Date post: | 08-May-2015 |
Category: | Technology |
Upload: | paypal |
Authentication for Droids
These are the droids you are looking for
Tim Messerschmidt
@SeraAndroid
Developer Evangelist
Why am I here?
Rebuilding the Developer Experience: developer.paypal.com
Do we always use the same identity?
Should we always use the same identity?
Authentication vs. Authorization
Current standards
Basic Authentication
username:password
Passwords
wiki.scullsecurity.org/Passwords
Security Nightmare
4.7% of users have the password password
8.5% have the passwords password or 123456
9.8% have the passwords password, 123456, 12345678
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
Allow your users to see their input
OAuth 1.0
Request Request Token
Grant Request Token
Direct User to Service
Obtain Authorization
Direct to Consumer
Request Access Token
Grant Access Token
Access Resources
Consumer / Service Provider
OAuth 1.0a
Signpost <3 github.com/mttkay/signpost
OAuth 2.0
Direct User to Service
Obtain Authorization
Request Access Token
Grant Access Token
Direct to Consumer
Access Resources / Profile
Consumer / Service Provider
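import java.net.HttpURLConnection;
import java.net.URL;
URL url = new URL("http://url.com/");
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
// Present the access token in the Authorization request header
urlConnection.setRequestProperty("Authorization", "Bearer …");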
HTTP Header
“url.com/oauth?access_token=…”
URI parameter
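The two ways of presenting an OAuth 2.0 access token shown above (HTTP header and URI parameter), side by side as an added example that is not from the original slides. The host api.example.com, the token value, and the helpers openWithBearer and redactForLog are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class BearerRequest {

    /** Opens a connection that carries the token in the Authorization header. */
    static HttpURLConnection openWithBearer(URL url, String accessToken) throws IOException {
        // A bearer token is usable by anyone who sees it, so refuse cleartext HTTP.
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("bearer tokens require https: " + url.getHost());
        }
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestProperty("Authorization", "Bearer " + accessToken);
        return conn;
    }

    /** Masks an access_token query parameter so the URL is safe to log (hypothetical helper). */
    static String redactForLog(String url) {
        return url.replaceAll("([?&]access_token=)[^&#]*", "$1<redacted>");
    }

    public static void main(String[] args) throws IOException {
        String token = "EXAMPLE-TOKEN"; // constructed sample value
        // Placeholder host; openConnection() does not touch the network
        // until the request is actually sent, so this runs offline.
        URL url = new URL("https://api.example.com/profile");
        HttpURLConnection conn = openWithBearer(url, token);

        // Header form: the token is absent from the URL that ends up in logs.
        System.out.println("header form logs: " + conn.getURL());

        // URI-parameter form: the token is part of the URL itself.
        String asParam = "https://api.example.com/oauth?access_token=" + token + "&fields=name";
        System.out.println("param form logs:  " + asParam);
        System.out.println("after redaction:  " + redactForLog(asParam));

        // Cleartext endpoints are rejected before any token is attached.
        try {
            openWithBearer(new URL("http://api.example.com/profile"), token);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the URI-parameter form the token travels wherever the URL does (server access logs, proxies, Referer headers), which is why the header form is the safer default.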
Scribe github.com/fernandezpablo85/scribe
PostmanLib github.com/fedepaol/PostmanLib--Rings-Twice--Android
OAuth 2.0 and the Road to Hell http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
http://homakov.blogspot.de/2013/03/oauth1-oauth2-oauth.html
Name
Date of Birth
Locale
Time Zone
Address
Gender
Language
Phone Number
Creation Date
OpenID
BrowserID
Persona
How to combine both?
OpenID with OAuth Hybrid Extension
OpenID Connect
Identity Providers
Social vs. Concrete
Log in via PayPal in the browser or a WebView.
Yeah, nice.. but why?
People forget passwords…
45% admit to leaving a website instead of re-setting their password or answering security questions *
* Blue Inc. 2011
Also they hate to register
Out of 657 surveyed users 66% think that social sign-in is a desirable alternative. *
* Blue Inc. 2011
Wrap up
Identity does matter
Difference between authentication and authorization
User Experience should be enhanced not impaired
[email protected]
@SeraAndroid
slideshare.com/paypal