GlueCon 2013 Notes: Keynote: Fear and Loathing and Scalable Kindness on the Internet – Tim Bray, Google

Keynote: Fear and Loathing and Scalable Kindness on the Internet – Tim Bray, Google

  • You go to signup for a new website: “No! Not another password!”
  • There are many bad ways to choose and manage passwords, and a few that aren’t easy but work fine
  • Password rules are inhumane and hurt your business and the business of others
  • Get out of the password business, or else use salted, encrypted (not hacked yet) techniques with two-factor authentication and 24/7 staff support with help for those who need it
  • http://buyaccs.com – lists of accounts, by domain, available for sale (wow)
  • Now, people expect to login via Facebook, Google, or old school password
    • aka “NASCAR pages” with lots of stickers for each network supported (Facebook, LinkedIn, Google, etc)
  • The future will require one-click sign-ins and two-click signup, with no passwords
  • Identity technologies that work
  • OAuth2 and OpenID (Google betting big on both)
  • Brian Campbell’s slides from yesterday: http://goo.gl/Sj1UF
  • OAuth2 produces an access token to allow someone to access to a resource
    • Use the HTTP header ‘Authorization’ (e.g. Authorization: Bearer ya29.AHES…)
    • Can use the Google tokeninfo service to peek into an access token
    • Access tokens should be short-lived
    • The access token is unencrypted, so it must be transmitted over TLS (https)
  • Refresh tokens
    • Never expires unless revoked
    • Works on behalf of the user 24/7
  • An ID token
    • structured, with three sections (first and last are crypto details)
    • The payload in between is signed
    • Can obtain the public key from Google (they are refreshed every 24 hours), removing need to hit Google service
    • gem install google-id-token for a Ruby library to do it
    • signed by an issuer (“iss”)
    • asserts that the user (“sub”) is authenticated by that issuer
    • is meant for a particular recipient (“aud”) and
    • may have been issued to a particular authorized party (“azp”)
    • The ID token is unencrypted, so it must be transmitted over TLS (https)
    • https://www.tbray.org/ongoing/When/201x/2013/04/04/ID-Tokens
  • Demonstrated Ruby quickstart demo for Google+ OpenID/OAuth2 integration: https://developers.google.com/+/quickstart/ruby
  • Plenty of libraries for all languages/platforms to integrate with OAuth2 services
  • Tim’s message: Start using OAuth2 and OpenID, stop using passwords
  • Cross-client identity
    • Provides a holistic view of identities across clients/devices
    • All apps within Google are registered, so all apps (mobile, web, etc) should allow for sharing of identity tokens across devices
    • One unicorn and rainbow: Shared Access-Token grant
    • Two unicorns and rainbows: Shared sign-in with ID tokens
    • Three unicorns and rainbows: Mobile app gets offline Web-app access
  • Study how OAuth works – it is a frozen RFC, its crypto and security stories are good and accepted (and Google is OK with it)
  • Be kind to our users – stop making them type in passwords (esp on mobile devices)
  • Do what you can – use the existing libraries, don’t reinvent the flows
  • Get out of the password business – put up a brick wall for the bad guys, even if it will be hard to do – do it
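The ID token checks from the notes above (three base64url sections, signed payload, verify with the issuer's public key, then check “iss”, “sub”, “aud” and expiry), as an added Ruby example that is not from the talk, the post, or the google-id-token gem. The issuer key, issuer URL and client ID are constructed stand-ins; a real verifier uses Google's published, rotating public keys instead of generating a key pair.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed key pair standing in for one of Google's rotating signing keys
# (assumption: a real verifier fetches the public half from Google's published
# key set and caches it, as the notes describe, rather than generating it).
ISSUER_KEY = OpenSSL::PKey::RSA.new(2048)
ISSUER = 'https://accounts.example.test' # constructed issuer ("iss") value
MY_CLIENT_ID = 'my-web-app.example'     # constructed audience ("aud") value

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Builds header.payload.signature (the three sections); used here only to
# construct sample tokens, since the issuer normally does this, not the app.
def mint_id_token(key, claims)
  head = b64url(JSON.generate({ alg: 'RS256', typ: 'JWT' }))
  body = b64url(JSON.generate(claims))
  sig = key.sign(OpenSSL::Digest.new('SHA256'), "#{head}.#{body}")
  "#{head}.#{body}.#{b64url(sig)}"
end

# Returns [true, claims] or [false, reason]. The signature is checked before
# any claim is trusted, and alg is pinned so an unsigned ("none") token fails.
def verify_id_token(token, public_key, expected_aud:, expected_iss:, now: Time.now.to_i)
  head, body, sig = token.split('.')
  return [false, 'malformed: expected three sections'] if sig.nil? || token.count('.') != 2
  header = JSON.parse(Base64.urlsafe_decode64(head))
  return [false, "unsupported alg #{header['alg']}"] unless header['alg'] == 'RS256'
  signature = Base64.urlsafe_decode64(sig)
  digest = OpenSSL::Digest.new('SHA256')
  return [false, 'bad signature'] unless public_key.verify(digest, signature, "#{head}.#{body}")
  claims = JSON.parse(Base64.urlsafe_decode64(body))
  return [false, 'wrong issuer (iss)'] unless claims['iss'] == expected_iss
  return [false, 'not meant for us (aud)'] unless claims['aud'] == expected_aud
  return [false, 'expired (exp)'] unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  return [false, 'no subject (sub)'] if claims['sub'].to_s.empty?
  [true, claims]
rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError => e
  [false, "undecodable: #{e.class}"]
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  token = mint_id_token(ISSUER_KEY, { iss: ISSUER, sub: '1234567890', aud: MY_CLIENT_ID, azp: MY_CLIENT_ID, iat: now, exp: now + 3600 })
  p verify_id_token(token, ISSUER_KEY.public_key, expected_aud: MY_CLIENT_ID, expected_iss: ISSUER)
end
```

A token whose “aud” is some other client, or whose payload was edited after signing, is rejected even though it came from the right issuer, which is the point of checking the signature and audience rather than just decoding the payload.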