
sthlm.js - Passwords are so 1990


As long as we’ve been using the internet, and way before that, we have been authenticating through some sort of username and password combination. It has become the standard. With the ever increasing number of web-apps, we’re seeing more and more data breaches as well. What if we could build our authentication processes in a way the user doesn’t need a password?

Published in: Internet

  1. @sambego Passwords are so 1990
  2. Sam Bellen, Developer Evangelist at Auth0, Google Developer Expert, I&S Meetup, London Fronteers
  3. First, something important!
  4. (no text on slide)
  5. Summary: A bit of history on passwords; Types of passwords; Passwordless authentication; Web Authentication API
  6. Passwords date back to the Romans! Somewhere BC
  7. Open sesame, 10th century
  8. (no text on slide)
  9. Fernando Corbató - Time-Sharing System, 1961
  10. Robert Morris Sr - Hashing, 1970s
  11. Hacking became more of an issue, 1990s
  12. Types of passwords
  13. Password123 - A string
  14. NameOfMyPet1988 - A string
  15. hotdog* - A string (* This was my first password, true story!)
  16. Zbety6FZiH6XNn3ds ziGRB6+MBGDYU - A string
  17. Pro: Can be hard to guess (by others) if complex
  18. Con: Can be hard to remember if complex (a password manager can help)
  19. 1 2 3 4 - A pincode
  20. Pro: Fairly easy to remember
  21. Pro: Usually used only in combination with a physical thing you have (card, phone, keypad, …)
  22. Con: Not so hard to guess (often combined with a maximum allowed number of guesses)
  23. A pattern
  24. A pattern
  25. A pattern
  26. A pattern: 1 2 3 6 5 4 7 8 9
  27. Pro: Easy to remember
  28. Con: Touchscreens often reveal the pattern as "dirty" spots.
  29. Con: People often use their initial letter, lucky number, …
  30. Anything that's a shared secret
  31. So what's the problem with passwords?
  32. (no text on slide)
  33. Passwords can be annoying!
  34. Use a password manager to help you remember!
  35. User data can get stolen
  36. Google+ - 52.5 million
  37. Cambridge Analytica (Facebook) - 87 million
  38. Quora - 100 million
  39. MyFitnessPal - 150 million
  40. Marriott Hotels - 500 million
  41. Auth0 Breached password detection
  42. Tips: Use a complex password; Don't use personal data; Don't reuse passwords; Change passwords frequently
  43. (no text on slide)
  44. Passwordless
  45. One time password
  46. OTP
  47. One time password: Valid for one-time use; Often expires after a certain time; Sent directly to the user
  48. One time password: Sent in an SMS
  49. Pro: iOS lets you easily fill in the OTP from the Messages app
  50. Con: Not all telecom operators take security seriously, and SMS messages can be intercepted.
  51. Con: You need your cellphone at hand
  52. One time password: Sent in an email
  53. One time password: Magic link
  54. (no text on slide)
  55. Pro: You don't need a second device
  56. Con: Emails can be intercepted
  57. One time password: Authenticator app
  58. Other authenticator apps: Duo, LastPass Authenticator, Authy, Microsoft Authenticator
  59. Pro: Time based
  60. Pro: Push based OTP
  61. Con: Needs a shared secret between the app and the authentication service
  62. Social login
  63. (no text on slide)
  64. Pro: One less password to remember
  65. Pro: Only give a password to a service you trust
  66. Con: You rely on another service for authentication
  67. Other solutions: It's me, Yoti, Voiceit
  68. One time password: Often used as second factor
  69. Hardware authenticator
  70. External hardware authenticator
  71. USB hardware authenticator
  72. Yubikey
  73. Bluetooth (BLE) hardware authenticator
  74. NFC hardware authenticator
  75. Internal hardware authenticator
  76. TouchID hardware authenticator
  77. What if we could use these on the web?
  78. Web Authentication API
  79. WebAuthn
  80. Web Authentication
  81. Web Authentication: Challenge
  82. Web Authentication: Challenge
  83. Web Authentication: Challenge, user interaction
  84. Web Authentication: Signed challenge, public key
  85. Web Authentication: Signed challenge, public key
  86. Web Authentication: navigator.credentials.create
  87. Web Authentication: navigator.credentials.get
  88. Web Authentication: Your authenticator device can register a private and public key pair for each website.
  89. Web Authentication: The private key is stored only on the authenticator device.
  90. Web Authentication: The private key can sign future challenges.
  91. Web Authentication: The public key is handed to the relying party at registration and stored on its server (the authenticator may keep a copy; nothing secret leaves the device).
  92. Web Authentication: The public key is used to verify future signed challenges.
  93. Web Authentication: The signed challenge is sent back to the relying party, which verifies it against the stored public key.
  94. https://webauthn.me
  95. Some issues: User credential management
  96. Some issues: Cross-device credentials
  97. Web Authentication support: Chrome 67, Firefox 60, Edge 17723, Safari Technology Preview (behind a flag)
  98. Disclaimer: The spec is not yet fully implemented in all browsers.
  99. Disclaimer: But still…
  100. 🤯
  101. Summary: Remembering passwords is annoying. Use a password manager.
  102. Summary: One time passwords are easier, but currently mostly used as a second factor.
  103. Summary: The future of authentication might be hardware authenticator devices.
  104. Summary: You can use TouchID on the web!
  105. Read more: https://webauthn.me, https://auth0.com/blog, https://www.w3.org/TR/webauthn
  106. Tack!
  107. Thanks!
