How to Make a Good Auth: Practical Tips for Mobile Authorization
Join Nikita Kulikov, Head of Mobile at Flip Your Devices (Flipper), as he shares insights on building effective and secure authorization flows in mobile applications. Drawing on experience at both huge companies, such as Snapchat, and the largest companies in his country, Nikita has seen the pitfalls of authorization as implemented in some of the most popular apps in the Google Play and App Stores. He covers the typical mistakes and problems he encountered and explains how to implement better solutions.

This session covers why good authorization is often overlooked and why companies should prioritize it:

• Motivation (Why it Matters): Good authorization is crucial because it directly impacts money and conversion rates. Using social login buttons can boost the conversion rate on the authorization scenario by up to 20%, while utilizing biometrics can make customers 46% more likely to log in (based on Visa surveys).
• Defining Good Authorization: The best authorization is no authorization. Since that is often impossible in real life, good authorization must be as short as possible and secure.
• Implementation Tips: Nikita reviews modern techniques and shares practical advice, including:
  ◦ The importance of social login (OAuth), advising the use of embedded browser solutions like AndroidX browser and PKCE for security, and strongly advising against using a WebView.
  ◦ Ensuring support for independent authorization methods like login and password, and leveraging the autofill framework (as 30% of internet users use third-party password managers, not including embedded OS managers).
  ◦ A strong warning against using magic links, which increase average login time to approximately one minute for millions of users.
  ◦ Highlighting Passkeys as the most modern and ideal solution because they are platform-agnostic, eliminate passwords (and related issues like hashing and salting), and offer a seamless, secure user experience using public and private keys.
  ◦ Essential security reminders, such as implementing rate limits on endpoints (like the "forgot password" flow) and ensuring you reset sessions upon password change.

Nikita encourages developers to prioritize making good apps, especially since authorization is something every user interacts with.