OAuth 2 is the latest version of the OAuth standard, unlocking authorized access to user data from dozens of different APIs like YouTube, Google Apps and Facebook in a way that is easier than ever for developers. OAuth 2 can now be used via OpenID Connect to let users log in and sign up with apps faster, with less developer effort.
This session will cover how web and mobile applications can take advantage of this technology to improve the experience and security of user accounts.
More and more, SSO “out in the wild Internet” means signing into a service with credentials that are managed by some other company (an identity provider). The less information you require to create an account (reusing data users have already filled out elsewhere), the less drop-off you see in sign-up numbers. Building your own security layer well is difficult. Focus on what the user expects you to need and ask for, and work with that data transparently.
Single sign-on was a great promise: let the big identity providers handle authentication and identity, and your website gets all the benefits of a streamlined registration process for free! Anyone who has ever tried to implement it, however, knows it never really works that way. In the real world it is a lot messier, especially once you add mobile, multiple providers, and integration with an existing account system. We’ll discuss best practices for making it work, handling the gnarly edge cases with security and identity issues, and how to make sure the user experience is as painless as possible. The panel will include platform representatives from Facebook, Twitter, and Google.
Session: “sso—why does it suck so often?”