This document discusses online identity and authentication. It provides a history of authentication methods like usernames and passwords, which have security issues. OpenID and OAuth 1.0/2.0 were developed to improve authentication but still have problems. Identity providers like Google, Facebook and Twitter now allow social authentication, which many users prefer over creating new accounts. The document stresses the difference between authentication and authorization, and that authorization can enhance the user experience if used properly rather than impairing it through authentication alone. It provides examples of identity data available from different social providers and demos identity workflows.

1. Online Identity
Getting to know your users
Cristiano Betta, Developer Evangelist

2. Developer Evangelist

3. Why am I here?

5. Do we always want to use the
same identity?

6. Should we always want to
use the same identity?

7. Authentication vs
Authorisation

10. A little history lesson

11. Username + password

13. Security considerations

14. Security nightmare

15. 4.7% of users have the password password
8.5% have the passwords password or 123456
9.8% have the passwords password, 123456 or 12345678
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
Source: xato.net/passwords/more-top-worst-passwords/

16. wiki.skullsecurity.org/Passwords

17. 45% admit to leaving a website instead of resetting their password or answering security questions
Source: bit.ly/bluestats

20. OpenID

23. OAuth 1.0

25. Request'
Request'Token'
Grant'
Request'Token'
Direct'User'to'Service'
Obtain'Authoriza:on'
Request'
Access'Token'
Direct'to'Consumer'
Access'
Resources'
Grant'
Access'Token'

27. OAuth 1.0a

29. OAuth 2.0

30. OAuth 2.0

31. Consumer'
Service-Provider'
Direct'User'to'Service'
Obtain'Authoriza5on'
Request'
Access'Token'
Grant'
Access'Token'
Access'
Resources'/'Profile'
Direct'to'Consumer'

33. OAuth 2.0 and the Road to Hell
homakov.blogspot.de/2013/03/oauth1-oauth2-oauth.html

34. OAuth 2.0 +
OpenID Connect

36. Identity Providers

37. Out of 657 surveyed users 66% think that social
sign-in is a desirable alternative.
Source: bit.ly/bluestats

38. Google
Facebook
Twitter

40. Social vs Concrete

46. • Name, email, location

47. • Name, email, location
• Friends, address

48. • Name, email, location
• Friends, address
• Verified address, payment address, account type

49. • Name, email, location
• Friends, address
• Verified address, payment address, account type
• Seamless checkout

50. Demo

51. The nature of an identity matters

52. Recognize the difference between authentication
and authorization

53. Well used authorization can improve the user
experience beyond plain user identification

54. The user experience should be enhanced not
impaired by user authentication

56. Questions
cbetta@paypal.com
slideshare.net/paypal