identity toolkit
TRANSCRIPT
Google Identity Toolkit
Gbolahan Alli @purple_heart_me
Google Developer Group, Ibadan September 7, 2015
Developers shouldn’t need to be security experts.
The hack that makes Internet Identity possible
The Hack
Logging into a website using your email address.
Proving you were the owner of that email address by having the site send you an email (an SMTP message) with a hyperlink back to the site, the link carrying a long, unguessable code.
Email addresses have downsides as identifiers:
❏ Users change email address over time
❏ The same email address is sometimes assigned to different people at different times
Solution?
Almost every website still maintains its own "local ID" system, just as user accounts did before the 90s.
A plus?
The local IDs are then mapped to and from a user's email address.
Remember!
We are still talking identity here.
Which face are you presenting to the world?
Some websites, such as government websites for taxes and social services, try to get closer to mapping to an actual person.
Human -> Emails -> Local IDs -> Passwords
In short:
● Because the same email and password get reused down that chain, the security of the Internet as a whole is now equivalent to the security level of the websites with the worst security.
● Unless you work for a firm with hundreds of dedicated security personnel, there generally is no reason for your site to require that users are authenticated with passwords.
The year 2008?
A Solution?
We need to understand that:
● Each person tends to access the Internet with multiple devices, and about the only thing they have in common is a browser, and not necessarily a fancy modern browser, especially on mobile devices.
● Each device may be used by multiple people, who have multiple emails.
● People need a (mostly) consistent experience for logging into a website, no matter what device they are using.
● You can't show a different initial login experience on your site to different people, because before they log in, you don't know who they are. This also means you can't run percentage (A/B) experiments on that initial experience.
● People are lazy.
People are lazy, but they are willing to invest in a longer task once to make their lives easier in the future.
Who are Identity Providers?
The Identity Toolkit
A set of libraries that integrate with the Google Identity Toolkit API. Available for:
● Web
● Android
● iOS
Pre-built widgets for Android, iOS, and JavaScript
The benefits
The Approach
The Approach ( cont’d )
The Approach ( cont’d )
Image courtesy: Adam Dawes, Google https://goo.gl/TPLOeD
Benefits
● Device flows
● Streamlined federation flows
● Risk challenges
● Simplified UX for users
The Identity Toolkit
● Google, Facebook, Yahoo, AOL, Microsoft and PayPal
● Just verify a JWT and issue a session cookie
● Same process for all IdPs, same format JWT for all IdPs
{
  "iss": "https://identitytoolkit.google.com",
  "user_id": 123,
  "aud": "6332423432073.apps.googleusercontent.com",
  "provider_id": "facebook.com",
  "exp": 1407089191,
  "iat": 1405879591,
  "email": "[email protected]"
}
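What "just verify a JWT and issue a session cookie" looks like on the server, as an added example written for this transcript (it is not code from the talk or from the Identity Toolkit libraries). To run offline it assumes the token is signed with HMAC-SHA256 over a constructed shared secret; the real toolkit signs with RS256, so in production you would fetch Google's public keys and check an RSA signature instead, but the claim checks (iss, aud, exp, iat) and the local-ID mapping carry over unchanged. The ISSUER and AUDIENCE values are taken from the sample JWT above; the email, the secret and the in-memory tables are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Values taken from the sample JWT on the slide.
ISSUER = "https://identitytoolkit.google.com"
AUDIENCE = "6332423432073.apps.googleusercontent.com"  # this site's OAuth client ID
CLOCK_SKEW = 60  # seconds of tolerated clock drift (assumed policy)

# Constructed shared secret so the example runs offline; the real toolkit
# uses RS256 and Google's published public keys instead.
DEMO_SECRET = b"demo-secret-not-for-production"


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_jwt(claims, secret):
    """Mint an HS256 JWT; stands in for the identity provider in this demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token, secret, now=None):
    """Return the verified claims or raise ValueError.
    Order matters: signature first, then issuer, audience, expiry, issued-at."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm; never let the token choose it (alg=none tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:  # a valid token for another site is still not ours
        raise ValueError("token issued for another audience")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now > exp + CLOCK_SKEW:
        raise ValueError("token expired")
    if not isinstance(iat, int) or iat > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    if "user_id" not in claims:
        raise ValueError("no user_id claim")
    return claims


def is_valid(token, secret, now=None):
    """Boolean convenience wrapper around verify_jwt."""
    try:
        verify_jwt(token, secret, now)
        return True
    except ValueError:
        return False


# Constructed in-memory stand-ins for the site's user and session tables.
LOCAL_IDS = {}  # IdP user_id -> this site's local ID
SESSIONS = {}   # session cookie value -> local ID


def local_id_for(claims):
    """Map the IdP's stable user_id to a local ID. Keying on user_id rather
    than email is deliberate: email addresses change hands over time."""
    key = str(claims["user_id"])
    if key not in LOCAL_IDS:
        LOCAL_IDS[key] = f"local-{len(LOCAL_IDS) + 1}"
    return LOCAL_IDS[key]


def login(token, secret, now=None):
    """Verify the IdP token and return a fresh, random session cookie value."""
    claims = verify_jwt(token, secret, now)
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = local_id_for(claims)
    return cookie


SAMPLE_CLAIMS = {  # the slide's sample JWT body; the email is a constructed placeholder
    "iss": ISSUER, "user_id": 123, "aud": AUDIENCE, "provider_id": "facebook.com",
    "exp": 1407089191, "iat": 1405879591, "email": "user@example.com",
}

if __name__ == "__main__":
    tok = sign_jwt(SAMPLE_CLAIMS, DEMO_SECRET)
    cookie = login(tok, DEMO_SECRET, now=1405879600)  # a time inside [iat, exp]
    print(f"Set-Cookie: session={cookie}; HttpOnly; Secure; SameSite=Lax")
    print("session maps to local ID", SESSIONS[cookie])
```

The session cookie is an opaque random value that the server maps to the local ID; the JWT itself is never stored in the cookie, so its expiry and the IdP's key rotation stay the server's concern rather than the browser's.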
Hacks!
cat ~/.ssh/id_rsa.pub                          # check whether you already have a key
ssh-keygen -t rsa -b 4096 -C "[email protected]"  # otherwise generate a 4096-bit RSA key
eval $(ssh-agent -s)                           # start the agent in this shell
ssh-add ~/.ssh/id_rsa                          # load the private key into the agent
Fetch the GDG Ibadan identity toolkit client repo -> http://bitbucket.org/gdgibadan
Merge it with your local repo
Register the project at https://console.developers.google.com
Documentation: https://developers.google.com/identity/toolkit/
Next Steps