Online Identity: Getting to know your users
Cristiano Betta, Developer Evangelist
Why am I here?
Do we always want to use the same identity?
Should we always want to use the same identity?
Authentication vs Authorisation
A little history lesson
Username + password
Security considerations
Security nightmare
4.7% of users have the password "password"
8.5% have the passwords "password" or "123456"
9.8% have the passwords "password", "123456" or "12345678"
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
Source: xato.net/passwords/more-top-worst-passwords/ and wiki.skullsecurity.org/Passwords
45% admit to leaving a website instead of re-setting their password or answering security questions. Source: bit.ly/bluestats
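As an added illustration of the figures above (example code, not from the talk): the check a sign-up form can run against a common-password list, together with the cumulative share of a password sample caught at each top-N cutoff, in the same shape as the slide's percentages. Both lists are constructed for the example; the real lists cited above run to thousands of entries.

```python
# Constructed, shortened stand-in for a "worst passwords" list, most common first.
TOP_PASSWORDS = [
    "password", "123456", "12345678", "qwerty", "abc123",
    "111111", "letmein", "monkey", "dragon", "baseball",
]

# Constructed sample of what users might type at sign-up.
SAMPLE_PASSWORDS = [
    "password", "123456", "password", "12345678", "Password",
    "qwerty", "correct horse battery staple", "T0tally-unique!", "dragon", "letmein",
]


def normalize(password):
    """Compare case-insensitively: 'Password' is no stronger than 'password'."""
    return password.strip().lower()


def is_blocklisted(candidate, blocklist=TOP_PASSWORDS, top_n=None):
    """True if the candidate appears within the first top_n entries (whole list if None)."""
    ranked = blocklist if top_n is None else blocklist[:top_n]
    return normalize(candidate) in {normalize(p) for p in ranked}


def coverage(passwords, blocklist=TOP_PASSWORDS, cutoffs=(1, 2, 3, 10)):
    """Share of passwords caught at each top-N cutoff (cumulative, like the slide)."""
    return {
        n: sum(is_blocklisted(p, blocklist, n) for p in passwords) / len(passwords)
        for n in cutoffs
    }


def check_signup_password(candidate):
    """Reject at sign-up rather than let a blocklisted password into the system."""
    if is_blocklisted(candidate):
        return False, "password is on the common-password list; choose another"
    return True, "ok"


if __name__ == "__main__":
    for n, share in coverage(SAMPLE_PASSWORDS).items():
        print(f"top {n}: {share:.0%} of the sample")
    print(check_signup_password("Password"))
```

In a real deployment the list is loaded from one of the published sources, and the check runs both at sign-up and when a password is changed, so the 91% figure has no chance to reproduce itself in your own user base.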
OpenID
OAuth 1.0
1. Request Request Token
2. Grant Request Token
3. Direct User to Service
4. Obtain Authorization
5. Direct to Consumer
6. Request Access Token
7. Grant Access Token
8. Access Resources
OAuth 1.0a
OAuth 2.0
Flow between Consumer and Service Provider:
1. Direct User to Service
2. Obtain Authorization
3. Request Access Token
4. Grant Access Token
5. Direct to Consumer
6. Access Resources / Profile
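The OAuth 2.0 sequence above, played out in code as an added example (not code from the talk or from any provider): a hypothetical in-memory service provider issues a single-use authorization code and exchanges it for a bearer token, and the consumer ties the callback to the login it started via the `state` value before fetching the profile. Client id, secret, redirect URI and the user record are constructed for the example.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class ServiceProvider:
    """Service-provider side (authorization server plus profile resource), in memory."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}    # authorization code -> grant details (single use)
        self.tokens = {}   # access token -> user record

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, client_id, redirect_uri, state, user):
        """Steps 1-2 and 5: user was directed here and approved; build the redirect back."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user}
        # The consumer's state value is echoed back untouched.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 3-4: back-channel exchange of the code for an access token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = grant["user"]
        return {"access_token": token, "token_type": "bearer"}

    def profile(self, access_token):
        """Step 6: the resource (here the profile) guarded by the bearer token."""
        user = self.tokens.get(access_token)
        if user is None:
            raise PermissionError("invalid_token")
        return {"name": user["name"], "email": user["email"]}


class Consumer:
    """The application that wants to know who the user is."""

    def __init__(self, provider, client_id, client_secret, redirect_uri):
        self.provider = provider
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.pending_states = set()  # in a real app: stored in the browser session

    def start_login(self):
        """Build the authorization request the user's browser is sent off with."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "state": state}

    def handle_callback(self, callback_url):
        """Check state, swap the code for a token, read the profile."""
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [None])[0]
        if state not in self.pending_states:
            raise ValueError("state mismatch: callback not tied to a login we started")
        self.pending_states.discard(state)  # each state is good for one callback
        code = params["code"][0]
        grant = self.provider.token(self.client_id, self.client_secret, code, self.redirect_uri)
        return self.provider.profile(grant["access_token"])


def run_flow():
    """Walk the whole sequence once and return the profile the consumer obtains."""
    provider = ServiceProvider()
    provider.register_client("demo-app", "demo-secret", "https://consumer.example/callback")
    consumer = Consumer(provider, "demo-app", "demo-secret", "https://consumer.example/callback")
    user = {"name": "Alice Example", "email": "alice@example.com"}  # constructed test user
    request = consumer.start_login()
    callback = provider.authorize(request["client_id"], request["redirect_uri"],
                                  request["state"], user)
    return consumer.handle_callback(callback)


if __name__ == "__main__":
    print(run_flow())
```

The two checks that keep the sequence honest are both visible here: the provider only ever redirects to the URI registered for the client, and the consumer refuses any callback whose `state` it did not itself mint, so a code delivered by some route other than the login it started is never exchanged.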
OAuth 2.0 and the Road to Hell
Source: homakov.blogspot.de/2013/03/oauth1-oauth2-oauth.html
OAuth 2.0 + OpenID Connect
Identity Providers
Out of 657 surveyed users, 66% think that social sign-in is a desirable alternative. Source: bit.ly/bluestats
Google, Facebook, Twitter
Social vs Concrete
• Name, email, location
• Friends, address
• Verified address, payment address, account type
• Seamless checkout
Demo
The nature of an identity matters
Recognize the difference between authentication and authorization
Well-used authorization can improve the user experience beyond plain user identification
The user experience should be enhanced not impaired by user authentication