Slides for talk given at the Identity Toolkit session hosted by the GDG Ibadan

1. Google Identity Toolkit
Gbolahan Alli
@purple_heart_me
Google Developer Group, Ibadan September 7, 2015

2. Developers shouldn’t need to be security experts.

3. The hack that makes Internet Identity possible

4. The Hack
Logging into a website using your email address.
Proving you were the owner of that email address by having the site send
you an SMTP message with a hyperlink back to the site which contained a
long code.

5. Email have downsides as identifiers.
❏Users change email address over time
❏The same email address is sometimes assigned to different people at
different time periods

6. Solution ?
Almost every website still maintains its own “local ID” system just as user
accounts did before the 90s.

7. A plus ?
The local IDs are then mapped to and from a user’s email address.

8. Remember !!!
We are still talking identity here

9. Which face are you presenting to the world?

10. Which face are you presenting to the world?
Some websites such as government
websites for taxes and social services try to
get closer to mapping to an actual person, .

11. Which face are you presenting to the world?
Human -> Emails -> Local IDs -> Passwords

12. Which face are you presenting to the world?
In short :
The security of the Internet as a whole is now
equivalent to the security level of websites
with the worst security

13. Which face are you presenting to the world?
In short :
● The security of the Internet as a whole is now equivalent to the security
level of websites with the worst security
● Unless you work for a firm with hundreds of
dedicated security personnel, there generally is no
reason for your site to require that users are
authenticated with passwords.

14. September 7, 2015

15. The year 2008?

16. A Solution ?

17. We need to understand that :
● Each person tends to access the Internet with multiple devices, and about the
only thing in common is that they have a browser, and not necessarily a fancy
modern browser, especially on mobile devices.
● Each device may be used by multiple people, who have multiple emails.
● People need a (mostly) consistent experience for logging into a website, no matter
what device they are using
● You can’t show a different initial login experience on your site to different people,
because before they login, you don’t know who they are. This also means you
can’t do % experiments for that initial experience
● People are lazy

18. People are lazy but they are willing
to invest in a longer task one-time
to make their lives easier in the
future.

19. Who are Identity Providers ?

20. The Identity
Toolkit
from

21. The Identity Toolkit

22. The Identity Toolkit
A set of Libraries that integrate with the Google Identity
Toolkit API.
Available for :
● For Web
● For Android
● For iOS
Pre-built widgets for Android, iOS, and JavaScript

23. The benefits

24. The Approach

25. The Approach ( cont’d )

26. The Approach ( cont’d )
Image courtsey : Adam Dawes, Google https://goo.gl/TPLOeD

27. Benefits
●Device flows
●Streamlined federations flows
●Risk challenges
●Simplified UX for users

28. The Identity Toolkit
●Google, Facebook, Yahoo, AOL, Microsoft and Paypal
●Just verify a JWT and issue a session cookie
●Same process for all IDPs, same format JWT for all IDPs
{
"iss" : "https://identitytoolkit.google.com",
"user_id" : 123,
"aud" : "6332423432073.apps.googleusercontent.com",
"provider_id" : "facebook.com",
"exp" : 1407089191,
"iat" : 1405879591,
"email" : "jsmith@gmail.com"
}

30. http://goo.gl/
T: @gdgibadan
F: /gdgibadan
Questions ?

31. Hacks!!! Hacks!!
cat ~/.ssh/id_rsa.pub
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
eval $(ssh-agent -s)
ssh-add ~/.ssh/id_rsa

32. Fetch the GDG Ibadan identity toolkit client repo ->
http://bitbucket.org/gdgibadan
Merge with your local repo
Go to https://console.developers.google.com
Documentation here https://developers.google.com/identity/toolkit/
Next Steps