1. DEATH TO PASSWORDS
LONG LIVE SECURITY
Tim Messerschmidt / @SeraAndroiD
Droidcon Berlin ‘14

2. DO YOU BELIEVE
IN SECURITY?

3. DO YOU BELIEVE
IN SECURITY?

4. A STORY ABOUT
PASSWORDS
WIKI.SCULLSECURITY.ORG/PASSWORDS

5. 4.7% OF USERS USE THE
PASSWORD PASSWORD

6. 8.5% ARE USING
PASSWORD OR 123456

7. 9.8% USE PASSWORD
123456 OR 12345678

8. ... And it doesn’t even stop here
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords

10. 2013
CBSNEWS.COM/NEWS/THE-25-MOST-COMMON-
PASSWORDS-OF-2013/

11. 1. 123456 up 1
2. Password down 1
3. 12345678
4. Qwerty up 1
5. Abc123 down 1
6. 123456789 New
7. 111111 up 2
8. 1234567 up 5
9. Iloveyou up 2
10. Adobe123 new
11. 123123 up 5
12. Admin new
13. 1234567890 new
14. Letmein down 7
15. Photoshop new
16. 1234 new
17. Monkey down 11
18. Shadow
19. Sunshine down 5
20. 12345 new

13. My learnings from this trend
- People HATE monkeys
- People are more depressed
- Adobe is very popular

14. 3 Password Problems
- Reused
- Phished
- Keylogged

15. abstrusegoose.com/296

16. abstrusegoose.com/262

17. xkcd.com/936

18. Favor security too much over
the experience and you’ll make
the website a pain to use.

20. Basic Authentication
username:password

21. Storing Passwords
SQLCipher & KeyChain

22. SO WHAT?

23. People forget passwords…
45% admit to leaving a website instead of re-
setting their password or answering security
questions *
* Blue Inc. 2011

24. Also they hate to register
Out of 657 surveyed users 66% think that
social sign-in is a desirable alternative. *
* Blue Inc. 2011

25. heartbleed.com

26. heartbleed.agilebits.com

27. SO WHAT CAN WE DO
INSTEAD?

28. PASSWORDLESS
AUTHENTICATION
MEDIUM.COM/CYBER-SECURITY/9ED56D483EB

29. TWO FACTOR AUTH
TWOFACTORAUTH.ORG

30. Authentication vs.
Authorization

32. OAUTH 1.0

36. Request
Request
Token
Grant
Request
Token
Direct
User
to
Service
Obtain
AuthorizaEon
Direct
to
Consumer
Request
Access
Token
Grant
Access
Token
Access
Resources
Consumer Service Provider

37. OAUTH 1.0A

39. Android: Signpost <3
github.com/mttkay/signpost

40. OAUTH 2.0

41. Direct
User
to
Service
Obtain
AuthorizaEon
Request
Access
Token
Grant
Access
Token
Direct
to
Consumer
Access
Resources
/
Profile
Consumer Service Provider

42. URL url = new URL(”http://url.com/”);!
HttpURLConnection urlConnection =!
!(HttpURLConnection) url.openConnection();!
!
!
setRequestProperty(”Authorization”, ”Bearer …”);!
HTTP Header
“url.com/oauth?access_token=…”!
URI parameter

43. Android
Scribe
github.com/fernandezpablo85/scribe
PostmanLib
github.com/fedepaol/PostmanLib--Rings-Twice--
Android

44. OAuth 2.0 and the
Road to Hell
hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell

45. Identity Techniques
- OpenID
- OpenID Connect
- Persona

46. Identity Providers
Social vs. Concrete

48. Do we always use the same
identity?

49. Should we always use the
same identity?

51. Name
Email
Date of Birth
Locale
Time Zone
Address
Gender
Language
Phone Number
Creation Date

53. What’s Next?
Bluetooth Smart and Co.

59. Security
matters to users and developers
Difference
authentication and authorization
User Experience
should be enhanced not impaired

61. BATTLEHACK ’14
BERLIN: JUNE 21ST & 22ND
WARSAW: JULY 12TH & 13TH
LONDON: OCTOBER 11TH & 12TH
MOSCOW: OCTOBER 25TH & 26TH
BATTLEHACK.ORG

62. Questions?
tmesserschmidt@paypal.com
@SeraAndroid
slideshare.com/paypal