CIS14: Google's Identity Toolkit

  • 1. Identity Toolkit, https://developers.google.com/identity-toolkit/, July 2014: Cloud Identity Summit

  • 2–3. Trying to eliminate passwords on the Internet: where we've been, what we've learned, where we're going with Identity Toolkit

Where we've been

  • 4–6. Which apps and websites are we talking about? The vast majority of them, but not all of them:
    - a few apps are incredibly tightly knit to one IDP
    - a few apps have stricter security or regulatory concerns (can often be handled by layering on the flows we'll discuss)

  • 7–13. Passwords (wordpress.com):
    - usernames are hard to remember
    - passwords are hard to remember
    - typing is annoying
    - recovery is based on email messages
    - password databases get hacked
    - often no risk-based challenges

  • 14–17. Federated login: simple, secure ...in isolation

What we've learned

  • 19. Password and federation side-by-side is common (opentable.com)

  • 20. Password recovery as login is growing (WeChat)

  • 21. Password-only is still common (nytimes.com)

  • 22–29. What we've learned from federated login. Users are...
    - being asked questions like "How do you want to authenticate?"
    - confused by permissions and their privacy implications
    - locked out when their IDP account is inaccessible
    Developers are...
    - still using username/password because it's in frameworks
    - (often unknowingly) not handling edge cases

Where we're going with Identity Toolkit

  • 31. Demos of Identity Toolkit v3: http://goo.gl/Bm1bpc

  • 32–38. Identify the user, then authenticate:
    - existing users: prompt for existing password
    - new users: prompt to create password
    - existing "Sign in with Google" users: route to the Sign in with Google login flow

  • 39–40. (Mock-up) Existing users, password prompt; sample identifiers on the slide: sarah@comcast.net, nikhil@gmail.com, meng@outlook.com, bruno@yahoo.com

  • 41–43. New users: 1. Identifiable IDP; 2. Fast email verification

  • 44–48. Fast email verification: essentially doing a password reset email every time ...without sending an email.
    - RP → IDP: provides the user's email address
    - IDP → RP: True/False, is the email address signed in to the user agent?
    - User is authenticated

  • 49. Fast email verification: avoid double consent since the user gave the email address to the RP; the IDP could provide public info associated with the email if useful (profile picture, public username, etc.)
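The identify-then-authenticate routing (slides 32–43) and the fast email verification exchange (slides 44–48), as an added Python model that is not the Identity Toolkit API or Google's code. The user directory, the IDP domain table, the shared HMAC key, the nonce/audience fields and the set of emails "signed in to the user agent" are constructed assumptions used to show what the RP should check before trusting a True answer.

```python
import hashlib
import hmac
import json
import secrets

# Constructed data, not real accounts: the RP's directory (email -> auth method)
# and the domains the RP can route to an identifiable IDP.
USER_DIRECTORY = {"sarah@comcast.net": "password", "nikhil@gmail.com": "google"}
IDENTIFIABLE_IDPS = {"gmail.com": "google"}
# Assumption: RP and IDP share an HMAC key so the IDP's answer can be authenticated.
SHARED_KEY = b"rp-idp-shared-secret-constructed"


def route(email: str) -> str:
    """Identify the user by email first, then choose the authentication step."""
    method = USER_DIRECTORY.get(email)
    if method == "password":
        return "prompt_for_existing_password"
    if method == "google":
        return "route_to_sign_in_with_google"
    # New user: use fast email verification only if the IDP is identifiable from the address.
    if email.rpartition("@")[2] in IDENTIFIABLE_IDPS:
        return "fast_email_verification"
    return "prompt_to_create_password"


def rp_build_request(email: str, rp_id: str) -> dict:
    """RP -> IDP: the email the user typed, plus a fresh nonce and the RP's identity."""
    return {"email": email, "nonce": secrets.token_hex(16), "aud": rp_id}


def idp_check(request: dict, signed_in_emails: set) -> dict:
    """IDP -> RP: True/False whether that email is signed in to the user agent.
    The answer echoes nonce and audience and is signed with the shared key."""
    payload = {"email": request["email"], "signed_in": request["email"] in signed_in_emails,
               "nonce": request["nonce"], "aud": request["aud"]}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()}


def rp_verify_answer(request: dict, response: dict, rp_id: str) -> bool:
    """RP side: accept 'user is authenticated' only if the signature is valid and the
    answer is bound to this request (nonce), this RP (aud) and this email."""
    expected = hmac.new(SHARED_KEY, response["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["sig"]):
        return False  # forged or tampered answer
    answer = json.loads(response["body"])
    if (answer["nonce"] != request["nonce"] or answer["aud"] != rp_id
            or answer["email"] != request["email"]):
        return False  # replayed answer or answer meant for a different RP / email
    return bool(answer["signed_in"])
```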