Online Identity: Getting to know your users

•

2 likes•940 views

This document discusses online identity and authentication. It provides a history of authentication methods like usernames and passwords, which have security issues. OpenID and OAuth 1.0/2.0 were developed to improve authentication but still have flaws. Identity providers like Google, Facebook and Twitter now allow social authentication, which two-thirds of users prefer over creating new accounts. While convenient, social logins reveal more user data than required just for authentication. The document stresses the difference between authentication and authorization, and that authorization should enhance rather than impair the user experience when used properly.

Technology

Online Identity
Getting to know your users
Cristiano Betta, Developer Evangelist

Do we always want to use the
same identity?

Should we always want to
use the same identity?

4.7% of users have the password password
8.5% have the passwords password or 123456
9.8% have the passwords password, 123456 or 12345678
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
Source: xato.net/passwords/more-top-worst-passwords/

45% admit to leaving a website instead of resetting their password or answering security questions
Source: bit.ly/bluestats

Request'
Request'Token'

Grant'
Request'Token'

Direct'User'to'Service'

Obtain'Authoriza:on'

Request'
Access'Token'

Direct'to'Consumer'

Access'
Resources'

Grant'
Access'Token'

Consumer'

Service-Provider'

Direct'User'to'Service'

Obtain'Authoriza5on'

Request'
Access'Token'

Grant'
Access'Token'

Access'
Resources'/'Proﬁle'

Direct'to'Consumer'

OAuth 2.0 and the Road to Hell
homakov.blogspot.de/2013/03/oauth1-oauth2-oauth.html

Out of 657 surveyed users 66% think that social
sign-in is a desirable alternative.
Source: bit.ly/bluestats

• Name, email, location
• Friends, address

• Name, email, location
• Friends, address
• Veriﬁed address, payment address, account type

• Name, email, location
• Friends, address
• Veriﬁed address, payment address, account type
• Seamless checkout

Recognize the difference between authentication
and authorization

Well used authorization can improve the user
experience beyond plain user identiﬁcation

The user experience should be enhanced not
impaired by user authentication

Questions
cbetta@paypal.com
slideshare.net/paypal

Viewers also liked

Digital Zen with Productivity & Timesaving AppsShelly Sanchez Terrell

Levona travel presentation englishLevona Travel

8 2-30-slideshare-citasyreferenciasbibliograficas-valentina riveraortizValentinarivera05

Spanish cinemagiselle ramón yebra

Cool CarsPeety G

An Evaluation of Pair Programming PracticeKranthi Lakum

DAILY AGRI REPORT BY EPIC RESEARCH-19 NOVEMBER 2012Epic Research Limited

Аппаратная реализация бортовой автономной системы улучшенного и синтезированн...kulibin

150509 storm cv activeer je ambitieStormCv

Nigeria social progress index 2014statisense

#NoProjects - Beyond Projectsallan kelly

Viewers also liked (11)

Digital Zen with Productivity & Timesaving Apps

Levona travel presentation english

8 2-30-slideshare-citasyreferenciasbibliograficas-valentina riveraortiz

Spanish cinema

Cool Cars

An Evaluation of Pair Programming Practice

DAILY AGRI REPORT BY EPIC RESEARCH-19 NOVEMBER 2012

Аппаратная реализация бортовой автономной системы улучшенного и синтезированн...

150509 storm cv activeer je ambitie

Nigeria social progress index 2014

#NoProjects - Beyond Projects

Similar to Online Identity: Getting to know your users

Authentication for DroidsPayPal

Death To PasswordsDroidConTLV

Death To PasswordsTim Messerschmidt

Death To Passwords Droid EditionPayPal

Death To PasswordsPayPal

Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc

Token Authentication for Java ApplicationsStormpath

The life of breached data and the attack lifecycleJarrod Overson

Cyber Safety Hacks for Women and Children by Catalyst Woman ConsultancyMariam Sb

The State of Passwordless Auth on the Web - Phil NashAll Things Open

The state of passwordless auth on the web Phil Nash

Benefits and Risks of a Single Identity - IBM Connect 2017Gabriella Davis

Why Two-Factor Isn't EnoughSecureAuth

Cyber Threats and Data Privacy in a Digital Worldqubanewmedia

Catch T&E and P-Card Fraudsters Using Data AnalyticsFraudBusters

Getting Started With WebAuthnFIDO Alliance

Hardware and the commerce revolutionCristiano Betta

Things that go bump on the web - Web Application SecurityChristian Heilmann

OmniAuth: From the Ground UpMichael Bleigh

The state of passwordless auth on the webPhil Nash

Similar to Online Identity: Getting to know your users (20)

Authentication for Droids

Death To Passwords

Death To Passwords Droid Edition

Death To Passwords

Securing RESTful APIs using OAuth 2 and OpenID Connect

Token Authentication for Java Applications

The life of breached data and the attack lifecycle

Cyber Safety Hacks for Women and Children by Catalyst Woman Consultancy

The State of Passwordless Auth on the Web - Phil Nash

The state of passwordless auth on the web

Benefits and Risks of a Single Identity - IBM Connect 2017

Why Two-Factor Isn't Enough

Cyber Threats and Data Privacy in a Digital World

Catch T&E and P-Card Fraudsters Using Data Analytics

Getting Started With WebAuthn

Hardware and the commerce revolution

Things that go bump on the web - Web Application Security

OmniAuth: From the Ground Up

The state of passwordless auth on the web

Recently uploaded

Mission to Decommission: Importance of Decommissioning Products to Increase E...Product School

IESVE for Early Stage Design and PlanningIES VE

Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra

Knowledge engineering: from people to machines and backElena Simperl

How world-class product teams are winning in the AI era by CEO and Founder, P...Product School

Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung

UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10

Powerful Start- the Key to Project Success, Barbara LaskowskaCzechDreamin

Optimizing NoSQL Performance Through ObservabilityScyllaDB

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀DianaGray10

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...Product School

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...Sri Ambati

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCzechDreamin

10 Differences between Sales Cloud and CPQ, Blanka DoktorováCzechDreamin

Demystifying gRPC in .Net by John StaveleyJohn Staveley

Integrating Telephony Systems with Salesforce: Insights and Considerations, B...CzechDreamin

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood

Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Julian Hyde

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...Product School

Recently uploaded (20)

Mission to Decommission: Importance of Decommissioning Products to Increase E...

IESVE for Early Stage Design and Planning

Search and Society: Reimagining Information Access for Radical Futures

Knowledge engineering: from people to machines and back

How world-class product teams are winning in the AI era by CEO and Founder, P...

Key Trends Shaping the Future of Infrastructure.pdf

UiPath Test Automation using UiPath Test Suite series, part 3

Powerful Start- the Key to Project Success, Barbara Laskowska

Optimizing NoSQL Performance Through Observability

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

Demystifying gRPC in .Net by John Staveley

Integrating Telephony Systems with Salesforce: Insights and Considerations, B...

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Online Identity: Getting to know your users

1. Online Identity Getting to know your users Cristiano Betta, Developer Evangelist

2. Developer Evangelist

3. Why am I here?

5. Do we always want to use the same identity?

6. Should we always want to use the same identity?

7. Authentication vs Authorisation

10. A little history lesson

11. Username + password

12.

13. Security considerations

14. Security nightmare

15. 4.7% of users have the password password 8.5% have the passwords password or 123456 9.8% have the passwords password, 123456 or 12345678 14% have a password from the top 10 passwords 40% have a password from the top 100 passwords 79% have a password from the top 500 passwords 91% have a password from the top 1000 passwords Source: xato.net/passwords/more-top-worst-passwords/

16. wiki.skullsecurity.org/Passwords

17. 45% admit to leaving a website instead of resetting their password or answering security questions Source: bit.ly/bluestats

18.

19.

20. OpenID

21.

22.

23. OAuth 1.0

24.

25. Request' Request'Token' Grant' Request'Token' Direct'User'to'Service' Obtain'Authoriza:on' Request' Access'Token' Direct'to'Consumer' Access' Resources' Grant' Access'Token'

26.

27. OAuth 1.0a