CIS14: Google's Identity Toolkit

Transcript

  • 1. Identity Toolkit https://developers.google.com/identity-toolkit/ July 2014: Cloud Identity Summit
  • 2. Google Confidential and Proprietary. Trying to eliminate passwords on the Internet: Where we’ve been; What we’ve learned; Where we’re going with Identity Toolkit
  • 3. Trying to eliminate passwords on the Internet: Where we’ve been; What we’ve learned; Where we’re going with Identity Toolkit
  • 4. Which apps and websites are we talking about? The vast majority of them, but not all of them
  • 5. Which apps and websites are we talking about? The vast majority of them, but not all of them ● A few apps are incredibly tightly knit to one IDP
  • 6. Which apps and websites are we talking about? The vast majority of them, but not all of them ● A few apps are incredibly tightly knit to one IDP ● A few apps have stricter security or regulatory concerns (can often be handled by layering on the flows we’ll discuss)
  • 7. Passwords (wordpress.com)
  • 8. Passwords ● Usernames are hard to remember (wordpress.com)
  • 9. Passwords ● Usernames are hard to remember ● Passwords are hard to remember (wordpress.com)
  • 10. Passwords ● Usernames are hard to remember ● Passwords are hard to remember ● Typing is annoying (wordpress.com)
  • 11. Passwords ● Usernames are hard to remember ● Passwords are hard to remember ● Typing is annoying ● Recovery based on email msgs (wordpress.com)
  • 12. Passwords ● Usernames are hard to remember ● Passwords are hard to remember ● Typing is annoying ● Recovery based on email msgs ● Password databases get hacked (wordpress.com)
  • 13. Passwords ● Usernames are hard to remember ● Passwords are hard to remember ● Typing is annoying ● Recovery based on email msgs ● Password databases get hacked ● Often no risk-based challenges (wordpress.com)
  • 14. Federated login
  • 15. Federated login: Simple
  • 16. Federated login: Simple. Secure
  • 17. Federated login: Simple. Secure ...in isolation
  • 18. Where we’ve been; What we’ve learned; Where we’re going with Identity Toolkit
  • 19. Password and federation side-by-side is common (opentable.com)
  • 20. Password recovery as login is growing (WeChat)
  • 21. Password-only is still common (nytimes.com)
  • 22. What we’ve learned from federated login. Users are…
  • 23. What we’ve learned from federated login. Users are... ● being asked questions like “How do you want to authenticate?”
  • 24. What we’ve learned from federated login. Users are... ● being asked questions like “How do you want to authenticate?” ● confused by permissions and their privacy implications
  • 25. What we’ve learned from federated login. Users are... ● being asked questions like “How do you want to authenticate?” ● confused by permissions and their privacy implications ● locked out when their IDP account is inaccessible
  • 26. What we’ve learned from federated login. Users are... ● being asked questions like “How do you want to authenticate?” ● confused by permissions and their privacy implications ● locked out when their IDP account is inaccessible. Developers are...
  • 27. What we’ve learned from federated login. Users are... ● being asked questions like “How do you want to authenticate?” ● confused by permissions and their privacy implications ● locked out when their IDP account is inaccessible. Developers are... ● still using username/password because it’s in frameworks
  • 28. What we’ve learned from federated login. Users are... ● being asked questions like “How do you want to authenticate?” ● confused by permissions and their privacy implications ● locked out when their IDP account is inaccessible. Developers are... ● still using username/password because it’s in frameworks ● (often unknowingly) not handling edge cases
  • 29. What we’ve learned from federated login. Users are... ● being asked questions like “How do you want to authenticate?” ● confused by permissions and their privacy implications ● locked out when their IDP account is inaccessible. Developers are... ● still using username/password because it’s in frameworks ● (often unknowingly) not handling edge cases
  • 30. Where we’ve been; What we’ve learned; Where we’re going with Identity Toolkit
  • 31. Demos of Identity Toolkit v3 http://goo.gl/Bm1bpc
  • 32. Identify the user, then authenticate
  • 33. Identify the user, then authenticate: Existing users
  • 34. Identify the user, then authenticate: Existing users. Prompt for existing password
  • 35. Identify the user, then authenticate: New users
  • 36. Identify the user, then authenticate: New users. Prompt to create password
  • 37. Identify the user, then authenticate: Existing “Sign in with Google” users
  • 38. Identify the user, then authenticate: Existing “Sign in with Google” users. Route to Sign in with Google login flow
  • 39. Identify the user, then authenticate: Existing users. Password. sarah@comcast.net, nikhil@gmail.com, meng@outlook.com, bruno@yahoo.com
  • 40. Identify the user, then authenticate
  • 41. Identify the user, then authenticate: New users
  • 42. Identify the user, then authenticate: New users
  • 43. Identify the user, then authenticate: New users. 1. Identifiable IDP 2. Fast Email Verification
  • 44. Fast email verification: Essentially doing a password reset email every time
  • 45. Fast email verification: Essentially doing a password reset email every time ...without sending an email
  • 46. Fast email verification: Essentially doing a password reset email every time ...without sending an email. RP → IDP: Provides the user’s email address
  • 47. Fast email verification: Essentially doing a password reset email every time ...without sending an email. RP → IDP: Provides the user’s email address. IDP → RP: True/False, is the email address signed in to the user agent?
  • 48. Fast email verification: Essentially doing a password reset email every time ...without sending an email. RP → IDP: Provides the user’s email address. IDP → RP: True/False, is the email address signed in to the user agent? User is authenticated
  • 49. Where we’re going with Identity Toolkit: Fast email verification ● Avoid double consent since user gave the email address to the RP ● IDP could provide public info associated with the email if useful (profile picture, public username, etc.)
  • 50. Where we’re going with Identity Toolkit: Typing an email address?!
  • 51. Where we’re going with Identity Toolkit: Typing an email address? ...use an account chooser instead
  • 52. Where we’re going with Identity Toolkit: Typing an email address? ...use accountchooser.com instead
  • 53. Where we’re going with Identity Toolkit: Recap: Putting all of the pieces together [demos, take 2]
  • 54. Authorization is important though! Limited permissions makes login smoother for users
  • 55. Authorization is important though! Limited permissions makes login smoother for users. Incremental auth makes interesting apps possible! ● Calendar management services ● Social-recommendation-based services ● Cloud storage management/viewing services
  • 56. How do sites enable this experience?
  • 57. It should be easy, but it’s not. Developers shouldn’t need to be security experts.
  • 58. It should be easy, but it’s not. Developers shouldn’t need to be security experts. ~150k views, ~65k views, ~17k views
  • 59. We’re making progress
  • 60. But we’re not there yet. The easiest authentication system to build is username/password. It’s still the default
  • 61. Google Identity Toolkit intends to lower the bar. Handles multiple protocols
  • 62. Google Identity Toolkit intends to lower the bar. Handles multiple protocols ● Google, Facebook, Yahoo, AOL, Microsoft and Paypal
  • 63. Google Identity Toolkit intends to lower the bar. Handles multiple protocols ● Google, Facebook, Yahoo, AOL, Microsoft and Paypal ● Just verify a JWT and issue a session cookie { "iss" : "https://identitytoolkit.google.com", "user_id" : 123, "aud" : "6332423432073.apps.googleusercontent.com", "provider_id" : "google.com", "exp" : 1407089191, "iat" : 1405879591, "email" : "jsmith@gmail.com" }
  • 64. Google Identity Toolkit intends to lower the bar. Handles multiple protocols ● Google, Facebook, Yahoo, AOL, Microsoft and Paypal ● Just verify a JWT and issue a session cookie ● Same process for all IDPs, same format JWT for all IDPs { "iss" : "https://identitytoolkit.google.com", "user_id" : 123, "aud" : "6332423432073.apps.googleusercontent.com", "provider_id" : "facebook.com", "exp" : 1407089191, "iat" : 1405879591, "email" : "jsmith@gmail.com" }
  • 65. Google Identity Toolkit intends to lower the bar. Handles multiple protocols ● Google, Facebook, Yahoo, AOL, Microsoft and Paypal ● Just verify a JWT and issue a session cookie ● Same process for all IDPs, same format JWT for all IDPs. UX is hard to implement
  • 66. Google Identity Toolkit intends to lower the bar. Handles multiple protocols ● Google, Facebook, Yahoo, AOL, Microsoft and Paypal ● Just verify a JWT and issue a session cookie ● Same process for all IDPs, same format JWT for all IDPs. UX is hard to implement ● Pre-built widgets for Android, iOS, and JavaScript
  • 67. Google Identity Toolkit intends to lower the bar. Handles multiple protocols ● Google, Facebook, Yahoo, AOL, Microsoft and Paypal ● Just verify a JWT and issue a session cookie ● Same process for all IDPs, same format JWT for all IDPs. UX is hard to implement ● Pre-built widgets for Android, iOS, and JavaScript. Edge cases are everywhere (merging, mutating, marooning)
  • 68. Google Identity Toolkit intends to lower the bar. Handles multiple protocols ● Google, Facebook, Yahoo, AOL, Microsoft and Paypal ● Just verify a JWT and issue a session cookie ● Same process for all IDPs, same format JWT for all IDPs. UX is hard to implement ● Pre-built widgets for Android, iOS, and JavaScript. Edge cases are everywhere (merging, mutating, marooning)
  • 69. Identity Toolkit intends to lower the bar. Migration for existing sites: 1. Upload UIDs, emails, and passwords 2. Implement widgets 3. Slowly roll out federated login
  • 70. Identity Toolkit intends to lower the bar. Migration for existing sites: 1. Upload UIDs, emails, and passwords 2. Implement widgets 3. Slowly roll out federated login ○ Yahoo mail users slowly get migrated to Yahoo federation ○ Outlook users slowly get migrated to Microsoft federation ○ Gmail users slowly get migrated to Google federation ○ AOL users slowly get migrated to AOL federation
  • 71. Thanks! I’m Jack Greenberg, jgreenberg@google.com. See https://developers.google.com/identity-toolkit/ to implement it yourself
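
The "verify a JWT and issue a session cookie" step from slides 63 and 64, as an added example that is not from the presentation or from Identity Toolkit's own code. It assumes a JWT library has already verified the token's signature against the issuer's published keys; the function names and `SESSION_KEY` are hypothetical, and the issuer and audience values are the ones shown in the slide's sample token.

```python
import base64, hashlib, hmac, json, time

# Assumed values: issuer and audience copied from the sample token on the
# slides; SESSION_KEY and every function name here are hypothetical.
EXPECTED_ISS = "https://identitytoolkit.google.com"
EXPECTED_AUD = "6332423432073.apps.googleusercontent.com"
SESSION_KEY = b"constructed-demo-key"  # load from a secret store in practice
CLOCK_SKEW = 300  # seconds of tolerated clock drift

def check_claims(claims, now=None):
    """Validate claims of a token whose signature was ALREADY verified."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("token minted for a different relying party")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        raise ValueError("exp/iat missing or malformed")
    if now > exp + CLOCK_SKEW:
        raise ValueError("token expired")
    if iat > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    if "user_id" not in claims:
        raise ValueError("no stable user identifier")
    return claims

def _mac(payload):
    return hmac.new(SESSION_KEY, payload, hashlib.sha256).hexdigest().encode()

def issue_session_cookie(claims, ttl=3600, now=None):
    """Mint the RP's own HMAC-protected session value; never outlive the token."""
    now = int(time.time()) if now is None else now
    session = {"uid": claims["user_id"], "idp": claims.get("provider_id"),
               "exp": min(now + ttl, claims["exp"])}
    payload = base64.urlsafe_b64encode(json.dumps(session).encode())
    return (payload + b"." + _mac(payload)).decode()

def read_session_cookie(value, now=None):
    """Return the session dict, or None if forged, malformed or expired."""
    now = int(time.time()) if now is None else now
    payload, _, mac = value.encode().partition(b".")
    if not hmac.compare_digest(mac, _mac(payload)):
        return None
    session = json.loads(base64.urlsafe_b64decode(payload))
    return session if session["exp"] >= now else None
```

The session is keyed on `user_id` rather than `email`, so the same checks apply whichever `provider_id` the token carries. Set the resulting value as a `Secure`, `HttpOnly` cookie.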
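
The "identify the user, then authenticate" routing from slides 32 to 43, combined with the gradual federation rollout from slides 69 and 70, as an added example that is not from the presentation. The account records, the domain-to-IDP map, the step names and the hash-based rollout bucket are all assumptions constructed for illustration.

```python
import hashlib

# Constructed for illustration: the domain map follows the migration slide
# (Yahoo, Outlook, Gmail, AOL); account records and step names are hypothetical.
IDP_FOR_DOMAIN = {"gmail.com": "google.com", "yahoo.com": "yahoo.com",
                  "outlook.com": "microsoft.com", "aol.com": "aol.com"}
ACCOUNTS = {  # email -> how the account currently signs in
    "sarah@comcast.net": {"federated": None},
    "nikhil@gmail.com": {"federated": "google.com"},
    "bruno@yahoo.com": {"federated": None},
}

def rollout_bucket(email):
    """Stable 0-99 bucket so a user always lands on the same side of a rollout."""
    return int(hashlib.sha256(email.encode()).hexdigest(), 16) % 100

def next_step(raw_email, rollout_percent=0):
    """Decide which authentication step follows once the user is identified."""
    email = raw_email.strip().lower()
    local, at, domain = email.rpartition("@")
    if not (local and at and domain):
        return "reject_identifier"
    idp = IDP_FOR_DOMAIN.get(domain)
    account = ACCOUNTS.get(email)
    if account is None:
        # New user: send to an identifiable IDP if there is one, otherwise
        # fall back to creating a password.
        return f"federate:{idp}" if idp else "create_password"
    if account["federated"]:
        return f"federate:{account['federated']}"
    # Existing password user: migrate only inside the rollout slice.
    if idp and rollout_bucket(email) < rollout_percent:
        return f"federate:{idp}"
    return "prompt_password"
```

The email domain only selects where the user is sent; the account is linked to an IDP after that IDP's verified token comes back, not because of the domain.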