
Kill All Passwords

You have a solid security infrastructure, all user data is encrypted, your users are protected, right? As long as passwords remain the standard method for identifying your users on the web, people will continue to use "letmein" or "password123" for their secure login, and will continue to be shocked when their accounts are compromised.

Passwords are not secure; they need to be replaced. In this talk we're going to explore the pitfalls of a system designed around a username and password, then dive into the ways that technology is giving us a slew of new options for building a secure user identity system. From biometrics to wearables, hardware to tokens, we'll explore a multitude of ways that we can finally kill all passwords.

Published in: Technology
  • Each person has a unique DNA sequence. User authentication can be performed without implanted devices. Does PayPal do research in the field of DNA sequence recognizers?
  • The following prototype, based on identifying a location in a map/image, demonstrates an alternative to passwords: http://tildexe.appspot.com/

Kill All Passwords

  1. Kill all Passwords. Jonathan LeBlanc (@jcleblanc), Head of Global Developer Advocacy at PayPal + Braintree
  2. Why do we need this? Passwords are awesome! (slide footer on every slide: twitter: @jcleblanc | hashtag: #ConvergeSE)
  3. Top Passwords of 2014 (ranked):
     123456, password, 12345678, qwerty, abc123, 123456789, 111111, 1234567, iloveyou, adobe123,
     123123, admin, 1234567890, letmein, photoshop, 1234, monkey, shadow, sunshine, 12345
  4. Poor Password Choices:
     4.7% of users have the password "password";
     8.5% have the passwords "password" or "123456";
     9.8% have the passwords "password", "123456" or "12345678";
     14% have a password from the top 10 passwords;
     40% have a password from the top 100 passwords;
     79% have a password from the top 500 passwords;
     91% have a password from the top 1000 passwords
  5. The Weakest Link
  6. The Key Issues
  7. People Forget Passwords
  8. Security over Usability
  9. Replacing the Concept of a Username and Password
  10. Securing Current Methods
  11. Bad Security Algorithms: MD5, SHA-1, SHA-2, SHA-3
  12. Good Security Algorithms: PBKDF2, BCRYPT, SCRYPT
  13. Key Stretching
  14. Scaling Authentication
  15. Establishing Trust Zones
  16. There's more to it: Location Awareness; Habit Awareness; Browser Uniqueness; Device Fingerprinting
  17. Variable Authentication
  18. Usability vs Security
  19. State of Developer Auth: Use Another Site Login; Mixed OAuth 2 / OpenID Connect for auth; Roll Your Own; Username / Password; Fingerprint Scanning
  20. What Happened to OAuth 1.0a?
  21. Security Concerns with OAuth 2 / OpenID Connect
  22. Identity Biometrics
  23. False Positive / Negative Rates. False negative: a valid user can't log in. False positive: an invalid user can log in.
  24. The FIDO Alliance: http://fidoalliance.org/
  25. The Future of Secure Identity & Data Encryption
  26. Thank You! slideshare.net/jcleblanc. Jonathan LeBlanc (@jcleblanc), Head of Global Developer Advocacy at PayPal + Braintree
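Slides 11 to 13 name the digests to avoid and the key-stretching functions to prefer but do not show the difference in code. The following Python is an added example, not code from the talk or from PayPal: it rejects the slide 3 list and stores everything else with salted PBKDF2-HMAC-SHA256; the iteration count and the record format are assumptions.

```python
import hashlib
import hmac
import os

# Added example for slides 3, 11, 12 and 13 (not code from the talk): reject
# the top-password list, then store passwords with a key-stretching function
# instead of a bare digest. Parameter values are illustrative assumptions.

TOP_PASSWORDS = {  # the 2014 top-20 list from slide 3
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345",
}
ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware gets faster
SALT_BYTES = 16

def fast_hash(password: str) -> str:
    """Slide 11's 'bad' choice: one unsalted SHA-256 round. Equal passwords
    give equal digests, and each guess costs well under a microsecond."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Slides 12/13: random per-user salt plus key stretching (PBKDF2-HMAC).
    The record carries algorithm, cost and salt so it can be verified and
    later upgraded without knowing the password."""
    if password in TOP_PASSWORDS:
        raise ValueError("password is on the common-password list")
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def needs_rehash(record: str, minimum: int = ITERATIONS) -> bool:
    """Scaling the cost (slide 14): flag records stored with a lower
    iteration count so they are re-stretched at the user's next login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < minimum
```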
