1 of 40

2 of 40

Leave it to the professionals!

Eric Sachs

Director of Product Management for Identity

Google

3 of 40

Best quote of the week...

Building a login system is like paying taxes…

I know I have to do it

I don’t want to do it

I know I’m going to leave money on the table

4 of 40

IDaaS Categories

Employees � Okta, OneLogin, PingOne, Azure Active Directory, Centrify

... or Google Apps with SecurityKey support

B2C (Business-to-Consumer)

B2B (Business-to-Business/Extranet)

To find the slides search for:

Google Internet Identity Research

5 of 40

Making progress towards unphishable authentication

Enforcing the use of your security key through the Admin Console

Proprietary + Confidential

6 of 40

IDaaS Categories

Employees � Okta, OneLogin, PingOne, Azure Active Directory

... or Google Apps with SecurityKey support

B2C (Business-to-Consumer)

B2B (Business-to-Business/Extranet)

7 of 40

What’s the value for Google?

Proprietary + Confidential

8 of 40

Improving the search experience

9 of 40

Source: Blue Research & Instant Checkmate

54%

92%

73%

3’

Users will quit

before doing yet-another-signup

Users will give up if they don’t remember

a username or password

Users use the same password across multiple sites

For an expert hacker to crack the average password

10 of 40

Comprehensive UX flows - no user left behind

Android/Chrome

Google SignIN

IDaaS/DIY

11 of 40

Google Sign In - Old permission model

12 of 40

Google Sign In - New permission model

sebatest@testsebax.cl

test4test@testseba.cl

13 of 40

Android & Chrome Sign-ins assisted a month

8

billion

14 of 40

Google API for seamless sign-up and sign-in on Android

INTRODUCING

15 of 40

44%

increase in cross-device sign-in

16 of 40

20%

reduction in support contact volume

17 of 40

15%

increase in successful sign-ups on Android

Up to

18 of 40

Automatic

Sign In

Success

Sign Out

And SmartLock isn’t limited to Android. On Chrome we now have beta support for a W3C Credential Management API that is already being used by some web-apps to get features like auto-signin, and improved UX for password saving.

AliExpress is a great example of the kinds of flows that this API enables. It's a shopping application, and it is important for users to be signed in right away to ensure that they have access to their shopping cart, and to streamline the checkout process so that they can actually buy the things they want to buy.

AliExpress is actually an example of a ProgressiveWebApp which means it is a browser app, not an Android app, but it leverages new APIs like SmartLock and ServiceWorks and the ability for users to add a bookmark for the app to their home screen. Here, the user has added it, and when it's tapped, it loads up a shell, then populating it with information from the server.

During this flow, AliExpress will ask the browser for the user's credentials. The browser is able to provide them, and AliExpress can seamlessly sign the user in using the mechanisms we've just discussed.

19 of 40

10X

account creation

Find out more about these partners at

g.co/SmartLockCaseStudies

20 of 40

Secure

Improve email sign-in security

Token-based authentication in place of email verification or manual password entry.

Cryptographic assertion of user identity from Google

21 of 40

Comprehensive UX flows - no user left behind

Android/Chrome

Google SignIN

IDaaS/DIY

22 of 40

All you need to do is build this…

23 of 40

Even if you could build that yourself...

Do you have a secured UX for account linking so the user (not hijacker) gets to pick their IDP?

Do you allow remote session revocation for a user whose IDP account was hijacked?

Are you using NAPPS on mobile?

What about other common mobile mistakes (email or user ID substitution attack, Access token substitution attack, requesting unnecessary permissions, Getting ID Token for your backend)

24 of 40

IDaaS Categories

Employees

B2C (Business-to-Consumer)

B2B (Business-to-Business/Extranet)

All the challenges of B2C plus...

... lots and lots of IDPs (one of which is your Employee IDP)

... async user provisioning including meta-data like group membership

25 of 40

Who are the professionals?

Start with the OpenID Foundation:

http://openid.net/foundation/sponsoring-members/

Shared UX & security best practices (including alerts of security issues with protocols/implementations)

Focus on IDaaS, not software

Otherwise impossible to keep up with security & UX issues

The title of this talk is “Leave it to the professionals,” so let’s talk about finding them.

Start with the OpenID foundation. That group doesn’t just focus on the OIDC protocol. They are a small group of people across a few companies tracking the latest UX best practices, and more important the security aspects of the protocols. When a significant security issue is identified, the responsible disclosure process we use involves first distributing the information to those OIDF members so they can evaluate the threat in their products. They can usually update IDaaS offerings quickly, and then prepare messaging for customers of their software products.

While there are OIDF members with software IAM products , Google suggests trying to minimize the use of software approaches for authentication if there is any UI involved. Based on the last 5 years of experience, it is just not reasonable to keep up with the evolving security and UX issues.

26 of 40

Who are the professionals?

27 of 40

Identity made simple for developers

is like

or

for Identity

28 of 40

Azure AD: The Vision

Customers

On-premises

Partners

Azure

Cloud

Public

cloud

Microsoft Azure Active Directory

A modern identity management system spanning cloud and on-premises, providing federation, identity management, device registration, user provisioning, application access control & data protection.

BYO

Windows Server

Active Directory

29 of 40

Super-fast getting started

Console setup, client & server SDKs, pre-provisioned back end

High conversion end user UX� Customizable open source, Smart Lock, Identifier First, Sign-in & Sign disambiguation

Best practices in security

Session management, safe account linking, standards based, abuse prevention

Firebase Authentication

30 of 40

Gigya Platform Overview

CONNECT

Registration & Access Management

COLLECT

CONVERT

Engagement

Share / Reactions

Customer Identity Management Platform

Commenting / Reviews

Loyalty / Gamification

RaaS

Analytics and Content

Identity Management

Data Exchange Services

IDX

Customer Insights / Query Tool

On-Demand APIs

ETL

(Extract, Transform, Load)

31 of 40

Janrain solution overview

Real-time validation
MFA, OTP, Biometrics
Identity services

Scoped access for governance
Legal compliance management

Customer segmentation
Customer journey analytics
Real-time synchronization

40+ applications
Anonymous-to-known

31

32 of 40

Okta Application Network

Mobility Management

Single Sign On

Adaptive MFA

Provisioning

Universal Directory

C ustomers

P artners

C onsumers

S uppliers

Social Authentication

Inbound

Federation

Connecting to External Identities

Native

Mobile Apps

Portals

32

33 of 40

ALL USERS & DEVICES

ALL APPLICATIONS

SaaS

Public/Private

Apps

On-prem�Applications

Employees

Partners

Customers

Consumers

Things

Billions of devices

All environments + web / mobile / API

34 of 40

Amazon Cognito Identity and User Experience Today

Amazon�API Gateway

Sign in with Facebook

Or

Username

Password

Sign In

Or

Start as a guest

Amazon Cognito Identity

Federated Identities and Secure Access to AWS Service for Apps

Authenticate via 3 ^rd party Identity Providers

Guest Access

Authenticate via Developer Provided Authentication

Amazon Cognito Identity provides temporary credentials to securely access your resources

Amazon�DynamoDB

Amazon S3

35 of 40

IDaaS -> Users

IDaaS is focused on Authentication UX & Security

Vendors have other user account focused offerings:

User meta-data, Claims management, ACLs/Authorization, Marketing, Analytics, …

AuthN is usually interchangeable

36 of 40

Firebase

Develop

your app

Grow

usage

Earn

more money

37 of 40

Grow

Earn

Notifications Console

Durable Links

Invites

App Indexing

AdWords

AdMob

Analytics

Develop

Backend Services

Realtime Database

File/Image Storage

Authentication

Remote Config

Hosting

Cloud Messaging

App Quality

Test Lab

Crash Reporting

38 of 40

IDaaS Categories

Employees

B2C (Business-to-Consumer)

B2B (Business-to-Business/Extranet)

39 of 40

Comprehensive UX flows

No user left behind

Search for “Google Internet Identity Research” to find these slides

Android/Chrome

Google SignIN

IDaaS/DIY

40 of 40

USE

PASSWORDS,

NOT TOO MANY,

MOSTLY LOCKSCREENS.