Tim Messerschmidt, PayPal @SeraAndroid
Presentation available on slideshare
OAuth2 client libs
- scribe https://github.com/fernandezpablo85/scribe-java
- postmanlib: another layer on top of scribe
- the lead author and editor left the working group and withdrew from the specification, as he felt he could no longer be associated with the standard
- OAuth 2 attack surface everywhere
- need to have proper security on server side
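The "proper security on server side" point, made concrete: the relying party's half of the authorization-code flow with an unguessable, single-use state value bound to the session and a callback handler that fails closed on any mismatch. This is an added example written for these notes, not code from the talk, the slides, or scribe; the provider URL, client_id and redirect_uri are constructed placeholders.

```python
"""Relying-party side of the OAuth 2.0 authorization-code flow.

Generates a fresh ``state`` per login, stores it server-side, and refuses any
callback whose ``state`` is missing, already used, or different.  All URLs and
identifiers below are constructed placeholders."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://provider.example/oauth2/authorize"  # placeholder
CLIENT_ID = "example-client-id"                              # placeholder
REDIRECT_URI = "https://app.example/oauth2/callback"         # placeholder


def begin_authorization(session: dict) -> str:
    """Store a new state in the server-side session and return the redirect URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the provider's redirect back to the app.

    Returns the body for the token-endpoint request on success and raises
    ValueError otherwise.  The pending state is removed from the session
    *before* it is compared, so a replayed callback can never succeed."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]

    if expected is None or received is None:
        raise ValueError("no pending authorization for this session")
    if not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: possible CSRF or session fixation")
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")

    # The token request must repeat exactly the redirect_uri used in the
    # authorization request; the provider rejects the exchange otherwise.
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }


def demo() -> bool:
    """Constructed walk-through: an honest callback succeeds once; a replay of
    it and a callback with a forged state are both rejected."""
    session: dict = {}
    url = begin_authorization(session)
    state = parse_qs(urlparse(url).query)["state"][0]

    good = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"  # constructed
    body = handle_callback(session, good)
    if body["code"] != "SplxlOBeZQQYbYS6WxSbIA":
        return False

    try:  # replay: the state has already been consumed
        handle_callback(session, good)
        return False
    except ValueError:
        pass

    begin_authorization(session)  # new pending login, attacker-supplied state
    try:
        handle_callback(session, f"{REDIRECT_URI}?code=attacker-code&state=forged")
        return False
    except ValueError:
        pass
    return True


if __name__ == "__main__":
    print("ok" if demo() else "FAILED")
```

The state is popped before comparison on purpose: a callback that fails validation still burns the pending login, so an attacker cannot keep guessing against the same value.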
Identity
OpenID
- developed 2005
- 2012: discovered you can hijack it
- considered dead :-(
BrowserID & Persona
- from Mozilla
- great idea, but nobody really uses it apart from them…
OpenID Connect
- layer on top of OAuth2
- http://openid.net/connect
- still a draft but looks really good
- has a whole section on session management (i.e. letting the user stop allowing that app)
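What the OpenID Connect layer adds on top of OAuth2 is the signed ID token, and the relying party has to validate it rather than trust it. The following is an added example for these notes (not code from the talk or from openid.net) showing the checks in the order they should run: pinned algorithm, signature, issuer, audience, expiry, nonce. It uses HS256 with the client secret as key so it runs on the standard library alone; real providers mostly sign with RS256, where the claim checks are identical and only the signature step changes. Issuer, client_id, secret and nonce values are constructed placeholders.

```python
"""Relying-party validation of an OpenID Connect ID token (HS256 variant).

All identifiers are constructed placeholders; nothing here is a real
provider's value."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://provider.example"       # placeholder issuer
CLIENT_ID = "example-client-id"           # placeholder audience
CLIENT_SECRET = b"example-client-secret"  # placeholder HS256 key


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_id_token(claims: dict, key: bytes = CLIENT_SECRET) -> str:
    """Build an HS256-signed compact JWS; used here only to construct inputs."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str,
                      now: Optional[float] = None,
                      key: bytes = CLIENT_SECRET) -> dict:
    """Return the verified claims or raise ValueError.

    The algorithm is pinned, so a token announcing ``alg: none`` or a
    different algorithm is rejected before any claim is looked at, and the
    signature is verified before the claims are trusted."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers bad segment count, base64 and JSON errors
        raise ValueError(f"malformed token: {exc}") from exc

    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected_sig):
        raise ValueError("bad signature")

    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences without matching azp")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: possible replay")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims


def demo(now: float = 1_700_000_000) -> bool:
    """Constructed cases: one valid token, then tokens that must be rejected."""
    good = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
            "iat": now, "exp": now + 300, "nonce": "n-0S6_WzA2Mj"}
    if validate_id_token(mint_id_token(good), good["nonce"], now)["sub"] != "user-123":
        return False
    rejects = [
        (mint_id_token(good), "other-nonce"),                          # replayed into another login
        (mint_id_token({**good, "exp": now - 1}), good["nonce"]),       # expired
        (mint_id_token({**good, "aud": "someone-else"}), good["nonce"]),  # wrong audience
        (mint_id_token({**good, "iss": "https://evil.example"}), good["nonce"]),  # wrong issuer
        (mint_id_token(good, key=b"wrong-key"), good["nonce"]),        # forged signature
    ]
    for token, nonce in rejects:
        try:
            validate_id_token(token, nonce, now)
            return False
        except ValueError:
            pass
    return True


if __name__ == "__main__":
    print("ok" if demo() else "FAILED")
```

The nonce check is what ties the ID token to the login the app actually started: the app generates it alongside the OAuth2 state, sends it in the authorization request, and only accepts a token that echoes it back.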
Providers
- 80-90% via Google, Facebook & Twitter
- all have their own SDKs that handle the OAuth for you
- PayPal added a new identity provider
- provides verified information
- it needs to become best practice to show which information will be shared each time
- Blue Inc 2011: Consumer Perceptions of Online Registration and Social Sign-In
- 45% admit to leaving a website instead of resetting their password or answering security questions
- 66% think that social sign-in is a desirable alternative
Q&A
- on mobile, an app can fake a web view and capture the user's identity
- this is why Facebook goes via its own app
- think about different social providers for different countries
- e.g. baidu for China, yandex for Russia
- see also Google Authenticator libraries for two factor auth