Universal login

Universal Login, Daniel Wilkey (dgw2109), Cellular Networks and Mobile Computing, Spring 2014


Page 1: Universal login

Universal Login

Daniel Wilkey

dgw2109

Cellular Networks and Mobile Computing

Spring 2014

Page 2: Universal login

Outline

Why we hate logins

Open ID

Universal Login

Demo

Future Work

Questions

Page 3: Universal login

Why We Hate Logins

Remembering passwords

Can I really trust this site?

How do they know it’s me?

I don’t want to enter my personal information

• PayPal for credit cards

What if someone hacks my account?

What if I forget to log out?

Page 4: Universal login

Open ID [2007]

Make an account with Google/Yahoo/PayPal and use it everywhere

Same protocols can be used to verify an account with any identity provider

No identifying info needed to create an account (just an email)

Little-implemented extension for exchanging attributes (OpenID Attribute Exchange)

• Google does local password / account info save instead

Heterogeneous implementations of user profile

Does not address the trust issue

• No banks used Open ID

Page 5: Universal login

Universal Login

Single, secure* site for user authentication

Client app runs on each device and manages security for that device

Safe, approval-driven method for exchanging private user data

Easy, push-notification-based protocol for managing logged-in devices

• Apps can log out of private screens without refresh and without battery drain

Web authentication protocol is proprietary and unpublished; consumer apps only know how to communicate with the local client

Security standard can be published for all users to review

Would not be used for social networking

Page 6: Universal login

Universal Login - Architecture

Server written with AppEngine

Maintains session info, user data

Android App client

Allows user to sign up, log in, log out, and update profile

Receives requests from other apps to log in / retrieve data

Allows user to log out all other devices

• Listens to push notifications to know when to log out

• Rebroadcasts server log out notifications so that local apps are aware

Page 7: Universal login

Universal Login - Architecture

Resource optimized

Recipient apps do not need a connection to the remote server (no chance of being sloppy)

App login and data fetch are handled with a single request to limit traffic

Secure

No user data other than session info is saved locally

All private data is delivered on demand
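
The architecture on the two slides above, modelled as an added example (not the presenter's code; the real protocol is unpublished, so every class, method and field name here is an assumption). It shows the local client holding only a session token, answering an app's login and data request in one approved call, and rebroadcasting a pushed logout to local apps.

```python
import secrets

class RemoteServer:
    """Stand-in for the AppEngine server: holds sessions and all user data."""
    def __init__(self, profiles):
        self._profiles = profiles          # user -> {attribute: value}
        self._sessions = {}                # session token -> user

    def open_session(self, user):
        token = secrets.token_urlsafe(16)
        self._sessions[token] = user
        return token

    def fetch(self, token, fields):
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("session is not valid")
        return {f: self._profiles[user][f] for f in fields}

    def revoke(self, token):
        self._sessions.pop(token, None)

class LocalClient:
    """Per-device client: stores the session token only, never profile data."""
    def __init__(self, server, approve):
        self.server, self.approve = server, approve   # approve(app, fields) -> bool
        self.token = None
        self.listeners = {}                # app name -> logout callback

    def sign_in(self, user):
        self.token = self.server.open_session(user)

    def login_request(self, app, fields, on_logout):
        """One request from a local app covers both login and data fetch."""
        if self.token is None or not self.approve(app, fields):
            return None                    # not signed in, or user declined
        data = self.server.fetch(self.token, fields)  # on demand, not cached
        self.listeners[app] = on_logout
        return data

    def on_push_logout(self):
        """Push notification from the server: drop session, tell local apps."""
        self.token = None
        listeners, self.listeners = self.listeners, {}
        for notify in listeners.values():
            notify()
```
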

Page 8: Universal login

Demo - Create Account

Welcome email sent to subscriber

Page 9: Universal login

Demo - Sign In

Page 10: Universal login

Demo - User Profile

Page 11: Universal login

Demo - Sign In / Data Exchange

Page 12: Universal login

Demo - Multi-Device Logout

Page 13: Universal login

Future Work

Fix minor* security flaws

Introduce means of user identity establishment

2-factor authentication

MacOS/iOS, Windows OS/Phone, and Linux clients

• Potentially a web-based client as well

Personal data exchange audit log

Page 14: Universal login

Questions?