Passwords are so 1990
- 1. @sambego Passwords are so 1990
- 2. @sambego Developer evangelist Auth0 Google developer Expert I&S Meetup London Fronteers Sam Bellen
- 4. @sambego
- 5. @sambego Summary A bit of history on passwords Types of passwords Passwordless authentication Web authentication API
- 6. @sambego Passwords date back to the Romans! Somewhere BC
- 8. @sambego
- 11. @sambego Hacking became more an issue 1990s
- 15. @sambego hotdog* A string * This was my first password, true story!
- 17. @sambego Pro Can be hard to guess (by others) if complex
- 18. @sambego Con Can be hard to remember if complex (a passwordmanager can help)
- 19. @sambego 1 2 3 4 A pincode
- 20. @sambego Pro Fairly easy to remember
- 21. @sambego Pro Usually used only with access to a physical thing (card, phone, keypad, …)
- 22. @sambego Con Not so hard to guess (Often combined with a maximum allowed number of guesses)
- 26. @sambego A pattern 1 2 3 6 5 4 7 8 9
- 28. @sambego Con Touchscreens often reveal the pattern as “dirty” spots.
- 29. @sambego Con People often use their initial letter, lucky number, …
- 30. @sambego Anything that’s a shared secret
- 31. @sambego So what’s the problem with passwords?
- 32. @sambego
- 34. @sambego Use a password manager to help you remember!
- 35. @sambego User data can get stolen
- 41. @sambego Auth0 Breached password detection
- 42. @sambego Google Chrome Password Checkup
- 43. @sambego Tips Use a complex password Don’t use personal data Don’t reuse passwords Change passwords frequently
- 44. @sambego
- 47. @sambego OTP
- 48. @sambego One time password Valid for one time use Often expire after a certain time Sent directly to the user
- 49. @sambego One time password Sent in an SMS
- 50. @sambego Pro iOS let’s your easily fill the OTP from the messages app
- 52. @sambego Con Not all telecom operators take security serious, SMS messages can be intercepted.
- 53. @sambego Con You need your cellphone on hand
- 54. @sambego One time password Sent in an email
- 55. @sambego One time password Magic link
- 56. @sambego
- 57. @sambego Pro You don’t need a second device
- 58. @sambego Con Emails can be intercepted
- 62. @sambego Other authenticator apps DUO Lastpass Authenticator Authy Microsoft Authenticator
- 67. @sambego Con Needs a shared secret between the app and authentication service
- 69. @sambego
- 70. @sambego Pro One less password to remember
- 71. @sambego Pro Only give a password to a service you trust
- 72. @sambego Con You rely on another service for authentication
- 74. @sambego One time password Often used as second factor
- 78. @sambego Yubikey
- 83. @sambego What if we could use these on the web?
- 94. @sambego Web Authentication Your authenticator device can register a private and public key pair for each website.
- 95. @sambego Web Authentication The private key is stored only on the authenticator device.
- 96. @sambego Web Authentication The private key can sign future challenges.
- 97. @sambego Web Authentication The public key is stored on the authentication device and on the relying party’s server.
- 98. @sambego Web Authentication The public key is used to verify future challenges.
- 99. @sambego Web Authentication The signed challenge is send back to the relying party for security.
- 101. @sambego Some issues User credential management
- 102. @sambego Some issues Cross devices credentials
- 103. @sambego Web Authentication Chrome 67 Firefox 60 Edge 17723 Safari Tech Preview (behind a flag)
- 104. @sambego Disclaimer The spec is not yet fully integrated in all browsers.
- 106. @sambego 🤯
- 107. @sambego Summary Remembering passwords is annoying. Use a password manager.
- 108. @sambego Summary One time passwords are easier, but currently mostly used as second factor.
- 109. @sambego Summary The future of authentication might be hardware authenticator devices.
- 110. @sambego Summary You can use TouchID on the web!
- 111. @sambego Read more https: //webauthn.me https: //auth0.com/blog https: // www.w3.org/TR/webauthn
- 113. @sambego Tack!
- 114. @sambego Thanks!