AUTHENTICATION FOR
APPS AND SERVICES:
KEYMASTER
ARIEL SALOMON, LOOKOUT, INC.
SO YOU’RE BUILDING AN APP
WITH A BACK-END IN THE CLOUD
HOW DO YOU
AUTHENTICATE REQUESTS?
AUTH(ENTICATION) VS.
AUTH(ORIZATION)
• Authentication is about validating that you
are who you say you are
• Verify that a credential is correct
• Authorization is about what you are allowed
to do
• In general, Authorization is closely tied
to your application
SIMPLE AUTHENTICATION SCHEME
• App knows some username and password
• Every time you need to do anything, include
that in the request
WHY NOT?
PROBLEMS W/ SIMPLE AUTH
• The app needs to keep its credentials
secure
• Every request embeds the credentials; can
they be snooped?
• What happens as we scale up the system?
SCALING UP
• Your system is getting more complicated
• More than one service providing functionality
• They all need to share authentication
• AUTHORIZATION will vary
[Diagram: App talking to Service A and Service B]
• Now we scale up our back-end: the app talks to multiple services
• How does Service B verify credentials?
• Options
• Ask Service A
• Create yet another service, ask it..
• Do some caching?
[Diagram: App talking to Service A, many instances of Service B, and Service Z; an Auth Service alongside]
A BETTER WAY
• Signed tokens verify that authentication has
happened
• One service knows how to authenticate for
apps, and provides tokens
• Any service can receive the tokens and
verify a client without any other network
traffic
SCALING UP WITH TOKENS
• App gets a long-lasting token
• Services don’t take a network hit to handle authentication
[Diagram: App, Service A, Service B, Auth Service]
KEYMASTER TOKENS
• Signed tokens based on the JSON Web Token
(JWT) standard [an IETF draft at the time of
this talk, since published as RFC 7519]
• Each token contains claims:
• sub: Subject, the device or account
being identified
• iss: The token Issuer
• exp: Expiration time (in JWT, seconds
since the Unix epoch)
• From the device (app) perspective, they are
opaque
KEYMASTER
• To validate tokens, a service must know
public keys for other services
• Keymaster service can provide this:
• Use the issuer embedded in the token
to identify the key
• Ask Keymaster for a public key
• cache this for a long time
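The token flow of the last four slides (A BETTER WAY, SCALING UP WITH TOKENS, KEYMASTER TOKENS, KEYMASTER), as an added example in Go that is not Lookout's Keymaster code: an issuer mints a JWT carrying sub, iss and exp and signs it; a receiving service reads iss from the token, fetches that issuer's public key from Keymaster, caches it, and from then on verifies signature and expiry locally with no further network traffic. The slides name no signature algorithm, so ES256 is an assumption, as are the issuer name "auth-service", the subject "device-1234", the type and function names, and the in-memory map standing in for the Keymaster service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
// Claims carries the three claims the slides name; exp is Unix seconds, as in JWT.
type Claims struct {
	Sub string `json:"sub"`
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}

// Keymaster stands in for the key directory service (issuer name -> public key); a network service in the talk, a map here.
type Keymaster map[string]*ecdsa.PublicKey

// NewKey makes an issuer's P-256 key pair; only the public half goes to Keymaster.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Mint signs a token for sub as issuer iss using ES256 (ECDSA P-256 over SHA-256), an assumed algorithm.
func Mint(priv *ecdsa.PrivateKey, iss, sub string, now time.Time, ttl time.Duration) (string, error) {
	body, _ := json.Marshal(Claims{Sub: sub, Iss: iss, Exp: now.Add(ttl).Unix()})
	input := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are raw R||S, each left-padded to 32 bytes, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// Verifier is what a receiving service runs on every incoming token.
type Verifier struct {
	KM    Keymaster // remote directory: one round trip per issuer not seen before
	Cache Keymaster // local copy of fetched keys ("cache this for a long time"); must be non-nil
}

func (v *Verifier) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	rawHdr, e1 := b64.DecodeString(parts[0])
	rawBody, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 {
		return nil, fmt.Errorf("malformed token encoding")
	}
	// Pin the algorithm: honouring whatever alg the token names ("none", or an
	// HMAC keyed with the public key) is the classic JWT verification bug.
	var h struct{ Alg string `json:"alg"` }
	if json.Unmarshal(rawHdr, &h) != nil || h.Alg != "ES256" {
		return nil, fmt.Errorf("unsupported alg %q", h.Alg)
	}
	var c Claims
	if err := json.Unmarshal(rawBody, &c); err != nil {
		return nil, err
	}
	// The still-unverified iss only selects which key to try; nothing else in
	// the payload is trusted until the signature checks out.
	pub, ok := v.Cache[c.Iss]
	if !ok {
		if pub, ok = v.KM[c.Iss]; !ok { // the Keymaster round trip, mocked as a map read
			return nil, fmt.Errorf("keymaster: unknown issuer %q", c.Iss)
		}
		v.Cache[c.Iss] = pub
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("bad signature")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	tok, _ := Mint(key, "auth-service", "device-1234", time.Now(), 24*time.Hour) // constructed issuer and subject
	c, err := (&Verifier{KM: Keymaster{"auth-service": &key.PublicKey}, Cache: Keymaster{}}).Verify(tok, time.Now())
	fmt.Printf("%s\nclaims=%+v err=%v\n", tok, c, err)
}
```

Two things the slides leave implicit are worth checking in any implementation of this design: the verifier pins the signature algorithm rather than trusting the token's alg header, and the unverified iss claim is used only to choose which key to try, so a token that names a known issuer but was signed with some other key fails the signature check. The long-lived cache is also the price of the design: once a service has fetched an issuer's key, removing that key from Keymaster changes nothing for that service until its cache entry expires, so key rotation and revocation have to be planned around the cache lifetime.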
KEYMASTER BETWEEN SERVICES
• Any service can generate tokens
• Tokens can carry additional information
that needs to be signed, or encrypted
Keep in touch with
@lookout
/mylookout
blog.lookout.com
contact@lookout.com
http://bit.ly/scaling-for-mobile
