Death to passwords - DroidCon Paris 2014

Transcript
Page 1: Death to passwords - DroidCon Paris 2014

@SERAANDROID

DEATH TO PASSWORDS
A safe new world

Tim Messerschmidt
Lead Developer Evangelist, EMEA
Droidcon Paris ’14

Page 2: Death to passwords - DroidCon Paris 2014

DO YOU BELIEVE IN SECURITY?

Page 3: Death to passwords - DroidCon Paris 2014

A LITTLE STORY ABOUT PASSWORDS
WIKI.SCULLSECURITY.ORG/PASSWORDS

Page 4: Death to passwords - DroidCon Paris 2014

4.7% OF USERS USE THE PASSWORD “PASSWORD”

Page 5: Death to passwords - DroidCon Paris 2014

8.5% ARE USING PASSWORD OR 123456

Page 6: Death to passwords - DroidCon Paris 2014

9.8% USE PASSWORD, 123456 OR 12345678

Page 7: Death to passwords - DroidCon Paris 2014

... And it doesn’t even stop here

14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords

Page 8: Death to passwords - DroidCon Paris 2014

Page 9: Death to passwords - DroidCon Paris 2014

2013
CBSNEWS.COM/NEWS/THE-25-MOST-COMMON-PASSWORDS-OF-2013

Page 10: Death to passwords - DroidCon Paris 2014

1. 123456 (up 1)
2. Password (down 1)
3. 12345678
4. Qwerty (up 1)
5. Abc123 (down 1)
6. 123456789 (new)
7. 111111 (up 2)
8. 1234567 (up 5)
9. Iloveyou (up 2)
10. Adobe123 (new)
11. 123123 (up 5)
12. Admin (new)
13. 1234567890 (new)
14. Letmein (down 7)
15. Photoshop (new)
16. 1234 (new)
17. Monkey (down 11)
18. Shadow
19. Sunshine (down 5)
20. 12345 (new)

Page 11: Death to passwords - DroidCon Paris 2014

Page 12: Death to passwords - DroidCon Paris 2014

haveibeenpwned.com

Page 13: Death to passwords - DroidCon Paris 2014

3 HUGE Problems
- Reused
- Phished
- Keylogged

Page 14: Death to passwords - DroidCon Paris 2014

abstrusegoose.com/296

Page 15: Death to passwords - DroidCon Paris 2014

abstrusegoose.com/262

Page 16: Death to passwords - DroidCon Paris 2014

xkcd.com/936

Page 17: Death to passwords - DroidCon Paris 2014

Favor security too much over the experience and you’ll make the website a pain to use.

Page 18: Death to passwords - DroidCon Paris 2014

vs.

Page 19: Death to passwords - DroidCon Paris 2014

Page 20: Death to passwords - DroidCon Paris 2014

Basic Authentication
username:password

Page 21: Death to passwords - DroidCon Paris 2014

Storing Passwords
SQLCipher & KeyChain

Page 22: Death to passwords - DroidCon Paris 2014

SO WHAT?

Page 23: Death to passwords - DroidCon Paris 2014

People forget passwords…

45% admit to leaving a website instead of resetting their password or answering security questions. ** Blue Inc. 2011

Page 24: Death to passwords - DroidCon Paris 2014

heartbleed.com

Page 25: Death to passwords - DroidCon Paris 2014

heartbleed.agilebits.com

Page 26: Death to passwords - DroidCon Paris 2014

Page 27: Death to passwords - DroidCon Paris 2014

LET’S ADMIT IT: PASSWORDS SUCK

Page 28: Death to passwords - DroidCon Paris 2014

SO WHAT CAN WE DO INSTEAD?

Page 29: Death to passwords - DroidCon Paris 2014

PASSWORDLESS AUTHENTICATION
MEDIUM.COM/CYBER-SECURITY/9ED56D483EB

Page 30: Death to passwords - DroidCon Paris 2014

VIA EMAIL / TEXT

Page 31: Death to passwords - DroidCon Paris 2014

braintreepayments.com/blog/goodbye-passwords-one-touch-hello-bitcoin

Page 32: Death to passwords - DroidCon Paris 2014

TWO FACTOR AUTH
TWOFACTORAUTH.ORG

Page 33: Death to passwords - DroidCon Paris 2014

Authentication vs. Authorization

Page 34: Death to passwords - DroidCon Paris 2014

Page 35: Death to passwords - DroidCon Paris 2014

OAUTH 1.0

Page 36: Death to passwords - DroidCon Paris 2014

Page 37: Death to passwords - DroidCon Paris 2014

Page 38: Death to passwords - DroidCon Paris 2014

Page 39: Death to passwords - DroidCon Paris 2014

OAuth 1.0 flow between Consumer and Service Provider:

1. Consumer: Request a Request Token
2. Service Provider: Grant the Request Token
3. Consumer: Direct the User to the Service Provider to obtain authorization
4. Service Provider: Direct the User back to the Consumer
5. Consumer: Request an Access Token
6. Service Provider: Grant the Access Token
7. Consumer: Access protected resources

Page 40: Death to passwords - DroidCon Paris 2014

OAUTH 1.0A

Page 41: Death to passwords - DroidCon Paris 2014

Page 42: Death to passwords - DroidCon Paris 2014

Android: Signpost <3
github.com/mttkay/signpost

Page 43: Death to passwords - DroidCon Paris 2014

OAUTH 2.0

Page 44: Death to passwords - DroidCon Paris 2014

OAuth 2.0 flow between Consumer and Service Provider:

1. Consumer: Direct the User to the Service Provider to obtain authorization
2. Consumer: Request an Access Token
3. Service Provider: Grant the Access Token
4. Service Provider: Direct the User back to the Consumer
5. Consumer: Access resources / profile

Page 45: Death to passwords - DroidCon Paris 2014

Page 46: Death to passwords - DroidCon Paris 2014

HTTP Header:

    import java.net.HttpURLConnection;
    import java.net.URL;

    // Inside a method that declares IOException:
    URL url = new URL("http://url.com/");
    HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
    // Bearer token goes in the Authorization header (RFC 6750); send it only over TLS.
    urlConnection.setRequestProperty("Authorization", "Bearer …");

URI parameter:

    url.com/oauth?access_token=…
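The two slides above, the OAuth 2.0 flow and the bearer-token transport, simulated in Python with both sides in one process (an added example, not code from the talk): the Service Provider issues a single-use authorization code bound to the consumer's registered redirect URI, exchanges it for an access token, and accepts the token only from the Authorization header, since a token in the URI parameter ends up in server logs and Referer headers. Client id, redirect URI and user names are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for the Service Provider (authorization + resource server).
class ServiceProvider:
    def __init__(self):
        self.clients = {"droidcon-app": "https://consumer.example/callback"}  # registered redirect URIs
        self.codes = {}    # authorization code -> (client_id, redirect_uri, user)
        self.tokens = {}   # access token -> user

    def authorize(self, client_id, redirect_uri, state, user):
        # "Direct User to Service / Obtain Authorization": after consent the provider
        # redirects the user back with a short-lived, single-use code and the echoed state.
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, code, redirect_uri):
        # "Request Access Token / Grant Access Token": the code is consumed on first use
        # and must match the client and redirect_uri it was issued for.
        entry = self.codes.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri):
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = entry[2]
        return token

    def resource(self, headers):
        # "Access Resources": the token is accepted only as an RFC 6750 Bearer header;
        # the ?access_token= form is refused because query strings leak into logs.
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        user = self.tokens.get(token) if scheme == "Bearer" else None
        if user is None:
            raise PermissionError("invalid_token")
        return {"profile": user}

def consumer_flow(sp, user="alice"):
    """Consumer side of the slide's flow; returns the profile fetched with the token."""
    client_id, redirect_uri = "droidcon-app", "https://consumer.example/callback"
    state = secrets.token_urlsafe(8)  # bound to this login attempt; rejects forged callbacks
    callback = sp.authorize(client_id, redirect_uri, state, user)  # "Direct to Consumer"
    params = parse_qs(urlparse(callback).query)
    if params.get("state", [None])[0] != state:
        raise PermissionError("state mismatch: callback did not originate from our request")
    token = sp.token(client_id, params["code"][0], redirect_uri)
    return sp.resource({"Authorization": "Bearer " + token})
```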

Page 47: Death to passwords - DroidCon Paris 2014

Scribe
github.com/fernandezpablo85/scribe

PostmanLib
github.com/fedepaol/PostmanLib--Rings-Twice--Android

Page 48: Death to passwords - DroidCon Paris 2014

homakov.blogspot.de/2013/03/oauth1-oauth2-oauth.html

Page 49: Death to passwords - DroidCon Paris 2014

OAuth 2.0 and the Road to Hell
hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell

Page 50: Death to passwords - DroidCon Paris 2014

Identity Techniques
- OpenID
- OpenID Connect
- Persona / BrowserID

Page 51: Death to passwords - DroidCon Paris 2014

Page 52: Death to passwords - DroidCon Paris 2014

OpenID

Page 53: Death to passwords - DroidCon Paris 2014

BrowserID / Persona

Page 54: Death to passwords - DroidCon Paris 2014

How to combine both?

Page 55: Death to passwords - DroidCon Paris 2014

OpenID with OAuth Hybrid Extension

Page 56: Death to passwords - DroidCon Paris 2014

OpenID Connect

Page 57: Death to passwords - DroidCon Paris 2014

Identity Providers
Social vs. Concrete

Page 58: Death to passwords - DroidCon Paris 2014

Do we always use the same identity?

Page 59: Death to passwords - DroidCon Paris 2014

Should we always use the same identity?

Page 60: Death to passwords - DroidCon Paris 2014

Page 61: Death to passwords - DroidCon Paris 2014

Name

Email

Date of Birth

Locale

Time Zone

Address

Gender

Language

Phone Number

Creation Date

Page 62: Death to passwords - DroidCon Paris 2014

People hate to register

Out of 657 surveyed users, 66% think that social sign-in is a desirable alternative. ** Blue Inc. 2011

Page 63: Death to passwords - DroidCon Paris 2014

Page 64: Death to passwords - DroidCon Paris 2014

Be aware

Page 65: Death to passwords - DroidCon Paris 2014

What’s Next?
Bluetooth SMART and your fingerprint

Page 66: Death to passwords - DroidCon Paris 2014

Page 67: Death to passwords - DroidCon Paris 2014

Page 68: Death to passwords - DroidCon Paris 2014

Page 69: Death to passwords - DroidCon Paris 2014

Page 70: Death to passwords - DroidCon Paris 2014

Page 71: Death to passwords - DroidCon Paris 2014

Page 72: Death to passwords - DroidCon Paris 2014

UTILIZING A TRUSTED ENVIRONMENT

Page 73: Death to passwords - DroidCon Paris 2014

SCALING SECURITY BASED ON THE CASE

Page 74: Death to passwords - DroidCon Paris 2014

FIDO ALLIANCE
UNIVERSAL AUTH

Page 75: Death to passwords - DroidCon Paris 2014

Security matters to users and developers

Know the difference between authentication and authorization

User experience should be enhanced, not impaired

Page 76: Death to passwords - DroidCon Paris 2014

[email protected]
@SeraAndroid / @PayPalDev
slideshare.com/paypal