Posted: 24-May-2015
Universal Login
Daniel Wilkey (dgw2109)
Cellular Networks and Mobile Computing, Spring 2014
Outline
Why we hate logins
Open ID
Universal Login
Demo
Future Work
Questions
Why We Hate Logins
Remembering passwords
Can I really trust this site?
How do they know it’s me?
I don’t want to enter my personal information
• PayPal for credit cards
What if someone hacks my account?
What if I forget to logout?
Open ID [2007]
Make an account with Google/Yahoo/PayPal and use it everywhere
Same protocols can be used to verify an account with any identity provider
No identifying info needed to create an account (just an email)
Little-implemented extension for exchanging attributes (OpenID Attribute Exchange)
• Google saves passwords / account info locally instead
Heterogeneous implementations of user profile
Does not address the trust issue
• No banks used Open ID
Universal Login
Single, secure* site for user authentication
Client app runs on each device and manages security for that device
Safe, approval-driven method for exchanging private user data
Easy, push-notification-based protocol for managing logged-in devices
• Apps can log out of private screens without a refresh and without battery drain
Web authentication protocol is proprietary and unpublished; consumer apps only know how to communicate with the local client
Security standard can be published for all users to review
Would not be used for social networking
Universal Login - Architecture
Server written with AppEngine
Maintains session info, user data
Android App client
Allows user to sign up, login, logout, and update profile
Receives requests from other apps to login / retrieve data
Allows user to logout all other devices
• Listens to push notifications to know when to log out
• Rebroadcasts server log out notifications so that local apps are aware
Universal Login - Architecture
Resource optimized
Recipient apps do not need a connection to the remote server (no chance of being sloppy)
App login and data fetch are handled with a single request to limit traffic
Secure
No user data other than session info is saved locally
All private data is delivered on demand
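The architecture above, modelled as an added example (not the author's code; the protocol is unpublished, so every message shape, class and field name here is an assumption): the server holds credentials, sessions and profile data; the per-device client stores only its session token, answers an app's login-plus-data request in one call after the user's approval rule filters the fields, and clears every local app when a server logout push arrives.

```python
import hashlib, secrets

def _hash(password, salt):                           # salted PBKDF2 for stored credentials
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Server:                                        # assumed model of the AppEngine server
    def __init__(self):
        self.users, self.sessions, self.devices = {}, {}, {}
    def register(self, username, password, profile):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash(password, salt), dict(profile))
    def login(self, username, password, device):
        rec = self.users.get(username)
        if rec is None or not secrets.compare_digest(rec[1], _hash(password, rec[0])):
            return None
        token = secrets.token_hex(16)                    # session id for this device
        self.sessions[token] = (username, device.device_id)
        self.devices[device.device_id] = device          # push channel to the client
        return token
    def fetch(self, token, fields):                      # private data only on demand
        if token not in self.sessions:
            return None
        profile = self.users[self.sessions[token][0]][2]
        return {f: profile[f] for f in fields if f in profile}
    def logout_others(self, token):
        """Multi-device logout: drop every other session and push 'logout' to it."""
        username, keep = self.sessions[token]
        for tok, (user, dev) in list(self.sessions.items()):
            if user == username and dev != keep:
                del self.sessions[tok]
                self.devices[dev].on_push("logout")

class DeviceClient:
    """Per-device client: holds only the session token and mediates app requests."""
    def __init__(self, device_id, server, approve):
        self.device_id, self.server, self.approve = device_id, server, approve
        self.token, self.apps = None, {}                 # apps: name -> granted data
    def sign_in(self, username, password):
        self.token = self.server.login(username, password, self)
        return self.token is not None
    def app_login(self, app, fields):
        """One request gives the app a login plus only the user-approved fields."""
        wanted = [f for f in fields if self.approve(app, f)]
        data = self.server.fetch(self.token, wanted) if self.token else None
        if data is not None:                             # app is now logged in
            self.apps[app] = data
        return data
    def on_push(self, event):
        if event == "logout":                            # rebroadcast to local apps
            self.token, self.apps = None, {}
```

Because apps never hold a server session of their own, a logout pushed to the device client invalidates every app on that device at once, which is the property the multi-device logout demo relies on.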
Demo - Create Account
Welcome email sent to subscriber
Demo - Sign In
Demo - User Profile
Demo - Sign In / Data Exchange
Demo - Multi-Device Logout
Future Work
Fix minor* security flaws
Introduce means of user identity establishment
2-factor authentication
MacOS/iOS, Windows OS/Phone, and Linux clients
• Potentially a web-based client as well
Personal data exchange audit log
Questions?