Kill All Passwords

You have a solid security infrastructure, all user data is encrypted, so your users are protected, right? As long as passwords remain the standard method for identifying users on the web, people will continue to use "letmein" or "password123" for their secure login, and will continue to be shocked when their accounts are compromised.

Passwords are not secure; they need to be replaced. In this talk we explore the pitfalls of a system designed around a username and password, then dive into the ways technology is giving us a slew of new options for building a secure user identity system. From biometrics to wearables, hardware to tokens, we'll explore a multitude of ways that we can finally kill all passwords.

Published in: Technology
  • Each person has a unique DNA sequence. User authentication can be performed without implanted devices. Does PayPal research in the field of DNA sequence recognizers?
  • The following prototype, based on identifying a location in a map/image, demonstrates an alternative to passwords:

Kill All Passwords

  1. Kill all Passwords. Jonathan LeBlanc (@jcleblanc), Head of Global Developer Advocacy at PayPal + Braintree
  2. Why do we need this? Passwords are awesome! (twitter: @jcleblanc | hashtag: #ConvergeSE)
  3. Top Passwords of 2014: 1. 123456, 2. password, 3. 12345678, 4. qwerty, 5. abc123, 6. 123456789, 7. 111111, 8. 1234567, 9. iloveyou, 10. adobe123, 11. 123123, 12. admin, 13. 1234567890, 14. letmein, 15. photoshop, 16. 1234, 17. monkey, 18. shadow, 19. sunshine, 20. 12345
  4. Poor Password Choices: 4.7% of users have the password "password"; 8.5% have the password "password" or "123456"; 9.8% have the password "password", "123456" or "12345678"; 14% have a password from the top 10 passwords; 40% have a password from the top 100 passwords; 79% have a password from the top 500 passwords; 91% have a password from the top 1000 passwords
  5. The Weakest Link
  6. The Key Issues
  7. People Forget Passwords
  8. Security over Usability
  9. Replacing the Concept of a Username and Password
  10. Securing Current Methods
  11. Bad Security Algorithms: MD5, SHA-1, SHA-2, SHA-3
  12. Good Security Algorithms: PBKDF2, BCRYPT, SCRYPT
  13. Key Stretching
  14. Scaling Authentication
  15. Establishing Trust Zones
  16. There's more to it: Location Awareness, Habit Awareness, Browser Uniqueness, Device Fingerprinting
  17. Variable Authentication
  18. Usability vs Security
  19. State of Developer Auth: Use Another Site Login; Mixed; OAuth 2 / OpenID Connect for auth; Roll Your Own Username / Password; Fingerprint Scanning
  20. What Happened to OAuth 1.0a?
  21. Security Concerns with OAuth 2 / OpenID Connect
  22. Identity Biometrics
  23. False Positive / Negative Rates: False negative: Valid user can't log in; False positive: Invalid user can log in
  24. The FIDO Alliance
  25. The Future of Secure Identity & Data Encryption
  26. Thank You! Jonathan LeBlanc (@jcleblanc), Head of Global Developer Advocacy at PayPal + Braintree
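Slides 11 to 13 contrast "bad" algorithms (MD5 and the SHA family, which are fast general-purpose hashes) with "good" ones (PBKDF2, bcrypt, scrypt) and name key stretching as the reason. The added example below, written for this page and not code from the talk, PayPal or Braintree, shows the difference in working Python: a single unsalted SHA-256 beside a salted, iterated PBKDF2-HMAC-SHA256 record, a constant-time verifier, a check for records that need a higher work factor, and a rough measurement of how much more each guess costs. The iteration count, the record format and the `letmein` sample (taken from the slide 3 list) are assumptions of this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed work factor for this example: tune it so one verification costs
# tens of milliseconds on your own servers, and raise it as hardware improves.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def fast_hash(password: str) -> str:
    """The 'bad algorithm' approach: one unsalted SHA-256 of the password.
    It is deterministic (equal passwords give equal digests, so precomputed
    tables work) and cheap enough to test billions of guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def stretched_hash(password: str, salt: Optional[bytes] = None,
                   iterations: int = PBKDF2_ITERATIONS) -> str:
    """Key stretching with PBKDF2-HMAC-SHA256: a random per-user salt plus an
    iteration count that makes each guess expensive. The returned record is
    self-describing (algorithm$iterations$salt$digest) so the parameters can
    be raised later without breaking existing users."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_stretched(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time, so timing does not reveal how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, target_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than the current policy;
    call it after a successful login and re-store the password with stretched_hash."""
    return int(record.split("$")[1]) < target_iterations


def cost_ratio(password: str = "letmein") -> float:
    """Rough measurement of how much more work one PBKDF2 verification costs
    than one plain SHA-256: that factor is how much slower every guess becomes
    for whoever obtains a copy of the database."""
    t0 = time.perf_counter()
    for _ in range(1000):
        fast_hash(password)
    fast = (time.perf_counter() - t0) / 1000

    salt = os.urandom(SALT_BYTES)
    t0 = time.perf_counter()
    for _ in range(3):
        stretched_hash(password, salt)
    slow = (time.perf_counter() - t0) / 3
    return slow / fast


if __name__ == "__main__":
    record = stretched_hash("letmein")
    print(record)
    print("correct password verifies:", verify_stretched("letmein", record))
    print("wrong password verifies:  ", verify_stretched("password123", record))
    print(f"PBKDF2 costs roughly {cost_ratio():,.0f}x a single SHA-256")
```

Two details matter beyond the choice of algorithm: the salt is generated per record, so two users with the same weak password get different records and a leaked database cannot be attacked with one precomputed table; and the iteration count is stored with the record, so `needs_rehash` lets you raise the work factor on the next successful login instead of forcing a reset. bcrypt and scrypt follow the same pattern with a cost parameter in place of the iteration count.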
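Slides 15 to 17 (trust zones, the list of signals on slide 16, and variable authentication) only name the idea: learn where, on what and when a user normally logs in, and vary the amount of authentication friction by how far an attempt sits from that. The added example below, written for this page and not code from the talk, PayPal or Braintree, turns the four listed signals into a risk score and a three-way decision. The signal weights, the thresholds, the field names and the sample login history are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Set

# Constructed signal weights and thresholds (assumptions for this example, not
# figures from the talk). Each signal is a fact about the login attempt; the
# score measures how far the attempt is from what earlier logins taught us.
WEIGHTS = {"country": 40, "device": 30, "browser": 10, "hour": 10}
STEP_UP_THRESHOLD = 20   # at or above: require a second factor
DENY_THRESHOLD = 60      # at or above: refuse and notify the account owner


@dataclass
class LoginContext:
    country: str      # location awareness (e.g. from IP geolocation)
    device_id: str    # device fingerprint, reduced to an identifier
    browser: str      # browser uniqueness (user agent, fonts, plugins, ...)
    hour: int         # local hour of day, for habit awareness


@dataclass
class UserProfile:
    """The user's trust zone: everything previous successful logins taught us."""
    countries: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    browsers: Set[str] = field(default_factory=set)
    usual_hours: Set[int] = field(default_factory=set)

    def learn(self, ctx: LoginContext) -> None:
        """Widen the trust zone only after the login actually succeeded."""
        self.countries.add(ctx.country)
        self.devices.add(ctx.device_id)
        self.browsers.add(ctx.browser)
        self.usual_hours.add(ctx.hour)


def risk_score(profile: UserProfile, ctx: LoginContext) -> int:
    """Sum the weights of every signal that does not match the profile."""
    score = 0
    if ctx.country not in profile.countries:
        score += WEIGHTS["country"]
    if ctx.device_id not in profile.devices:
        score += WEIGHTS["device"]
    if ctx.browser not in profile.browsers:
        score += WEIGHTS["browser"]
    if ctx.hour not in profile.usual_hours:
        score += WEIGHTS["hour"]
    return score


def decide(score: int) -> str:
    """Variable authentication: the friction applied depends on the risk."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step-up"
    return "allow"


def build_sample_profile() -> UserProfile:
    """Constructed history: one laptop, one country, evening logins."""
    profile = UserProfile()
    for hour in (19, 20, 21):
        profile.learn(LoginContext("US", "laptop-a1", "firefox-linux", hour))
    return profile


if __name__ == "__main__":
    profile = build_sample_profile()
    attempts = {
        "same laptop, evening": LoginContext("US", "laptop-a1", "firefox-linux", 20),
        "same laptop, 3 am": LoginContext("US", "laptop-a1", "firefox-linux", 3),
        "new phone, same country": LoginContext("US", "phone-b2", "safari-ios", 20),
        "new device abroad, 3 am": LoginContext("BR", "unknown-c3", "chrome-win", 3),
    }
    for label, ctx in attempts.items():
        score = risk_score(profile, ctx)
        print(f"{label:28s} score={score:3d} -> {decide(score)}")
```

The same mechanism is what makes slide 23's trade-off tunable: lowering `STEP_UP_THRESHOLD` catches more account takeovers (fewer false positives in the talk's sense) at the price of prompting legitimate users more often, so the thresholds should be set from measured login data rather than picked once.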