TRANSCRIPT
An iOS Authentication Architecture for All
How to stop reinventing the auth wheel
Tuesday, September 3, 13
Great Apps
What makes an app truly great?
Amazing First Impressions
Reliable and Secure
Connected
Personal
WHAT’S THE BIG DEAL?
Identity has a Role to Play
But, There’s A Problem
It’s Complicated
So we end up like...
Instead we should...
Spend Time Building Features that ROCK
The good news...
There’s a Pattern for That
‘Simplicity is the ultimate sophistication.’
- Steve Jobs
So, auth is complicated.
Why?
It’s not our core competency.
Tons AND TONS of Detail.
Never stops evolving.
and so...
we spend a lot of time
and, we get frustrated.
Not only is it complicated,
it can lead to poor user experiences.
like...
The Wall
Account creation
Passwords
Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords
However, the big issue is...
So what do we need?
Tools, APIs, & Services
That are...
Easy & Secure
Simple. Accessible.
Rely on Experts
Is there a painkiller?
But first...
Fav MOV
Demo
/RCacheaux/FAVMOV
Ok. Let’s personalize.
Need Username and Profile Photo
To be or not to be custom is the question.
Identity Provider
Salt & Hash Passwords
Provide Two Factor Auth
Use Modern Irreversible Hash Function
Automatic Monitors
Operate Help Desk
Choose Wisely
Relying Party
Ok. Enough Vocabulary
Using an Identity Provider
1. Pick an Identity Provider
2. Register Client
3. Incorporate API
4. Code Against API
Let’s pick an IDP...
Authentication vs Authorization
Scoping
Demo
‘That’s great, but what if my users don’t have Facebook accounts.’
Let’s pick another IDP...
ARCHITECTURE
Before, let’s walk through the code.
Demo
Now we can hold another IDP, which one?
ARCHITECTURE
Accounts Framework
Recommended Identity Providers
What if my identity provider does not have an iOS API?
So you want a server
Backend as a Service
Now, you need custom accounts.
Sign In vs Sign Up
What about custom back-ends?
1. Secrets & Tokens
2. Single Sign On
3. Two Factor Authentication
Get, Store, Use
Getting Tokens
Basic HTTP Authentication
The Access Token
A word about OAuth 1
OAUTH 1
Where to Store?
The Keychain
The Operating System
Server-side
Browser Cookies
The Flows
(diagram of four flows: the App obtaining tokens via an IDP App, a Browser, a UIWebView, or the OS)
How to Use Tokens
HTTP Authentication
1. Secrets & Tokens
2. Single Sign On
3. Two Factor Authentication
Sharable Tokens
Across Apps
Across Devices
Across Platforms
1. Secrets & Tokens
2. Single Sign On
3. Two Factor Authentication
The future
biometrics
ID
More in accounts framework
Less Custom Accounts
Account Chooser
cross Platform sign on
WHAT’S THE BIG DEAL?
Taking care of identity has many benefits...
Improve Lives
More Usage
Less of this
And More of this
remember
delight your users
Resources
OAuth 2.0 RFC: http://www.ietf.org/rfc/rfc6749.txt
HTTP Authentication RFC: http://www.ietf.org/rfc/rfc2617.txt
OpenID Connect: http://openid.net/connect/
Twitter Integration (WWDC 2011)
Integrating With Facebook, Twitter and Sina Weibo (WWDC 2012)
Protecting Secrets with the Keychain (WWDC 2013)
Google IO 2013
Identity Tech Overview: Less Pain, More Gain: https://developers.google.com/live/shows/576883641
How to Offer Google+ Sign-In Alongside Other Social Sign-In Services: https://developers.google.com/live/shows/601975672
Backend as a Service
Parse: http://www.parse.com
Windows Azure Mobile Services: http://www.windowsazure.com/en-us/develop/mobile/
Account Chooser: http://www.accountchooser.com
Tim Bray’s Ongoing Blog: https://www.tbray.org/ongoing/
Libraries
GTM OAuth: https://code.google.com/p/gtm-oauth/
Facebook iOS SDK: https://github.com/facebook/facebook-ios-sdk
Google+ Sign In: https://developers.google.com/+/
/RCacheaux/FAVMOV