Title: Improving the security of real world identity management systems

Although identity management systems (notably OAuth 2.0 and OpenID Connect) have been widely adopted by a range of Relying Parties and Identity Providers, it is not yet clear whether practical implementations of these systems are actually secure. In this thesis we investigate this question. In doing so we describe two large-scale empirical studies of the security of real-world identity management systems; the purposes of these studies include identifying areas for improvement in the design and implementation of the systems, as well as addressing issues acting as barriers to adoption. As part of the underlying goal of improving operational security, a new scheme is also proposed to enhance user security for OpenID Connect. In the first of the two studies we examined 60 Relying Parties (RPs) and ten Identity Providers (IdPs) supporting OAuth 2.0-based identity management services in China. In the second study we considered 103 RPs supporting OpenID Connect-based identity management using Google as the IdP. In both cases we recorded and carefully analysed the browser-relayed messages sent between the RP and IdP, identifying a number of major security vulnerabilities, some with very serious potential consequences for end user security. We further designed and implemented proof-of-concept attacks to demonstrate the seriousness of the vulnerabilities we identified. We also reported the vulnerabilities to the most seriously affected parties, helped them to fix the problem, and provided detailed recommendations for both IdPs and RPs, designed to reduce the risk of such vulnerabilities occurring in the future. To improve user security when using OpenID Connect, a novel client-based scheme is proposed, designed to mitigate phishing attacks and to provide a consistent user interface. A prototype of the scheme is described, which allows for greater user control during the authentication process.