identity toolkit

Google Identity Toolkit Gbolahan Alli @purple_heart_me Google Developer Group, Ibadan September 7, 2015

Upload: gbolahan-alli

Post on 13-Apr-2017


TRANSCRIPT

Page 1: Identity toolkit

Google Identity Toolkit

Gbolahan Alli @purple_heart_me

Google Developer Group, Ibadan September 7, 2015

Page 2: Identity toolkit

Developers shouldn’t need to be security experts.

Page 3: Identity toolkit

The hack that makes Internet Identity possible

Page 4: Identity toolkit

The Hack

Logging into a website using your email address.

Proving you were the owner of that email address by having the site send you an SMTP message with a hyperlink back to the site which contained a long code.

Page 5: Identity toolkit

Emails have downsides as identifiers.

❏ Users change email addresses over time

❏ The same email address is sometimes assigned to different people at different time periods

Page 6: Identity toolkit

Solution ?

Almost every website still maintains its own “local ID” system just as user accounts did before the 90s.

Page 7: Identity toolkit

A plus ?

The local IDs are then mapped to and from a user’s email address.

Page 8: Identity toolkit

Remember !!!

We are still talking identity here

Page 9: Identity toolkit

Which face are you presenting to the world?

Page 10: Identity toolkit

Which face are you presenting to the world?

Some websites, such as government websites for taxes and social services, try to get closer to mapping to an actual person.

Page 11: Identity toolkit

Which face are you presenting to the world?

Human -> Emails -> Local IDs -> Passwords

Page 12: Identity toolkit

Which face are you presenting to the world?

In short:

● The security of the Internet as a whole is now equivalent to the security level of websites with the worst security

Page 13: Identity toolkit

Which face are you presenting to the world?

In short:

● The security of the Internet as a whole is now equivalent to the security level of websites with the worst security

● Unless you work for a firm with hundreds of dedicated security personnel, there generally is no reason for your site to require that users are authenticated with passwords.

Page 14: Identity toolkit

September 7, 2015

Page 15: Identity toolkit

The year 2008?

Page 16: Identity toolkit

A Solution ?

Page 17: Identity toolkit

We need to understand that:

● Each person tends to access the Internet with multiple devices, and about the only thing in common is that they have a browser, and not necessarily a fancy modern browser, especially on mobile devices.

● Each device may be used by multiple people, who have multiple emails.

● People need a (mostly) consistent experience for logging into a website, no matter what device they are using.

● You can’t show a different initial login experience on your site to different people, because before they log in, you don’t know who they are. This also means you can’t do % experiments for that initial experience.

● People are lazy

Page 18: Identity toolkit

People are lazy but they are willing to invest in a longer task one-time to make their lives easier in the future.

Page 19: Identity toolkit

Who are Identity Providers ?

Page 20: Identity toolkit

The Identity Toolkit

from

Page 21: Identity toolkit

The Identity Toolkit

Page 22: Identity toolkit

The Identity Toolkit

A set of libraries that integrate with the Google Identity Toolkit API.

Available for:

● Web

● Android

● iOS

Pre-built widgets for Android, iOS, and JavaScript

Page 23: Identity toolkit

The benefits

Page 24: Identity toolkit

The Approach

Page 25: Identity toolkit

The Approach ( cont’d )

Page 26: Identity toolkit

The Approach ( cont’d )

Image courtesy: Adam Dawes, Google https://goo.gl/TPLOeD

Page 27: Identity toolkit

Benefits

● Device flows

● Streamlined federation flows

● Risk challenges

● Simplified UX for users

Page 28: Identity toolkit

The Identity Toolkit

● Google, Facebook, Yahoo, AOL, Microsoft and Paypal

● Just verify a JWT and issue a session cookie

● Same process for all IDPs, same format JWT for all IDPs

{
  "iss" : "https://identitytoolkit.google.com",
  "user_id" : 123,
  "aud" : "6332423432073.apps.googleusercontent.com",
  "provider_id" : "facebook.com",
  "exp" : 1407089191,
  "iat" : 1405879591,
  "email" : "[email protected]"
}
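An added example, not from the slides or from Google's libraries: the "verify a JWT and issue a session cookie" step, sketched for the claim set shown above. It assumes a JWT library has already verified the token's signature; the function names, session key, TTL, clock-skew allowance and the example.com email are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://identitytoolkit.google.com"          # "iss" from the slide
AUDIENCE = "6332423432073.apps.googleusercontent.com"  # "aud" from the slide
SESSION_KEY = b"constructed-demo-key"  # assumption: server-side secret
SESSION_TTL, SKEW = 3600, 60           # assumptions: session life, clock skew (s)
# Constructed sample: slide values, with a placeholder email address.
SAMPLE_CLAIMS = {"iss": ISSUER, "user_id": 123, "aud": AUDIENCE,
                 "provider_id": "facebook.com", "exp": 1407089191,
                 "iat": 1405879591, "email": "user@example.com"}

def check_claims(claims, now=None):
    """Validate claims of a token whose signature was already verified."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token was issued for a different application")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        raise ValueError("missing exp/iat")
    if now >= exp + SKEW:
        raise ValueError("token expired")
    if iat > now + SKEW:
        raise ValueError("token issued in the future")
    if "user_id" not in claims:
        raise ValueError("missing user_id")
    return claims

def _tag(payload):
    return hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_session(claims, now=None):
    """Build an HMAC-signed cookie keyed on the local user_id, not the email."""
    now = int(time.time() if now is None else now)
    body = json.dumps({"uid": str(claims["user_id"]),
                       "idp": claims.get("provider_id"),
                       "exp": now + SESSION_TTL}, sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(body).decode()
    return payload + "." + _tag(payload)

def read_session(cookie, now=None):
    """Check the cookie's MAC in constant time, then its expiry."""
    now = time.time() if now is None else now
    payload, _, tag = cookie.partition(".")
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        raise ValueError("bad session signature")
    session = json.loads(base64.urlsafe_b64decode(payload))
    if now >= session["exp"]:
        raise ValueError("session expired")
    return session
```

Because the claim format is the same for every provider, the same check runs whether provider_id is facebook.com or any other IDP; the cookie should also be set with the Secure and HttpOnly attributes.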

Page 29: Identity toolkit
Page 30: Identity toolkit

http://goo.gl/T: @gdgibadan

F: /gdgibadan

Questions ?

Page 31: Identity toolkit

Hacks!!! Hacks!!

cat ~/.ssh/id_rsa.pub

ssh-keygen -t rsa -b 4096 -C "[email protected]"

eval $(ssh-agent -s)

ssh-add ~/.ssh/id_rsa

Page 32: Identity toolkit

Next Steps

Fetch the GDG Ibadan identity toolkit client repo -> http://bitbucket.org/gdgibadan

Merge with your local repo

Go to https://console.developers.google.com

Documentation here: https://developers.google.com/identity/toolkit/