
Codemotion ES 2014: Love Always Takes Care & Humility

Talk delivered by Chema Alonso at Codemotion 2014 ES (Madrid). It covers passwords, second-factor authentication and second-factor authorization using Latch... with a Breaking Bad touch.


  1. {Love Always Takes Care & Humility} Chema Alonso @chemaalonso chema@11paths.com
  2. Hacker & Developer
  3. Worried about security
  4. She thinks security is "doing things right". Creating a strong password: Variety: don't use the same password on all the sites you visit; don't use a word from the dictionary. Length: select strong passwords of 10 or more characters that can't easily be guessed; think of a meaningful phrase, song or quote and turn it into a complex password using the first letter of each word. Complexity: randomly add capital letters, punctuation or symbols; substitute numbers for letters that look similar (for example, "0" for "o" or "3" for "E"). Never give your password to others or write it down.
  5. He doesn't.
  6. Doing things the "common way" is useless • Wiretapping • Trojans & malware • Phishing • Shoulder surfing • Insiders • Server-side bugs: Heartbleed, ShellShock, Schannel, PHP CGI, ... • Client-side bugs • Enemies everywhere...
  7-9. P@sswords, P@sswords, Damn it!! (three slides with the same title)
  10. We need to apply science to a "new" way • 99% purity • Good for all users • Not the errors of the past • Second-factor auth • Side channel • Stealth
  11. She doesn't like the "new" ways of doing security • 2FA with OTP over SMS • RSA hardware tokens • Number matrices (cards) • Google Authenticator-likes • Biometrics • Etc....
  12. She complains:
      • Google Authenticator-likes: no warning when the password is stolen; the user needs to type the OTP.
      • Biometrics: lost once, lost forever; who has my biometric data? (the iOS case).
      • RSA hardware tokens: expensive; uncomfortable; the user needs to type the OTP.
      • The SMS way: not anonymous; tied to the SIM; SIM-swapping attacks; GSM attacks; the user needs to type the OTP; depends on roaming services.
      • Matrix cards: finite; trojans ask for them; usually in the wallet; the user needs to type the OTP.
  13. What does a hacker do? A hacker provides, because...
  14. {Love Always Takes Care & Humility} L A T C H
  15. The Latch security "way", pairing (the Latch server on one side, the user's settings page in the web service on the other):
      1. The user's app generates a pairing code.
      2. The Latch server issues a temporary pairing token.
      3. The user enters that token in the service's user settings (Login: XXXX, Pass: YYYY, Latch: <token>); this step is implied by the settings box in the diagram.
      4. The service sends its AppID + the temporary pairing token to the Latch server.
      5. The Latch server answers OK + a unique Latch ID, which the service stores next to login and password.
      6. The Latch ID appears in the user's app.
  16. The Latch security "way", login (users DB: Login: XXXX, Pass: YYYY, Latch: Latch1):
      1. The client sends login/password to the login page (Login: AAAA, Pass: BBBB).
      2. The service checks user/password.
      3. The service asks the Latch server about the status of Latch1.
      4. Latch1 is OFF.
      5. Login error.
      6. The user is warned: someone tried to get access to the Latch1 ID.
  17. Cares & Humility
      • No users. No passwords. No personal data. No trace.
      • If anyone tries to get access while the latch is closed -> can't + warning.
      • If anyone gets access while it is open -> warning.
      • If anyone tries to unpair -> Latch + warning.
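The pairing and login flows of slides 15-17, as an added example in Python that is not part of the talk and not ElevenPaths' SDK: the Latch server is an in-memory class, the web service stores a latch id beside login and password, and the token format, method names and the assumption that a new latch starts closed are all mine.

```python
"""Toy model of the Latch pairing and login flows from the slides above.
Constructed example: the 'Latch server' is an in-memory object, not the real
ElevenPaths service or SDK; token formats and method names are assumptions."""
import hashlib
import secrets


class LatchServer:
    def __init__(self):
        self.pairing_tokens = set()   # unredeemed temporary pairing tokens
        self.latches = {}             # latch id -> "on" (open) / "off" (closed)
        self.notifications = {}       # latch id -> warnings pushed to the user's phone

    def generate_pairing_code(self):
        """Steps 1-2 of pairing: the user's app asks for a temporary pairing token."""
        token = secrets.token_hex(4)
        self.pairing_tokens.add(token)
        return token

    def pair(self, app_id, token):
        """Steps 4-5 of pairing: the service sends its AppID plus the token and gets a
        unique latch id back. Tokens are single use; a bad token pairs nothing."""
        if token not in self.pairing_tokens:
            return None
        self.pairing_tokens.discard(token)
        latch_id = f"{app_id}:{secrets.token_hex(4)}"
        self.latches[latch_id] = "off"          # assumption: a new latch starts closed
        self.notifications[latch_id] = []
        return latch_id

    def set_status(self, latch_id, status):
        """The user opens ('on') or closes ('off') the latch from the app."""
        self.latches[latch_id] = status

    def status(self, latch_id):
        """Steps 3-4 of login: the service asks about the latch. Unknown ids read as
        closed (fail closed). Every query is reported to the owner: a blocked attempt
        while closed, or an access while open (slide 17)."""
        state = self.latches.get(latch_id, "off")
        if latch_id in self.notifications:
            if state == "off":
                self.notifications[latch_id].append("Someone tried to get access to " + latch_id)
            else:
                self.notifications[latch_id].append("Access granted while open for " + latch_id)
        return state

    def unpair_attempt(self, latch_id):
        """Slide 17: an unpair attempt closes the latch and warns (assumed behaviour)
        instead of silently removing the protection."""
        if latch_id in self.latches:
            self.latches[latch_id] = "off"
            self.notifications[latch_id].append("Unpair attempted on " + latch_id)


class WebService:
    def __init__(self, app_id, latch_server):
        self.app_id = app_id
        self.latch_server = latch_server
        self.users = {}   # login -> {"salt", "hash", "latch"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, login, password):
        salt = secrets.token_bytes(16)
        self.users[login] = {"salt": salt, "hash": self._hash(password, salt), "latch": None}

    def pair_user(self, login, token):
        """Steps 3-6 of pairing: the user pastes the token into settings, the service
        redeems it and stores the returned latch id next to login and password."""
        latch_id = self.latch_server.pair(self.app_id, token)
        if latch_id is None:
            return False
        self.users[login]["latch"] = latch_id
        return True

    def login(self, login, password):
        """Slide 16: credentials first, then the latch. A closed latch turns a correct
        password into a login error, and the owner gets warned."""
        user = self.users.get(login)
        if user is None or not secrets.compare_digest(user["hash"], self._hash(password, user["salt"])):
            return "bad credentials"
        if user["latch"] is None:
            return "ok"                                   # not paired: classic login only
        if self.latch_server.status(user["latch"]) != "on":
            return "login error"                          # step 5; the warning of step 6 is already queued
        return "ok"
```

The one decision worth copying into a real deployment is in `status()`: an unknown or unreachable latch reads as closed, so an outage of the second factor cannot silently turn it off.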
  18. Latch Periodic Table
  19. Cooking
  20. A PHP recipe
  21. 4-eyes verification: User1 logs in (Login: User1, Pass: Pass1, Latch: Latch1), but the login also depends on a second person's latch (Login: User2, Pass: Pass2, Latch: Latch2).
  22. 2-keys activation: an asset is protected by two latches (Latch1 and Latch2); User1/Pass1 alone does not activate it.
  23. Access control: Login: User, Pass: Pass, Latch: Latch; user and password, plus the latch status.
  24. Double supervision: Login: User, Pass: Pass, Latch: Latch, with two operations: Op1: Unlock and Op2: OTP. The app asks "Why?" and the user answers with the OTP.
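The three recipes of slides 21, 22 and 24 as an added Python example (my code, not the talk's PHP recipe and not the ElevenPaths API): latch statuses are a plain dict, the "4-eyes" and "2-keys" rules are both "every listed latch must be open", and double supervision is modelled as a latch-gated OTP pushed to a mailbox that stands in for the user's phone. TTL, single use and the fail-closed treatment of unknown latch ids are my assumptions.

```python
"""Latch 'recipes' from slides 21-24 as a constructed example. The latch service
is modelled as a dict of statuses plus an OTP mailbox; names are assumptions."""
import secrets
import time


def all_open(statuses, *latch_ids):
    """True only when every listed latch exists and is open ('on').
    A missing id counts as closed, so a forgotten latch cannot grant access."""
    return all(statuses.get(lid) == "on" for lid in latch_ids)


def four_eyes_login(statuses, user_latch, supervisor_latch, credentials_ok):
    """Slide 21: User1 may log in only when credentials are right AND both the
    user's own latch and the supervisor's (User2's) latch are open."""
    if not credentials_ok:
        return "bad credentials"
    if not all_open(statuses, user_latch, supervisor_latch):
        return "denied: 4-eyes check failed"
    return "ok"


def two_keys_activate(statuses, asset_latches):
    """Slide 22: an asset guarded by two latches held by two different people
    activates only when both are open, like a two-key launch switch."""
    return all_open(statuses, *asset_latches)


class DoubleSupervision:
    """Slide 24: Op1 'Unlock' is the latch status; Op2 'OTP' pushes a one-time
    code through the latch channel that the user must answer. Assumed: a TTL,
    single use, and a wrong answer burning the code (no guessing)."""

    def __init__(self, statuses, ttl=60):
        self.statuses = statuses
        self.ttl = ttl
        self.pending = {}   # latch id -> (otp, expiry)
        self.mailbox = {}   # latch id -> otp as delivered to the user's phone

    def start(self, latch_id):
        if self.statuses.get(latch_id) != "on":      # Op1: the unlock must be open
            return False
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[latch_id] = (otp, time.monotonic() + self.ttl)
        self.mailbox[latch_id] = otp                  # Op2: delivered via the latch channel
        return True

    def answer(self, latch_id, otp):
        entry = self.pending.pop(latch_id, None)     # single use: any answer consumes it
        if entry is None:
            return False
        expected, expiry = entry
        if time.monotonic() > expiry:
            return False
        return secrets.compare_digest(expected, otp)
```

`all_open` is the whole point of the first two recipes: the service never sees who holds Latch2, only that a second person's "on" is required before User1's correct password counts.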
  25. Latch Plugin Contest
  26. Mooooney
  27. Latch Talks
  28. See you at Codemotion 2015: the end of the trilogy, "Love After Death"
