Online identity getting to know your users

A talk I gave at London Web Standards

Published in: Technology

  1. Online Identity: Getting to know your users. Cristiano Betta, Developer Evangelist
  2. Developer Evangelist
  3. Why am I here?
  4. Do we always want to use the same identity?
  5. Should we always want to use the same identity?
  6. Authentication vs Authorisation
  7. A little history lesson
  8. Username + password
  9. Security considerations
  10. Security nightmare
  11. 4.7% of users have the password "password"; 8.5% have the password "password" or "123456"; 9.8% have the password "password", "123456" or "12345678"; 14% have a password from the top 10 passwords; 40% have a password from the top 100 passwords; 79% have a password from the top 500 passwords; 91% have a password from the top 1000 passwords. Source: xato.net/passwords/more-top-worst-passwords/
  12. wiki.skullsecurity.org/Passwords
  13. 45% admit to leaving a website instead of resetting their password or answering security questions. Source: bit.ly/bluestats
  14. OpenID
  15. OAuth 1.0
  16. [Diagram: OAuth 1.0 flow between Consumer and Service Provider. Steps: Request Request Token, Grant Request Token, Direct User to Service, Obtain Authorization, Direct to Consumer, Request Access Token, Grant Access Token, Access Resources]
  17. OAuth 1.0a
  18. OAuth 2.0
  19. OAuth 2.0
  20. [Diagram: OAuth 2.0 flow between Consumer and Service Provider. Steps: Direct User to Service, Obtain Authorization, Direct to Consumer, Request Access Token, Grant Access Token, Access Resources / Profile]
  21. OAuth 2.0 and the Road to Hell: homakov.blogspot.de/2013/03/oauth1-oauth2-oauth.html
  22. OAuth 2.0 + OpenID Connect
  23. Identity Providers
  24. Out of 657 surveyed users, 66% think that social sign-in is a desirable alternative. Source: bit.ly/bluestats
  25. Google, Facebook, Twitter
  26. Social vs Concrete
  27. • Name, email, location
  28. • Name, email, location • Friends, address
  29. • Name, email, location • Friends, address • Verified address, payment address, account type
  30. • Name, email, location • Friends, address • Verified address, payment address, account type • Seamless checkout
  31. Demo
  32. The nature of an identity matters
  33. Recognize the difference between authentication and authorization
  34. Well-used authorization can improve the user experience beyond plain user identification
  35. The user experience should be enhanced, not impaired, by user authentication
  36. Questions? cbetta@paypal.com, slideshare.net/paypal
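The OAuth 2.0 exchange sketched in slides 16 and 20, as an added Python example that is not part of the talk: an in-process consumer and service provider walk through Direct User to Service, Obtain Authorization, Direct to Consumer, Request/Grant Access Token and Access Resources, including the `state` check and the exact `redirect_uri` match that a consumer and provider have to supply themselves. The client id, URLs and profile are constructed placeholders, not a real provider's API.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample data: the client id, URLs and profile are placeholders.
REGISTERED = {"demo-app": "https://consumer.example/callback"}

class ServiceProvider:   # in-process stand-in for the identity provider
    def __init__(self):
        self.codes, self.tokens = {}, {}
    def authorize(self, client_id, redirect_uri, state):
        # Only the exactly registered redirect_uri may receive the code.
        if REGISTERED.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri)
        # Direct to Consumer: the code and the unchanged state go back.
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"
    def token(self, client_id, redirect_uri, code):
        # Request Access Token: the code is single use and bound to the client.
        if self.codes.pop(code, None) != (client_id, redirect_uri):
            raise ValueError("invalid or reused authorization code")
        tok = secrets.token_urlsafe(24)                      # Grant Access Token
        self.tokens[tok] = {"name": "Alice Example", "email": "alice@example.org"}
        return tok
    def profile(self, access_token):                         # Access Resources / Profile
        return self.tokens[access_token]

class Consumer:
    client_id, redirect_uri = "demo-app", REGISTERED["demo-app"]
    def __init__(self, provider):
        self.provider, self.pending_state = provider, None
    def start_login(self):
        # Direct User to Service: state ties this attempt to the user's session.
        self.pending_state = secrets.token_urlsafe(16)
        return urlencode({"response_type": "code", "client_id": self.client_id,
                          "redirect_uri": self.redirect_uri, "state": self.pending_state})
    def callback(self, url):
        qs = parse_qs(urlparse(url).query)
        if qs.get("state", [None])[0] != self.pending_state:
            raise ValueError("state mismatch: callback was not started by this session")
        self.pending_state = None
        tok = self.provider.token(self.client_id, self.redirect_uri, qs["code"][0])
        return self.provider.profile(tok)

def run_flow(state_override=None):
    # Runs the whole exchange; state_override simulates a callback with a wrong state.
    sp = ServiceProvider(); app = Consumer(sp); app.start_login()
    url = sp.authorize(app.client_id, app.redirect_uri, state_override or app.pending_state)
    return app.callback(url)
```

`run_flow()` returns the profile only when the state echoed back matches the pending login; a callback carrying any other state, or a code presented twice, is rejected.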
