User authentication in mobile apps is a very common and integral use case. Implementing regular passwords is an easy solution but comes with several pitfalls that impair user experience. This talk discusses the security flaws and UX implications of passwords and highlights the different techniques that can offer a more mobile-friendly flow. Covering authorization and authentication techniques such as OAuth and OpenID Connect, and even hardware features like Bluetooth Low Energy, this talk will be interesting for anyone who is facing a situation where creating and storing user accounts matters.
As presented in DroidCon Tel Aviv 2014 by:
Tim Messerschmidt, PayPal
http://il.droidcon.com
8. ... And it doesn’t even stop here
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
11.
1. 123456 (up 1)
2. Password (down 1)
3. 12345678
4. Qwerty (up 1)
5. Abc123 (down 1)
6. 123456789 (new)
7. 111111 (up 2)
8. 1234567 (up 5)
9. Iloveyou (up 2)
10. Adobe123 (new)
11. 123123 (up 5)
12. Admin (new)
13. 1234567890 (new)
14. Letmein (down 7)
15. Photoshop (new)
16. 1234 (new)
17. Monkey (down 11)
18. Shadow
19. Sunshine (down 5)
20. 12345 (new)
12. My learnings from this trend
- People HATE monkeys
- People are more depressed
- Adobe is very popular
37. [Diagram: OAuth flow between Consumer and Service Provider: Request Request Token → Grant Request Token → Direct User to Service → Obtain Authorization → Direct to Consumer → Request Access Token → Grant Access Token → Access Resources]
42. [Diagram: flow between Consumer and Service Provider: Direct User to Service → Obtain Authorization → Request Access Token → Grant Access Token → Direct to Consumer → Access Resources / Profile]
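The slide 42 flow as a worked exchange between the two parties, added here as an example and not part of the original deck: it models the flow as an OAuth 2.0 authorization code exchange (an assumption; the slide names only the steps) with a constructed client registration, and shows the checks each side performs along the way: redirect URI against registration, state against the login attempt, and one-time use of the code. Plain Python, no network.

```python
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

CLIENT_ID, REDIRECT_URI = "mobile-app", "https://app.example/callback"  # constructed registration
class ServiceProvider:  # toy authorization server: binds each code to a client, spends it once, issues a token
    def __init__(self):
        self.registered = {CLIENT_ID: REDIRECT_URI}  # redirect URI registered for each client
        self.codes, self.tokens = {}, {}             # code -> (client, redirect, user); token -> user
    def authorize(self, client_id, redirect_uri, state, user):
        # "Obtain Authorization": only the registered redirect URI may receive the code
        if self.registered.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user)
        # "Direct to Consumer": the callback carries the code and echoes the consumer's state untouched
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, code, redirect_uri):
        # "Grant Access Token": the code is single-use and must come back from the client it was issued to
        issued = self.codes.pop(code, None)
        if issued is None or issued[:2] != (client_id, redirect_uri):
            raise ValueError("invalid_grant")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = issued[2]
        return access_token

    def profile(self, access_token):
        # "Access Resources / Profile": the token stands in for the user from here on
        return {"sub": self.tokens[access_token]}

def consumer_login(provider, user):
    # "Direct User to Service": a fresh state value ties the coming callback to this login attempt
    state = secrets.token_urlsafe(16)
    callback = provider.authorize(CLIENT_ID, REDIRECT_URI, state, user)
    params = parse_qs(urlparse(callback).query)
    if params["state"][0] != state:
        raise ValueError("state mismatch: callback does not belong to this login")
    # "Request Access Token": exchange the one-time code, then read the profile
    return provider.profile(provider.token(CLIENT_ID, params["code"][0], REDIRECT_URI))

def replay_is_refused(provider):
    """True when a code that was already exchanged is rejected the second time."""
    callback = provider.authorize(CLIENT_ID, REDIRECT_URI, "s", "bob")
    code = parse_qs(urlparse(callback).query)["code"][0]
    provider.token(CLIENT_ID, code, REDIRECT_URI)
    try:
        provider.token(CLIENT_ID, code, REDIRECT_URI)
        return False
    except ValueError:
        return True
```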
53. Yeah, nice… but why?
People forget passwords…
45% admit to leaving a website instead of resetting their password or answering security questions *
* Blue Inc. 2011
54. Also they hate to register
Out of 657 surveyed users, 66% think that social sign-in is a desirable alternative. *
* Blue Inc. 2011