Authentication for Droids
This talk about identity and authentication was held at Droidcon UK 2013. It goes into the differences of different authorization and authentication techniques and tries to shed some light on best practices.

Technologies being covered are OAuth, OpenID and OpenID Connect.

Speaker Notes

  • We're having a mobile first approach where we push our products. PayPal is opening up to technology and developers
  • There is no way to better explain anything than using Lego and Ninjas. Pic: http://www.flickr.com/photos/mac_filko/5471023503/
  • Authorization first. Do we always need to have site-specific passwords?
  • Passed as header in the requests, encoded as Base64
  • http://www.nngroup.com/articles/stop-password-masking/ Jakob Nielsen 2009
  • Final Draft 2007. Eran Hammer. Twitter, Yahoo, Google
  • Request Token, Access Token
  • 2009: Possible man-in-the-middle attack. Redirect URL moved from step 2 to 1
  • Matthias Käppler, Qype / SoundCloud
  • Focus on simplicity and different scenarios. Main framework published in 2012. Bearer token
  • Authorization code, Access token, Refresh token
  • Eran Hammer discusses disadvantages of OAuth 2.0. Blueprint for an authorization protocol
  • Security flaws that need to be solved in the implementation. Egor Homakov
  • This is about proving that it's actually me. http://www.flickr.com/photos/gaelx/5445598436
  • To name just a few interesting pieces of information. Definition via scopes which can be static or dynamic
  • Developed in 2005. 2012 Authentication bug hijacking. MyOpenID.com to shut down in 2014 (JanRain)
  • Launched 2011. Pushed via Mozilla. Identity Bridging in 2013 (via Gmail, ..)
  • Provides identity and grants access to resources. Draft in 2009. Uses OAuth 1.0
  • Identity layer on top of OAuth 2.0. Access profile information in a REST-friendly way. Currently still a draft. Session management
  • Social connects to my friends and shows interests. Concrete pulls real data
  • Source: http://www.shop.org/sites/default/files/janrain_-_consumer_perceptions_of_online_registration_social_sign_in_0.pdf
  • Don't use identity as barrier. Don't force users into it. Picture: http://www.flickr.com/photos/pagedooley/5313215496

Presentation Transcript

  • Authentication for Droids These are the droids you are looking for Tim Messerschmidt @SeraAndroid
  • Developer Evangelist
  • Why am I here?
  • Rebuilding the Developer Experience: developer.paypal.com
  • Do we always use the same identity?
  • Should we always use the same identity?
  • Authentication vs. Authorization
  • Current standards
  • Basic Authentication username:password
  • Passwords wiki.scullsecurity.org/Passwords
  • Security Nightmare: 4.7% of users have the password password; 8.5% have the passwords password or 123456; 9.8% have the passwords password, 123456 or 12345678; 14% have a password from the top 10 passwords; 40% have a password from the top 100 passwords; 79% have a password from the top 500 passwords; 91% have a password from the top 1000 passwords
  • Allow your users to see their input
  • OAuth 1.0
  • Consumer / Service Provider flow: Request Request Token → Grant Request Token → Direct User to Service → Obtain Authorization → Direct to Consumer → Request Access Token → Grant Access Token → Access Resources
  • OAuth 1.0a
  • Signpost <3 github.com/mttkay/signpost
  • OAuth 2.0
  • Consumer / Service Provider flow: Direct User to Service → Obtain Authorization → Direct to Consumer → Request Access Token → Grant Access Token → Access Resources / Profile
  • HTTP Header:
        URL url = new URL("http://url.com/");
        HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
        // the bearer token travels in the Authorization header of the request
        urlConnection.setRequestProperty("Authorization", "Bearer …");
    URI parameter: url.com/oauth?access_token=…
  • Scribe github.com/fernandezpablo85/scribe PostmanLib github.com/fedepaol/PostmanLib-Rings-Twice--Android
  • OAuth 2.0 and the Road to Hell http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
  • http://homakov.blogspot.de/2013/03/oauth1-oauth2-oauth.html
  • Date of Birth Name Creation Date Email Time Zone Gender Phone Number Language Locale Address
  • OpenID
  • BrowserID Persona
  • How to combine both?
  • OpenID with OAuth Hybrid Extension
  • OpenID Connect
  • Identity Providers Social vs. Concrete
  • Log in via PayPal in the browser or a WebView.
  • Yeah, nice... but why? People forget passwords... 45% admit to leaving a website instead of resetting their password or answering security questions* (* Blue Inc. 2011)
  • Also they hate to register. Out of 657 surveyed users 66% think that social sign-in is a desirable alternative.* (* Blue Inc. 2011)
  • Wrap up Identity does matter Difference between authentication and authorization User Experience should be enhanced not impaired
  • Questions? tmesserschmidt@paypal.com @SeraAndroid slideshare.com/paypal
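The Basic Authentication and OAuth 2.0 bearer-token slides above both describe how credentials travel on the wire: Basic as Base64 of username:password, the bearer token either in an Authorization header or as an access_token URI parameter. The following added example (not from the talk) builds and decodes both header forms, shows that Base64 is reversible rather than secret, and scans constructed access-log lines for tokens that the URI-parameter form leaves behind; the log lines, usernames and tokens are made-up sample data.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs


def basic_header(username: str, password: str) -> str:
    """Basic Authentication header value: base64(username:password)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header: str) -> tuple[str, str]:
    """Recover username and password from a Basic header.

    Base64 is an encoding, not encryption: any proxy, log or non-TLS
    network path that sees the header gets the plaintext back."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, pw = base64.b64decode(encoded).decode("utf-8").partition(":")
    return user, pw


def bearer_header(access_token: str) -> str:
    """OAuth 2.0 bearer token in the Authorization header (the slide's first form)."""
    return "Bearer " + access_token


def tokens_in_query(url: str) -> list[str]:
    """Access tokens carried in the query string (the slide's 'access_token=' form).

    Works for absolute URLs and for the request path as logged by a web server."""
    return parse_qs(urlsplit(url).query).get("access_token", [])


# Constructed access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Oct/2013:10:12:01 +0100] "GET /oauth?access_token=abc123 HTTP/1.1" 200 512
10.0.0.6 - - [24/Oct/2013:10:12:02 +0100] "GET /api/me HTTP/1.1" 200 340
"""


def leaked_tokens_in_log(log: str) -> list[str]:
    """Tokens sent as URI parameters end up in server logs; header tokens do not."""
    found = []
    for line in log.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if m:
            found.extend(tokens_in_query(m.group(1)))
    return found
```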