Death to passwords - DroidCon Paris 2014
@SERAANDROID
DEATH TO PASSWORDS: A safe new world
Tim Messerschmidt, Lead Developer Evangelist, EMEA. Droidcon Paris '14
DO YOU BELIEVE IN SECURITY?
A LITTLE STORY ABOUT PASSWORDS (wiki.skullsecurity.org/Passwords)
4.7% OF USERS USE THE PASSWORD "PASSWORD"
8.5% ARE USING "PASSWORD" OR "123456"
9.8% USE "PASSWORD", "123456" OR "12345678"
... and it doesn't even stop here:
- 14% have a password from the top 10 passwords
- 40% have a password from the top 100 passwords
- 79% have a password from the top 500 passwords
- 91% have a password from the top 1000 passwords
2013: CBSNEWS.COM/NEWS/THE-25-MOST-COMMON-PASSWORDS-OF-2013
1. 123456 (up 1)
2. password (down 1)
3. 12345678 (unchanged)
4. qwerty (up 1)
5. abc123 (down 1)
6. 123456789 (new)
7. 111111 (up 2)
8. 1234567 (up 5)
9. iloveyou (up 2)
10. adobe123 (new)
11. 123123 (up 5)
12. admin (new)
13. 1234567890 (new)
14. letmein (down 7)
15. photoshop (new)
16. 1234 (new)
17. monkey (down 11)
18. shadow (unchanged)
19. sunshine (down 5)
20. 12345 (new)
haveibeenpwned.com
3 HUGE Problems
- Reused
- Phished
- Keylogged
abstrusegoose.com/296
abstrusegoose.com/262
xkcd.com/936
Favor security too much over the experience and you’ll make the website a pain to use.
vs.
Basic Authentication: username:password (the Authorization header carries base64(username:password) on every request; base64 is encoding, not encryption, so this is only as safe as the TLS connection it travels over)
Storing Passwords: SQLCipher & KeyChain
SO WHAT?
People forget passwords…
45% admit to leaving a website instead of resetting their password or answering security questions (Blue Inc., 2011)
heartbleed.com
heartbleed.agilebits.com
LET'S ADMIT IT: PASSWORDS SUCK
SO WHAT CAN WE DO INSTEAD?
PASSWORDLESS AUTHENTICATION (MEDIUM.COM/CYBER-SECURITY/9ED56D483EB)
VIA EMAIL / TEXT
braintreepayments.com/blog/goodbye-passwords-one-touch-hello-bitcoin
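How a passwordless e-mail or text login works end to end, as an added example in Python (not code from the talk, from PayPal or from Braintree): the server mints a random single-use token, stores only the token's hash, sends the link, and accepts the token once within a short window. The class name, the in-memory store, the delivery hook and the example.com link are assumptions made for illustration.

```python
"""Passwordless login through a single-use, short-lived link sent by e-mail or text.

Added example, not code from the talk: the server never stores a password.
It mints a random token, keeps only the token's hash, sends the link, and
accepts the token once, before it expires. The class name, the in-memory
store, the delivery hook and https://example.com are assumptions.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # a short lifetime bounds the damage of an intercepted message


class MagicLinkService:
    def __init__(self, send_message, now=time.time):
        self._send_message = send_message   # hypothetical hook: send_message(address, link)
        self._now = now                     # injectable clock so expiry can be tested
        self._pending = {}                  # token hash -> (address, expires_at); never the token

    @staticmethod
    def _hash(token: str) -> str:
        # If the store leaks, the attacker gets hashes that cannot be turned back into links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_login(self, address: str) -> None:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable
        self._pending[self._hash(token)] = (address, self._now() + TOKEN_TTL_SECONDS)
        self._send_message(address, f"https://example.com/login?token={token}")

    def redeem(self, token: str):
        """Return the authenticated address, or None if the token is unknown, used or expired."""
        digest = self._hash(token)
        match = None
        for stored in list(self._pending):
            # constant-time comparison: no early exit on the first differing byte
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            return None
        address, expires_at = self._pending.pop(match)  # single use: removed even if it turns out stale
        if self._now() > expires_at:
            return None
        return address


def demo():
    """Drive the flow with a constructed outbox and clock; returns the four outcomes."""
    outbox = []
    clock = [1_700_000_000.0]
    svc = MagicLinkService(send_message=lambda addr, link: outbox.append((addr, link)),
                           now=lambda: clock[0])
    svc.request_login("alice@example.com")
    token = outbox[-1][1].split("token=", 1)[1]
    first = svc.redeem(token)                # "alice@example.com": fresh token accepted
    replay = svc.redeem(token)               # None: the same link cannot be used twice
    svc.request_login("bob@example.com")
    stale = outbox[-1][1].split("token=", 1)[1]
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = svc.redeem(stale)              # None: past the TTL
    bogus = svc.redeem("not-a-real-token")   # None: unknown token
    return first, replay, expired, bogus


if __name__ == "__main__":
    print(demo())
```

The three properties that make this safer than a reset-password mail are visible in `redeem`: the token is removed before the expiry check (single use), the store holds only hashes (a database dump yields no usable links), and the lifetime is minutes, not days. The same pattern applies to a code sent by text; only the delivery hook changes.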
TWO FACTOR AUTH (TWOFACTORAUTH.ORG)
Authentication vs. Authorization: authentication establishes who the user is; authorization (what OAuth is for) grants a client limited access to act on the user's behalf.
OAUTH 1.0
OAuth 1.0 flow (actors: Consumer and Service Provider):
1. Consumer requests a Request Token
2. Service Provider grants the Request Token
3. Consumer directs the User to the Service Provider to obtain authorization
4. Service Provider directs the User back to the Consumer
5. Consumer requests an Access Token
6. Service Provider grants the Access Token
7. Consumer accesses the protected resources
OAUTH 1.0A
OAuth 1.0a (the 2009 revision) closes the session fixation hole in 1.0: the callback URL is bound to the request token when it is issued, and the service provider hands the user back with an oauth_verifier that the consumer must present when exchanging the request token for an access token.
Android: Signpost <3 (github.com/mttkay/signpost)
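What a library like Signpost does for every request, shown as an added example in Python rather than the library's own code: OAuth 1.0 request signing per RFC 5849 section 3.4 with HMAC-SHA1, from both sides, the consumer signing and the service provider verifying and rejecting a tampered request. The consumer key, secrets, nonce, timestamp and api.example.com URL are constructed values.

```python
"""OAuth 1.0 request signing (RFC 5849 section 3.4, HMAC-SHA1).

Added example, not code from the talk or from Signpost. Each request carries an
HMAC over method, URL and parameters, keyed by the consumer secret and token
secret, so the secrets never travel over the wire and a captured request cannot
be replayed against a different URL or with different parameters.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def _enc(s: str) -> str:
    # RFC 5849 3.6: percent-encode everything outside the RFC 3986 unreserved set.
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Scheme and host lowercased, default ports dropped, query and fragment removed (3.4.1.2)."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & enc(base URI) & enc(normalized parameters) (3.4.1.1)."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))   # query string params
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]  # oauth_* and body params
    # encode first, then sort by name and value, then join (3.4.1.3.2)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((_enc(k), _enc(v)) for k, v in pairs))
    return "&".join([method.upper(), _enc(base_string_uri(url)), _enc(normalized)])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()   # 3.4.2: both secrets, & joined
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def signed_params(method, url, params, consumer_key, consumer_secret,
                  token="", token_secret="", nonce=None, timestamp=None) -> dict:
    """Consumer side: add the oauth_* protocol parameters and the signature."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),          # fresh per request
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    full = {**params, **oauth}
    full["oauth_signature"] = sign(method, url, full, consumer_secret, token_secret)
    return full


def verify(method: str, url: str, received: dict, consumer_secret: str, token_secret: str = "") -> bool:
    """Service provider side: recompute over what was actually received and compare in
    constant time. A real server also checks oauth_timestamp freshness and rejects a
    nonce it has already seen, which is what stops straight replays."""
    expected = sign(method, url, received, consumer_secret, token_secret)
    return hmac.compare_digest(expected, received.get("oauth_signature", ""))


def demo():
    """Constructed exchange: consumer signs, provider verifies, then two attacks fail."""
    url = "https://api.example.com/resource?type=photos"
    req = signed_params("GET", url, {}, "key", "consumer-secret", "tok", "token-secret",
                        nonce="abc123", timestamp=1400000000)
    ok = verify("GET", url, req, "consumer-secret", "token-secret")
    swapped = verify("GET", url, dict(req, oauth_token="victim-token"),          # token substituted
                     "consumer-secret", "token-secret")
    moved = verify("GET", "https://api.example.com/admin?type=photos", req,     # same request, other URL
                   "consumer-secret", "token-secret")
    return signature_base_string("GET", url, req), ok, swapped, moved


if __name__ == "__main__":
    print(demo())
```

The contrast with the OAuth 2.0 bearer token that follows is the point: here the secrets stay on each side and only a signature that covers the whole request travels, so a leaked log line is not reusable; a bearer token is the credential itself.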
OAUTH 2.0
OAuth 2.0 flow (actors: Consumer and Service Provider):
1. Consumer directs the User to the Service Provider to obtain authorization
2. Service Provider directs the User back to the Consumer
3. Consumer requests an Access Token
4. Service Provider grants the Access Token
5. Consumer accesses resources / profile
// Sending the OAuth 2.0 access token as a bearer credential. Always over TLS:
// unlike an OAuth 1.0 signature, the token is the credential itself.
URL url = new URL("https://url.com/");
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
urlConnection.setRequestProperty("Authorization", "Bearer …");
HTTP Header (preferred)
// The alternative puts the token in the URL, where it ends up in server logs,
// proxy logs, browser history and Referer headers:
"https://url.com/oauth?access_token=…"
URI parameter (avoid)
Scribe: github.com/fernandezpablo85/scribe
PostmanLib: github.com/fedepaol/PostmanLib--Rings-Twice--Android
homakov.blogspot.de/2013/03/oauth1-oauth2-oauth.html
OAuth 2.0 and the Road to Hell: hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell
Identity Techniques
- OpenID
- OpenID Connect
- Persona / BrowserID
OpenID
BrowserID / Persona
How to combine both?
OpenID with OAuth Hybrid Extension
OpenID Connect
Identity Providers: Social vs. Concrete
Do we always use the same identity?
Should we always use the same identity?
Name
Date of Birth
Locale
Time Zone
Address
Gender
Language
Phone Number
Creation Date
People hate to register
Out of 657 surveyed users, 66% think that social sign-in is a desirable alternative (Blue Inc., 2011)
Be aware
What's Next? Bluetooth SMART and your fingerprint
UTILIZING A TRUSTED ENVIRONMENT
SCALING SECURITY BASED ON THE CASE
FIDO ALLIANCE: UNIVERSAL AUTH
Security matters to users and developers
Know the difference between authentication and authorization
User Experience should be enhanced, not impaired
[email protected] / @SeraAndroid / @PayPalDev / slideshare.com/paypal