Death to passwords - DroidCon Paris 2014
•Download as PPTX, PDF•
0 likes•864 views
The document discusses weaknesses with password authentication and proposes alternative authentication methods. It notes that many users reuse passwords or use weak passwords that are susceptible to hacking. It then explores options like passwordless authentication, two-factor authentication, OAuth, OpenID, and biometric authentication as more secure replacements for passwords. The presentation argues that authentication and authorization are different, and that user experience should not be impaired by security measures.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Death to passwords - DroidCon Paris 2014
Similar to Death to passwords - DroidCon Paris 2014 (20)
More from Paris Android User Group
More from Paris Android User Group (20)
Recently uploaded
Recently uploaded (20)
Death to passwords - DroidCon Paris 2014
- 1. DEATH TO PASSWORDS A safe new world @SERAANDROID Tim Messerschmidt Lead Developer Evangelist, EMEA Droidcon Paris ’14
- 2. DO YOU BELIEVE IN SECURITY? @SERAANDROID
- 3. A LITTLE STORY ABOUT PASSWORDS WIKI.SCULLSECURITY.ORG/PASS WORDS @SERAANDROID
- 4. @SERAANDROID 4.7% OF USERS USE THE PASSWORD PASSWORD
- 5. @SERAANDROID 8.5% ARE USING PASSWORD OR 123456
- 6. @SERAANDROID 9.8% USE PASSWORD 123456 OR 12345678
- 7. ... And it doesn’t even stop here 14% have a password from the top 10 passwords 40% have a password from the top 100 passwords 79% have a password from the top 500 passwords 91% have a password from the top 1000 passwords @SERAANDROID
- 8. @SERAANDROID
- 9. 2013 CBSNEWS.COM/NEWS/THE-25- MOST-COMMON-PASSWORDS-OF- @SERAANDROID 2013
- 10. @SERAANDROID 1. 123456 up 1 2. Password down 1 3. 12345678 4. Qwerty up 1 5. Abc123 down 1 6. 123456789 New 7. 111111 up 2 8. 1234567 up 5 9. Iloveyou up 2 10.Adobe123 new 11.123123 up 5 12.Admin new 13.1234567890 new 14.Letmein down 7 15.Photoshop new 16.1234 new 17.Monkey down 11 18.Shadow 19.Sunshine down 5 20.12345 new
- 11. @SERAANDROID
- 13. @SERAANDROID 3 HUGE Problems - Reused - Phished - Keylogged
- 17. Favor security too much over the experience and you’ll make the website a pain to use. @SERAANDROID
- 18. @SERAANDROID vs.
- 19. @SERAANDROID
- 20. Basic Authentication username:password @SERAANDROID
- 21. @SERAANDROID Storing Passwords SQLCipher & KeyChain
- 23. @SERAANDROID People forget passwords… 45% admit to leaving a website instead of re-setting their password or answering security questions * * Blue Inc. 2011
- 26. @SERAANDROID
- 27. LET’S ADMIT IT: PASSWORDS SUCK @SERAANDROID
- 28. SO WHAT CAN WE DO INSTEAD? @SERAANDROID
- 29. PASSWORDLE SS AUTHENTICATI ON MEDIUM.COM/CYBER-SECURITY/ @SERAANDROID 9ED56D483EB
- 30. @SERAANDROID VIA EMAIL / TEXT
- 32. TWO FACTOR AUTH TWOFACTORAUTH.ORG @SERAANDROID
- 33. Authentication vs. Authorization @SERAANDROID
- 34. @SERAANDROID
- 36. @SERAANDROID
- 37. @SERAANDROID
- 38. @SERAANDROID
- 39. Consumer Service Provider @SERAANDROID Request Request Token Grant Request Token Direct User to Service Obtain Authorization Direct to Consumer Request Access Token Grant Access Token Access Resources
- 41. @SERAANDROID
- 42. @SERAANDROID Android: Signpost <3 github.com/mttkay/signpost
- 44. Consumer Service Provider Direct User to Service Obtain Authorization @SERAANDROID Request Access Token Grant Access Token Direct to Consumer Access Resources / Profile
- 45. @SERAANDROID
- 46. @SERAANDROID HTTP Header URL url = new URL(”http://url.com/”); HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection(); setRequestProperty(”Authorization”, ”Bearer …”); URI parameter “url.com/oauth?access_token=…”
- 47. Scribe github.com/fernandezpablo85/scribe PostmanLib github.com/fedepaol/PostmanLib-- Rings-Twice--Android @SERAANDROID
- 49. OAuth 2.0 and the Road to Hell hueniverse.com/2012/07/oauth-2-0-and-the-road- @SERAANDROID to-hell
- 50. Identity Techniques - OpenID - OpenID Connect - Persona / BrowserID @SERAANDROID
- 51. @SERAANDROID
- 54. @SERAANDROID How to combine both?
- 55. @SERAANDROID OpenID with OAuth Hybrid Extension
- 57. Identity Providers Social vs. Concrete @SERAANDROID
- 58. @SERAANDROID Do we always use the same identity?
- 59. Should we always use the same identity? @SERAANDROID
- 60. @SERAANDROID
- 61. @SERAANDROID Name Date of Birth Email Language Locale Time Zone Address Gender Phone Number Creation Date
- 62. @SERAANDROID People hate to register Out of 657 surveyed users 66% think that social sign-in is a desirable alternative. * * Blue Inc. 2011
- 63. @SERAANDROID
- 64. @SERAANDROID
- 65. @SERAANDROID What’s Next? Bluetooth SMART and Your fingerprint
- 66. @SERAANDROID
- 67. @SERAANDROID
- 68. @SERAANDROID
- 69. @SERAANDROID
- 70. @SERAANDROID
- 71. @SERAANDROID
- 72. UTILIZING A TRUSTED ENVIRONMENT @SERAANDROID
- 73. @SERAANDROID SCALING SECURITY BASED ON THE CASE
- 74. @SERAANDROID FIDO ALLIANCE UNIVERSAL AUTH
- 75. Security matters to users and developers Difference authentication and authorization User Experience should be enhanced not impaired @SERAANDROID
- 76. @SERAANDROID Questions? tmesserschmidt@paypal.com @SeraAndroid / @PayPalDev slideshare.com/paypal
Editor's Notes
- Smashing Magazine
- http://www.nngroup.com/articles/stop-password-masking/ Jakob Nielsen 2009
- Droidcon DE talk
- Passed as header in the requests Encoded as Base64
- We might be tempted to just use SharedPreferences on Android SecurePreferences as a better alternative On iOS it’s easier since there is the KeyChain Android AccountManager or KeyStore since 4.3
- Source: http://www.shop.org/sites/default/files/janrain_-_consumer_perceptions_of_online_registration_social_sign_in_0.pdf
- April 7th public Read the memory of system Compromises secret keys OpenSSL
- Use transactional messages via Email or Text SendGrid, Twilio and many more
- SMS, Email Google Auth, Authy
- Authorization first Do we always need to have site-specific passwords?
- This is about proving that it’s actually me http://www.flickr.com/photos/gaelx/5445598436
- Final draft in 2007 Google, Yahoo
- Request Token Access Token
- Putting lipstick on a pig
- Raiders of the Lost Ark
- Matthias Käppler Qype / SoundCloud
- Focus on simplicity and different scenarios Main framework published in 2012 Bearer token
- Authorization code Access token Refresh token
- Security flaws that need to be solved in the implementation Egor Homakov
- Eran Hammer discusses disadvantages of OAuth 2.0 Blueprint for an authorization protocol
- There is no way to better explain anything than using Lego and Ninjas Pic: http://www.flickr.com/photos/mac_filko/5471023503/
- Developed in 2005 2012 Authentication bug hijacking MyOpenID.com to shut down in 2014 (JanRain)
- Launched 2011 Pushed via Mozilla Identity Bridging in 2013 (via Gmail, ..)
- Provides identity and grants access to resources Draft in 2009 Uses OAuth 1.0
- Identity layer on top of OAuth 2.0 Access profile information in a REST-friendly way Currently still a draft Session management
- Social connects to my friends and shows interests Concrete pulls real data
- To name just a few interesting pieces of information Definition via scopes which can be static or dynamic
- Don‘t use identity as barrier Don‘t force users into it Picture: http://www.flickr.com/photos/pagedooley/5313215496
- Should biometry replace passwords or identity?
- Nymi
- Nymi
- Nymi
- Use connected BLE devices, WiFi Android L release
- Fast Identity Online Use a physical device for online auth Passwords are being rendered useless Universal Auth Framework