Identity Toolkit https://developers.google.com/identity-toolkit/ July 2014 : Cloud Identity Summit

CIS14: Google's Identity Toolkit


Google Confidential and Proprietary

Trying to eliminate passwords on the Internet

● Where we’ve been

● What we’ve learned

● Where we’re going with Identity Toolkit

Which apps and websites are we talking about?

The vast majority of them, but not all of them

● A few apps are incredibly tightly knit to one IDP

● A few apps have stricter security or regulatory concerns (can often be handled by layering on the flows we’ll discuss)

Passwords

● Usernames are hard to remember

● Passwords are hard to remember

● Typing is annoying

● Recovery based on email msgs

● Password databases get hacked

● Often no risk-based challenges

(wordpress.com)

Federated login

Simple

Secure

...in isolation

Password and federation side-by-side is common

(opentable.com)

Password recovery as login is growing

(WeChat)

Password-only is still common

(nytimes.com)

What we’ve learned from federated login

Users are...

● being asked questions like “How do you want to authenticate?”

● confused by permissions and their privacy implications

● locked out when their IDP account is inaccessible

Developers are...

● still using username/password because it’s in frameworks

● (often unknowingly) not handling edge cases

Demos of Identity Toolkit v3

http://goo.gl/Bm1bpc

Identify the user, then authenticate

Existing users

Prompt for existing password

New users

Prompt to create password

Existing “Sign in with Google” users

Route to Sign in with Google login flow

Existing users

Password

[email protected]

[email protected]@outlook.com

[email protected]

New users

1. Identifiable IDP

2. Fast Email Verification

Fast email verification

Essentially doing a password reset email every time...without sending an email

RP: Provides the user’s email address

IDP: True/False, is the email address signed in to the user agent?

User is authenticated

Where we’re going with Identity Toolkit

Fast email verification

● Avoid double consent since user gave the email address to the RP

● IDP could provide public info associated with the email if useful (profile picture, public username, etc.)

Typing an email address? ...use an account chooser instead

Typing an email address? ...use accountchooser.com instead

Recap: Putting all of the pieces together

[demos, take 2]

Authorization is important though!

Limited permissions makes login smoother for users

Incremental auth makes interesting apps possible!

● Calendar management services

● Social-recommendation-based services

● Cloud storage management/viewing services

How do sites enable this experience?

It should be easy, but it’s not

Developers shouldn’t need to be security experts.

~150k views

~65k views

~17k views

We’re making progress

But we’re not there yet

The easiest authentication system to build is username/password

It’s still the default

Google Identity Toolkit intends to lower the bar

Handles multiple protocols

● Google, Facebook, Yahoo, AOL, Microsoft and Paypal

● Just verify a JWT and issue a session cookie

● Same process for all IDPs, same format JWT for all IDPs

{
  "iss": "https://identitytoolkit.google.com",
  "user_id": 123,
  "aud": "6332423432073.apps.googleusercontent.com",
  "provider_id": "google.com",
  "exp": 1407089191,
  "iat": 1405879591,
  "email": "[email protected]"
}

{
  "iss": "https://identitytoolkit.google.com",
  "user_id": 123,
  "aud": "6332423432073.apps.googleusercontent.com",
  "provider_id": "facebook.com",
  "exp": 1407089191,
  "iat": 1405879591,
  "email": "[email protected]"
}
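The "just verify a JWT and issue a session cookie" step, sketched as an added example (not code from the slides or from Identity Toolkit itself). The slides do not name the signature algorithm, so HS256 with a constructed key stands in to keep the block standard-library only; the function names, the session-key scheme and the email value are assumptions.

```python
import base64, hashlib, hmac, json

# Assumptions, not from the slides: HS256 and DEMO_KEY stand in for the real
# signature scheme; the email value is a constructed placeholder.
EXPECTED_ISS = "https://identitytoolkit.google.com"
EXPECTED_AUD = "6332423432073.apps.googleusercontent.com"
DEMO_KEY = b"constructed-demo-key"
SAMPLE_CLAIMS = {"iss": EXPECTED_ISS, "user_id": 123, "aud": EXPECTED_AUD,
                 "provider_id": "google.com", "exp": 1407089191,
                 "iat": 1405879591, "email": "user@example.com"}

def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_demo_token(claims, key=DEMO_KEY, alg="HS256"):
    """Mint a constructed test token (the RP itself never issues these)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token, now, key=DEMO_KEY, leeway=60):
    """Return the claims if every check passes, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm; never let the token's own header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    if not hmac.compare_digest(sig, hmac.new(key, signed, hashlib.sha256).digest()):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUD:  # token minted for another RP
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise ValueError("expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + leeway:
        raise ValueError("issued in the future")
    return claims

def session_key(claims):
    """Illustrative: the session keys on user_id, the same for every provider_id."""
    return f"user:{claims['user_id']}"
```

Because the claims have the same shape whichever IDP authenticated the user, the relying party runs one verification path and only then sets its session cookie.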

UX is hard to implement

● Pre-built widgets for Android, iOS, and JavaScript

Edge cases are everywhere (merging, mutating, marooning)

Identity Toolkit intends to lower the bar

Migration for existing sites

1. Upload UIDs, emails, and passwords

2. Implement widgets

3. Slowly roll-out federated login

○ Yahoo mail users slowly get migrated to Yahoo federation

○ Outlook users slowly get migrated to Microsoft federation

○ Gmail users slowly get migrated to Google federation

○ AOL users slowly get migrated to AOL federation

Thanks!

I’m Jack [email protected]

See https://developers.google.com/identity-toolkit/ to implement it yourself