-
Be the first to like this
Upcoming SlideShare
sthlm.js - Passwords are so 1990
- 1. @sambego Passwords are so 1990
- 2. @sambego Developer evangelist Auth0 Google developer Expert I&S Meetup London Fronteers Sam Bellen
- 3. @sambego First, something important!
- 4. @sambego
- 5. @sambego Summary A bit of history on passwords Types of passwords Passwordless authentication Web authentication API
- 6. @sambego Passwords date back to the Romans! Somewhere BC
- 7. @sambego Open sesame 10th century
- 8. @sambego
- 9. @sambego Fernando Corbató - Time-Sharing System 1961
- 10. @sambego Robert Morris Sr - Hashing 1970s
- 11. @sambego Hacking became more an issue 1990s
- 12. @sambego Types of passwords
- 13. @sambego Password123 A string
- 14. @sambego NameOfMyPet1988 A string
- 15. @sambego hotdog* A string * This was my first password, true story!
- 16. @sambego Zbety6FZiH6XNn3ds ziGRB6+MBGDYU A string
- 17. @sambego Pro Can be hard to guess (by others) if complex
- 18. @sambego Con Can be hard to remember if complex (a passwordmanager can help)
- 19. @sambego 1 2 3 4 A pincode
- 20. @sambego Pro Fairly easy to remember
- 21. @sambego Pro Usually used only with access to a physical thing (card, phone, keypad, …)
- 22. @sambego Con Not so hard to guess (Often combined with a maximum allowed number of guesses)
- 23. @sambego A pattern
- 24. @sambego A pattern
- 25. @sambego A pattern
- 26. @sambego A pattern 1 2 3 6 5 4 7 8 9
- 27. @sambego Pro Easy to remember
- 28. @sambego Con Touchscreens often reveal the pattern as “dirty” spots.
- 29. @sambego Con People often use their initial letter, lucky number, …
- 30. @sambego Anything that’s a shared secret
- 31. @sambego So what’s the problem with passwords?
- 32. @sambego
- 33. @sambego Passwords can be annoying!
- 34. @sambego Use a password manager to help you remember!
- 35. @sambego User data can get stolen
- 36. @sambego Google+ - 52.5 million
- 37. @sambego Cambridge Analytica (Facebook) - 87 million
- 38. @sambego Quora - 100 million
- 39. @sambego MyFitnessPal - 150 million
- 40. @sambego Marriott Hotels - 500 million
- 41. @sambego Auth0 Breached password detection
- 42. @sambego Tips Use a complex password Don’t use personal data Don’t reuse passwords Change passwords frequently
- 43. @sambego
- 44. @sambego Passwordless
- 45. @sambego One time password
- 46. @sambego OTP
- 47. @sambego One time password Valid for one time use Often expire after a certain time Sent directly to the user
- 48. @sambego One time password Sent in an SMS
- 49. @sambego Pro iOS let’s your easily fill the OTP from the messages app
- 50. @sambego Con Not all telecom operators take security serious, SMS messages can be intercepted.
- 51. @sambego Con You need your cellphone on hand
- 52. @sambego One time password Sent in an email
- 53. @sambego One time password Magic link
- 54. @sambego
- 55. @sambego Pro You don’t need a second device
- 56. @sambego Con Emails can be intercepted
- 57. @sambego One time password Authenticator app
- 58. @sambego Other authenticator apps DUO Lastpass Authenticator Authy Microsoft Authenticator
- 59. @sambego Pro Time based
- 60. @sambego Pro Push based OTP
- 61. @sambego Con Needs a shared secret between the app and authentication service
- 62. @sambego Social login
- 63. @sambego
- 64. @sambego Pro One less password to remember
- 65. @sambego Pro Only give a password to a service you trust
- 66. @sambego Con You rely on another service for authentication
- 67. @sambego Other solutions It’s me Yoti Voiceit
- 68. @sambego One time password Often used as second factor
- 69. @sambego Hardware authenticator
- 70. @sambego External Hardware authenticator
- 71. @sambego USB Hardware authenticator
- 72. @sambego Yubikey
- 73. @sambego Bluetooth (BLE) Hardware authenticator
- 74. @sambego NFC Hardware authenticator
- 75. @sambego Internal Hardware authenticator
- 76. @sambego TouchID Hardware authenticator
- 77. @sambego What if we could use these on the web?
- 78. @sambego Web Authentication API
- 79. @sambego Web AuthN
- 80. @sambego Web Authentication
- 81. @sambego Web Authentication Challenge
- 82. @sambego Web Authentication Challenge
- 83. @sambego Web Authentication Challenge User interaction
- 84. @sambego Web Authentication Signed challenge Public key
- 85. @sambego Web Authentication Signed challenge Public key
- 86. @sambego Web Authentication navigator.credentials.create
- 87. @sambego Web Authentication navigator.credentials.get
- 88. @sambego Web Authentication Your authenticator device can register a private and public key pair for each website.
- 89. @sambego Web Authentication The private key is stored only on the authenticator device.
- 90. @sambego Web Authentication The private key can sign future challenges.
- 91. @sambego Web Authentication The public key is stored on the authentication device and on the relying party’s server.
- 92. @sambego Web Authentication The public key is used to verify future challenges.
- 93. @sambego Web Authentication The signed challenge is send back to the relying party for security.
- 94. @sambego https: //webauthn.me
- 95. @sambego Some issues User credential management
- 96. @sambego Some issues Cross devices credentials
- 97. @sambego Web Authentication Chrome 67 Firefox 60 Edge 17723 Safari Tech Preview (behind a flag)
- 98. @sambego Disclaimer The spec is not yet fully integrated in all browsers.
- 99. @sambego Disclaimer But still
- 100. @sambego 🤯
- 101. @sambego Summary Remembering passwords is annoying. Use a password manager.
- 102. @sambego Summary One time passwords are easier, but currently mostly used as second factor.
- 103. @sambego Summary The future of authentication might be hardware authenticator devices.
- 104. @sambego Summary You can use TouchID on the web!
- 105. @sambego Read more https: //webauthn.me https: //auth0.com/blog https: // www.w3.org/TR/webauthn
- 106. @sambego Tack!
- 107. @sambego Thanks!
Be the first to comment