Online identity

Getting to know your users.

A talk I gave at London Web Standards

Cristiano Betta

October 24, 2013

Transcript

  1. Online Identity
     Getting to know your users
     Cristiano Betta, Developer Evangelist

  2. Developer Evangelist

  3. Why am I here?

  4. None
  5. Do we always want to use the same identity?

  6. Should we always want to use the same identity?

  7. Authentication vs Authorisation

  8. None
  9. None
  10. A little history lesson

  11. Username + password

  12. None
  13. Security considerations

  14. Security nightmare

  15. 4.7% of users have the password password
      8.5% have the passwords password or 123456
      9.8% have the passwords password, 123456 or 12345678
      14% have a password from the top 10 passwords
      40% have a password from the top 100 passwords
      79% have a password from the top 500 passwords
      91% have a password from the top 1000 passwords
      Source: xato.net/passwords/more-top-worst-passwords/

  16. wiki.skullsecurity.org/Passwords

  17. 45% admit to leaving a website instead of resetting their password or answering security questions. Source: bit.ly/bluestats

  18. None
  19. None
  20. OpenID

  21. None
  22. None
  23. OAuth 1.0

  24. None
  25. Flow diagram: Request Request Token → Grant Request Token → Direct User to Service → Obtain Authorization → Direct to Consumer → Request Access Token → Grant Access Token → Access Resources

  26. None
  27. OAuth 1.0a

  28. None
  29. OAuth 2.0

  30. OAuth 2.0

  31. Flow diagram (Consumer ↔ Service Provider): Direct User to Service → Obtain Authorization → Request Access Token → Grant Access Token → Direct to Consumer → Access Resources / Profile

  32. None
  33. OAuth 2.0 and the Road to Hell homakov.blogspot.de/2013/03/oauth1-oauth2-oauth.html

  34. OAuth 2.0 + OpenID Connect

  35. None
  36. Identity Providers

  37. Out of 657 surveyed users, 66% think that social sign-in is a desirable alternative. Source: bit.ly/bluestats

  38. Google Facebook Twitter

  39. None
  40. Social vs Concrete

  41. None
  42. None
  43. None
  44. None
  45. None
  46. • Name, email, location

  47. • Name, email, location • Friends, address

  48. • Name, email, location • Friends, address • Verified address, payment address, account type

  49. • Name, email, location • Friends, address • Verified address, payment address, account type • Seamless checkout

  50. Demo

  51. The nature of an identity matters

  52. Recognize the difference between authentication and authorization

  53. Well-used authorization can improve the user experience beyond plain user identification

  54. The user experience should be enhanced, not impaired, by user authentication

  55. None
  56. Questions cbetta@paypal.com slideshare.net/paypal
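The redirect-based OAuth 2.0 exchange sketched on slides 29 to 33 (consumer sends the user to the service provider, the provider obtains authorization and sends the user back, the consumer redeems what it was given for an access token and reads the profile) is modelled below as the authorization code grant, together with the two checks the "Road to Hell" post on slide 33 is mostly about: the `state` parameter that binds a login attempt to the browser session, and codes that are single-use and bound to a pre-registered `redirect_uri`. This is an added example written for this page, not code from the talk or from PayPal; the endpoint name, client identifiers, secrets and user names are constructed, and everything runs in memory with no network.

```python
"""Toy OAuth 2.0 authorization-code exchange: Consumer (the site that wants to
know its users) and ServiceProvider (the identity provider). Constructed
example, in-memory only, no network."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://sp.example/authorize"   # assumed endpoint name


def _query(url):
    """Flatten a URL's query string into a {name: first value} dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class ServiceProvider:
    """Authorization server: issues single-use codes and exchanges them for tokens."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # code -> {"client_id", "redirect_uri", "user"}
        self.tokens = {}    # access_token -> user

    def register(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, authorize_url, user):
        """'Direct User to Service' + 'Obtain Authorization': the user approves and
        is redirected back to the consumer with a code bound to the registered URI."""
        q = _query(authorize_url)
        _, registered = self.clients[q["client_id"]]
        # Exact match against the pre-registered redirect_uri: anything looser
        # lets an attacker-controlled page receive the code.
        if q.get("response_type") != "code" or q.get("redirect_uri") != registered:
            raise ValueError("invalid authorization request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": registered, "user": user}
        return registered + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, client_id, client_secret, code, redirect_uri):
        """'Request Access Token' / 'Grant Access Token', consumer-to-provider."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not hmac.compare_digest(secret.encode(), client_secret.encode()):
            raise PermissionError("bad client credentials")
        grant = self.codes.pop(code, None)   # pop: a code can be redeemed only once
        if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown, replayed or mis-bound code")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = grant["user"]
        return access_token

    def profile(self, access_token):
        """'Access Resources / Profile'."""
        return {"user": self.tokens[access_token]}


class Consumer:
    """The relying site. Ties each login attempt to the browser session via state."""

    def __init__(self, sp, client_id, client_secret, redirect_uri):
        self.sp, self.client_id, self.client_secret, self.redirect_uri = sp, client_id, client_secret, redirect_uri
        self.pending = {}   # browser session id -> expected state

    def start_login(self, session_id):
        state = secrets.token_urlsafe(16)
        self.pending[session_id] = state
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "profile", "state": state})

    def callback(self, session_id, redirect_url):
        q = _query(redirect_url)
        expected = self.pending.pop(session_id, None)
        # Without this check an attacker can splice their own code into a victim's
        # session and log the victim into the attacker's account (login CSRF).
        if expected is None or not hmac.compare_digest(expected.encode(), q.get("state", "").encode()):
            raise PermissionError("state mismatch")
        token = self.sp.token(self.client_id, self.client_secret, q["code"], self.redirect_uri)
        return self.sp.profile(token)


def setup():
    sp = ServiceProvider()
    sp.register("lws-demo", "s3cret", "https://consumer.example/cb")   # constructed client
    return sp, Consumer(sp, "lws-demo", "s3cret", "https://consumer.example/cb")


def happy_path():
    """Full exchange for user 'alice' in browser session 'sess-1'."""
    sp, consumer = setup()
    redirect = sp.authorize(consumer.start_login("sess-1"), user="alice")
    return consumer.callback("sess-1", redirect)


def csrf_rejected():
    """Attacker gets a redirect for their own account and plants it in the victim's session."""
    sp, consumer = setup()
    attacker_redirect = sp.authorize(consumer.start_login("attacker-sess"), user="mallory")
    consumer.start_login("victim-sess")           # the victim's own state differs
    try:
        consumer.callback("victim-sess", attacker_redirect)
    except PermissionError:
        return True
    return False


def replay_rejected():
    """A code that has already been redeemed cannot be exchanged a second time."""
    sp, consumer = setup()
    redirect = sp.authorize(consumer.start_login("sess-1"), user="alice")
    code = _query(redirect)["code"]
    consumer.callback("sess-1", redirect)
    try:
        sp.token("lws-demo", "s3cret", code, "https://consumer.example/cb")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(happy_path(), csrf_rejected(), replay_rejected())
```

The two negative cases are the ones worth keeping in mind when wiring up a real provider: if the consumer skips the `state` comparison, `csrf_rejected()` would return the attacker's profile instead of raising, and if the provider kept codes reusable, `replay_rejected()` would hand out a second token for the same code. Real deployments add expiry on codes and tokens and, for OpenID Connect, verify the ID token's signature and audience, which this model leaves out.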