1 of 30

2 of 30

The Cutting Edge: Standards at work in Google's mobile focused future

Eric Sachs, Google, Director of Product Management, Identity

Pam Dingle, Senior Technical Architect, Ping Identity

3 of 30

4 of 30

5 of 30

6 of 30

7 of 30

8 of 30

We sent a verification code to (415) 114-0090

(555) 867-5309

Enter Google Account PIN

Forgot PIN?

Finding your Google Account with MobileCo

9 of 30

10 of 30


Sign in & registration on mobile is too painful

11 of 30

Save Eventbrite password securely with Smart Lock?

12 of 30

mlaaker@gmail.com

13 of 30

Don’t overthink

14 of 30

15 of 30

Registered

Not registered

16 of 30

returning user

with password?

YOUR APP

eric@gmail.com

NEXT

Email address

Choose an account

Eric Sachs

eric@playthesachs.biz

Eric Sachs

esachs@google.com

Eric Sachs

eric@gmail.com

CANCEL

Select authentication method

Input existing password

Authentication at Identity Provider

new user?

returning federated login user?

17 of 30

New UX, New Signals - backed by Standards

  • You can have the same UX as Google
  • http://accountchooser.com
    • Simple Login Hints protected by consent, standards
    • Overseen by OpenID Foundation http://ac.openid.net
  • Two added features
    • Identifier-first form
    • Protocol support for OpenID Connect login_hints
  • Cast:
    • The IDP: Integral Curve
    • The RP: Hipstabank
    • The User: Alice

Try it:

http://hipstabank.com/business demonstrates Federated Flows

18 of 30

What you Saw in the Demo

  • Login Hint
    • Hipstabank signalled Integral Curve to help initiate a login
  • Identifier First Login Flow
    • Integral Curve took the hint, only prompted for password
  • Account Record Stored
    • Hipstabank pushed an identifier and provider id into Account Chooser
  • AccountChooser Record Selected
    • Alice can click once to discover IDP, identify user, initiate SSO
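The login-hint and identifier-first steps listed above, sketched as an added example (not code from the slides, Hipstabank, Integral Curve or Google). The endpoint URLs, client ID and function names are hypothetical placeholders, and the ID token claims are assumed to have already passed signature validation.

```python
# Added example: all URLs, IDs and function names are constructed placeholders.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

IDP_AUTHZ_ENDPOINT = "https://idp.example/authorize"  # hypothetical IDP endpoint
CLIENT_ID = "rp-client-id"                            # placeholder client ID
REDIRECT_URI = "https://rp.example/callback"          # hypothetical RP callback

def normalize(identifier):
    # Assumption: identifiers are compared case-insensitively.
    return identifier.strip().lower()

def build_auth_request(identifier):
    """RP side: turn the identifier-first form value into an OIDC request."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "scope": "openid email",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,   # binds the response to this browser session
        "nonce": nonce,   # binds the ID token to this request
        "login_hint": normalize(identifier),
    }
    return IDP_AUTHZ_ENDPOINT + "?" + urlencode(params), state, nonce

def idp_first_screen(request_url, known_accounts):
    """IDP side: the hint only pre-fills; the user must still authenticate."""
    query = parse_qs(urlsplit(request_url).query)
    hint = query.get("login_hint", [""])[0]
    if hint in known_accounts:
        return {"screen": "password", "prefill": hint}
    return {"screen": "identifier", "prefill": ""}

def rp_check_result(hinted, id_token_claims, expected_nonce):
    """RP side: trust the validated ID token, never the hint it sent."""
    if id_token_claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    email = normalize(id_token_claims.get("email", ""))
    return {"email": email, "matches_hint": email == normalize(hinted)}
```

The account the RP signs in is the one named in the ID token; `matches_hint` only tells the RP whether the user ended up authenticating as a different account than the one typed into the form.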

19 of 30

What you Saw in the Demo

  • Account Event Detect & Publish
  • Signal Generation
  • Downstream Security Decisions
    • Session invalidation
    • Token Revocation

20 of 30

YOUR APP

eric@gmail.com

NEXT

Email address

Choose an account

Eric Sachs

eric@playthesachs.biz

Eric Sachs

esachs@google.com

Eric Sachs

eric@gmail.com

CANCEL

YOUR APP

eric@gmail.com

NEXT

Email address

Choose a method

CANCEL

Create a password


YOUR APP

eric@gmail.com

NEXT

Email address

Choose an account

Eric Sachs

esachs@google.com

Eric Sachs

eric@gmail.com

CANCEL

Thank you for registering, Eric

Eric Sachs

eric@gmail.com

21 of 30

YOUR APP

eric@gmail.com

NEXT

Email address

Choose an account

Eric Sachs

eric@playthesachs.biz

Eric Sachs

esachs@google.com

Eric Sachs

eric@gmail.com

CANCEL

Thank you for registering, Eric

Eric Sachs

eric@gmail.com

Yep!

eric@

gmail.com?

Google

Fast IDV

22 of 30

23 of 30

24 of 30

All you need to do is build this…

25 of 30

Google Identity Toolkit

26 of 30

For your employees...

  • Pick an IDaaS provider from the many vendors in the market
  • Or combine them as Netflix did (Google Apps + Ping “Identity Bridge”)

27 of 30

Search for “Google Internet Identity Research” to find these slides and others from Google

28 of 30

NEW YORK

29 of 30

SAN FRANCISCO

30 of 30

LONDON