Every day we hear news of data breaches and passwords being stolen or compromised. At eBay, as part of the Identity platform, we work diligently to remove such risk factors. As a part of that diligence, we introduced single-use code-based login last year. As a mobile-first company, we take pride in making full use of the underlying platform's capabilities while maintaining high standards of security.
Using Google Sign-In for the eBay Android application is a logical evolution: it uses Google's verified identity to give the user a secure but simpler login method in the eBay mobile app.
The steps to integrate "Sign-in with Google" are straightforward and well laid out in Google's documentation. However, eBay users already have credentials they use to log in to eBay.com, which raises the interesting problem of managing their identity profiles. The login components should let users log in to the eBay app with their eBay credentials and also perform Google-based sign-in.
We created a user experience that orchestrates an eBay user login flow and allows the user to sign up for Google Sign-In. This login flow helps users establish their identity and also ensures that their future login attempts are simple and just a click away.
Google Identity Enrollment
Once the user ascertains their identity via their password (after risk evaluations), they will be provided the opportunity to use their Google account for future logins.
The prescriptive architecture of the Identity system that orchestrates this flow and persists the identity for future resolution is shown in the following diagram.
Google Identity-based Login
Once the user has successfully enrolled, they can use their Google identity to log in on future attempts. The user experiences a more streamlined and secure way of logging into the eBay app, as shown in the following screenshots. The user is signed in to the app with the enrolled eBay credentials.
A representation of the application flow and the system that orchestrates this flow is illustrated below:
Architecture and ID Token Authentication
To help match the identity profiles (eBay and Google users), the id_token generated when the user signs into the app is sent to the eBay Identity servers. The id_token is validated and a link is created between the eBay and Google identifiers, enabling simpler future logins. The validation steps are clearly documented.
The id_token follows the JWT structure and needs to be verified for the following characteristics:
- The ID token is signed by Google, helping verify its authenticity.
- The JWT claim "aud" (audience) identifies the id_token as issued for the eBay mobile application.
- The claim "exp" (expiration time) identifies when the id_token expires.
- The claim "iss" (issuer) is recognized as Google via the values "accounts.google.com" or "https://accounts.google.com".
Google also provides an open source library that performs these checks. The GooglePublicKeysManager was customized to fetch Google's public certificates eagerly and cache them for faster authentication.
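The four checks listed above, worked through as an added Go example. This is not code from the post or from Google's library: it mints an RS256 id_token with a locally generated RSA key that stands in for Google's signing key, then verifies the signature (selecting the key by kid from an in-memory cache, the role the post gives its customized GooglePublicKeysManager), the issuer, the audience and the expiry. The client IDs, kid, timestamps and the bad issuer are constructed placeholders. Beyond the single good token, it also shows which rejections the checks produce for a token issued to another app, an expired token, a foreign issuer and a payload edited after signing.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of id_token claims the post's checks rely on; Google issues "aud" as one string.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func decodeSegment(seg string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// VerifyIDToken performs the post's four checks (Google signature, iss, aud, exp); keys caches Google's public keys by kid, the role of the customized GooglePublicKeysManager.
func VerifyIDToken(token string, keys map[string]*rsa.PublicKey, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	pub, ok := keys[hdr.Kid]
	if hdr.Alg != "RS256" || !ok { // pin the algorithm and require a known signing key
		return nil, fmt.Errorf("unsupported alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	// RS256 is RSASSA-PKCS1-v1_5 over SHA-256 of "<b64 header>.<b64 payload>".
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims // claims are trusted only now that the signature holds
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	if c.Iss != "accounts.google.com" && c.Iss != "https://accounts.google.com" {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if c.Aud != expectedAud {
		return nil, fmt.Errorf("token not issued for this app (aud %q)", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// MintToken signs claims as the issuer would; it exists only so the example can build input offline.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// Scenarios verifies one good token and four bad ones and reports which were accepted; key, client IDs, kid and bad issuer are constructed placeholders.
func Scenarios() map[string]bool {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for Google's signing key
	keys := map[string]*rsa.PublicKey{"example-kid": &priv.PublicKey}
	now := time.Unix(1700000000, 0)
	const aud = "EXAMPLE-ANDROID-CLIENT-ID.apps.googleusercontent.com"
	good := Claims{Iss: "https://accounts.google.com", Aud: aud, Exp: now.Add(time.Hour).Unix()}
	wrongAud, expired, wrongIss, forged := good, good, good, good
	wrongAud.Aud = "OTHER-CLIENT-ID.apps.googleusercontent.com" // issued for a different app
	expired.Exp = now.Add(-time.Minute).Unix()
	wrongIss.Iss = "https://idp.example.invalid"
	forged.Exp = now.Add(24 * time.Hour).Unix() // lifetime extended without re-signing
	results := map[string]bool{}
	for name, c := range map[string]Claims{"valid": good, "wrong-aud": wrongAud, "expired": expired, "wrong-iss": wrongIss} {
		_, err := VerifyIDToken(MintToken(priv, "example-kid", c), keys, aud, now)
		results[name] = err == nil
	}
	parts := strings.Split(MintToken(priv, "example-kid", good), ".") // tampered: good signature, forged claims spliced in
	fb, _ := json.Marshal(forged)
	parts[1] = base64.RawURLEncoding.EncodeToString(fb)
	_, err := VerifyIDToken(strings.Join(parts, "."), keys, aud, now)
	results["tampered-payload"] = err == nil
	return results
}
```

The order of the checks matters: the signature is verified before any claim is read, so the issuer, audience and expiry values are only ever compared after they are known to come from Google, and the algorithm is pinned to RS256 rather than taken from the token header.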
Security and Fraud Detection
Like all the other detection and remediation actions performed as part of risk analysis, login attempts and identity resolution for users using Google Sign-In are analyzed diligently. When risk is detected, the Identity resolution system is notified and appropriate actions are taken to keep the user's account safe. Users will also be able to disable Google Sign-In both from their Google app permissions and from eBay settings.
In the eBay Identity team, we strive every day to improve a user's interaction with eBay without compromising security and, at the same time, to provide seamless and non-intrusive authentication mechanisms using state-of-the-art technologies, ranging from fingerprint recognition to well-established industry standards such as Google Sign-In. These capabilities give the user a range of authentication and identity mechanisms, each of which helps the user shop on eBay through seamless integration with their own device-specific capabilities.
The next steps will be expanding the role of Google Sign-In for other devices and soon on the web, too.