Tuesday 29 October 2013

Droidcon 2013: Authentication for Droids

Tim Messerschmidt, PayPal @SeraAndroid

Presentation available on slideshare

OAuth2 client libs


  • developed 2005
  • 2012: discovered you can hijack it
  • considered dead :-(
BrowserID & Persona
  • from Mozilla
  • great idea, but nobody really uses it apart from them…
OpenID Connect
  • layer on top of OAuth2
  • http://openid.net/connect
  • still a draft but looks really good
  • has a whole section on session management (i.e. stop allowing that app)


  • 80-90% via Google, Facebook & Twitter
  • all have their own SDKs that handle the OAuth for you
  • PayPal added a new identity provider
    • provides verified information
  • it needs to become best practice to show which information will be shared, each time it is shared
  • Blue Inc 2011: Consumer Perceptions of Online Registration and Social Sign-In
    • 45% admit to leaving a website instead of resetting their password or answering security questions
    • 66% think that social sign-in is a desirable alternative


  • on mobile, an app can fake a web view and capture the user's identity
    • this is why Facebook goes via its own app rather than an embedded web view
  • think about different social providers for different countries
    • e.g. Baidu for China, Yandex for Russia
  • see also the Google Authenticator libraries for two-factor auth
