
Kill All Passwords

You have a solid security infrastructure and all user data is encrypted, so your users are protected, right? As long as passwords remain the standard method for identifying users on the web, people will keep using "letmein" or "password123" for their "secure" login, and will keep being shocked when their accounts are compromised. Passwords are not secure; they need to be replaced. In this talk we explore the pitfalls of a system designed around a username and password, then look at how current technology gives us new ways to build a secure user identity system. From biometrics to wearables, hardware to tokens, we'll explore a multitude of ways that we can finally kill all passwords.


Presentation Transcript


  1. Kill all Passwords Jonathan LeBlanc (@jcleblanc) Head of Global Developer Advocacy at PayPal + Braintree

  2. Why do we need this? Passwords are awesome! twitter: @jcleblanc | hashtag: #ConvergeSE

  3. Top Passwords of 2014: 1. 123456, 2. password, 3. 12345678, 4. qwerty, 5. abc123, 6. 123456789, 7. 111111, 8. 1234567, 9. iloveyou, 10. adobe123, 11. 123123, 12. admin, 13. 1234567890, 14. letmein, 15. photoshop, 16. 1234, 17. monkey, 18. shadow, 19. sunshine, 20. 12345

  4. Poor Password Choices: 4.7% of users have the password "password"; 8.5% have "password" or "123456"; 9.8% have "password", "123456" or "12345678"; 14% have a password from the top 10 passwords; 40% have a password from the top 100; 79% have a password from the top 500; 91% have a password from the top 1000.

  5. The Weakest Link

  6. The Key Issues

  7. People Forget Passwords

  8. Security over Usability

  9. Replacing the Concept of a Username and Password

  10. Securing Current Methods

  11. Bad Security Algorithms (for storing passwords): MD5, SHA-1, SHA-2, SHA-3. These are fast general-purpose hashes; used unsalted and single-pass they let an attacker who steals the database test enormous numbers of guesses per second, and identical passwords produce identical hashes.

  12. Good Security Algorithms: PBKDF2, bcrypt, scrypt. Purpose-built password hashes: salted per user and deliberately slow, with a tunable cost factor.

  13. Key Stretching: running the hash function many thousands of times so that every guess costs the attacker as much as it costs you, and raising that count as hardware gets faster.
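The contrast between slides 11 to 13 in working code, as an added example that is not part of the talk: an unsalted fast hash beside a salted, stretched PBKDF2-HMAC-SHA256 hash from the Python standard library, with a self-describing storage record so the iteration count can be raised later and old records upgraded at the user's next login. The record format, the iteration counts and the helper names are this example's own choices, not something the slides prescribe.

```python
# Added example (not from the talk): salted, stretched password hashing with
# PBKDF2-HMAC-SHA256 from the standard library, beside the fast unsalted hash
# the slides call "bad". Storage format and iteration counts are this example's
# own assumptions.
import hashlib
import hmac
import os
from typing import Optional, Tuple

DEFAULT_ITERATIONS = 600_000   # the cost knob; raise it as hardware gets faster


def weak_hash(password: str) -> str:
    """Slide 11 style: fast, unsalted, single-pass. Same password -> same digest
    for every user, so one cracked hash (or a rainbow table) unlocks them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Slide 12/13 style. Returns a record 'pbkdf2_sha256$iterations$salt$hash'
    (hex) so the parameters travel with the hash and can change over time."""
    if salt is None:
        salt = os.urandom(16)          # per-user random salt defeats precomputation
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False                   # unknown / legacy format: never silently accept
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(stored: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Key stretching over time: a record below the current cost is due for an upgrade."""
    return int(stored.split("$")[1]) < target_iterations


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify the password; on success, return an upgraded record if the old one
    was under-stretched (the only moment the plaintext is available to re-hash)."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, stored


if __name__ == "__main__":
    rec = hash_password("letmein", iterations=1_000)     # deliberately low cost
    print("weak, unsalted :", weak_hash("letmein"))
    print("stored record  :", rec)
    ok, upgraded = login("letmein", rec)
    print("login ok:", ok, "| upgraded to", upgraded.split("$")[1], "iterations")
```

Two things the block makes concrete: the salt and iteration count are stored with the hash rather than as global constants, so a later cost increase is a data migration that happens lazily at login instead of a forced password reset; and `hmac.compare_digest` rather than `==` keeps the comparison from leaking, byte by byte, how much of a guess was right.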

  14. Scaling Authentication

  15. Establishing Trust Zones

  16. There's more to it: Location Awareness, Habit Awareness, Browser Uniqueness, Device Fingerprinting

  17. Variable Authentication
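Slides 15 to 17 taken together in code, as an added example that is not part of the talk: a risk-based decision that scores a login attempt on the signals slide 16 lists (device fingerprint, location, habit) and varies what it demands, from plain acceptance through a second-factor step-up to refusal, and records a device that passed the step-up as part of the user's trust zone. The weights, thresholds, profile layout and names are this example's assumptions, not the talk's.

```python
# Added example (not from the talk): risk-based "variable authentication" over
# the signals on slide 16, with a trust zone that grows after a successful
# step-up. Weights, thresholds and the data layout are this example's own
# assumptions.
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)    # fingerprints seen after strong auth
    known_countries: Set[str] = field(default_factory=set)  # location awareness
    usual_hours: Set[int] = field(default_factory=set)      # habit awareness (hours 0-23)


@dataclass(frozen=True)
class LoginAttempt:
    device_fingerprint: str   # e.g. a hash over UA, screen, fonts, canvas (browser uniqueness)
    country: str
    hour: int


# Each signal adds to the risk score when the attempt deviates from the profile.
WEIGHTS = {"new_device": 40, "new_country": 35, "unusual_hour": 15}
STEP_UP_THRESHOLD = 30    # at or above: demand a second factor
DENY_THRESHOLD = 80       # at or above: refuse and alert


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> Tuple[int, Dict[str, bool]]:
    """Return the score and which signals fired, so the decision is explainable."""
    signals = {
        "new_device": attempt.device_fingerprint not in profile.known_devices,
        "new_country": attempt.country not in profile.known_countries,
        # A user with no history yet has no "usual" hour; don't penalise them for it.
        "unusual_hour": bool(profile.usual_hours) and attempt.hour not in profile.usual_hours,
    }
    score = sum(WEIGHTS[name] for name, fired in signals.items() if fired)
    return score, signals


def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    """Variable authentication: 'allow', 'step_up' or 'deny'."""
    score, _ = risk_score(profile, attempt)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def record_successful_step_up(profile: UserProfile, attempt: LoginAttempt) -> None:
    """Trust zone: a device and location confirmed by a second factor are trusted next time."""
    profile.known_devices.add(attempt.device_fingerprint)
    profile.known_countries.add(attempt.country)


if __name__ == "__main__":
    alice = UserProfile({"fp-laptop"}, {"US"}, {8, 9, 18, 19})
    for attempt in (LoginAttempt("fp-laptop", "US", 9),
                    LoginAttempt("fp-phone", "US", 9),
                    LoginAttempt("fp-phone", "RU", 3)):
        print(attempt, "->", decide(alice, attempt), risk_score(alice, attempt))
```

The scoring is additive on purpose: one unfamiliar signal (a new phone on the usual network at the usual time) costs the user a second factor, not their session, while a new device from a new country at 3 a.m. is refused. Because a step-up success is written back into the profile, the extra friction is paid once per device rather than on every login, which is the usability side of the trade-off.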

  18. Usability vs Security

  19. State of Developer Auth: Use Another Site Login; Mixed; OAuth 2 / OpenID Connect for auth; Roll Your Own Username / Password; Fingerprint Scanning

  20. What Happened to OAuth 1.0a?

  21. Security Concerns with OAuth 2 / OpenID Connect

  22. Identity Biometrics

  23. False Positive / Negative Rates. False negative (a false reject): a valid user can't log in. False positive (a false accept): an invalid user can log in. Tightening the match threshold lowers one rate and raises the other.
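Slide 23's two error rates computed on constructed matcher scores, as an added example that is not part of the talk: it shows how moving a biometric acceptance threshold trades false rejects (valid users locked out) against false accepts (impostors let in), which is the usability-versus-security tension of slide 18 in numbers. The score lists and helper names are made up for illustration.

```python
# Added example (not from the talk): false reject / false accept rates of a
# biometric matcher as a function of its acceptance threshold. The score lists
# are constructed for illustration, not real matcher output.
from typing import Iterable, List, Tuple

# Constructed similarity scores (0-100): a user compared against their own
# enrolled template ("genuine") and other people compared against it ("impostor").
GENUINE_SCORES: List[int] = [92, 88, 85, 81, 79, 76, 74, 71, 68, 63]
IMPOSTOR_SCORES: List[int] = [12, 18, 23, 29, 34, 41, 47, 55, 62, 70]


def error_rates(threshold: int,
                genuine: List[int] = GENUINE_SCORES,
                impostor: List[int] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Return (false_reject_rate, false_accept_rate) for the rule
    'accept if score >= threshold'."""
    frr = sum(s < threshold for s in genuine) / len(genuine)      # valid user can't log in
    far = sum(s >= threshold for s in impostor) / len(impostor)   # invalid user can log in
    return frr, far


def sweep(thresholds: Iterable[int]) -> List[Tuple[int, float, float]]:
    """Tabulate (threshold, FRR, FAR) to see the trade-off curve."""
    return [(t, *error_rates(t)) for t in thresholds]


def choose_threshold(max_far: float, thresholds: Iterable[int] = range(0, 101)) -> int:
    """Security-first policy: the lowest threshold whose FAR is within budget,
    which is also the one that locks out the fewest valid users for that budget."""
    for t in thresholds:
        if error_rates(t)[1] <= max_far:
            return t
    raise ValueError("no threshold meets the FAR budget")


if __name__ == "__main__":
    print(" thr   FRR   FAR")
    for t, frr, far in sweep([50, 60, 65, 71, 80]):
        print(f"{t:4d}  {frr:4.1f}  {far:4.1f}")
    print("lowest threshold with FAR = 0:", choose_threshold(0.0))
```

On these constructed scores a threshold of 60 accepts every genuine user but also a fifth of impostors; 71 shuts impostors out completely at the cost of rejecting a fifth of genuine attempts. A real deployment picks the point on that curve from its FAR budget and then compensates for the resulting FRR with a fallback factor, not by lowering the threshold.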

  24. The FIDO Alliance http://fidoalliance.org/

  25. The Future of Secure Identity & Data Encryption

  26. Thank You! slideshare.net/jcleblanc Jonathan LeBlanc (@jcleblanc) Head of Global Developer Advocacy at PayPal + Braintree
