Duration 41:26

Leverage Google Identity to reduce sign in friction and abuse

Naveen Agarwal
Federated Identity Team at Google
2018 Google I/O
May 8, 2018, Mountain View, USA

About speakers

Naveen Agarwal
Federated Identity Team at Google
Luke Camery
Product Manager at Google
Treffyn Koreshoff
User experience researcher at Google
Steven Soneff
Product Manager at Google

Naveen Agarwal is also the lead for the Federated Identity team at Google. In this role he is responsible for Sign-in with Google (Android, iOS and web), SmartLock for passwords, Firebase Authentication, SSO on Android, iOS for Google apps and on Google's various devices. He architects technical solutions to deal with security and fraud, as well as enhances user experience while contributing to the industry standards around OpenID Connect and OAuth2. Prior to his work at Google, Mr. Agarwal served as the di


Luke is the product manager for OAuth abuse and developer experience. In his role, he works to make sure that OAuth remains easy to use for third party developers, but that bad actors can't take advantage of our users. His coverage includes OAuth developer registration, app reviews, developer communications, and counter abuse. Luke started his career at Google after graduating phi beta kappa and magna cum laude from Brown University with a concurrent bachelor's degree in Computer Science and Economics and m


Treffyn is a user experience researcher on the Federated Identity team. In this role he focuses on how end users understand and use Identity Providers like Google. He identifies pain points, best practices, and opportunities to improve the user experience of signing in with Google. Originally from Sydney, Australia, Treffyn has a background in Human Computer Interaction (HCI) and before that, Documentary film.


Steven is product manager for Google's developer APIs for authentication and account security. He previously worked as an engineer on Android apps at Google, did development at several start-up companies, and wrote the original Facebook Android SDK launched in 2010.


About the talk

Account hacking makes headlines every day, and building usable, secure systems is hard - what are developers to do? Learn how to leverage the ease and security of Google Accounts to improve sign in experiences and reduce abuse across your web and mobile apps, and Actions on Google. Best of all, these technologies are free and easy to implement.


My name is Treffyn Koreshoff on Google and that means that I get to talk to end users about how they use different cool things online. But before I can talk to people about how they use the great things they are building a nest and that's what this is really about. It's about making those sign-in and account creation moments a little less painful and a bit more magical. So if you use a username and a password, sign-in or account creation moments in what you're building, then you are in the best possible place you could be at I/O right now. No matter whether you work more on the product

development side of things, in which case we've got some great UX to show you which will help increase conversion the valuable users get the smiley. Whether you're on the development side, where we've got some cool code snippets and libraries that will help make Google identity integration to what you're building extremely simple. Or whether you, like hopefully we all do, care about the security and privacy of what you're building, we'll take you behind the scenes and show you some of the security that goes into Google identity. And what date is Jed? Even if you have no registration flow at

all, I'd actually encourage you to stick around because we think that you'll see some cool things today that you may want to add to your site anyway. So I'm just here for an introduction, and as part of that I'd like to share with you the four things that annoy me about sign-in and account creation moments. Now, not to give the punchline away, but these are all four things that Google identity can help you with. Set the tone of friction. Let's imagine that your user has just got a new phone, new device, and is signing back into everything. At this point they're probably thinking, you may

have had this experience a password again, or they wouldn't be alone in Hawaii's governor. Maybe you decide to add this Sign in with Google button or something similar to help your users not have to remember that username and password. Well, this is great. But what happens if we can get rid of this whole sign-in screen altogether? It might look a little something like this: the user arrives on your site or app for the first time, new phone, and is just signed immediately straight back in. I know it could be a hostage on the bottom is to his people arrive on your site

and it just automatically signs straight back in. Let's just skip the whole sign-in screen altogether. Because it isn't just about sign-in. It's also about account creation, and account creation has huge drop-off sometimes, and it can be for a variety of reasons. But even for a short sign-up form like this one we see drop-off at 40% or more. Now you might be hoping that your users have some sort of password autofill, and that's great if they do, but even if they do you're still taking them out of the flow, out of what they were doing, to a separate sign-up page, not ideal

see what happens. We could take this whole sign-up process and move it into one click. And they're into the site. So I can't hear I'm showing it to you on the first page the first time somebody opens your app, but the magic of this is you can take this and place it wherever it makes most sense in your flow. It doesn't have to be the beginning when they can be worried about they have most intent to create an account. So it is one tap contextual account creation where it makes most sense for you. The second thing well actually just briefly am an

example from somebody who has integrated. This is Redfin, who had an 80% increase in the number of new users once they introduced this one tap, seamless, contextual account creation. Second thing is security. If you look at the passwords that people use online these days, they're often weak, they're often reused, and they're susceptible to phishing. Now we're going to be diving into the security behind it, like I mentioned, so I'm not going to go into it too much here, but suffice to say that Google identity can help with this and it's the same, again, to give away the punchline,

it brings the same security that we use for Google accounts on google.com. The third thing that can annoy me about sign-in and account creation is quality. You spend a lot of time and money getting people to a site or app and maybe they convert. Maybe they change into a user, but how many of your accounts look like this? Maybe this is an extreme example, but even if a real person with a real email address comes to your site, they may not be as engaged as you'd like them to be, and we hear time and time again from people who used Google use used like that say that Google users. I don't really

more engaged on a platform, but they create less spam. So at this point you might be thinking: okay, great. This sounds great. I've got some point for in my sight comes with great security and you're telling me it helps keep the quality of the account. I think I don't have time for this, to which I would say that we have worked really hard to get everything you've just seen and more available to you in just a few lines of code. Again, we'll take you through that in the second half of this. So just a really quick recap sign up an account create sign in at

account creation moments can be some of the most valuable for your account fuel sites, but they're often the most frictionful. When we replace that with one tap account creation and automatic sign-in. Security is in the news a lot lately. Feel free to use Google's. You spend a lot of time and money getting people to your site Victor give yourself an advantage and get engaged, active users, and lastly, do away with all of the maintenance for these screens to just a few lines of code that you implement once. So these are just a few of the things that Google identity can help you with.

It's all I'm going to talk you through today, but I'd like to invite three people up on stage who are going to talk you through how you can get this yourself, some other examples of places that this is what, and also how it works. I'd like to invite Luke, Naveen and Steven up on stage. Thank you, Treffyn. My name is Naveen Agarwal. I'm the Angels Lead at Google Federated team and I've been in the space from the beginning when you couldn't use all this magic and Tiaras. Luke, who's the new product manager, and Steven, who's been in the space for a long time.

So Luke, you were telling me that you're not convinced about all this magic, about this whole federated identity thing, with what the user experience is like. How does the magic really work? I think let's start from the basics. Lots of people say what's this magic within the Earth you actually use all these identity providers every day. If you have any ID card in your pocket, that means you use an identity provider: a driver's license, your employee ID or passport. And what happens is this ID has some information about you

and you go to a place where they want to verify some information. What do you do? You take out the ID card which they accept, you show it to them. They verify that it has the right attributes, it's the right ID card, you haven't tampered with it, and then they let you in. And what happens in the online world nowadays, the state is pretty different. You go to the brand new site letter here. We need to create a new ID card for you. And then we are going to verify who you are. And look at what it would look like in the real world.

So you go to a bar. They say wait, you need to create a new ID card before we let you in. What would it look like? You'll be carrying a stack of ID cards on a daily basis, probably a thousand, and the burden on each and every show would be that they have to set up a system to create ID cards for everybody who walks in. If they forgot the ID card, it's a huge cost. But that's what everybody does right now on the online when they create their own authentication system. You sign up for my site and remember a password, and that's essentially getting a separate ID card for

each of the sites. And if you just replaced it with a very basic identity provider, you get a token from Google and then they just accept it, and it's that simple. And the experience is fairly straightforward: you go to the site, you see one of the identity providers they accept. In this case, if you click on login with Google, you go to your identity provider. They generate a card for the ID one and essentially send it back through the magic, which we'll talk more about, and you are in, and it's much more convenient for the user

and for everybody. And what happens inside ID cards, many people wonder. We have created what we call an ID token and it's very similar to the ID card which you carry. It has some information about you and some cryptographic information for them to verify that it is authentic. And essentially this is the ID card which the identity provider generates. In a sense, it makes it so much easier using the identity which you already have in the digital world. Does that help? Thanks, Naveen, that gives me a really good overview, but I'm still really

curious what it's like for our users going through this. I know when I come to the sign-in screen, there's all these buttons and I'm not sure which one to click, or what happens if I click one last time and I try and pick a different one, or if I already have a password on the account. I'll probably, like most people, just end up hitting forgot password and going to the email reset flow, because that way I really know that I'm getting back into the right account. Steven, I know you spent a lot of time thinking about what our user experience should look like. Is there a better way than this? Well, you're

completely right, Luke, that this user experience confusion is one of the top reasons why sites, apps and end users are still using usernames and passwords today. And we thought a lot about them. I'm really excited to talk about the innovations we're making in this space. We're thinking about new ways to get users signed in and signed up. What I'd like to focus on today is an experience we call One Tap account creation. It's a new way for end users of Google's identity systems to share their basic information with a site or an app that they're using with a single click.

It can be shown inline on the page without the user even having to navigate to a full login screen or find the Google sign-in button. Once the user taps, this information is conveyed to the site or the app that they're using and they're able to log into an existing account or helped create a new one. To really illustrate this, what we're going to do is switch over to a demo and show you this in real life. Okay. So what I've got here is a version of Chrome running in the Young mobile at emulation mode. You can see we're emulating an iPhone device. This works across all

platforms including iOS, and I have a user signed in here, her name is Elisa. Elisa is preparing for a trip and wants to visit that site that she heard about called Hipmunk. Hipmunk has this really cool user interface, and imagine as she loads up the Hipmunk site, she'd like to identify herself to keep track of the travel that she's planning across devices. Now that UI that I just mentioned shows up at the bottom here. Elisa is able to say that it's okay for this site to know who she is without having to go and find the login screen, figure out sign in, sign up, or determine

which button she needs to press or which one she pressed last time. So let's try it out. With one click, you'll see that Elisa's account is active here on Hipmunk. And this is a live site. You can actually go and try it out yourself on your phone to see how it works. Let's go back to the slides. Now how does this perform? Well, Hipmunk has actually come back to us and told us that this has dramatically increased the rate at which users are creating accounts with their service, and in turn unlocking this opportunity to personalize their experience

across devices. But it's not just here on the mobile web. We've had this opportunity to streamline and assist in account creation on Android for some time. If you've been to our talks in the past, you might have seen some of the stats and numbers like this. By incorporating a one tap identity experience, creating an account with just a single gesture, apps like HotelTonight have been able to improve their book out and conversion rate by things like 20 to 30%. That's pretty phenomenal for just a simple UX change and improvement to the user's experience. We appreciate

of course that it's not just about acquiring these new users who might be visiting for the first time. You have a lot of existing users and it would be really a shame if all those existing users had to identify themselves again and again across devices. After all, today people are using multiple phones. They're using tablets and their desktop computer. So what we offer here is the ability for people who have used a site or an app before, coming back to that same service across platforms, to be signed in without having to find the login screen. So let's take a look at an example of how

that works. Let's switch back to the demo device. Now to simulate a new device, what I'm going to do is actually switch over to an incognito tab. Now, you'll notice that in this incognito tab we're in the full desktop version. So imagine this is Elisa coming back on a desktop machine where she'd like to perhaps complete a booking that she was searching for from mobile earlier. As you can see, we have a link to the Hipmunk site. And what I'd like to do here is draw your attention to the top right that as imagine. Elisa comes back on the desktop site. You'll see that her

information is being retrieved by the web property and used to sign her in without having to navigate or even remember to go through a login flow. At this point, you can see that things like her previous search history are immediately available right across devices. So it's really this opportunity to have people come back to your site, not have to repopulate their shopping cart, redo all the searches. They can continue where they left off of the shopping cart ready. So let's switch back to the slides and see how this one performs. To protect nuggets also been

equally impressive. The proportion of users who are using their site in a signed-in state and getting that personalized experience has gone way up. We have other numbers from folks like AliExpress really even saying that their conversion rates go up for these users who are signed in automatically. And to call out one more stat that we've seen from Android over the years, we've had big apps like Netflix using an automatic sign-in experience with data saved in their Google account, whether that's the Google account itself or things like saved passwords, and it resulted in a dramatic reduction in the

support inquiry volume. So quick people who are signed in automatically don't have to call up a help desk to ask for information about their subscription or get back into their account if they get stuck. If you put all these pieces together, I think we really are opening the door for a much better user experience across the web and apps. There's this one tap sharing of identity that streamlines the experience to say who you are. There's an automatic sign-in for people who are coming back and want to stay signed in; you don't even have to go to the login screen anymore. And

finally, there's the opportunity to unlock this personalized experience that continues across devices. I'll add one more thing here, that is that we still have the traditional button-based flows. That's the baseline that you'll have to implement across all platforms to handle edge cases like when the user is not signed in, but really the hope is the D technology can optimize and improve the common cases for users who are visiting your site or app, that they never even have to see the login screen at all, and hopefully that will address a lot of those problems and questions that you brought up, Luke.

Thanks, Steven, that honestly looks like a far better future than what I was seeing on that complicated button-based screen, but at the same time I think a lot of people still have questions when it comes to using an identity provider about data sharing. When you traditionally go in through an identity provider you have this consent moment where it's unclear, you know, will your friends get spam? Will they be able to send emails to your contacts? It's kind of scary and confusing, you know, but I sign up with an email and a password all I know that the site only It was my email is not a lot safer.

It was an important topic these days we've had, so let's go back to that One Tap UI that we saw earlier. The thing I'd like to emphasize here is it's a very limited set of information that's being shared with the site or the app the user is interacting with. It's only exactly what's shown: their name, their picture and their verified e-mail address. It's the same essentially as if a user typed in this information, but it doesn't have any of the problems of typos or mistakes and it didn't require the work of a user having to manually verify that they own an email address by opening up their mail app

and clicking on a link. The developer knows that their actual account, especially in the case of Gmail addresses, is active on this device and they own it. What we've done here is really thought about separating out the basic information that's shared to say who you are in a login flow from requests for additional data as we saw some the social sign and days that Luke just pointed out. We do appreciate though that there are a lot of apps and services out there that need and depend on this additional data. So for example, you can imagine an experience where after you booked a flight or some travel

plans you need to synchronize this with your calendar, and it would be great if you could have this on an ongoing basis, so you didn't have to manually keep your calendar up-to-date. In an example like this a developer can still ask for that type of access, but it comes at the point where the user best understands why and how this data will be used. So it can be asked for contextually, just like you've seen on Android and iOS where things like access for contacts or photos can be presented at the right time when people understand why they're needed. And when you do go through the experience as an

end user, you can see that we're doing a lot here to make it really clear who you're interacting with, what data will be shared, and how you might see the terms and conditions the data will be used under, or even revoke or control access in the future. When you put all these pieces together, I think we're really trying to improve the ecosystem here. For a long time we've had an app review process and we're expanding that to verify who these apps are, what data they're using, and making sure that we have contact information and the ability to shut them down if things go wrong. We'll be

expanding that to things like our One Tap sign-up to ensure that these powerful APIs and services are only used by the developers who have good intentions. The last big concern and question that comes up in this category about data is user control. Both as a developer and an end user, people wonder: if I use the Google identity technologies, am I becoming dependent on Google? Can the data that I provide to the service is only the access by using Google services dual identity APIs. This information is conveyed to the

developer. It's, as I described earlier, a shortcut helping to process information over to the developer and bootstrap the experience, but at the end of the day, you're still in control as an end user and a developer. You can offer other mechanisms to log in. As we discussed, you have the user's email address. You can send them an email with a recovery link or another way to log in. You could even accept other identity providers, perhaps having things like a phone number where you can send a recovery SMS, or even accept an entirely different identity provider to log in to those existing accounts. They're

still users in the developer's database and under their control. I hope that if you put all of these pieces together, Luke, you'll have a better understanding of what we're doing to make it streamlined and clear to the user that when they share only identity information, it's just that limited piece of information that is being conveyed. On top of that, when additional data is requested, it's done in a process where things are vetted and clearer and the user has better control. And finally, users can still log in at the end of the day with other mechanisms. There's no need for them to be

dependent on Google. I hope that addresses some of your concerns. Thanks, Steven. I love how transparent it is. It's this what-you-see-is-what-you-get model that makes it really clear to me what I'm giving over to the third party. But I think something that goes hand-in-hand with privacy is security. There's, you know, this protocol going back and forth between the site and Google, and when I sign up for an account, I can create a really big password that will really protect me. Naveen, I know your team spends a lot of time thinking about security. Can you explain why this is safer than my

password? This is a question we get asked quite often: is this less secure? Is it going to make my account system less secure? In order to understand, just think about it: every site has a forgot password flow. What happens when you click on forgot password? You send an email, the user then goes, signs in to their email account and then finds the email, clicks on the link, and they get back into your account. Now if you look at the Sign in with Google button, what happens? You still go back, sign into your Google account, Google generates a cryptographic token,

says yes, this user owns this email address, and then you accept that and you get back into the account. The difference is they are really close. From a security perspective, I would argue that there are some flaws in the forgot password case, where somebody could have forwarded that email to somebody else and people can get back into the account. In this kind of Google, you know that they actually own the email address. But this is just the security equivalent; there is much more to the account security. How many engineers on your side are working on securing the account system? Think

about that part. On the Google side, we actually have hundreds of engineers working on just, you know, protecting Google accounts, and every login attempt we put through a risk-based analysis based on many of the signals: traditional signals, IP addresses, location, but a lot of them, but you don't see me trying to understand whether there's a bot who's trying to sign in based on the cursor movement and so on, and they sounded we figure out whether the risk of that attempt is low or high, and if it is a risky attempt, we would ask the user to verify

through secondary channels. In cases the user got hijacked they got first we try to reach out to the user in different ways. Even if they had the right password to the account and we think the risk is high, we will not let Gentle Leader user or the hacker in and keep the bad guys out. endorse cases You would basically we are protecting a lot of accounts and we are spending a lot of time and energy on doing it, but that's just right now. The bigger part is continued investment. We were the

first one to launch two-factor authorization see her side and that is still phishable even though you have an SMS recovery, and we recently launched what we call Advanced Protection, if you go search for it, which is based on the security key. If your account needs a much higher level of protection, that's not phishable because, you know, you cannot give away a code to the third party. We are also working with internet standards and other companies to protect your other accounts on other sites, and in the future we want to share some data about the account so you can actually

use it to make better security decisions during the purchases and so on. And the last is, as the new surfaces become available, Assistant, we are making it easier for people to sign in using the Google account. So by using that you are actually making Google identity. The security of Google identity is closer to what you'll get the security of your account system. So sophisticated security, we are doing a lot to prevent hijacking, and then again the new Advanced feature. Does it make you feel better, Luke? A lot

safer as a user that I can rely on all these security measures Google's working on, but what about for the developers? You know, there's all these spam and robo accounts out there, a lot of fraudulent actors trying to take advantage of services. How do I know that taking sign in with Google doesn't create just another route for spammers to get in? That's actually a good question, and this is something most people don't think about when they create their account system. What happens is, if I am actually a hacker, I can run my mail server and create probably millions of hacking

accounts on your site very easily. Google actually does a lot of work to prevent creating mass accounts, and what happens is if you just use the Google identity on your site you are going to get a lot of those benefits. We were talking to one of the large banks just recently and I asked them to separate out the accounts based on the Gmail addresses and non-Gmail addresses, and they were surprised: they saw eight times less fraudulent activity based on the Gmail addresses than the non-Gmail addresses, and it's because of all the security we are adding

on the Gmail account, which is less spammy, and then not letting those accounts get hijacked. And not just keeping them secure: we find these users you are acquiring through the Google sign-in are generally real users and they are more engaged. So we talked about Redfin having an 80% increase in the sign-ups. More than that, we saw more than 40% of the users came back five times in the next few weeks, and that is much, much better stats than you can find within your own database. So you are not just, you know,

using Google identity to keep the bad guys out, but you are also acquiring much, much better users, and most of the users who have an Android phone, they have a Google account. So does that make you feel better? That sounds really great, sort of a side benefit of using Google identity. But everything that you guys have talked about is so complex. There's all these security features. There's all that slick UI on different properties. You know how complicated, it must be really difficult for everyone in the audience to build this into their site. I know you work

on this, Steven, do you know? Yeah, so over the years I've talked to literally hundreds of different developers about integrations like this, and when it comes down to it, there's two major pieces to be aware of. There's the front-end work to add UI to your app or your site or whatever else you're building, maybe an Action, and then there's some work on the server side to take that information from the app or the site, look up the user and provide that information to the user to personalize their experience. So let's dive a little bit into this. On the front-end side of things, you end up having

to show the user either a traditional Google sign-in button or, as we've discussed today, trying to optimize that with some of the One Tap or automatic sign-in UI. The first time, the user will give their consent to share this information. And at that point Google is able to provide you, the app developer, a token representing this user, the digital passport that we've been talking about. Afterwards, there's the back-end work, and we'll dive into that in a second. To illustrate how this front-end work works, let's actually switch over to a demo.

Okay, so I'm back on my machine here. And what I'll do is I'll take that code that we just saw on the previous slide, and this is the API calls that you're going to need to incorporate to add One Tap UI to your site or app. So let's suppose you already have a Google sign-in button and you want to optimize this experience by turning it into the one click UI. So what we're going to do here is we're going to take this little snippet of code and actually show it running on a real site. So there's a few parameters to this API call asking to show the Google accounts and requesting a token. As

a developer, I mentioned that there is a registration process you have to go through to get access to the APIs. And what I'm doing here is showing the configuration for a real site. This is actually one from B&H video. They might even be here at I/O today and we've certainly talked to them in the past. They have their traditional Google sign-in button, but they haven't included the One Tap UI, so I'll show them how easy it is to add the One Tap experience to their existing site. Now, B&H Photo Video has this really cool store in New York where they have all kinds of electronic gadgets. They

even gave me a tour of it the last time I was there, and if you can't make it in person, you can definitely check out their app or their site. And wouldn't it be so much better an experience if, visiting for the very first time or coming back across devices, when you try to see the information in your cart, instead of seeing this little tumbleweed go through the empty cart because it doesn't know who I am, there was an easy way for the user to get signed in, signed up, or perhaps, as you see further down the page, subscribe for a newsletter. This really feels like the perfect opportunity to show

that one tap UI that we've been talking about today. To demonstrate how easy this is, what we're going to do is load a script onto the page that makes this library available. At this point, I'm just going to paste in the code from the slide and run it here. Now you see that, inline on the page, that UI has appeared. For you, the developer, the key thing to think about is where and when to show this information to the user. What's the right time to ask somebody to sign up? As you see, it's really easy to add. The key thing to think about is showing it at the right time for

the people want to click. Now, what else is here? Again, I have a Lisa's account active. I'll click on through, and you'll see that the promise resolves. I get some information back about who she is, and it includes this thing we've been talking about today, the identity token. Now, it's a big long string here, and that's because it's base64 encoded. So what we're going to do is go back to the slides and talk a little bit more about what you do with this information and how B&H could actually take this and sign the user into perhaps their existing account. Before we get there, let's just finish up

a few points here on the front-end side of things. So as I discussed, you need to register and create a client ID for your application, so agree to things like the terms of service. And then not only do you need to show the UI at the right point, you probably want to check if those existing users already have an account. So perhaps before you even show the one tap UI on page load, you probably want to call a corresponding API to sign in existing users. That's the retrieve method here. Now, we talked a little bit about this in the past; similar APIs are available for Android, and

since we're a bit short on time today, I'm just going to skip over here, but go to developers.google.com/identity to see how to do similar things in your native apps on Android: one tap email selection, including phone numbers, and automatic sign-in. All right. So what do we need to do with this information once we've got it? We have this token representing the user. We need to send it up to your, the app developer's, server, validate information in the token, and then apply some business logic, so things like determining whether this is an existing user or helping a user create a new account.

To do that, let's take a closer look at the token. Now, I took the token here and decoded it, so you can see the content. It's a JSON Web Token, so a JSON dictionary that contains some information about the user. You'll notice that same configuration: the audience parameter here is inline in the token, saying who this was issued for, and that's the thing you have to check to make sure that this isn't a stolen piece of data. Just like a passport in real life, you have to make sure that someone hasn't taken this and used it where they shouldn't have. There's other information here about when this token

was issued, so you can make sure it's still valid and make sure that it hasn't been replayed. There's the user data that we just retrieved, and finally there's some information about who issued the token and how it's been cryptographically signed, so that you can check the signature and ensure that it came from Google and hasn't been tampered with. Now, you can imagine it starts to get a little bit complicated knowing all these details. And so what I'll show you next is libraries that you can use to do all of the checks and validation without having to know the internals of tokens or how

they work. So the first thing we need to do is send the token up to the server. An important thing to call out here is to make sure to do this over a secure channel. This is a user's credential that will give them access to their data, so you need to use HTTPS. Once it's on the server, as I described, we really strongly recommend using a library to validate this token. It is a standard JSON Web Token, so you could use any library that allows you to validate such tokens, but we recommend that you actually use an identity-specific one that checks the identity-specific claims. We'll

have some libraries from Google specifically designed for these Google tokens coming soon on developers.google.com/identity. Once that token's been validated, just like the passport in real life, you can use the information that's available there. And as I described, the key things are checking whether this user has an existing account. So maybe you'll take the email address or the Google user ID, look up that user, and see if there's a matching one. As you've described, you know that in the case of Gmail users, their email address is actually active on this device or browser. They can reset

their password if they had a traditional password-based account, and you should let them into that existing account. That's the first step. Now, once you check for existing users, the key thing to do is help onboard new users. Now you know who these users are. You have their identity information, their name, their photo, and their email address, so you can really bootstrap the experience, but depending on the nature of your application, you might need to ask for additional data. So things like their location or their age, or maybe have them agree to terms of service, and that's stuff that you have to do in

the front end of the office. We have to send some response back to finish the account creation process. At the end of the day, our hope is that you can build an experience like this: at the beginning, coming to an app, either selecting with one tap or automatically signing into an existing account with that token Pina seems replacing manual authentication and a traditional sign-in. The takeaway here is that you can really focus on building your service, adding these front-end pieces of UI that have been simplified. You apply the back-end logic that's intended for your application, and you can use

the library to make this a lot easier. Where we live on a lot of flack for one more important tool here, and that is Firebase Auth. So if you're building for the Firebase platform, you're a new developer, or able to migrate in, we have a complete auth system that you can use instead of taking these libraries and adding them to your existing auth system. We can make it a lot easier by using Firebase. Okay, so Luke, any last questions I can help you with? Yeah, that seems great that you can outsource all the work to Google by using those libraries, and as a developer, I'm totally convinced,

but at the end of the day we're trying to help out companies. How does it make financial sense to integrate into your site? That's the one that we always have to address, is that as developers, you come to places like Google I/O and you're probably really convinced that there's opportunities for awesome things to be done better. But we also have to convince people who are decision-makers and business stakeholders about identity being worth investing in. So we have great stories from folks like HomeAway, who use the Google identity platform to better know who their users are,

to be able to personalize experiences across devices and get the right content in front of them whenever they come back to their site or app. On top of that, it really introduces this opportunity that once users have found a great piece of content, they can transact and engage with it. So that's things like smoothing out the checkout flow. I mentioned some of the numbers earlier about the improvement in the conversion rates if you can make checkout easier, but we have this interesting stat recently from Petlove, just saying, as a big shopping site in South America, that far more of their

users are ending up at the checkout page already signed in, and they never even needed to see the login page. So you get the best of both: the streamlined experience of a guest checkout, but knowing who that user is, and the opportunity to re-engage them as they come back to your service in the future. So things like sending the user email, if they've opted into that, about upcoming sales, fuel price changes, or maybe a reminder to buy flowers for your mom this weekend. If you put all these pieces together, you get this smooth, personalized experience where you know your user, you can

improve checkout and conversion rate, and you can keep users engaged and secure. After all, in a world where they don't even have passwords, they won't be phished, and you won't have problems with those weak and reused passwords. Don't leave it to move to wrap up today and tell you a little bit about what we covered. Thank you guys for explaining all this and don't even have to think about it transparent data-sharing, you know exactly what you're giving away and what you're keeping private, security benefits on the side, and for developers, quality

start. The place to go, as we've mentioned a few times today, is developers.google.com/identity. That's where you'll find the documentation for all of the APIs we described and case studies and examples with many of the partners that we referenced. I just sent you here at all. You there's a couple of other talks that you'd probably like to visit and check out. We have some coming up tomorrow around building and personalizing an Action, leveraging the same ideas and the same underlying Google identity, as well as a deep dive into this experience on the web that I've been talking

about today. If you've got time, definitely check those out tomorrow, and we'd love to continue the conversation, so we can monitor the Stack Overflow tag google-identity. Make sure to leave your questions there. That's the best place to put them out in front of the community, and our contact information is up here on the slides. You can send us an email at sso@google.com. We'd love to hear from you, and we'll be in the web sandbox after this or around the stage if you have a question you'd like to ask if that's that empty over on that side. So thank you very much for your attention

today. We would love to hear from you and be able to show your site or your app up here at next year's I/O, about how you made identity a more secure and easy experience for users. Thank you.
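
The server-side checks the talk lists for an ID token (signature, issuer, audience, expiry), written out as an added example; this is not code from the talk or from Google's libraries. It assumes the issuer's RSA public key has already been fetched and selected; `verifyIdToken` and `makeToken` are hypothetical names, and `makeToken` exists only to build constructed test tokens with a locally generated key.

```javascript
const crypto = require('crypto');

// Issuer strings found in Google ID tokens.
const GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'];

const b64urlEncode = (buf) => Buffer.from(buf).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
// Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
const b64urlJson = (s) => JSON.parse(Buffer.from(s, 'base64').toString('utf8'));

// Returns { ok: true, claims } or { ok: false, reason }.
// publicKey: the issuer's RSA key (assumption: already fetched and selected).
function verifyIdToken(token, publicKey, expectedAudience, nowSeconds) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, claims;
  try { header = b64urlJson(h); claims = b64urlJson(p); }
  catch (e) { return { ok: false, reason: 'malformed' }; }
  if (!header || !claims) return { ok: false, reason: 'malformed' };
  // Pin the algorithm; never let the token pick "none" or an HMAC variant.
  if (header.alg !== 'RS256') return { ok: false, reason: 'alg' };
  // Signature first: the claims are untrusted input until this passes.
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify('RSA-SHA256', signed, publicKey, Buffer.from(s, 'base64')))
    return { ok: false, reason: 'signature' };
  if (!GOOGLE_ISSUERS.includes(claims.iss)) return { ok: false, reason: 'issuer' };
  // Audience must be this app's client ID, or the token was issued to another app.
  if (claims.aud !== expectedAudience) return { ok: false, reason: 'audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds)
    return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Constructed test helper: signs a token with a locally generated key.
function makeToken(privateKey, claims, alg = 'RS256') {
  const h = b64urlEncode(JSON.stringify({ alg, typ: 'JWT' }));
  const p = b64urlEncode(JSON.stringify(claims));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${h}.${p}`), privateKey);
  return `${h}.${p}.${b64urlEncode(sig)}`;
}
```

Only after `ok` is true should the `sub` or `email` claim be used to look up an existing account.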
