Authentication for Droids

This talk about identity and authentication was held at Droidcon UK 2013. It explains the differences between the various authorization and authentication techniques and tries to shed some light on best practices.

Technologies being covered are OAuth, OpenID and OpenID Connect.

  • We’re having a mobile-first approach where we push our products. PayPal is opening up to technology and developers.
  • There is no better way to explain anything than using Lego and Ninjas. Pic: http://www.flickr.com/photos/mac_filko/5471023503/
  • Authorization first. Do we always need to have site-specific passwords?
  • Passed as a header in the requests, encoded as Base64.
  • http://www.nngroup.com/articles/stop-password-masking/ (Jakob Nielsen, 2009)
  • Final draft 2007. Eran Hammer. Twitter, Yahoo, Google.
  • Request Token, Access Token.
  • 2009: possible man-in-the-middle attack. Redirect URL moved from step 2 to step 1.
  • Matthias Käppler (Qype / SoundCloud)
  • Focus on simplicity and different scenarios. Main framework published in 2012. Bearer token.
  • Authorization code, Access token, Refresh token.
  • Eran Hammer discusses disadvantages of OAuth 2.0. Blueprint for an authorization protocol.
  • Security flaws that need to be solved in the implementation. Egor Homakov.
  • This is about proving that it’s actually me. Pic: http://www.flickr.com/photos/gaelx/5445598436
  • To name just a few interesting pieces of information. Definition via scopes, which can be static or dynamic.
  • Developed in 2005. 2012: authentication bug (hijacking). MyOpenID.com to shut down in 2014 (JanRain).
  • Launched 2011. Pushed via Mozilla. Identity Bridging in 2013 (via Gmail, ...).
  • Provides identity and grants access to resources. Draft in 2009. Uses OAuth 1.0.
  • Identity layer on top of OAuth 2.0. Access profile information in a REST-friendly way. Currently still a draft. Session management.
  • Social connects to my friends and shows interests. Concrete pulls real data.
  • Source: http://www.shop.org/sites/default/files/janrain_-_consumer_perceptions_of_online_registration_social_sign_in_0.pdf
  • Don’t use identity as a barrier. Don’t force users into it. Picture: http://www.flickr.com/photos/pagedooley/5313215496
  • Authentication for Droids
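
Worked example for the Basic Authentication slides (9 to 11) and the note above about the Base64-encoded header. This is an added Python example, not code from the talk; the usernames, passwords and the PBKDF2 settings in it are constructed. It builds the header a client sends, parses it the way a server must (splitting on the first colon only, so passwords containing a colon survive) and checks the password against a salted hash in constant time instead of comparing plaintext.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def basic_auth_header(username: str, password: str) -> str:
    """Build the value for an 'Authorization' header using the Basic scheme.
    user-id and password are joined with ':' and Base64-encoded. Base64 is an
    encoding, not encryption: anyone who sees the request sees the password,
    which is why Basic credentials only belong on a TLS connection."""
    if ":" in username:
        raise ValueError("the user-id must not contain ':' (it is the separator)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value: str) -> Tuple[str, str]:
    """Server side: turn 'Basic <base64>' back into (username, password).
    Splits on the FIRST ':' only, so passwords that contain ':' survive."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError) as exc:
        raise ValueError("malformed Base64 in Basic credentials") from exc
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("Basic credentials must contain ':'")
    return user, password


PBKDF2_ITERATIONS = 100_000  # constructed setting for this example's credential store


def make_record(password: str) -> Dict[str, object]:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def authenticate(header_value: str, store: Dict[str, Dict[str, object]]) -> Optional[str]:
    """Return the authenticated username, or None on any failure."""
    try:
        user, password = parse_basic_auth(header_value)
    except ValueError:
        return None
    record = store.get(user)
    # Unknown user: hash against a dummy salt anyway, so the response time does
    # not reveal which usernames exist.
    salt = record["salt"] if record else b"\0" * 16
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None
    return user
```

Decoding the header back to plain text is exactly the point of the "encoded as Base64" note: the scheme only transports the password, so it needs TLS in front of it and a hashed credential store behind it.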
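
Added Python example for the OAuth 1.0 / 1.0a slides (13 to 16) and the notes on the request token, the access token and the 2009 fix that moved the callback into step 1. It is not code from the talk or from the Signpost library the deck recommends. It computes the HMAC-SHA1 signature base string and signature from RFC 5849, verifies a signature on the service-provider side, and sketches the three legs with the oauth_callback in step 1 and the oauth_verifier in step 3 that 1.0a introduced. Keys, tokens and endpoints are constructed sample values; the signing vector used in the test is the one from the OAuth Core 1.0 specification's appendix.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple
from urllib.parse import quote


def percent_encode(value: str) -> str:
    # RFC 5849 section 3.6: only ALPHA / DIGIT / '-' / '.' / '_' / '~' stay literal,
    # everything else becomes %XX with uppercase hex.
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: Dict[str, str]) -> str:
    # Section 3.4.1: encode every key and value, sort, join as k=v with '&',
    # then join METHOD, base URL and that parameter string, each encoded again.
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # The key is both secrets, each encoded, joined with '&' (token secret may be empty).
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method: str, url: str, params: Dict[str, str], consumer_key: str,
                 consumer_secret: str, token: Optional[str] = None, token_secret: str = "",
                 nonce: Optional[str] = None, timestamp: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Consumer side: add the oauth_* protocol parameters, sign, and build the
    Authorization header. Returns (header value, oauth parameters incl. signature)."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or base64.urlsafe_b64encode(os.urandom(16)).decode("ascii").rstrip("="),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{k}="{percent_encode(v)}"' for k, v in sorted(oauth.items()))
    return header, oauth


def verify_signature(method: str, url: str, params: Dict[str, str],
                     consumer_secret: str, token_secret: str = "") -> bool:
    """Service-provider side: recompute from everything except oauth_signature and
    compare in constant time. Replay checks on nonce/timestamp are a separate store lookup."""
    received = params.get("oauth_signature")
    if not received:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(signature_base_string(method, url, unsigned),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, received)


def demo_three_legged_flow() -> Tuple[str, str]:
    """Shape of the 1.0a dance. Keys, tokens and hosts are constructed sample values."""
    ck, cs = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
    # Step 1: ask for a request token. 1.0a sends oauth_callback here, covered by the
    # signature, instead of as an unsigned parameter on the step-2 redirect (the 2009 fix).
    step1, _ = sign_request("POST", "https://photos.example.net/request_token",
                            {"oauth_callback": "myapp://oauth"}, ck, cs)
    # Step 2: the user approves at the provider and is redirected back with
    # oauth_token and oauth_verifier (values below are constructed).
    req_token, req_secret, verifier = "hh5s93j4hdidpola", "hdhd0244k9j7ao03", "hfdp7dh39dks9884"
    # Step 3: trade the request token plus verifier for an access token.
    step3, _ = sign_request("POST", "https://photos.example.net/access_token",
                            {"oauth_verifier": verifier}, ck, cs, req_token, req_secret)
    return step1, step3
```

Because the callback and the verifier are both inside the signed parameter set, the provider can tie the access-token request in step 3 to the approval it actually saw in step 2, which is what the 1.0a revision was about.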

    1. Authentication for Droids. These are the droids you are looking for. Tim Messerschmidt, @SeraAndroid
    2. Developer Evangelist
    3. Why am I here?
    4. Rebuilding the Developer Experience: developer.paypal.com
    5. Do we always use the same identity?
    6. Should we always use the same identity?
    7. Authentication vs. Authorization
    8. Current standards
    9. Basic Authentication: username:password
    10. Passwords: wiki.scullsecurity.org/Passwords
    11. Security Nightmare: 4.7% of users have the password "password"; 8.5% have the passwords "password" or "123456"; 9.8% have the passwords "password", "123456" or "12345678"; 14% have a password from the top 10 passwords; 40% have a password from the top 100 passwords; 79% have a password from the top 500 passwords; 91% have a password from the top 1000 passwords.
    12. Allow your users to see their input
    13. OAuth 1.0
    14. OAuth 1.0 flow between Consumer and Service Provider (diagram): Request Request Token, Grant Request Token, Direct User to Service, Obtain Authorization, Direct to Consumer, Request Access Token, Grant Access Token, Access Resources
    15. OAuth 1.0a
    16. Signpost <3 github.com/mttkay/signpost
    17. OAuth 2.0
    18. OAuth 2.0 flow between Consumer and Service Provider (diagram): Direct User to Service, Obtain Authorization, Direct to Consumer, Request Access Token, Grant Access Token, Access Resources / Profile
    19. HTTP Header: URL url = new URL("http://url.com/"); HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection(); urlConnection.setRequestProperty("Authorization", "Bearer …"); URI parameter: "url.com/oauth?access_token=…"
    20. Scribe: github.com/fernandezpablo85/scribe. PostmanLib: github.com/fedepaol/PostmanLib-Rings-Twice--Android
    21. OAuth 2.0 and the Road to Hell: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
    22. http://homakov.blogspot.de/2013/03/oauth1-oauth2-oauth.html
    23. Date of Birth, Name, Creation Date, Email, Time Zone, Gender, Phone Number, Language, Locale, Address
    24. OpenID
    25. BrowserID / Persona
    26. How to combine both?
    27. OpenID with OAuth Hybrid Extension
    28. OpenID Connect
    29. Identity Providers: Social vs. Concrete
    30. Log in via PayPal in the browser or a WebView.
    31. Yeah, nice... but why? People forget passwords... 45% admit to leaving a website instead of resetting their password or answering security questions.* (* Blue Inc. 2011)
    32. Also they hate to register: out of 657 surveyed users, 66% think that social sign-in is a desirable alternative.* (* Blue Inc. 2011)
    33. Wrap up: Identity does matter. Difference between authentication and authorization. User Experience should be enhanced, not impaired.
    34. Questions? tmesserschmidt@paypal.com, @SeraAndroid, slideshare.com/paypal
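
The authorization-code flow from slide 18 and the two bearer-token transports from slide 19, written out as an added Python example. It is not part of the deck and not code from Scribe or PostmanLib; the endpoints, client id, codes and tokens are constructed. The state parameter it generates and checks is standard OAuth 2.0 (RFC 6749) rather than something the slides mention. The example covers the three items from the notes (authorization code, access token, refresh token) on the client side, and the resource-server side that pulls the bearer token out of a request.

```python
import secrets
import time
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse


def new_state() -> str:
    # Random, per-login value kept in the user's session; the callback must echo it.
    return secrets.token_urlsafe(24)


def build_authorization_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                            scopes: List[str], state: str) -> str:
    """Step 'Direct User to Service': the URL the app opens in the browser/WebView.
    Scopes (the profile fields of slide 23 are granted this way) are space-separated."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state}
    return f"{auth_endpoint}?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Step 'Direct to Consumer': pull the authorization code out of the redirect.
    The state must match the one this session generated; otherwise the code is
    discarded (RFC 6749 section 10.12)."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise PermissionError(f"provider returned error={query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def token_request_body(code: str, redirect_uri: str, client_id: str) -> str:
    """Step 'Request Access Token': form body POSTed to the token endpoint over TLS.
    (Where the client secret goes, Basic header or body, is provider-specific.)"""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id})


def refresh_request_body(refresh_token: str, client_id: str) -> str:
    return urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                      "client_id": client_id})


class TokenSet:
    """What the token endpoint returns: a short-lived access token and a
    longer-lived refresh token, plus expires_in seconds."""
    def __init__(self, access_token: str, refresh_token: Optional[str], expires_in: int,
                 now: Optional[float] = None):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.expires_at = (time.time() if now is None else now) + expires_in

    def is_expired(self, now: Optional[float] = None, skew: int = 30) -> bool:
        return (time.time() if now is None else now) + skew >= self.expires_at


def ensure_fresh(tokens: TokenSet, refresh: Callable[[str], TokenSet],
                 now: Optional[float] = None) -> TokenSet:
    """Refresh silently before the access token expires instead of bouncing the
    user through the login again."""
    if not tokens.is_expired(now):
        return tokens
    if not tokens.refresh_token:
        raise PermissionError("access token expired and no refresh token: re-authorize")
    return refresh(tokens.refresh_token)


def bearer_header(access_token: str) -> Dict[str, str]:
    # Step 'Access Resources': the header form from slide 19.
    return {"Authorization": f"Bearer {access_token}"}


def extract_bearer_token(headers: Dict[str, str], query: str = "") -> Optional[str]:
    """Resource-server side. The Authorization header wins; the access_token query
    parameter (slide 19's second form) is accepted as a fallback, with the caveat
    that query strings tend to end up in server, proxy and browser-history logs."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    return parse_qs(query).get("access_token", [None])[0]
```

On Android the `bearer_header` dictionary is what the `setRequestProperty("Authorization", "Bearer …")` call on slide 19 sets; the header form keeps the token out of URLs, which is why it is the one to prefer when the provider supports both.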
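
Added Python example for slide 28 and the note that OpenID Connect is an identity layer on top of OAuth 2.0 with REST-friendly profile access. It goes beyond the slide: the ID token format (a signed JWT carrying iss, sub, aud, exp, iat and nonce) and the relying-party checks come from the OpenID Connect Core specification, not from the talk. HS256 with the client secret is assumed as the signing method (many providers use RS256 instead, which needs a public-key verifier in place of the HMAC); the issuer, client id, secret and claim values are constructed, and `make_id_token` only exists so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Tuple


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: Dict[str, Any], client_secret: str) -> str:
    """Mint an HS256-signed ID token the way a provider would (constructed stand-in
    for the real provider so the example runs offline)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(client_secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, client_secret: str, issuer: str, client_id: str,
                      nonce: Optional[str], now: Optional[float] = None) -> Dict[str, Any]:
    """Relying-party checks from OpenID Connect Core section 3.1.3.7.
    Every failure raises; only a fully validated claim set is returned."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have header.payload.signature")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm this client was configured for; do not let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(client_secret.encode("utf-8"), f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the configured provider")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("aud does not include this client")
    if "azp" in claims and claims["azp"] != client_id:
        raise ValueError("azp names another client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or exp missing")
    if isinstance(claims.get("iat"), (int, float)) and claims["iat"] > now + 60:
        raise ValueError("iat is in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token was not minted for this login")
    return claims


def userinfo_request(userinfo_endpoint: str, access_token: str) -> Tuple[str, Dict[str, str]]:
    """The REST-style profile call: a plain GET with the access token as a bearer credential."""
    return userinfo_endpoint, {"Authorization": f"Bearer {access_token}",
                               "Accept": "application/json"}
```

The ID token is what makes this authentication rather than just authorization: the access token lets the app call the profile endpoint, while the validated claims (issuer, audience, expiry, nonce bound to this login) are the proof of who the user is.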
