CIS14: Google's Identity Toolkit

1,244
-1

Published on

See presentation for information.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,244
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
33
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

CIS14: Google's Identity Toolkit

  1. 1. Identity Toolkit https://developers.google.com/identity-toolkit/ July 2014 : Cloud Identity Summit
  2. 2. Google Confidential and Proprietary Trying to eliminate passwords on the Internet Where we’ve been What we’ve learned Where we’re going with Identity Toolkit
  3. 3. Google Confidential and Proprietary Where we’ve been What we’ve learned Where we’re going with Identity Toolkit Trying to eliminate passwords on the Internet
  4. 4. Google Confidential and Proprietary Which apps and websites are we talking about? The vast majority of them, but not all of them Where we’ve been What we’ve learned Where we’re going
  5. 5. Google Confidential and Proprietary Which apps and websites are we talking about? The vast majority of them, but not all of them ● A few apps are incredibly tightly knit to one IDP Where we’ve been What we’ve learned Where we’re going
  6. 6. Google Confidential and Proprietary Which apps and websites are we talking about? The vast majority of them, but not all of them ● A few apps are incredibly tightly knit to one IDP ● A few apps have stricter security or regulatory concerns (can often be handled by layering on the flows we’ll discuss) Where we’ve been What we’ve learned Where we’re going
  7. 7. Google Confidential and Proprietary Passwords (wordpress.com) What we’ve learned Where we’re goingWhere we’ve been
  8. 8. Google Confidential and Proprietary Passwords ● Usernames are hard to remember (wordpress.com) What we’ve learned Where we’re goingWhere we’ve been
  9. 9. Google Confidential and Proprietary Passwords ● Usernames are hard to remember ● Passwords are hard to remember (wordpress.com) What we’ve learned Where we’re goingWhere we’ve been
  10. 10. Google Confidential and Proprietary Passwords ● Usernames are hard to remember ● Passwords are hard to remember ● Typing is annoying (wordpress.com) What we’ve learned Where we’re goingWhere we’ve been
  11. 11. Google Confidential and Proprietary Passwords ● Usernames are hard to remember ● Passwords are hard to remember ● Typing is annoying ● Recovery based on email msgs (wordpress.com) What we’ve learned Where we’re goingWhere we’ve been
  12. 12. Google Confidential and Proprietary Passwords ● Usernames are hard to remember ● Passwords are hard to remember ● Typing is annoying ● Recovery based on email msgs ● Password databases get hacked (wordpress.com) What we’ve learned Where we’re goingWhere we’ve been
  13. 13. Google Confidential and Proprietary Passwords ● Usernames are hard to remember ● Passwords are hard to remember ● Typing is annoying ● Recovery based on email msgs ● Password databases get hacked ● Often no risk-based challenges(wordpress.com) What we’ve learned Where we’re goingWhere we’ve been
  14. 14. Google Confidential and Proprietary Federated login What we’ve learned Where we’re goingWhere we’ve been
  15. 15. Google Confidential and Proprietary Federated login Simple What we’ve learned Where we’re goingWhere we’ve been
  16. 16. Google Confidential and Proprietary Federated login Simple Secure What we’ve learned Where we’re goingWhere we’ve been
  17. 17. Google Confidential and Proprietary Federated login Simple Secure ...in isolation What we’ve learned Where we’re goingWhere we’ve been
  18. 18. Google Confidential and Proprietary Where we’ve been What we’ve learned Where we’re going with Identity Toolkit
  19. 19. Google Confidential and Proprietary Password and federation side-by-side is common (opentable.com) Where we’ve been What we’ve learned Where we’re going
  20. 20. Google Confidential and Proprietary Password recovery as login is growing (WeChat) Where we’ve been Where we’re goingWhat we’ve learned
  21. 21. Google Confidential and Proprietary Password-only is still common (nytimes.com) Where we’ve been Where we’re goingWhat we’ve learned
  22. 22. Google Confidential and Proprietary What we’ve learned from federated login Users are… Where we’ve been Where we’re goingWhat we’ve learned
  23. 23. Google Confidential and Proprietary What we’ve learned from federated login Users are... ● being asked questions like “How do you want to authenticate?” Where we’ve been Where we’re goingWhat we’ve learned
  24. 24. Google Confidential and Proprietary What we’ve learned from federated login Users are... ● being asked questions like “How do you want to authenticate?” ● confused by permissions and their privacy implications Where we’ve been Where we’re goingWhat we’ve learned
  25. 25. Google Confidential and Proprietary What we’ve learned from federated login Users are... ● being asked questions like “How do you want to authenticate?” ● confused by permissions and their privacy implications ● locked out when their IDP account is inaccessible Where we’ve been Where we’re goingWhat we’ve learned
  26. 26. Google Confidential and Proprietary What we’ve learned from federated login Users are... ● being asked questions like “How do you want to authenticate?” ● confused by permissions and their privacy implications ● locked out when their IDP account is inaccessible Developers are... Where we’ve been Where we’re goingWhat we’ve learned
  27. 27. Google Confidential and Proprietary What we’ve learned from federated login Users are... ● being asked questions like “How do you want to authenticate?” ● confused by permissions and their privacy implications ● locked out when their IDP account is inaccessible Developers are... ● still using username/password because it’s in frameworks Where we’ve been Where we’re goingWhat we’ve learned
  28. 28. Google Confidential and Proprietary What we’ve learned from federated login Users are... ● being asked questions like “How do you want to authenticate?” ● confused by permissions and their privacy implications ● locked out when their IDP account is inaccessible Developers are... ● still using username/password because it’s in frameworks ● (often unknowingly) not handling edge cases Where we’ve been Where we’re goingWhat we’ve learned
  29. 29. Google Confidential and Proprietary What we’ve learned from federated login Users are... ● being asked questions like “How do you want to authenticate?” ● confused by permissions and their privacy implications ● locked out when their IDP account is inaccessible Developers are... ● still using username/password because it’s in frameworks ● (often unknowingly) not handling edge cases Where we’ve been Where we’re goingWhat we’ve learned
  30. 30. Google Confidential and Proprietary Where we’ve been What we’ve learned Where we’re going with Identity Toolkit
  31. 31. Google Confidential and Proprietary Demos of Identity Toolkit v3 http://goo.gl/Bm1bpc Where we’ve been What we’ve learned Where we’re going
  32. 32. Google Confidential and Proprietary Identify the user, then authenticate Where we’ve been What we’ve learned Where we’re going
  33. 33. Google Confidential and Proprietary Existing users Where we’ve been What we’ve learned Where we’re going Identify the user, then authenticate
  34. 34. Google Confidential and Proprietary Existing users Prompt for existing password Where we’ve been What we’ve learned Where we’re going Identify the user, then authenticate
  35. 35. Google Confidential and Proprietary New users Where we’ve been What we’ve learned Where we’re going Identify the user, then authenticate
  36. 36. Google Confidential and Proprietary New users Prompt to create password Where we’ve been What we’ve learned Where we’re going Identify the user, then authenticate
  37. 37. Google Confidential and Proprietary Existing “Sign in with Google” users Where we’ve been What we’ve learned Where we’re going Identify the user, then authenticate
  38. 38. Google Confidential and Proprietary Existing “Sign in with Google” users Route to Sign in with Google login flow Where we’ve been What we’ve learned Where we’re going Identify the user, then authenticate
  39. 39. Google Confidential and Proprietary Existing users Password sarah@comcast.net nikhil@gmail.com meng@outlook.com bruno@yahoo.com Where we’ve been What we’ve learned Where we’re going Identify the user, then authenticate
  40. 40. Google Confidential and ProprietaryWhere we’ve been What we’ve learned Where we’re going Identify the user, then authenticate
  41. 41. Google Confidential and Proprietary New users Where we’ve been What we’ve learned Where we’re going Identify the user, then authenticate
  42. 42. Google Confidential and Proprietary New users Where we’ve been What we’ve learned Identify the user, then authenticate Where we’re going
  43. 43. Google Confidential and Proprietary Identify the user, then authenticate New users 1. Identifiable IDP 2. Fast Email Verification Where we’ve been What we’ve learned Where we’re going
  44. 44. Google Confidential and Proprietary Fast email verification Essentially doing a password reset email every time Where we’ve been What we’ve learned Where we’re going
  45. 45. Google Confidential and Proprietary Fast email verification Essentially doing a password reset email every time ...without sending an email Where we’ve been What we’ve learned Where we’re going
  46. 46. Google Confidential and Proprietary Fast email verification Essentially doing a password reset email every time ...without sending an email RP IDP Provides the user’s email address Where we’ve been What we’ve learned Where we’re going
  47. 47. Google Confidential and Proprietary Fast email verification Essentially doing a password reset email every time ...without sending an email RP IDP Provides the user’s email address True/False, is the email address signed in to the user agent? Where we’ve been What we’ve learned Where we’re going
  48. 48. Google Confidential and Proprietary Fast email verification Essentially doing a password reset email every time ...without sending an email RP IDP Provides the user’s email address True/False, is the email address signed in to the user agent?User is authenticated Where we’ve been What we’ve learned Where we’re going
  49. 49. Google Confidential and Proprietary Where we’re going with Identity Toolkit Fast email verification ● Avoid double consent since user gave the email address to the RP ● IDP could provide public info associated with the email if useful (profile picture, public username, etc.) Where we’ve been What we’ve learned Where we’re going
  50. 50. Google Confidential and Proprietary Where we’re going with Identity Toolkit Typing an email address?! Where we’ve been What we’ve learned Where we’re going
  51. 51. Google Confidential and Proprietary Where we’re going with Identity Toolkit Typing an email address? ...use an account chooser instead Where we’ve been What we’ve learned Where we’re going
  52. 52. Google Confidential and Proprietary Where we’re going with Identity Toolkit Typing an email address? ...use accountchooser.com instead Where we’ve been What we’ve learned Where we’re going
  53. 53. Google Confidential and Proprietary Where we’re going with Identity Toolkit Recap: Putting all of the pieces together [demos, take 2] Where we’ve been What we’ve learned Where we’re going
  54. 54. Google Confidential and Proprietary Authorization is important though! Limited permissions makes login smoother for users Where we’ve been What we’ve learned Where we’re going
  55. 55. Google Confidential and Proprietary Authorization is important though! Limited permissions makes login smoother for users Incremental auth makes interesting apps possible! ● Calendar management services ● Social-recommendation-based services ● Cloud storage management/viewing services Where we’ve been What we’ve learned Where we’re going
  56. 56. Google Confidential and Proprietary How do sites enable this experience? Where we’ve been What we’ve learned Where we’re going
  57. 57. Google Confidential and Proprietary It should be easy, but it’s not Developers shouldn’t need to be security experts. Where we’ve been What we’ve learned Where we’re going
  58. 58. Google Confidential and Proprietary It should be easy, but it’s not Developers shouldn’t need to be security experts. ~150k views ~65k views ~17k views Where we’ve been What we’ve learned Where we’re going
  59. 59. Google Confidential and Proprietary We’re making progress Where we’ve been What we’ve learned Where we’re going
  60. 60. Google Confidential and Proprietary But we’re not there yet The easiest authentication system to build is username/password It’s still the default Where we’ve been What we’ve learned Where we’re going
  61. 61. Google Confidential and Proprietary Google Identity Toolkit intends to lower the bar Handles multiple protocols Where we’ve been What we’ve learned Where we’re going
  62. 62. Google Confidential and Proprietary Google Identity Toolkit intends to lower the bar Handles multiple protocols ● Google, Facebook, Yahoo, AOL, Microsoft and Paypal Where we’ve been What we’ve learned Where we’re going
  63. 63. Google Confidential and Proprietary Google Identity Toolkit intends to lower the bar Handles multiple protocols ● Google, Facebook, Yahoo, AOL, Microsoft and Paypal ● Just verify a JWT and issue a session cookie Where we’ve been What we’ve learned Where we’re going { "iss" : "https://identitytoolkit.google.com", "user_id" : 123, "aud" : "6332423432073.apps.googleusercontent.com", "provider_id" : "google.com", "exp" : 1407089191, "iat" : 1405879591, "email" : "jsmith@gmail.com" }
  64. 64. Google Confidential and Proprietary Google Identity Toolkit intends to lower the bar Handles multiple protocols ● Google, Facebook, Yahoo, AOL, Microsoft and Paypal ● Just verify a JWT and issue a session cookie ● Same process for all IDPs, same format JWT for all IDPs Where we’ve been { "iss" : "https://identitytoolkit.google.com", "user_id" : 123, "aud" : "6332423432073.apps.googleusercontent.com", "provider_id" : " facebook.com", "exp" : 1407089191, "iat" : 1405879591, "email" : "jsmith@gmail.com" } What we’ve learned Where we’re going
  65. 65. Google Confidential and Proprietary Google Identity Toolkit intends to lower the bar Handles multiple protocols ● Google, Facebook, Yahoo, AOL, Microsoft and Paypal ● Just verify a JWT and issue a session cookie ● Same process for all IDPs, same format JWT for all IDPs UX is hard to implement Where we’ve been What we’ve learned Where we’re going
  66. 66. Google Confidential and Proprietary Google Identity Toolkit intends to lower the bar Handles multiple protocols ● Google, Facebook, Yahoo, AOL, Microsoft and Paypal ● Just verify a JWT and issue a session cookie ● Same process for all IDPs, same format JWT for all IDPs UX is hard to implement ● Pre-built widgets for Android, iOS, and JavaScript Where we’ve been What we’ve learned Where we’re going
  67. 67. Google Confidential and Proprietary Google Identity Toolkit intends to lower the bar Handles multiple protocols ● Google, Facebook, Yahoo, AOL, Microsoft and Paypal ● Just verify a JWT and issue a session cookie ● Same process for all IDPs, same format JWT for all IDPs UX is hard to implement ● Pre-built widgets for Android, iOS, and JavaScript Edge cases are everywhere (merging, mutating, marooning) Where we’ve been What we’ve learned Where we’re going
  68. 68. Google Confidential and Proprietary Google Identity Toolkit intends to lower the bar Handles multiple protocols ● Google, Facebook, Yahoo, AOL, Microsoft and Paypal ● Just verify a JWT and issue a session cookie ● Same process for all IDPs, same format JWT for all IDPs UX is hard to implement ● Pre-built widgets for Android, iOS, and JavaScript Edge cases are everywhere (merging, mutating, marooning) Where we’ve been What we’ve learned Where we’re going
  69. 69. Google Confidential and Proprietary Identity Toolkit intends to lower the bar Migration for existing sites 1. Upload UIDs, emails, and passwords 2. Implement widgets 3. Slowly roll-out federated login Where we’ve been What we’ve learned Where we’re going
  70. 70. Google Confidential and Proprietary Identity Toolkit intends to lower the bar Migration for existing sites 1. Upload UIDs, emails, and passwords 2. Implement widgets 3. Slowly roll-out federated login ○ Yahoo mail users slowly get migrated to Yahoo federation ○ Outlook users slowly get migrated to Microsoft federation ○ Gmail users slowly get migrated to Google federation ○ AOL users slowly get migrated to AOL federation Where we’ve been What we’ve learned Where we’re going
  71. 71. Google Confidential and Proprietary Thanks! I’m Jack Greenberg jgreenberg@google.com See https://developers.google.com/identity-toolkit/ to implement it yourself
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×