interdisciplinary Solutions for Underserved Areas (InterSol 2024). Springer, Cham, 2025, Vol. 610, Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering.
  4. Hosseyni, P.; Küsters, R.; Würtele, T. Formal Security Analysis of the OpenID FAPI 2.0 Family of Protocols: Accompanying a Standardization Process. ACM Transactions on Privacy and Security 2025, 28, 1–36.
  5. Allafi, R.; Darem, A.A. Usability and Security in Online Authentication Systems. International Journal of Advanced and Applied Sciences 2025, 12, 1–12.
  6. Ferreras-Rodríguez, J.; Carneiro, J.; Di Nocera, F. Usable Security: A Systematic Literature Review. Information 2023, 14, 641.
  7. Alhothaily, A.; Alrawais, A.; Song, T.; Cheng, X. Strengthening Cloud Security: An Innovative Multi-Factor Multi-Layer Authentication Framework for Cloud User Authentication. Applied Sciences 2023, 13, 10871.
  8. Kowalski, M.; Hüffmeyer, M.; Schwittay, S. Challenges and Potential Improvements for Passkey Adoption—A Literature Review with a User-Centric Perspective. Applied Sciences 2025, 15, 4414.
  9. Hevner, A.R.; Parsons, J.; Brendel, A.B.; Lukyanenko, R.; Tiefenbeck, V.; Tremblay, M.C.; vom Brocke, J. Transparency in Design Science Research. Decision Support Systems 2024, 182, 114236.
  10. Durity, A.L.; et al. Measuring NIST Authentication Standards Compliance by Higher Education Institutions, 2024, [2409.00546].
  11. Sakimura, N.; Bradley, J.; Jones, M.B.; de Medeiros, B.; Mortimore, C. OpenID Connect Core 1.0 Incorporating Errata Set 2. Technical report, OpenID Foundation, 2023. OpenID Connect Core Specification.
  12. Ilboudo, A.; Bassole, D.; Kouraogo, J.P.; Koala, G.; Sie, O. Towards a Single-Sign-On Authentication Architecture Based on OpenID Connect Protocol and Blockchain Technology. In Proceedings of the Innovations and Interdisciplinary Solutions for Underserved Areas (InterSol 2024), Cham, 2025; Vol. 610, Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, pp. 87–99.
  13. Fugkeaw, S. Achieving Decentralized and Dynamic SSO-Identity Access Management System for Multi-Application Outsourced in Cloud. IEEE Access 2023, 11, 25480–25491.
  14. Cohen, J. Statistical Power Analysis for the Behavioral Sciences, 2nd ed.; Lawrence Erlbaum Associates: Hillsdale, NJ, 1988.
  15. Wiefling, S.; Jørgensen, P.R.; Thunem, S.; Lo Iacono, L. Pump Up Password Security! Evaluating and Enhancing Risk-Based Authentication on a Real-World Large-Scale Online Service. ACM Transactions on Privacy and Security 2023, 26, 1–36.
  16. Wiefling, S.; Dürmuth, M.; Lo Iacono, L. More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication. In Proceedings of the Annual Computer Security Applications Conference (ACSAC ’20). ACM, 2020.
  17. Murti, Y.R.; Afgani, F.A.; Rijanandi, T. Towards an Integrated Authentication System: Single Sign-On (SSO) Architecture for Higher Education Applications. COELITE: Journal of Computer Engineering, Information and Technology 2024.
  18. Hastings, S.; Moore, T.; Gandal, N. Quantifying Costs of Enhanced Security in Multifactor Authentication. Information Systems Frontiers 2025.
  19. Schorr, A. The Technology Acceptance Model (TAM) and its Importance for Digitalization Research: A Review. Journal of Applied Research in Higher Education 2023. Open Access, CC BY-NC-ND 4.0.
  20. Hosseyni, P.; Küsters, R.; Würtele, T. Formal Security Analysis of the OpenID FAPI 2.0 Family of Protocols: Accompanying a Standardization Process. ACM Transactions on Privacy and Security 2024, 28, 1–36.
Figure 1. Login Time (a) and Authentication Success Rate (b) Before and After SSO simulation by User Role.
Figure 2. Failed Login Attempts per Month (a) and Password Reset Frequency per 3 Months (b) by User Role.
Figure 3. SUS Score by User Role (a) and Comparison of UX, Security, and Satisfaction Perceptions (b).

Table 4. System Usability Scale (SUS) Scores by User Role

| Role | n | Pre-SSO SUS M (SD) | Post-SSO SUS M (SD) | Improv. | Post-SSO Category |
|---|---|---|---|---|---|
| Students | 128 | 65.8 (4.5) | 85.9 (4.2) | +20.1 | Excellent |
| Lecturers | 31 | 68.0 (5.4) | 86.6 (4.4) | +18.6 | Excellent |
| Administrative Staff | 21 | 65.7 (2.7) | 85.8 (3.5) | +20.1 | Excellent |
| Overall | 180 | 66.21 (4.58) | 85.99 (4.12) | +19.78 | Excellent |

Note. SUS = System Usability Scale; M = mean; SD = standard deviation.

Table 5. Risk Level and Adaptive Authentication Action

| Risk Level | Direct Access | Light OTP | Device Verif. | Admin Review | Total |
|---|---|---|---|---|---|
| Low | 106 | 10 | 0 | 0 | 116 |
| Medium | 11 | 27 | 10 | 0 | 48 |
| High | 0 | 5 | 6 | 5 | 16 |
| Total | 117 | 42 | 16 | 5 | 180 |

Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permits free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.