Death To Passwords
•
1 j'aime•696 vues
User authentication in mobile apps is a very common and integral use case. Implementing regular passwords is an easy solution but comes with several pitfalls that impair user experience. In this talk the security flaws and UX implications of passwords will be discussed and highlighted which different techniques exist that are able to offer a more mobile friendly flow. Highlighting authorization and authentication techniques like OAuth, OpenID Connect and even hardware features like Bluetooth Low Energy this talk will be interesting for anyone who’s facing a situation where creating and storing user accounts matters. As presented in DroidCon Tel Aviv 2014 by: Tim Messerschmidt, PayPal http://il.droidcon.com
Recommandé
Contenu connexe
Tendances
Similaire à Death To Passwords
Similaire à Death To Passwords (20)
Plus de DroidConTLV
Plus de DroidConTLV (20)
Dernier
Dernier (20)
Death To Passwords
- 1. DEATH TO PASSWORDS LONG LIVE SECURITY Tim Messerschmidt / @SeraAndroiD Droidcon Tel Aviv ‘14
- 2. DO YOU BELIEVE IN SECURITY?
- 3. DO YOU BELIEVE IN SECURITY?
- 5. 4.7% OF USERS USE THE PASSWORD PASSWORD
- 6. 8.5% ARE USING PASSWORD OR 123456
- 7. 9.8% USE PASSWORD 123456 OR 12345678
- 8. ... And it doesn’t even stop here 14% have a password from the top 10 passwords 40% have a password from the top 100 passwords 79% have a password from the top 500 passwords 91% have a password from the top 1000 passwords
- 11. 1. 123456 up 1 2. Password down 1 3. 12345678 4. Qwerty up 1 5. Abc123 down 1 6. 123456789 New 7. 111111 up 2 8. 1234567 up 5 9. Iloveyou up 2 10. Adobe123 new 11. 123123 up 5 12. Admin new 13. 1234567890 new 14. Letmein down 7 15. Photoshop new 16. 1234 new 17. Monkey down 11 18. Shadow 19. Sunshine down 5 20. 12345 new
- 12. My learnings from this trend - People HATE monkeys - People are more depressed - Adobe is very popular
- 14. 3 Password Problems - Reused - Phished - Keylogged
- 17. xkcd.com/936
- 18. Favor security too much over the experience and you’ll make the website a pain to use.
- 22. Storing Passwords SQLCipher & KeyChain
- 23. SO WHAT?
- 24. People forget passwords… 45% admit to leaving a website instead of re- setting their password or answering security questions * * Blue Inc. 2011
- 25. Also they hate to register Out of 657 surveyed users 66% think that social sign-in is a desirable alternative. * * Blue Inc. 2011
- 26. heartbleed.com
- 28. SO WHAT CAN WE DO INSTEAD?
- 33. OAUTH 1.0
- 37. Request Request Token Grant Request Token Direct User to Service Obtain AuthorizaEon Direct to Consumer Request Access Token Grant Access Token Access Resources Consumer Service Provider
- 38. OAUTH 1.0A
- 40. Android: Signpost <3 github.com/mttkay/signpost
- 41. OAUTH 2.0
- 42. Direct User to Service Obtain AuthorizaEon Request Access Token Grant Access Token Direct to Consumer Access Resources / Profile Consumer Service Provider
- 43. URL url = new URL(”http://url.com/”);! HttpURLConnection urlConnection =! !(HttpURLConnection) url.openConnection();! ! ! setRequestProperty(”Authorization”, ”Bearer …”);! HTTP Header “url.com/oauth?access_token=…”! URI parameter
- 45. OAuth 2.0 and the Road to Hell hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell
- 46. Identity Techniques - OpenID - OpenID Connect - Persona
- 47. Identity Providers Social vs. Concrete
- 49. Do we always use the same identity?
- 50. Should we always use the same identity?
- 52. Name Email Date of Birth Locale Time Zone Address Gender Language Phone Number Creation Date
- 53. Yeah, nice.. but why? People forget passwords… 45% admit to leaving a website instead of re-setting their password or answering security questions * * Blue Inc. 2011
- 54. Also they hate to register Out of 657 surveyed users 66% think that social sign-in is a desirable alternative. * * Blue Inc. 2011
- 56. What’s Next? Bluetooth Smart and Co.
- 62. Security matters to users and developers Difference authentication and authorization User Experience should be enhanced not impaired