What’s new with sign up and sign in on the web (Google I/O ’18)
So today's session is about what's new with sign up and sign in on the web. Are you enjoying Google I/O so far? We only have a few hours left for the rest of Google I/O, but I'm pretty sure we'll be excited to learn new things from this session. OK, so I need to have this clicker. So let me start with this question: for you, what makes a good sign up and sign in? We consider there are three principles. First, good security. Sign-in is the most important gatekeeper for a website to protect users' data from abusive actions and attackers. Building a website with a vulnerable or poorly designed sign-in mechanism gives attackers a chance to abuse your website, and in the worst case it critically hurts your business. So building your website with first-class security is quite important. But that doesn't mean that you can sacrifice user experience. In many cases, adding better security creates more hurdles and introduces more friction for your users to enter your website. To be considered a user-first web experience, you should make sure entering your website is as seamless as possible while having good security. And finally, good sign up and sign in are often forgotten as a critical part of the user flow. Developers tend to be more excited about ideas and innovative features and pay little attention to making their sign up and sign in secure and low-friction. That's why it's important that building them is easy enough and low-cost.

Today we'll dive into three topics: One Tap sign up and auto sign in, reCAPTCHA v3, and web authentication. Let's get started. Implementing sign up and sign in securely using a username and password is challenging. I'm not saying that it's technically impossible, but the user's safety heavily relies on how they manage their own passwords. Their passwords could be weak, forgotten, reused or stolen. Balazs is going to explain more about
these challenges later in this session, but this is why we've been recommending identity federation for many years. Identity federation is a way for users to sign up or sign in using an account hosted on a third-party website, which is called an identity provider. Identity federation is usually built upon standards such as OpenID Connect or OAuth. With identity federation, users do not need to create additional passwords, you can delegate security challenges to an identity provider, and you can receive profile information from that identity provider. And as many of you know, Google is one of such identity providers. You can already take advantage of the Google Sign-In button to enable identity federation on your website. At Google I/O last year I briefly talked about a JavaScript library that makes sign up simpler, and at Chrome Dev Summit last year we officially announced it as One Tap sign up and auto sign in. It's a new user experience for identity federation with Google that allows users to sign up with exactly one tap.

We have a number of partners already on board or implementing with this library, and they're producing amazing results. Let me briefly talk about a few of them. Redfin, a real estate company in the US, saw an eighty percent increase in sign-ups after implementing One Tap sign up. Likewise, over 40 percent of these new users returned to their website more than five times after signing up. Trivago is one of the world's leading hotel search engines, present in 55 countries. It gained fifty percent more new sign-ups, with twice as many signing-in users, after implementing this library. Cifra Club and Letras, popular music websites in Brazil for chords, lyrics and songs, got 43 times more users signing up after integrating One Tap sign up. This is not a typo: I said forty-three times, which means four thousand three hundred percent more users. That's an incredible figure. And user engagement such as favoriting artists, creating playlists or
viewing chords has also increased nearly fifty percent per user. This is impressive. So here's how it works. The user opens the sign-up page, picks one of the Google accounts, and they're signed up. It's just that; it takes less than ten seconds. The animation on the slide might be a little too quick to catch what's going on, but it's actually that easy. One Tap sign up is revolutionary because, on top of those benefits that I briefly mentioned earlier in this session for identity federation in general, it's completely password-less and involves only one tap for users to sign up. No email verification is required. Think about it: you have to open up an email client, find the right email and click a link in that email. It's kind of an inconvenience, right? You are able to fully eliminate that step for the user. It's a big deal. And third, it works across all modern browsers.

Applying this API is quite simple. Start with loading this JavaScript library. Once it's loaded, show a sign-up prompt by calling this method, googleyolo.hint, and it goes on to show an account chooser. You need to create a client ID at the Google developer console in advance. It should be pointed out that since this is a powerful API, we are reviewing sites that are making use of this library. Once a user taps on one of the accounts, the promise will resolve and you will receive a result that contains an ID token. Use the ID token to verify the user's identity on your server. If you already have a Google Sign-In backend, you can reuse it. Once the ID token is verified, extract the user's profile information and start a new session, and the user is signed up. As a bonus, when the user session expires or the user lands on your website from a different device, you can let the user sign back in automatically. To perform auto sign in, simply call googleyolo.retrieve to obtain the user
ID token. Then you can use the ID token to let the user sign back in and resume a session. By the way, you might have heard about an API called the Credential Management API. It's an open web API to handle credentials using JavaScript. The library actually consumes this Credential Management API behind the scenes if the browser supports it. And if there is a stored password for the website, when you retrieve an existing credential it will give you a username and password instead of an ID token, so you can use that information to authenticate the user. When a user clicks the sign-out button, the user probably wants to stay signed out. In such cases, call googleyolo.disableAutoSignIn. That way, googleyolo.retrieve will stop returning an ID token until the user explicitly signs back in.

So that's One Tap sign up. Let me recap. One Tap sign up is secure because it's Google's identity federation. It provides a great user experience for users to sign up with just one tap, and auto sign in. It's easy to implement with a few simple APIs. To learn more about One Tap sign up, please visit developers.google.com/identity and you'll find more detailed documentation.

OK, so far I've been talking about identity federation, but I guess that many of you might be interested in some solutions for when you are using a username and password. Earlier in this session I talked about challenges with passwords. What can you do if an attacker already knows your user's password and tries to hijack the account? In many cases account hijacking is done by bots. This means if you could filter out bots, the number of account hijacks should decrease. And that's what reCAPTCHA does. Six years ago it asked users to read distorted text, but we knew we could do better. We then developed reCAPTCHA v2, where users are able to simply click a checkbox to verify. v2 is smart enough to determine if an interaction is abusive just
with that simple gesture, and if reCAPTCHA is still uncertain it asks an additional challenge, like "select all images with a street sign". This is an example question many bots cannot answer easily, and we are protecting over two million websites every week from spam and abuse. But what progressed likewise is the attacks against reCAPTCHA. Over the last several years, they have progressed from brute force or random guess bots to smarter and even AI-based bots. They began applying machine learning solutions and abusive humans to try to break these challenges and attack websites. But we want to stop bots whether or not they can find the street signs in a set of images.

Today we are announcing the public beta of reCAPTCHA v3. This new version comes with three brand-new things at a high level. First, it requires no interactive challenges. Second, it scores traffic with the adaptive risk analysis engine. And third, it breaks down your traffic by actions. Let me step you through each one. In v3, reCAPTCHA detects whether the interaction with your website is abusive without even a single click. This means you can keep your website safe without interrupting any users. And instead of a simple yes-or-no answer, it will give you a score which ranges from 0 to 1.0. The score is calculated by the reCAPTCHA adaptive risk analysis engine and the signals from interactions with your website. Based on the score, you can define your own threshold to determine whether you should do further verification on the request. Let's say you get a login request with a fairly low score of 0.2. In that case, for example, you can request an additional authentication factor such as email verification, or send an email to an admin to ask for moderation, or throttle requests from bots as a protection from scraping. To use reCAPTCHA, first load the JavaScript library. When the user submits the form, request a reCAPTCHA token and
finally submit the form along with the token. One delightful thing about v3 is that it enables you to deploy it into almost all parts of your website, not just the sign-up page but also many other places, for example from the home page to the checkout path, logins, posting comments and reviews. Wherever your website has potentially high-risk actions, you can protect it with reCAPTCHA. To do so, you can define a tag for each action. Actions will also become a signal into the adaptive risk analysis engine. As a result, you can treat scores differently depending on the actions. Also you can see the traffic breakdown and score distribution per action in the reCAPTCHA admin console.

So that's reCAPTCHA v3. Let me recap. reCAPTCHA v3 makes your website more secure by stopping bots. It doesn't require a user gesture, by eliminating challenges, so there's zero friction. It gives you the flexibility as to how you want to treat suspicious traffic. To gain a better understanding of reCAPTCHA v3, please visit g.co slash reCAPTCHA v3 IO.

OK, I've been talking about two new features from Google, but I'd like to make a transition to talk about an open web API, the Credential Management API. I briefly spoke about it earlier in this session. As I said, One Tap sign up wraps the Credential Management API, but it focuses on identity federation with Google. If you choose to use other identity options such as username and password, you should use the Credential Management API. We have already covered this topic at Google I/O last year, so let me quickly recap. It's an open web API that allows you to handle credentials using JavaScript. With this API you can enable things like auto sign in, or signing in with the browser's native account chooser. It can handle two kinds of credentials: password credential and federated credential. And now we have a new type of credential being added to this API, which is called public key credential. With that, let me invite Balazs
to talk about web authentication.

Thank you, Eiji. Hi everyone, I'm Balazs, I'm a software engineer on the Chrome web identity team. Eiji already mentioned that passwords create a number of issues. I would like to talk a little bit more about two of them in particular. The first one is password reuse, when your users are using the same password on numerous different websites, and the second one is phishing, when attackers trick your users into entering their credentials into bogus websites. Historically these issues have been really hard for developers to address because they both have to do with your users being only human. So suppose one of your users, let's call her Jane Doe, has accounts on 50 different websites. What do you think, on how many other websites is Jane using the same password that she is using on your site? To answer that question we've calculated some statistics client-side among Chrome password manager users, and if Jane is anything like them, she will be reusing that password on ten different websites. That's 20% of all her accounts. What does that mean? It means that if Jane's password is compromised on any one of those ten websites, it's compromised on all of them, including yours. So how often does this happen? According to another study, during a period of just one year, data breaches exposed a total of 1.9 billion usernames and passwords. So this means that even if you have implemented all the password management best practices, for instance you serve your login page and preferably your entire website over HTTPS, you never store or log plaintext passwords, you always hash passwords, and perhaps you do even more, you're still not done.

So suppose you are using two-factor authentication to log in. Jane has to enter her password plus an OTP, a one-time password, for instance a six-digit number that she receives on her phone. Surely Jane is safe now, right? Well, unfortunately OTPs are phished just as easily as passwords. Let me show you what happens. As
soon as Jane enters her password into the phishing page, the attacker connects to the real website and starts a login flow using the freshly stolen password. The real website asks the attacker for the OTP. The attacker in turn asks Jane. In the meantime the six-digit code is sent over SMS to Jane's phone. Jane is under the impression that she's logging into the real website, so she expects that she gets asked for the one-time password. So as soon as the code arrives, she enters it into the phishing page. The attacker then simply forwards the OTP to the real website, and with that they just gained access to Jane's account. The same attacks are possible if Jane is using time-based OTPs generated by an app on her phone or a hardware token, or if to sign in Jane has to confirm the login attempt on her mobile device. The problem is that in all of these cases we really rely on Jane, a human, to recognize when she's not on the real website but on a phishing site. Recall the study from before: it also estimates that around twelve point four million users fell victim to phishing during the same one-year period.

This is why last year at I/O we recommended using security keys instead. Many of you are familiar with the U2F, universal second factor, security keys that look like this. Some of you may even be using them for two-factor verification. The prime advantage of security keys over OTPs is that they cannot be fooled by phishing. Security keys talk directly to the browser. They can easily verify that the URL of the page that Jane is visiting is the legitimate URL, and not a slightly different URL corresponding to a phishing website. So this removes the human error factor. It is no longer Jane's burden to verify the URL. But if security keys are so awesome, how come we aren't all using them on every website already today? Unfortunately a key piece of the puzzle had been missing. Previously there hadn't been a good way to access security
keys on the web. Some of you are already familiar with the U2F JavaScript API, which was a great first step, but it also had a number of limitations. For instance, it wasn't available across all browsers. And this is why I'm super excited about the web authentication API, which is a brand new web platform API that provides a standardized way of using strong authentication on the web. The new API is coming to major browsers and will be available on both mobile and desktop platforms, and in fact I'm delighted to announce that you can already try out the initial feature set with the latest Chrome beta.

So let's see what makes this API so great. First, it's backwards compatible with existing U2F security keys. The very same key that you registered through the U2F API can now be used through the web authentication API. That means that you can migrate your website from U2F to WebAuthn without any user-visible changes. But WebAuthn is much more than just a new API. WebAuthn also enables authenticators that come in a variety of form factors, much more exciting than USB hardware tokens. So if hardware tokens are not your cup of tea, don't fall asleep just yet. WebAuthn also brings many new features that enable exciting new use cases. The single most important feature is probably that authenticators can now perform user verification. This means that the authenticator can locally validate the user. If Jane drops her authenticator on the street, you cannot just pick it up and use it; it exclusively responds to Jane. User verification can take many forms. It can be done using biometrics such as a fingerprint scan, or an easy-to-remember PIN code. And we are not only talking about external hardware tokens. With WebAuthn, the built-in fingerprint reader in your laptop or phone can also become a user-verifying authenticator. Regardless of the form factor, what makes user-verifying authenticators so interesting is that they do not need to be combined with passwords to
implement two-factor authentication. There is already something that you have and something that you are. So you get great security and you also get a great user experience: you no longer have to type your password, which is especially frustrating on mobile devices. So let me show you what I'm talking about. Can we switch to the demo device, please? Suppose that I'm browsing the web and I find something I want to buy. I have with me a phone with a fingerprint sensor. So suppose I have this camera accessory, that's really nice, that's a really good deal for just 10 cents. So I add it to my cart, then I go to checkout, and then I choose to complete my checkout with PayPal. I get redirected to PayPal, and because PayPal supports the web authentication API, I can easily verify my identity using just my fingerprint. Sorry, select the credit card, shipping address, then I get redirected back to the merchant, and there my order is confirmed. So I didn't have to type a password, and it was still secure, and it was a so much better user experience. Back to the slides, please.

So how does that all work? First, let's take a look at how authenticators work in the first place. All WebAuthn authenticators use public key cryptography. There is a one-time setup flow during which the user registers an authenticator with an account. During enrollment, the authenticator generates a new public/private key pair. The private key is stored locally and cannot be removed from the authenticator. The public key is sent to the server. Then every time the user wants to authenticate, they have to prove to the website that they possess the private key. This is done through a challenge-response based protocol. The web server sends a challenge to the authenticator, which in turn uses the private key to produce a cryptographic signature over this challenge. The signature is sent to the web server, which verifies it against the public key. And with
user-verifying authenticators, releasing this signature is also gated on successful user verification, such as a fingerprint scan. So your fingerprint never leaves the device; it's only used to locally unlock the authenticator.

Now let me walk you through the one-time setup flow in more detail. You did not see this in the demo because I already did this last week. There are three important participants in this flow: the authenticator itself, the web application running in the browser, and the web server. Suppose that it is once again Jane who is now setting up the fingerprint reader in her phone as an authenticator. To kick off the enrollment flow, the server first generates a challenge, a large random number that will only be used for the registration process and thrown away later. The server stores the challenge in association with the user account and sends it along with user information to the web app running in the browser. The web app then calls the web authentication API. This is what it looks like in code. As Eiji mentioned, WebAuthn extends the Credential Management API, so it's available under navigator.credentials. To create a new public key credential, you call create with the publicKey option. You specify the challenge that you got from the server, user information that will be displayed on the authenticator if it has a display, and the crypto algorithms that you wish to use. In addition to these parameters that we just specified, the browser also adds the authoritative domain name of the requesting web application. Then all this information is sent to the authenticator, which asks for user consent. This is required so that malicious websites cannot use the API to track the user; this protects the user's privacy. Once user permission is given, the authenticator creates a new public/private key pair. It stores the private key internally along with the credential ID, user information and, importantly, the domain name this
credential belongs to. Then the API call is resolved with the public key credential, which contains the unique identifier, the public key, and a signature calculated over the challenge, the domain name, the public key, the credential ID and some other parameters. The web app then forwards these values to the server. There you need to validate the signature, and as the last step, if the signature checks out, the server stores the credential ID and the public key in association with the user's account. And don't forget to invalidate the challenge; it's only valid for one transaction. This concludes the enrollment flow, and remember, you only have to do this once.

Now let's take a closer look at how Jane can use the authenticator to log in without a password the next time. The starting state here is that the authenticator already has a private key and the server has a corresponding public key in association with Jane's account. Remember that authentication is accomplished using a challenge-response based protocol, where Jane calculates a cryptographic signature to prove possession of the private key. So once again the flow starts with the server generating a challenge, a large random number which is used to prevent replay attacks. Then the server gives the credential ID and the challenge to the web application, which in turn calls the web authentication API again. To create a cryptographic signature, you need to call navigator.credentials.get with the publicKey option. You specify the challenge that you got from the server, the credential for which you want to get a cryptographic signature, and here you see that we also ask the authenticator to locally verify the user. In addition to these parameters that we just specified, once again the browser obtains the authoritative domain name of the requesting web application and sends all this information to the authenticator. The authenticator looks up the info stored for this credential ID. Next, and this is very important, the
authenticator checks that the domain name of the requesting website matches the one that was provided at the time the credential was created. This is what makes these authenticators resistant to phishing. If Jane is on a phishing page with a slightly different URL, the authenticator will notice the discrepancy. So next, if it is really the right website, the authenticator performs local verification using the fingerprint reader. If the fingerprint checks out, the authenticator uses the private key to generate a cryptographic signature over the domain name and the challenge. The API call is resolved with this signature, which is sent to the server. There, once again, it is verified that it corresponds to the challenge and the public key, and if it does, then the server considers Jane's authentication successful. And last step again: don't forget to invalidate the challenge. This concludes the registration, sorry, the authentication flow.

But if you have dealt with a large user base, you know that you cannot just replace your identity management overnight. What's also great about WebAuthn is that it enables you to adopt it one step at a time. You can use more and more of the API to get more and more of the security and usability benefits. First, you can use it as a drop-in replacement for the U2F API for second-factor authentication. Then, with minimal changes, you can implement password-less re-authentication before sensitive activities such as making a purchase, for instance. This can be done using the fingerprint reader built into a phone or a portable device. And finally, once your users warm up to the idea of signing in using a fingerprint or a hardware token, you might even consider making it their primary login mechanism. To summarize, we discussed the web authentication API, which provides strong authentication on the web using public key cryptography. It brings new features and form factors that enable a password-less login experience, making it very
easy for your users to sign in to your site securely, and it all comes in the form of a simple to use, standardized, open web platform API which is available across all platforms and browsers. With that, let me hand it back to Eiji to wrap it up.

OK, thank you, Balazs. So we've walked through three new exciting features for the web: One Tap sign up and auto sign in for ultimately low-friction signing up and signing in, reCAPTCHA v3 for zero-friction bot prevention, and web authentication for stronger authentication with an open standard API. I have just tweeted with hashtag #io18, and we have published an article about it. By now you should have understood what makes good sign up and good sign in: good security, good user experience and good developer experience. If you have any questions, please visit us at the web sandbox, which is right next door. And finally, we'd love your feedback on our session today at google.com/io/schedule. With that, we hope you enjoyed our talk. Thank you very much.
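Eiji's One Tap section says to "use the ID token to verify the user's identity on your server" but the talk shows no server code. The following is an added example, not code from the talk or from Google's library: a Node.js relying-party check of an RS256 ID token (signature, issuer, audience, expiry). It assumes a locally generated RSA key pair standing in for Google's published signing keys, a placeholder client ID, and the documented Google issuer values; only the two real issuer strings come from outside this example.

```javascript
// Added example, not code from the talk or from Google's library: server-side
// verification of the ID token that One Tap hands to the page. Google's real
// signing keys are fetched from its JWKS endpoint; here a locally generated RSA
// key pair stands in for them so the example runs offline.
const crypto = require('crypto');

// Constructed key pair playing the role of the identity provider's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Placeholder client ID; a real one comes from the Google developer console.
const CLIENT_ID = 'PLACEHOLDER-client-id.apps.googleusercontent.com';

// Issuer values Google documents for its ID tokens.
const GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'];

function b64url(buf) {
  return Buffer.from(buf).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(str) {
  let s = str.replace(/-/g, '+').replace(/_/g, '/');
  while (s.length % 4) s += '=';
  return Buffer.from(s, 'base64');
}

// Mint an RS256 JWT the way the identity provider would (demo only; a relying
// party never does this itself).
function mintIdToken(claims, key = privateKey) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify(claims));
  const signingInput = `${header}.${payload}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), key);
  return `${signingInput}.${b64url(signature)}`;
}

// Verify signature, issuer, audience and expiry. Returns the claims on success,
// null on any failure. `now` is injectable so expiry can be tested deterministically.
function verifyIdToken(token, { now = Math.floor(Date.now() / 1000), key = publicKey } = {}) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(b64urlDecode(h).toString('utf8'));
    claims = JSON.parse(b64urlDecode(p).toString('utf8'));
  } catch (e) {
    return null;
  }
  // Pin the algorithm: the token must not be allowed to pick "none" or an HMAC alg.
  if (header.alg !== 'RS256') return null;
  if (!crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, b64urlDecode(s))) return null;
  if (!GOOGLE_ISSUERS.includes(claims.iss)) return null;               // issued by Google
  if (claims.aud !== CLIENT_ID) return null;                            // issued for this site
  if (typeof claims.exp !== 'number' || claims.exp <= now) return null; // not expired
  return claims;
}
```

The audience check is the one most often skipped: without it, an ID token minted for any other site's client ID would log the user into yours. In production the verifying key is selected by the token's `kid` header from Google's JWKS, which is the part this offline example replaces with a local key.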
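The reCAPTCHA v3 part of the talk says to set your own per-action thresholds on the 0 to 1.0 score and, for a low score such as 0.2 on login, to ask for an extra factor rather than simply block. The following is an added example, not code from the talk or from the reCAPTCHA library: the server-side decision a form handler can make from the parsed siteverify response. The response field names (`success`, `score`, `action`, `hostname`, `error-codes`) are the documented ones; the policy numbers, hostnames and sample responses are constructed for this example. The client-side half, calling `grecaptcha.execute(siteKey, { action: 'login' })` and posting the token with the form, is the part the talk describes and is not repeated here.

```javascript
// Added example, not code from the talk or from the reCAPTCHA library: how a server
// can turn a reCAPTCHA v3 siteverify response into a decision. The field names
// (success, score, action, hostname) are the documented ones; the per-action
// policy and the sample responses below are constructed for this example.

// Scores at or above `allow` pass silently; scores at or above `stepUp` get an
// extra verification step (e.g. email confirmation); anything lower is blocked.
// The action tag is the one the page passed to grecaptcha.execute().
const POLICY = {
  login:   { allow: 0.5, stepUp: 0.2 },
  signup:  { allow: 0.7, stepUp: 0.4 },
  comment: { allow: 0.5, stepUp: 0.3 },
};

// `verifyResponse` is the parsed JSON returned by the siteverify endpoint for the
// token the form submitted. `expectedAction` and `expectedHost` come from the
// server's own knowledge of which endpoint is handling the request.
function decide(expectedAction, expectedHost, verifyResponse) {
  const policy = POLICY[expectedAction];
  if (!policy) return 'block';                                  // unknown action: fail closed
  if (!verifyResponse || verifyResponse.success !== true) return 'block';
  // A token minted for one action must not be accepted for another; the same
  // goes for a token minted on a different hostname.
  if (verifyResponse.action !== expectedAction) return 'block';
  if (verifyResponse.hostname !== expectedHost) return 'block';
  const score = Number(verifyResponse.score);
  if (!Number.isFinite(score)) return 'block';
  if (score >= policy.allow) return 'allow';
  if (score >= policy.stepUp) return 'step-up';
  return 'block';
}

// Constructed sample responses, shaped like real siteverify output, all arriving
// at the login handler of example.com.
const SAMPLES = [
  { success: true, score: 0.9, action: 'login', hostname: 'example.com' },
  { success: true, score: 0.2, action: 'login', hostname: 'example.com' },   // the talk's 0.2 case
  { success: true, score: 0.05, action: 'login', hostname: 'example.com' },
  { success: true, score: 0.9, action: 'signup', hostname: 'example.com' },  // token for another action
  { success: false, 'error-codes': ['timeout-or-duplicate'] },               // expired or replayed token
];

function demo() {
  return SAMPLES.map(r => decide('login', 'example.com', r));
}
```

Binding the decision to the action and hostname is what makes the per-action tags the talk mentions worth anything on the server: a high-scoring token obtained on the home page cannot be submitted to the login endpoint, and a token for another site's page is not accepted just because it verified.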
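Balazs walks through the WebAuthn enrollment and authentication flows in words: one-time server challenges, a key pair that never leaves the authenticator, a signature over the challenge plus the domain name, the authenticator refusing to sign for a domain other than the one enrolled, and the server invalidating each challenge after use. The following is an added example, not code from the talk or from any browser or library: a Node.js simulation of that exchange with the authenticator and the relying party as two objects, so the replay and phishing checks can be exercised offline. It assumes `example.com` as the relying party ID and `examp1e.com` as a constructed look-alike, replaces the browser's `navigator.credentials.create()` / `.get()` and the authenticator transport with direct calls, and signs a simplified `rpId || challenge` layout rather than the real `authenticatorData || hash(clientDataJSON)` structure; the ECDSA P-256 signing itself is real.

```javascript
// Added example, not code from the talk: a Node simulation of the WebAuthn
// registration and authentication exchange described above. The browser API
// (navigator.credentials.create / .get) and the authenticator transport are
// replaced by direct function calls so the protocol logic runs offline; the
// signing (ECDSA on P-256, COSE alg -7) is real. Simplification: the authenticator
// signs rpId || challenge (|| public key || credential ID at registration) instead
// of the real authenticatorData || hash(clientDataJSON) layout.
const crypto = require('crypto');

// Authenticator side: private keys never leave this object, and every credential
// remembers the RP ID (domain) it was created for.
class Authenticator {
  constructor() { this.creds = new Map(); }

  create({ rpId, challenge, userVerified }) {
    if (!userVerified) throw new Error('user consent/verification required');
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    const credentialId = crypto.randomBytes(16).toString('hex');
    this.creds.set(credentialId, { rpId, privateKey });
    const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
    const signed = Buffer.concat([Buffer.from(rpId), challenge, Buffer.from(publicKeyPem), Buffer.from(credentialId)]);
    return { credentialId, publicKeyPem, signature: crypto.sign('sha256', signed, privateKey) };
  }

  get({ rpId, challenge, credentialId, userVerified }) {
    const cred = this.creds.get(credentialId);
    if (!cred) throw new Error('unknown credential');
    // The phishing check: the origin asking for a signature must match the one enrolled.
    if (cred.rpId !== rpId) throw new Error(`rpId mismatch, refusing to sign for ${rpId}`);
    if (!userVerified) throw new Error('user verification failed');
    const signed = Buffer.concat([Buffer.from(rpId), challenge]);
    return { credentialId, signature: crypto.sign('sha256', signed, cred.privateKey) };
  }
}

// Relying party (server) side: one-time challenges and a public key per user.
class RelyingParty {
  constructor(rpId) { this.rpId = rpId; this.pending = new Map(); this.users = new Map(); }

  newChallenge(username) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(username, challenge);
    return challenge;
  }

  // Consume the challenge so the same response can never be accepted twice.
  takeChallenge(username) {
    const c = this.pending.get(username);
    this.pending.delete(username);
    return c;
  }

  finishRegistration(username, { credentialId, publicKeyPem, signature }) {
    const challenge = this.takeChallenge(username);
    if (!challenge) return false;
    const signed = Buffer.concat([Buffer.from(this.rpId), challenge, Buffer.from(publicKeyPem), Buffer.from(credentialId)]);
    if (!crypto.verify('sha256', signed, publicKeyPem, signature)) return false;
    this.users.set(username, { credentialId, publicKeyPem });
    return true;
  }

  finishAuthentication(username, { credentialId, signature }) {
    const challenge = this.takeChallenge(username);
    const user = this.users.get(username);
    if (!challenge || !user || user.credentialId !== credentialId) return false;
    const signed = Buffer.concat([Buffer.from(this.rpId), challenge]);
    return crypto.verify('sha256', signed, user.publicKeyPem, signature);
  }
}

// Drive the whole exchange; the "browser" role is the glue that supplies the rpId
// from the page's origin. Returns the outcome of each step.
function runScenario() {
  const auth = new Authenticator();
  const rp = new RelyingParty('example.com');              // constructed RP ID
  let challenge = rp.newChallenge('jane');
  const reg = auth.create({ rpId: 'example.com', challenge, userVerified: true });
  const registered = rp.finishRegistration('jane', reg);

  challenge = rp.newChallenge('jane');
  const assertion = auth.get({ rpId: 'example.com', challenge, credentialId: reg.credentialId, userVerified: true });
  const authenticated = rp.finishAuthentication('jane', assertion);
  const replayed = rp.finishAuthentication('jane', assertion);   // challenge already consumed

  // A look-alike domain relays a fresh challenge; the authenticator refuses to sign it.
  challenge = rp.newChallenge('jane');
  let phishingRefused = false;
  try {
    auth.get({ rpId: 'examp1e.com', challenge, credentialId: reg.credentialId, userVerified: true });
  } catch (e) {
    phishingRefused = true;
  }
  return { registered, authenticated, replayed, phishingRefused };
}
```

Two things the simulation makes concrete that the narrative only states: the replay failure comes purely from the server deleting the challenge on first use, with no extra bookkeeping, and the phishing refusal happens on the authenticator before any signature exists, which is why the OTP relay attack from earlier in the talk has nothing to forward. In a real deployment the browser, not the page, supplies the rpId from the origin, so the page cannot lie about it.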