2. Google Confidential and Proprietary
Trying to eliminate passwords on the Internet
Where we’ve been
What we’ve learned
Where we’re going with Identity Toolkit
4. Which apps and websites are we talking about?
The vast majority of them, but not all of them
● A few apps are incredibly tightly knit to one IDP
● A few apps have stricter security or regulatory concerns
(can often be handled by layering on the flows we’ll discuss)
Where we’ve been What we’ve learned Where we’re going
7. Passwords
(wordpress.com)
● Usernames are hard to remember
● Passwords are hard to remember
● Typing is annoying
● Recovery based on email msgs
● Password databases get hacked
● Often no risk-based challenges
14. Federated login
Simple
Secure
...in isolation
18. Where we’ve been / What we’ve learned / Where we’re going with Identity Toolkit
19. Password and federation side-by-side is common
(opentable.com)
20. Password recovery as login is growing
(WeChat)
21. Password-only is still common
(nytimes.com)
22. What we’ve learned from federated login
Users are...
● being asked questions like “How do you want to authenticate?”
● confused by permissions and their privacy implications
● locked out when their IDP account is inaccessible
Developers are...
● still using username/password because it’s in frameworks
● (often unknowingly) not handling edge cases
30. Where we’ve been / What we’ve learned / Where we’re going with Identity Toolkit
31. Demos of Identity Toolkit v3
http://goo.gl/Bm1bpc
32. Identify the user, then authenticate
33. Existing users
Prompt for existing password
35. New users
Prompt to create password
37. Existing “Sign in with Google” users
Route to Sign in with Google login flow
39. Existing users
Password
sarah@comcast.net
nikhil@gmail.com
meng@outlook.com
bruno@yahoo.com
41. New users
43. New users
1. Identifiable IDP
2. Fast Email Verification
44. Fast email verification
Essentially doing a password reset email every time
...without sending an email
RP → IDP: provides the user’s email address
IDP → RP: True/False, is the email address signed in to the user agent?
User is authenticated
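The routing on slides 32 to 43 (existing password user, existing federated user, new user with an identifiable IDP, otherwise create a password) and the fast email verification exchange above, as an added Python example; this is not code from the deck or from Identity Toolkit. The RP user store, the domain-to-IDP map, the user-agent session ids, the IDP's signed-in state and the function names are all constructed for the illustration, and the fallback on a False answer (sending the classic verification e-mail) is an assumption the slides do not state.

```python
"""Identify the user, then authenticate.

Added example, not code from the deck or from Identity Toolkit. The RP user
store, the domain-to-IDP map, the user-agent session ids and the IDP's
signed-in state are all constructed for the illustration."""

from dataclasses import dataclass, field
from typing import Optional

# Constructed map: e-mail domain -> IDP the RP can federate with ("identifiable IDP").
IDENTIFIABLE_IDPS = {
    "gmail.com": "google.com",
    "yahoo.com": "yahoo.com",
    "outlook.com": "microsoft.com",
    "aol.com": "aol.com",
}


@dataclass
class RpUserStore:
    """RP account table: e-mail -> "password" or the IDP the account signs in with."""
    accounts: dict = field(default_factory=dict)

    def lookup(self, email: str) -> Optional[str]:
        return self.accounts.get(email.strip().lower())


@dataclass
class Idp:
    """IDP side: which addresses are signed in on each user agent (constructed)."""
    signed_in: dict  # user-agent session id -> set of e-mail addresses

    def is_signed_in(self, user_agent_session: str, email: str) -> bool:
        """The True/False answer from the slide. Only the address the RP already
        holds is confirmed, so no second consent screen is needed."""
        return email.strip().lower() in self.signed_in.get(user_agent_session, set())


def route_login(email: str, store: RpUserStore) -> dict:
    """Step 1: identify the user by e-mail; step 2: pick how to authenticate."""
    email = email.strip().lower()
    existing = store.lookup(email)
    if existing == "password":
        return {"step": "prompt_existing_password", "email": email}
    if existing is not None:
        # e.g. an existing "Sign in with Google" user: route to that IDP's login flow
        return {"step": "federated_login", "idp": existing, "email": email}
    idp = IDENTIFIABLE_IDPS.get(email.rpartition("@")[2])
    if idp is not None:
        # new user whose mail domain maps to an IDP: try fast email verification first
        return {"step": "fast_email_verification", "idp": idp, "email": email}
    return {"step": "prompt_create_password", "email": email}


def fast_email_verification(email: str, idp: Idp, user_agent_session: str) -> dict:
    """RP -> IDP: the address; IDP -> RP: True/False. True authenticates the user
    with no e-mail round trip. The RP must obtain this answer over an authenticated
    channel to the IDP; a bare boolean relayed by the browser proves nothing.
    On False the fallback assumed here is the classic verification e-mail."""
    email = email.strip().lower()
    if idp.is_signed_in(user_agent_session, email):
        return {"authenticated": True, "email": email}
    return {"authenticated": False, "step": "send_verification_email", "email": email}
```

The e-mail address is the only identifier the user types; everything after it is a lookup, so the "How do you want to authenticate?" question from the earlier slides never has to be asked.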
49. Where we’re going with Identity Toolkit
Fast email verification
● Avoid double consent since user gave the email address to the RP
● IDP could provide public info associated with the email if useful (profile picture, public username, etc.)
50. Where we’re going with Identity Toolkit
Typing an email address?! ...use an account chooser instead: accountchooser.com
53. Where we’re going with Identity Toolkit
Recap: Putting all of the pieces together
[demos, take 2]
54. Authorization is important though!
Limited permissions make login smoother for users
Incremental auth makes interesting apps possible!
● Calendar management services
● Social-recommendation-based services
● Cloud storage management/viewing services
56. How do sites enable this experience?
57. It should be easy, but it’s not
Developers shouldn’t need to be security experts.
~150k views
~65k views
~17k views
59. We’re making progress
60. But we’re not there yet
The easiest authentication system to build is username/password
It’s still the default
61. Google Identity Toolkit intends to lower the bar
Handles multiple protocols
● Google, Facebook, Yahoo, AOL, Microsoft and Paypal
● Just verify a JWT and issue a session cookie
● Same process for all IDPs, same format JWT for all IDPs
{
  "iss" : "https://identitytoolkit.google.com",
  "user_id" : 123,
  "aud" : "6332423432073.apps.googleusercontent.com",
  "provider_id" : "google.com",
  "exp" : 1407089191,
  "iat" : 1405879591,
  "email" : "jsmith@gmail.com"
}
{
  "iss" : "https://identitytoolkit.google.com",
  "user_id" : 123,
  "aud" : "6332423432073.apps.googleusercontent.com",
  "provider_id" : "facebook.com",
  "exp" : 1407089191,
  "iat" : 1405879591,
  "email" : "jsmith@gmail.com"
}
UX is hard to implement
● Pre-built widgets for Android, iOS, and JavaScript
Edge cases are everywhere (merging, mutating, marooning)
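What "just verify a JWT and issue a session cookie" looks like on the RP side, as an added Python example that is not Identity Toolkit's own library. The claim values are copied from the slide; the shared HS256 signing key, the helper names and the cookie attributes are assumptions so the block runs offline (the real toolkit signs tokens with Google's keys and the RP verifies against Google's published public keys, not a shared secret). The checks are the same whether `provider_id` says google.com or facebook.com, which is the point of the slide.

```python
"""Verify an Identity Toolkit-style JWT and mint a session cookie.

Added example, not Identity Toolkit code. The claims copy the slide; the
HS256 shared key is a stand-in for the real RSA verification."""

import base64
import hashlib
import hmac
import json
import secrets

EXPECTED_ISSUER = "https://identitytoolkit.google.com"
EXPECTED_AUDIENCE = "6332423432073.apps.googleusercontent.com"  # the RP's client id on the slide
DEMO_KEY = b"example-shared-secret-for-the-demo-only"              # constructed


class InvalidToken(ValueError):
    pass


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Stand-in for the IDP: HS256-sign the claims (assumption, see lead-in)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, now: int) -> dict:
    """Signature first, then iss/aud/exp/iat; only then are the claims trusted."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise InvalidToken("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject "none" and any algorithm we did not expect
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise InvalidToken("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:  # a token minted for another RP must not log in here
        raise InvalidToken("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise InvalidToken("expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        raise InvalidToken("issued in the future")
    return claims


def issue_session_cookie(claims: dict, now: int, lifetime: int = 3600) -> tuple:
    """Same step for every IDP: a fresh opaque session id; identity stays server-side."""
    session_id = secrets.token_urlsafe(32)
    record = {"user_id": claims["user_id"], "email": claims["email"],
              "provider_id": claims["provider_id"], "expires": now + lifetime}
    cookie = f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={lifetime}"
    return cookie, record


def demo() -> dict:
    """Run the two slide tokens (google.com and facebook.com) through the same path."""
    now = 1405879600  # constructed clock: just after the slide's iat, before its exp
    out = {}
    for provider in ("google.com", "facebook.com"):
        claims = {"iss": EXPECTED_ISSUER, "user_id": 123, "aud": EXPECTED_AUDIENCE,
                  "provider_id": provider, "exp": 1407089191, "iat": 1405879591,
                  "email": "jsmith@gmail.com"}
        verified = verify_jwt(sign_jwt(claims, DEMO_KEY), DEMO_KEY, now)
        cookie, record = issue_session_cookie(verified, now)
        out[provider] = (cookie.startswith("session="), record["provider_id"])
    return out
```

The audience check is the one most often skipped: a token that verifies correctly but was issued for a different RP's client id is still valid for that other RP, not for this one.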
69. Identity Toolkit intends to lower the bar
Migration for existing sites
1. Upload UIDs, emails, and passwords
2. Implement widgets
3. Slowly roll out federated login
○ Yahoo mail users slowly get migrated to Yahoo federation
○ Outlook users slowly get migrated to Microsoft federation
○ Gmail users slowly get migrated to Google federation
○ AOL users slowly get migrated to AOL federation
71. Thanks!
I’m Jack Greenberg
jgreenberg@google.com
See https://developers.google.com/identity-toolkit/ to implement it yourself