Death to passwords - DroidCon Paris 2014


Description: User authentication in mobile applications is a very common and integral use case. Implementing regular passwords is an easy solution for developers, but it comes with several pitfalls that impair the user experience, such as (re-)entering passwords, having to create a new unique password, or simply typing personal data on a flaky keyboard while registering a new account. This talk discusses the security flaws and UX implications of passwords and highlights the different techniques that can offer a more mobile-friendly flow. Covering authorization and authentication techniques like OAuth and OpenID Connect, and even hardware features like Bluetooth Low Energy, it will interest anyone facing a situation where creating and storing user accounts matters. Speaker: Tim Messerschmidt, PayPal. As a long-time mobile and web developer, Tim channels his knowledge and experience as PayPal's Lead Developer Evangelist in EMEA. He is passionate about startups and serves as a mentor at multiple incubators and accelerators. Prior to joining PayPal, Tim worked with Neofonie Mobile and Samsung, focusing on several mobile projects. In his spare time, he leads and creates training classes on all sorts of developer-oriented topics, contributes to Open Source projects, and is one of the authors of the Mobile Developer's Guide to the Galaxy, as well as of numerous articles published in print magazines.

Transcript of Death to passwords - DroidCon Paris 2014

  • 1. Death to passwords: a safe new world. Tim Messerschmidt (@SeraAndroid), Lead Developer Evangelist, EMEA. Droidcon Paris 14
  • 2. Do you believe in […]?
  • 3. A little story about passwords (wiki.scullsecurity.org/[…])
  • 4. 4.7% of users use the password "password"
  • 5. 8.5% are using "password" or "123456"
  • 6. 9.8% use "password", "123456" or "12345678"
  • 7. ... And it doesn't even stop here: 14% have a password from the top 10 passwords; 40% have a password from the top 100 passwords; 79% have a password from the top 500 passwords; 91% have a password from the top 1000 passwords
  • 9. 2013 (cbsnews.com/news/[…])
  • 10. The list (rank, password, change from the previous year):
      1. 123456 (up 1)
      2. Password (down 1)
      3. 12345678
      4. Qwerty (up 1)
      5. Abc123 (down 1)
      6. 123456789 (new)
      7. 111111 (up 2)
      8. 1234567 (up 5)
      9. Iloveyou (up 2)
      10. Adobe123 (new)
      11. 123123 (up 5)
      12. Admin (new)
      13. 1234567890 (new)
      14. Letmein (down 7)
      15. Photoshop (new)
      16. 1234 (new)
      17. Monkey (down 11)
      18. Shadow
      19. Sunshine (down 5)
      20. 12345 (new)
  • 13. 3 HUGE problems: reused, phished, keylogged
  • 17. Favor security too much over the experience and you'll make the website a pain to use.
  • 18. vs.
  • 20. Basic Authentication: username:password
  • 21. Storing passwords: SQLCipher & KeyChain
  • 22. So what?
  • 23. People forget passwords: 45% admit to leaving a website instead of re-setting their password or answering security questions (* Blue Inc. 2011)
  • 27. Let's admit it: […]
  • 28. So what can we do?
  • 29. Passwordless authentication (medium.com/cyber-security/[…]9ed56d483eb)
  • 30. Via email / text
  • 32. Two […]
  • 33. Auth […]
  • 35. OAuth 1.0
  • 39. OAuth 1.0 flow between Consumer and Service: Request Token → Grant Request Token → Direct User to Service → Obtain Authorization → Direct to Consumer → Request Access Token → Grant Access Token → Access Resources
  • 40. OAuth 1.0a
  • 42. Android: Signpost
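As an added example (not from the talk, and not Signpost's code), here are both sides of the OAuth 1.0a exchange shown on the flow slide, simulated in Python with HMAC-SHA1 request signing: the consumer signs each leg, the service recomputes the signature over the same base string and checks it in constant time, and the 1.0a verifier ties the authorized request token back to the consumer. The consumer key, secrets, token values and the service.example URLs are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(s):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """METHOD & enc(url) & enc(normalised params); pairs are sorted after encoding."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return f"{method.upper()}&{pct(url)}&{pct('&'.join(f'{k}={v}' for k, v in pairs))}"

def sign(method, url, params, csecret, tsecret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer secret)&enc(token secret)."""
    key = f"{pct(csecret)}&{pct(tsecret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def consumer_request(method, url, extra, ckey, csecret, token="", tsecret=""):
    """Consumer side: assemble the oauth_* parameters and attach the signature."""
    p = {"oauth_consumer_key": ckey, "oauth_nonce": secrets.token_hex(8),
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
         "oauth_version": "1.0", **extra, **({"oauth_token": token} if token else {})}
    p["oauth_signature"] = sign(method, url, p, csecret, tsecret)
    return p

def service_verify(method, url, params, csecret, tsecret=""):
    """Service side: recompute over everything but oauth_signature, compare in constant time."""
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, csecret, tsecret)
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)

def three_legged_flow(ckey="demo-app", csecret="demo-consumer-secret"):
    """Both sides of the slide's exchange; keys, tokens and URLs are constructed for the demo."""
    url = "https://service.example/oauth/"
    # 1+2: consumer asks for a request token, signed with the consumer secret alone
    req = consumer_request("POST", url + "request_token", {"oauth_callback": "oob"}, ckey, csecret)
    if not service_verify("POST", url + "request_token", req, csecret):
        return "request token rejected"
    rtoken, rsecret = "rt-" + secrets.token_hex(4), secrets.token_hex(8)
    # 3+4: user is sent to the service, approves, and gets a verifier to carry back (the 1.0a fix)
    verifier = secrets.token_hex(4)
    # 5+6: request token + verifier are exchanged for an access token; key now includes the token secret
    exch = consumer_request("POST", url + "access_token", {"oauth_verifier": verifier}, ckey, csecret, rtoken, rsecret)
    if exch["oauth_verifier"] != verifier or not service_verify("POST", url + "access_token", exch, csecret, rsecret):
        return "access token rejected"
    atoken, asecret = "at-" + secrets.token_hex(4), secrets.token_hex(8)
    # 7: protected resource is accessed with the access token and its secret
    res = consumer_request("GET", url + "me", {}, ckey, csecret, atoken, asecret)
    return "ok" if service_verify("GET", url + "me", res, csecret, asecret) else "resource rejected"
```

A real service would additionally reject reused nonces and stale timestamps, which the simulation leaves out.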