
Authentication for Droids

This talk about identity and authentication was held at Droidcon UK 2013. It goes into the differences between the various authorization and authentication techniques and tries to shed some light on best practices.

Technologies being covered are OAuth, OpenID and OpenID Connect.


Authentication for Droids

  1. Authentication for Droids. These are the droids you are looking for. Tim Messerschmidt, @SeraAndroid
  2. Developer Evangelist
  3. Why am I here?
  4. Rebuilding the Developer Experience: developer.paypal.com
  5. Do we always use the same identity?
  6. Should we always use the same identity?
  7. Authentication vs. Authorization
  8. Current standards
  9. Basic Authentication: username:password
  10. Passwords: wiki.scullsecurity.org/Passwords
  11. Security Nightmare: 4.7% of users have the password "password"; 8.5% have the password "password" or "123456"; 9.8% have "password", "123456" or "12345678"; 14% have a password from the top 10 passwords; 40% from the top 100; 79% from the top 500; 91% from the top 1000.
  12. Allow your users to see their input
  13. OAuth 1.0
  14. OAuth 1.0 flow between Consumer and Service Provider: request request token; grant request token; direct user to service; obtain authorization; direct to consumer; request access token; grant access token; access resources.
  15. OAuth 1.0a
  16. Signpost <3: github.com/mttkay/signpost
  17. OAuth 2.0
  18. OAuth 2.0 flow between Consumer and Service Provider: direct user to service; obtain authorization; direct to consumer; request access token; grant access token; access resources / profile.
  19. Passing the access token. HTTP header:
      URL url = new URL("http://url.com/");
      HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
      urlConnection.setRequestProperty("Authorization", "Bearer …");
      URI parameter: "url.com/oauth?access_token=…"
  20. Scribe: github.com/fernandezpablo85/scribe. PostmanLib: github.com/fedepaol/PostmanLib-Rings-Twice--Android
  21. OAuth 2.0 and the Road to Hell: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
  22. http://homakov.blogspot.de/2013/03/oauth1-oauth2-oauth.html
  23. Profile data: Date of Birth, Name, Creation Date, Email, Time Zone, Gender, Phone Number, Language, Locale, Address
  24. OpenID
  25. BrowserID / Persona
  26. How to combine both?
  27. OpenID with OAuth Hybrid Extension
  28. OpenID Connect
  29. Identity Providers: Social vs. Concrete
  30. Log in via PayPal in the browser or a WebView.
  31. Yeah, nice.. but why? People forget passwords: 45% admit to leaving a website instead of resetting their password or answering security questions.* (* Blue Inc. 2011)
  32. Also they hate to register: out of 657 surveyed users, 66% think that social sign-in is a desirable alternative.* (* Blue Inc. 2011)
  33. Wrap up: Identity does matter. Difference between authentication and authorization. User Experience should be enhanced, not impaired.
  34. Questions? tmesserschmidt@paypal.com, @SeraAndroid, slideshare.com/paypal
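Slide 19 shows the two ways an OAuth 2.0 client can present its access token to the resource server: in the Authorization header or as a query parameter. The following is an added example, not code from the talk, that fleshes out the header variant with HttpURLConnection (the API the slide uses) and makes the difference between the two explicit from a security point of view. The resource URL https://api.example.com/v1/me, the ACCESS_TOKEN environment variable and the class name BearerTokenRequest are placeholders chosen for the example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

// Added example, not code from the slides. The resource endpoint and the
// token source (an environment variable) are assumptions for illustration.
public class BearerTokenRequest {

    // Opens a GET to the protected resource with the token in the Authorization
    // header (the "HTTP Header" variant from slide 19).
    static HttpURLConnection openWithBearer(URL resource, String accessToken) throws IOException {
        // A bearer token is a plain secret: anyone who holds it can call the API.
        // Refuse to send it over an unencrypted connection.
        if (!"https".equals(resource.getProtocol())) {
            throw new IllegalArgumentException("bearer token must only be sent over https: " + resource);
        }
        HttpURLConnection conn = (HttpURLConnection) resource.openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Authorization", "Bearer " + accessToken);
        conn.setRequestProperty("Accept", "application/json");
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        return conn;
    }

    // The "URI parameter" variant from slide 19, shown for comparison only: the
    // token becomes part of the URL and therefore lands in server access logs,
    // proxy logs, browser history and Referer headers. Prefer the header.
    static String queryParameterUrl(String base, String accessToken) {
        return base + "?access_token=" + accessToken;
    }

    // Reads the response body (or the error body on 4xx/5xx) as UTF-8 text.
    static String readBody(HttpURLConnection conn) throws IOException {
        int status = conn.getResponseCode();
        InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while (in != null && (n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return buf.toString(StandardCharsets.UTF_8.name());
    }

    public static void main(String[] args) throws IOException {
        // Placeholder token source; never hard-code a token into the app binary.
        String token = System.getenv("ACCESS_TOKEN");
        if (token == null || token.isEmpty()) {
            System.err.println("set ACCESS_TOKEN to a bearer token obtained from the authorization server");
            return;
        }
        URL resource = new URL("https://api.example.com/v1/me"); // placeholder resource endpoint

        HttpURLConnection conn = openWithBearer(resource, token);
        int status = conn.getResponseCode();
        if (status == HttpURLConnection.HTTP_UNAUTHORIZED) {
            // The resource server states the reason in WWW-Authenticate, e.g.
            // error="invalid_token". An expired token should lead to a refresh or
            // a new authorization round, not to a retry loop with the same token.
            System.err.println("401: " + conn.getHeaderField("WWW-Authenticate"));
            return;
        }
        System.out.println(status + " " + readBody(conn));

        // What the query-parameter form would look like; the token is masked here
        // because the whole point is that it would otherwise be written to logs.
        System.out.println("avoid: " + queryParameterUrl("https://api.example.com/v1/me", "<token>"));
    }
}
```

Two design choices are worth noting. The https check exists because a bearer token has no proof-of-possession component, so anything that can read the request can replay the token; TLS is the only thing standing between the token and a network observer. The 401 branch reads WWW-Authenticate instead of blindly retrying, so that an expired or revoked token is handled by re-authorizing rather than by hammering the API with a dead credential.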
