Kill all Passwords
Jonathan LeBlanc (@jcleblanc) Head of Global Developer Advocacy at PayPal + Braintree
Why do we need this?
Passwords are awesome!
twitter: @jcleblanc | hashtag: #ConvergeSE
1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
6. 123456789
7. 111111
8. 1234567
9. iloveyou
10. adobe123
11. 123123
12. admin
13. 1234567890
14. letmein
15. photoshop
16. 1234
17. monkey
18. shadow
19. sunshine
20. 12345
Top Passwords of 2014
4.7% of users have the password "password";
8.5% have the password "password" or "123456";
9.8% have the password "password", "123456" or "12345678";
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
Poor Password Choices
The Weakest Link
The Key Issues
People Forget Passwords
Security over Usability
Replacing the Concept of a Username and Password
Securing Current Methods
Bad Security Algorithms
MD5, SHA-1, SHA-2, SHA-3
Good Security Algorithms
PBKDF2, BCRYPT, SCRYPT
Key Stretching
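Added example, not code from the talk: the slides contrast fast digests (MD5, SHA-2) with key-stretching functions (PBKDF2, bcrypt, scrypt). The Python below stores a PBKDF2-HMAC-SHA256 record with a random salt and an iteration count, verifies it in constant time, and flags records whose iteration count has fallen behind the current policy; the parameter values are assumptions for illustration, not the speaker's.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed policy values for the example; tune iterations to the target
# hardware so one derivation costs a noticeable fraction of a second.
ITERATIONS = 200_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$dk_hex.

    The per-user salt makes identical passwords produce different records,
    and the iteration count is the key-stretching factor that makes each
    offline guess as expensive as a legitimate login.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
        hash_name = algo.split("_", 1)[1]
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iteration_count = int(iterations)
    except (ValueError, IndexError):
        return False  # malformed record, never a match
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iteration_count)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record uses fewer iterations than current policy."""
    parts = record.split("$")
    return len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < ITERATIONS


def fast_hash(password: str) -> str:
    """Unsalted single-pass SHA-256: the 'bad algorithm' pattern, for contrast."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```

A successful login is the natural point to call needs_rehash and re-store the password with the current iteration count.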
Scaling Authentication
Establishing Trust Zones
Location Awareness
Habit Awareness
Browser Uniqueness
Device Fingerprinting
There’s more to it
Variable Authentication
Usability vs Security
Use Another Site Login
Mixed
OAuth 2 / OpenID Connect for auth
Roll Your Own Username / Password
Fingerprint Scanning
State of Developer Auth
What Happened to OAuth 1.0a?
Security Concerns with OAuth 2 / OpenID Connect
Identity Biometrics
False negative: Valid user can’t log in
False positive: Invalid user can log in
False Positive / Negative Rates
The FIDO Alliance http://fidoalliance.org/
The Future of Secure Identity & Data Encryption
Thank You! slideshare.net/jcleblanc
Jonathan LeBlanc (@jcleblanc) Head of Global Developer Advocacy at PayPal + Braintree