Outsourcing Auth and Auth (with Web Services)
Outsourcing auth/auth
DaveBurchell
2006-08-10
2006HeroicMarkup.com
What are <quote>Outsourcing,</quote> <quote>Auth,</quote> & <quote>Auth?</quote>
The talk is about Outsourcing Auth & Auth (with Web Services).
What does this mean?
Authentication
Proving you are who you say you are
Authentication may be based on:
Something you know (e.g., a password)
Something you have (e.g., a house key)
Something you are (e.g., your fingerprint)
If you have a Website and want to know who is asking for accessing it (or requesting access), then you need a way to authenticate.
Authorization
Proving you should have access to a resource you request
If you have a Website where you want to restrict access to only certain people, you need to authorize them.
Outsourcing
Transferring an ancillary function to another entity
Not to be confused with offshoring
Can contribute to creation of virtual
companies
Web Services
Application-to-application programmatic interfaces using Web protocols
Think of them as Web browsing for computer programs.
Nearly always use HTTP, XML
Often use SOAP and REST
Commercially available
Facilitate outsourcing
Why Outsource?
Web Services facilitate outsourcing. But why outsource?
The internal group lacks expertise (Barcode Reader)
The system or resource is burdensome to maintain (tax rates)
Special equipment is required (phone verification)
Need access to a controlled information resource (D-U-N-S)
The resources cannot be spared to develop the feature or subsystem at the moment (CAPTCHA)
A Simple Real-World Scenario
A family reunion is coming up. You are helping to plan and organize it.
Scenario
Relatives in Nebraska are hosting the reunion
Relatives in other places are planning to attend
You want to divide the universe into three groups:
Nebraska relatives (hosts)
Non-Nebraska relatives (attendees)
Others (non-family)
Stand-Alone Authentication
If you wish to build stand-alone authentication, you could:
Gather a list of each relative's email address
Prepare a list of usernames (email addresses?) and generate a random password for each
Email the passwords to each relative
Put the user list on your system (e.g., .htpasswd file)
Stand-Alone Authorization
You could:
Sort the relatives usernames by Nebraska/Non-Nebraska
Protect the entire reunion site by requiring users to be authorized (e.g., .htaccess file, Unix username established).
Protect the reunion host section of the site with an access control list (ACL), Unix group, etc. to allow only Nebraska relatives to access the Nebraska section
QUICK QUIZ
Q: When Great Uncle Hollis forgets his password, who will he ask for help?
QUICK QUIZ
A: You
QUICK QUIZ
(Bonus question: Who will he call if he's been placed in the wrong group?)
Outsourcing Auth & Auth
You can avoid your uncle's phone calls if you let him contact someone else for help. If you outsource the functions of auth & auth, you can outsource the support of your users (relatives).
Authentication with PayPal
PayPal's Web Services are designed to allow merchants to interact behind-the-scenes with PayPal. A PayPal feature called Express Checkout can be used to authenticate that a user has the email address he or she claims to have.
The process (from an API Sourcebook page on Express Checkout):
Call SetExpressCheckout
Send the buyer to the PayPal site with the token. Example:
https://www.sandbox.paypal.com/
cgi-bin/webscr?
cmd=_express-checkout&token=EC-29879344RH8987624
Call GetExpressCheckoutDetails
Call DoExpressCheckoutPayment
By using the first three of the four steps only, you can verify that the user was able to log in to PayPal with the email address they claimed. From the GetExpressCheckoutDetails call:
dave_buyer@fake.com
RRJPLTMFCREJQ
verified
Dave
Burchell
]]>
For details, see .
Authentication with StrikeIron
StrikeIron's Real Time Telephone Verification lets you verify that a person is calling from the phone number they claim. It is implemented as a Web Service using SOAP and HTTP.
Once you know a user's phone number, you can uniquely identify that user by phone number. If you have a list of authorized users's phone numbers on your Website you can compare against it.
(See Resources slide for a demo of another StrikeIron service.)
Auth/Auth Using Flickr and StrikeIron
Q: "Who is this dog?"
Auth/Auth Using Flickr and StrikeIron
A:
m/r[ie]{1,2}ll?[ie]{0,2}y?[ie]{0,2}/i
(Use a regular expression to check for the name Rilley
and all for its likely misspellings.)
Only relatives will know this dog's name (we assume). Use this to grant authorization.
Authenticate the user's phone number using StrikeIron
Quiz the user on the dog's name (only allow a few tries per phone number)
Check the area code to see if it is a Nebraskan or non-Nebraskan
We now know who it is (what phone number) and if they are a Nebraska relative or non-Nebraska relative. Our auth & auth is complete.
Conclusion
Outsourcing Advantages
Fast
Easy
Cheap*
Outsourcing Drawbacks
New skills may be required
Expensive
What if the service goes away?
Other services to use in outsourcing?
eBay?
Facebook?
Friendster?
Google?
LinkedIn?
Microsoft/MSN?
Monster?
MySpace?
Tru?
VeriSign?
Yahoo!?
YouTube?
Who lets us store data? Google Base? (Encrypt it, a la Unix passwords.) PayPal? (yes!)
And while we are thinking about it: Why don't people have to pay you to get authorization send you email? (Monetize your inbox!
)
Resources
StrikeIron
Demo of StrikeIron's Web Services
Reverse Phone Lookup:
Look up a residential phone number and get associated phone book information, such as name and address.
Real Time Telephone Verification:
Verify a site's visitor is really at the phone number she claims by placing a phone call to the number.
Text Disguise CAPTCHA-Image Service: make sure you are dealing with a human, not a computer program.
Google Base: post information publicly
PayPal: send and receive money
Simple PayPal Web Services example code in the API Sourcebook.
PayPal Integration Center.
Flickr: share photos
Q & A
Questions?
burchell@heroicmarkup.com
Skype me! User ID: evaddnomaid
Search me out on gmail, Yahoo!, MySpace, eBay, etc.