
Death to Passwords SXSW 15

User authentication is a common and integral part of mobile and web applications. Basic username-and-password authentication is the easy choice for developers, but it comes with pitfalls that impair the user experience: (re-)entering passwords, having to invent yet another unique password, or simply typing personal data on a flaky keyboard while registering a new account.

This talk discusses the security flaws and UX implications of passwords, and Tim highlights the techniques that can offer a more mobile-friendly flow. Covering authorization and authentication techniques such as OAuth and OpenID Connect, and even hardware features like Bluetooth Low Energy, the talk is relevant for anyone who is facing a situation where creating and storing user accounts matters.

Death to Passwords SXSW 15

  1. @SeraAndroid #DeathToPW | Death to Passwords | Tim Messerschmidt, Head of Developer Advocacy, International, PayPal / Braintree | SXSW 2015
  3. >Death to Passwords_
  5. The 1000 most used passwords of 2012: wiki.skullsecurity.org/Passwords
  6. 4.7% use "password"
  8. 8.5% use "password" or "123456"
  9. 9.8% use "password", "123456" or "12345678"
  10. Top 10: 14%
  11. Top 100: 40%
  12. Top 500: 79%
  13. Top 1000: 91%
  14. 2013: cbsn.ws/1siTPGH
  15. 1. 123456, 2. password, 3. 12345678, 4. qwerty, 5. abc123, 6. 123456789, 7. 111111, 8. 1234567, 9. iloveyou, 10. adobe123, 11. 123123, 12. admin, 13. 1234567890, 14. letmein, 15. photoshop, 16. 1234, 17. monkey, 18. shadow, 19. sunshine, 20. 12345
  17. 2014: bit.ly/1xYHjdp
  18. 1. 123456, 2. password, 3. 12345, 4. 12345678, 5. qwerty, 6. 1234567890, 7. 1234, 8. baseball, 9. dragon, 10. football, 11. 1234567, 12. monkey, 13. letmein, 14. abc123, 15. 111111, 16. mustang, 17. access, 18. shadow, 19. master, 20. michael
  19. Change versus 2013: 1. 123456, 2. password, 3. 12345 (up 17), 4. 12345678 (down 1), 5. qwerty (down 1), 6. 1234567890, 7. 1234 (up 9), 8. baseball (new), 9. dragon (new), 10. football (new), 11. 1234567 (down 4), 12. monkey (up 5), 13. letmein (up 1), 14. abc123 (down 9), 15. 111111 (down 8), 16. mustang (new), 17. access (new), 18. shadow, 19. master (new), 20. michael (new)
  21. >Honorary mention: 21. superman, 24. batman_
  23. >The 3 key problems_
  24. abstrusegoose.com/296
  30. "Favor security too much over the experience and you'll make the website a pain to use." smashingmagazine.com/2012/10/26/password-masking-hurt-signup-form
  33. People forget passwords… 45% admit to leaving a website instead of resetting their password or answering security questions. (Blue Inc. 2011)
  34. Let's admit it: Passwords really suck!
  35. Hashing: hash(password + salt), with a random salt per user
  36. Unsuitable for passwords (fast, general-purpose hashes): MD5, SHA-1, SHA-2, SHA-3. bit.ly/1DOfzy7
  37. Suitable password hashing algorithms (deliberately slow, tunable work factor): PBKDF2, bcrypt, scrypt. bit.ly/1DOfzy7
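The storage scheme slides 35 to 37 recommend, written out as an added example that is not code from the talk or from PayPal/Braintree: PBKDF2-HMAC-SHA256 from Python's standard library (bcrypt or scrypt would serve the same purpose; PBKDF2 is used here only because hashlib ships it), with a random per-user salt and a self-describing stored format, next to the unsalted fast hash it replaces. The user table and the guess list (the 2014 top ten from the slides) are constructed sample data. The two crack_* functions show the practical difference the slides are getting at: against an unsalted fast hash, one pass over the dictionary breaks every user at once; against the salted slow hash the attacker pays one full derivation per user per guess.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data: the 2014 top-10 list from the slides reused as the
# attacker's dictionary, plus three made-up users (two of whom share a password).
TOP10: List[str] = ["123456", "password", "12345", "12345678", "qwerty",
                    "1234567890", "1234", "baseball", "dragon", "football"]
USERS: Dict[str, str] = {"alice": "dragon", "bob": "123456", "carol": "dragon"}

# OWASP's current PBKDF2-HMAC-SHA256 recommendation. Kept as a default so the
# work factor can be raised later without changing the stored format.
DEFAULT_ITERATIONS = 600_000


def fast_hash(password: str) -> str:
    """The 'bad' scheme: unsalted, single-round SHA-256. Identical passwords give
    identical digests for every user, and one hash per guess covers the whole table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt. The stored string is
    self-describing (algorithm$iterations$salt$key, hex), so old hashes stay
    verifiable while new ones are created with a higher work factor."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_unsalted(leaked: Dict[str, str], guesses: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline attack on a leaked fast_hash table: hash each guess once, then look
    every user up. Returns (user -> recovered password, number of hashes computed)."""
    table = {fast_hash(g): g for g in guesses}
    recovered = {user: table[h] for user, h in leaked.items() if h in table}
    return recovered, len(guesses)


def crack_salted(leaked: Dict[str, str], guesses: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline attack on a leaked hash_password table: the per-user salt forces a
    fresh slow derivation for every (user, guess) pair, with no shared lookup table."""
    recovered: Dict[str, str] = {}
    work = 0
    for user, stored in leaked.items():
        for g in guesses:
            work += 1
            if verify_password(g, stored):
                recovered[user] = g
                break
    return recovered, work


if __name__ == "__main__":
    leaked_fast = {u: fast_hash(p) for u, p in USERS.items()}
    leaked_slow = {u: hash_password(p, iterations=50_000) for u, p in USERS.items()}
    print("unsalted SHA-256:", crack_unsalted(leaked_fast, TOP10))
    print("salted PBKDF2   :", crack_salted(leaked_slow, TOP10))
```

With the default 600,000 iterations a single verification takes a few hundred milliseconds, which is the point: the legitimate user pays it once per login, the attacker pays it for every guess against every user.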
  38. 2 Factor Authentication: twofactorauth.org
  39. Passwordless Authentication: medium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb
  43. braintreepayments.com/blog/goodbye-passwords-one-touch-hello-bitcoin: >Braintree Says Goodbye to Passwords With One Touch Payments for PayPal and Venmo, and Hello to Bitcoin_
  45. One Touch app switch: Merchant app → PayPal app → Merchant app
  49. People hate to register: out of 657 surveyed users, 66% think that social sign-in is a desirable alternative. (Blue Inc. 2011)
  50. Person: Social Identity / Concrete Identity / No Identity
  51. Authorization & Authentication: stackoverflow.com/questions/6367865/is-there-a-difference-between-authentication-and-authorization
  52. "One person's data is another person's noise." K.C. Cole
  53. >Social vs. Concrete Identities_
  54. OAuth 1.0 (2007)
  55. OAuth 1.0 flow between The Consumer and the Service Provider: Request Request Token, Grant Request Token, Direct User to Service, Obtain Authorization, Direct to Consumer, Request Access Token, Grant Access Token, Access Resources
  56. OAuth 1.0a (2009)
  57. OAuth 2.0 (2012)
  58. OAuth 2.0 flow between The Consumer and the Service Provider (steps as labelled in the diagram): Direct User to Service, Obtain Authorization, Request Access Token, Grant Access Token, Direct to Consumer, Access Resources
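The OAuth 2.0 exchange on slide 58, carried through as an added example that is not code from the talk or from PayPal/Braintree: both sides of the authorization code grant (RFC 6749 section 4.1) run in one process, with messages passed as URLs and form dictionaries instead of HTTP. The client id, client secret and redirect URI are constructed for the example. It goes a little beyond the slide's labels by including the checks a service provider must make for the flow to be safe: the redirect URI has to match the registration before any redirect happens, a code is single-use and bound to the client that requested it, and the consumer ties the callback to its own session with the `state` parameter.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical client registration, constructed for this example only.
CLIENT_ID = "merchant-app"
CLIENT_SECRET = "s3cr3t-client-secret"
REDIRECT_URI = "https://merchant.example/callback"


def query_params(url: str) -> Dict[str, str]:
    """First value of each query parameter in a URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


@dataclass
class ServiceProvider:
    """Authorization server: issues single-use codes bound to client and redirect
    URI, exchanges them for bearer tokens, and serves the protected resource."""
    clients: Dict[str, Dict[str, str]]
    codes: Dict[str, Dict[str, object]] = field(default_factory=dict)
    tokens: Dict[str, str] = field(default_factory=dict)

    def authorize(self, auth_url: str, user: str, approved: bool) -> str:
        """'Direct user to service' and 'obtain authorization'; returns the
        redirect URL that sends the user agent back ('direct to consumer')."""
        q = query_params(auth_url)
        client = self.clients.get(q.get("client_id", ""))
        if client is None or q.get("redirect_uri") != client["redirect_uri"]:
            # Never redirect anywhere on a mismatch: that is how codes get stolen.
            raise ValueError("unknown client or redirect_uri mismatch")
        params = {"state": q.get("state", "")}
        if approved:
            code = secrets.token_urlsafe(32)
            self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                                "user": user, "expires": time.time() + 60}
            params["code"] = code
        else:
            params["error"] = "access_denied"
        return client["redirect_uri"] + "?" + urlencode(params)

    def token(self, form: Dict[str, str]) -> Dict[str, str]:
        """'Request access token' answered with 'grant access token'."""
        client = self.clients.get(form.get("client_id", ""))
        if client is None or client["secret"] != form.get("client_secret"):
            raise ValueError("invalid_client")
        grant = self.codes.pop(form.get("code", ""), None)  # pop: a code works exactly once
        if grant is None or grant["expires"] < time.time():
            raise ValueError("invalid_grant: unknown, already used or expired code")
        if grant["client_id"] != form["client_id"] or grant["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("invalid_grant: code issued to another client or redirect_uri")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = str(grant["user"])
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": "3600"}

    def resource(self, access_token: str) -> str:
        """'Access resources': the user a valid token was issued for."""
        if access_token not in self.tokens:
            raise ValueError("invalid_token")
        return self.tokens[access_token]


class Consumer:
    """Client side: builds the authorization request and validates the callback."""

    def __init__(self, sp: ServiceProvider) -> None:
        self.sp = sp
        self.pending: Dict[str, bool] = {}  # state values issued and not yet consumed

    def start(self) -> str:
        state = secrets.token_urlsafe(16)  # binds the callback to this session (login CSRF)
        self.pending[state] = True
        return "https://sp.example/authorize?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "profile", "state": state})

    def callback(self, redirect_url: str) -> Dict[str, str]:
        q = query_params(redirect_url)
        if not self.pending.pop(q.get("state", ""), False):
            raise ValueError("state mismatch: callback was not started by this consumer")
        if "error" in q:
            raise ValueError(q["error"])
        return self.sp.token({"grant_type": "authorization_code", "code": q["code"],
                              "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                              "client_secret": CLIENT_SECRET})


def run_flow(user: str = "alice") -> str:
    """All steps of slide 58 end to end; returns the identity seen at the resource."""
    sp = ServiceProvider({CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}})
    consumer = Consumer(sp)
    auth_url = consumer.start()                               # direct user to service
    back = sp.authorize(auth_url, user=user, approved=True)   # obtain authorization, direct to consumer
    grant = consumer.callback(back)                           # request / grant access token
    return sp.resource(grant["access_token"])                 # access resources
```

On a real mobile client the consumer's secret cannot be kept confidential, which is one reason the talk points at the hybrids and hardware-backed approaches later; the server-side checks above still apply unchanged.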
  59. OAuth 2.0 token via header (the bearer token must only ever travel over TLS):
        URL url = new URL("https://url.com/");
        HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
        urlConnection.setRequestProperty("Authorization", "Bearer …");
  60. OAuth 2.0 token via URI: "url.com/oauth?access_token=…" (a query parameter ends up in server logs, proxy logs, browser history and Referer headers; prefer the header)
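Slides 59 and 60 show the two ways a client can present the token. As an added example (not code from the talk or from PayPal/Braintree), here is what each looks like on the wire and why the header is the better choice: the two client requests, the request line a web server or proxy writes to its access log, and a resource-server parser that accepts either form per RFC 6750 but rejects a request that uses both, which the RFC forbids. The token value is the example string from RFC 6750 itself; the resource URL is made up.

```python
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

ACCESS_TOKEN = "mF_9.B5f-4.1JqM"               # RFC 6750's own example token value
RESOURCE_URL = "https://api.example.com/v1/me"  # hypothetical resource server


def request_with_header(url: str, token: str) -> bytes:
    """Client side, slide 59: token in the Authorization header."""
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return (f"GET {target} HTTP/1.1\r\n"
            f"Host: {parts.netloc}\r\n"
            f"Authorization: Bearer {token}\r\n\r\n").encode("ascii")


def request_with_query(url: str, token: str) -> bytes:
    """Client side, slide 60: token as the access_token query parameter."""
    parts = urlsplit(url)
    query = parts.query + ("&" if parts.query else "") + urlencode({"access_token": token})
    return (f"GET {parts.path}?{query} HTTP/1.1\r\n"
            f"Host: {parts.netloc}\r\n\r\n").encode("ascii")


def access_log_line(raw: bytes) -> str:
    """The request line (method, target, version) as a typical web server or
    proxy records it. Headers are not logged; the request target is."""
    return raw.split(b"\r\n", 1)[0].decode("ascii")


def token_leaks_into_log(raw: bytes, token: str) -> bool:
    return token in access_log_line(raw)


def extract_bearer(raw: bytes) -> Optional[str]:
    """Resource-server side (RFC 6750 sections 2 and 3): take the token from the
    Authorization header or the access_token query parameter, but refuse a
    request that carries it in both places or repeats the parameter."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    _, target, _ = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    from_header: Optional[str] = None
    auth = headers.get("authorization")
    if auth is not None:
        # Scheme name is case-insensitive; the token must match b64token syntax.
        m = re.fullmatch(r"(?i:bearer)\s+([A-Za-z0-9\-._~+/]+=*)", auth)
        if not m:
            raise ValueError("invalid_request: malformed Authorization header")
        from_header = m.group(1)

    from_query = parse_qs(urlsplit(target).query).get("access_token", [])
    if from_header is not None and from_query:
        raise ValueError("invalid_request: token sent by more than one method")
    if len(from_query) > 1:
        raise ValueError("invalid_request: duplicate access_token parameter")
    if from_header is not None:
        return from_header
    return from_query[0] if from_query else None


if __name__ == "__main__":
    for label, req in (("header", request_with_header(RESOURCE_URL, ACCESS_TOKEN)),
                       ("query ", request_with_query(RESOURCE_URL, ACCESS_TOKEN))):
        print(label, "->", access_log_line(req), "| leaks token:", token_leaks_into_log(req, ACCESS_TOKEN))
```

The server accepts the query form because RFC 6750 allows it, but the log-line check is the argument for never sending it that way: the header version logs as a plain `GET /v1/me HTTP/1.1`, the query version logs the token itself.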
  61. OAuth libraries: oauth.net/code
  62. OAuth libraries for Android: github.com/mttkay/signpost, github.com/pakerfeldt/signpost-retrofit
  63. OAuth libraries for iOS: github.com/nxtbgthng/OAuth2Client, github.com/AFNetworking/AFOAuth2Manager
  64. OpenID (2005)
  66. The Hybrids: OpenID OAuth Extension & OpenID Connect
  68. Upcoming
  70. A Trusted Environment
  74. >The Realm of Creepy_
  78. Scaling Security
  79. FIDO Alliance: fidoalliance.org
  80. Security: needs an accessible standard
  81. Difference between Authentication and Authorization
  82. User Experience: should be enhanced, not impaired
  83. Thanks! tim@getbraintree.com, braintreepayments.com/developers, slideshare.com/PayPal