The document discusses weaknesses of password authentication and proposes alternative authentication methods. It notes that many users reuse passwords or choose weak passwords that are easily guessed or cracked. It then explores options such as passwordless authentication, two-factor authentication, OAuth, OpenID, and biometric authentication as more secure replacements for passwords. The presentation argues that authentication and authorization are different concerns, and that user experience should not be impaired by security measures.
7. ... And it doesn't even stop here
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
@SERAANDROID
10.
1. 123456 (up 1)
2. Password (down 1)
3. 12345678
4. Qwerty (up 1)
5. Abc123 (down 1)
6. 123456789 (new)
7. 111111 (up 2)
8. 1234567 (up 5)
9. Iloveyou (up 2)
10. Adobe123 (new)
11. 123123 (up 5)
12. Admin (new)
13. 1234567890 (new)
14. Letmein (down 7)
15. Photoshop (new)
16. 1234 (new)
17. Monkey (down 11)
18. Shadow
19. Sunshine (down 5)
20. 12345 (new)
23. People forget passwords…
45% admit to leaving a website instead of re-setting their password or answering security questions *
* Blue Inc. 2011
39. Consumer <-> Service Provider
1. Request Request Token
2. Grant Request Token
3. Direct User to Service
4. Obtain Authorization
5. Direct to Consumer
6. Request Access Token
7. Grant Access Token
8. Access Resources
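The flow on slide 39, as an added, runnable example that is not part of the talk: a minimal in-process simulation of the OAuth 1.0a three-legged exchange between a Consumer and a Service Provider, with every request signed using HMAC-SHA1 over the RFC 5849 signature base string. The `ServiceProvider` class, the `sp.example` URLs, the constructed consumer credentials and the returned profile are assumptions made for this example.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import quote

def sign(method, url, params, consumer_secret, token_secret=""):
    pct = lambda s: quote(str(s), safe="~")  # RFC 5849 percent-encoding
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))  # normalized parameters
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()  # HMAC key: consumer secret & token secret
    return base64.b64encode(hmac.new(key, f"{method}&{pct(url)}&{pct(norm)}".encode(), hashlib.sha1).digest()).decode()

class ServiceProvider:
    def __init__(self, consumer_key, consumer_secret):
        self.consumers, self.tokens = {consumer_key: consumer_secret}, {}  # tokens: tok -> {secret, kind, verifier}
    def _check(self, method, url, params, kind=None):  # verify the signature (and the token kind, if one is required)
        given = (p := dict(params)).pop("oauth_signature", "")
        t = self.tokens.get(p.get("oauth_token")) if kind else None
        if kind and (not t or t["kind"] != kind):
            raise PermissionError(f"{kind} token required")
        want = sign(method, url, p, self.consumers[p["oauth_consumer_key"]], t["secret"] if t else "")
        if not hmac.compare_digest(given, want):
            raise PermissionError("bad signature")
        return t
    def _issue(self, kind):
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[tok] = {"secret": sec, "kind": kind}
        return tok, sec
    def request_token(self, params):  # "Request Request Token" -> "Grant Request Token"
        self._check("POST", "https://sp.example/request_token", params)
        return self._issue("request")
    def authorize(self, tok):  # user approves at the Service Provider; the verifier is carried back on the redirect
        return self.tokens[tok].setdefault("verifier", secrets.token_hex(4))
    def access_token(self, params):  # "Request Access Token" -> "Grant Access Token"
        t = self._check("POST", "https://sp.example/access_token", params, "request")
        if not t.get("verifier") or params.get("oauth_verifier") != t["verifier"]:
            raise PermissionError("verifier mismatch")  # 1.0a: the request token must have been approved by the user
        del self.tokens[params["oauth_token"]]  # request tokens are single-use
        return self._issue("access")
    def resource(self, params):  # "Access Resources": only an access token gets through
        self._check("GET", "https://sp.example/me", params, "access")
        return {"user": "alice"}  # constructed profile

def consumer_flow(sp, key, secret):
    def signed(method, url, token="", token_secret="", **extra):  # the Consumer signs every request
        p = {"oauth_consumer_key": key, "oauth_nonce": secrets.token_hex(8), "oauth_timestamp": "1700000000",
             "oauth_signature_method": "HMAC-SHA1", **({"oauth_token": token} if token else {}), **extra}
        p["oauth_signature"] = sign(method, url, p, secret, token_secret)
        return p
    rt, rs = sp.request_token(signed("POST", "https://sp.example/request_token", oauth_callback="oob"))
    verifier = sp.authorize(rt)  # "Direct User to Service" ... "Obtain Authorization" ... "Direct to Consumer"
    at, ats = sp.access_token(signed("POST", "https://sp.example/access_token", rt, rs, oauth_verifier=verifier))
    return sp.resource(signed("GET", "https://sp.example/me", at, ats))
```

Note that `consumer_flow(ServiceProvider("ck", "cs"), "ck", "cs")` succeeds only because both sides compute the same signature; a wrong consumer secret, a request token used where an access token is required, or a missing verifier is rejected with `PermissionError`.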
44. Consumer <-> Service Provider
1. Direct User to Service
2. Obtain Authorization
3. Request Access Token
4. Grant Access Token
5. Direct to Consumer
6. Access Resources / Profile
http://www.nngroup.com/articles/stop-password-masking/ (Jakob Nielsen, 2009)
Droidcon DE talk
Passed as a header in the requests
Encoded as Base64
We might be tempted to just use SharedPreferences on Android
SecurePreferences as a better alternative
On iOS it's easier since there is the Keychain
Android AccountManager, or KeyStore since 4.3