beyond passwords: time for a change
Beyond password: Time for a change
Olivier Potonniée
October 2013
How can web applications authenticate their online users?
Beyond password: Time for a change 2
Often…
Passwords?
RockYou social network, Dec 2009: 30,000,000 passwords
[Chart of password frequency, values as shown: 100 : 5%; 1,000 : 12%; 10,000 (0.03%) : 24%; 290,729 (1%); 40% uniques]
Attacks
Compromised passwords in 2013:
Living Social: 50 million
Evernote: 50 million
Drupal: 1 million
Twitter: 250,000
…
[Chart: Social, 75% (source: BitDefender)]
Strong Authentication
At least 2 of:
Something you know (password, pin, etc.)
Something you have (card, mobile, etc.)
Something you are (biometrics)
Independent, protected
Protiva
Cloud Confirm
I have an issue with smart cards
Need to define YOUR solution
[Figure: Secure / Cheap / Convenient]
Social Login
Identity reuse
Simpler for users (no new identifier to remember)
Single-Sign-On (SSO)
Relieves the application of handling authentication itself
Privacy risks
Traceability
Disclosure of personal data
Authentication delegation
Delegation protocols
[Figure: SAML, OAuth, OpenID; Identity Provider]
Authentication
[Figure, credit Nat Sakimura: "Who are you?"; Alice: "Give him a certificate"]
Authentication via email
[Figure: Verifier to Alice: "Who are you?"; Alice: "Here's my email, give him a certificate"; Verifier to Identity Provider: "Does this email belong to her?"]
Assertions
SAML
[Figure: "Who are you?"; Alice to SAML Identity Provider: "Give him a certificate"]
Authorization to access personal data
[Figure: OAuth; Alice]
Authorization: OAuth
[Figure: "Who are you?"; Alice to OAuth Server: "Give him an access key"]
Authorization to access identity
[Figure: "Who are you?"; Alice to OpenID Connect Server: "Give him an access key"]
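The "Give him a certificate / access key" exchange in the figures above, as an added example that is not part of the original deck: a toy Identity Provider issues a signed assertion naming Alice and the application it is meant for, and the verifier accepts it only after checking the signature, the audience and the expiry. The issuer name, claim names and the keyed-hash signature are assumptions; real OpenID Connect uses JWTs signed with the provider's public key.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared by the Identity Provider and the verifier
# (in OpenID Connect this would be the provider's signing key pair).
IDP_SECRET = b"constructed-demo-secret"


def _sign(payload: bytes) -> str:
    mac = hmac.new(IDP_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def idp_issue_assertion(subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """Identity Provider: Alice says 'give him a certificate', so issue a
    signed assertion stating who she is (sub) and who it is for (aud)."""
    claims = {"iss": "https://idp.example", "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return payload + "." + _sign(payload.encode())


def verifier_check(assertion: str, expected_aud: str, now: int):
    """Verifier: accept only an assertion signed by the IdP, addressed to
    this application, and still valid. Returns the subject, or None."""
    try:
        payload, sig = assertion.split(".")
    except ValueError:
        return None                      # malformed
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None                      # forged or tampered
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("aud") != expected_aud:
        return None                      # issued for another application
    if not (claims["iat"] <= now < claims["exp"]):
        return None                      # stale assertion
    return claims["sub"]
```

The audience check is what stops an assertion issued for one web application from being accepted by another; the expiry check limits how long a captured assertion stays useful.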
Define YOUR solution
Confidentiality / Personal data sharing?
Pre-registration of web application?
Dependency to an identity provider?
Authentication methods?
THE Message
Passwords are bad: Strong Authentication
Too many identities is inconvenient: Reuse identities (emails, social networks…)
Authentication is a sensitive and potentially complex task: Delegation, SSO
Privacy needs to be protected: Don’t ask for more data or access rights than needed
Thanks