beyond passwords: time for a change

Beyond password: Time for a change, Olivier Potonniée, October 2013

Upload: olivier-potonniee

Post on 14-Jan-2015


Category: Technology



TRANSCRIPT

Page 1: Beyond passwords: time for a change

Beyond password:

Time for a change

Olivier Potonniée

October 2013

Page 2: Beyond passwords: time for a change

How can web applications authenticate their

online users?

Beyond password: Time for a change 2

Page 3: Beyond passwords: time for a change

Often…


Page 4: Beyond passwords: time for a change

Passwords?


RockYou social network, Dec 2009: 30,000,000 passwords

[Chart: share of all accounts covered by the most common passwords in the leak. Values shown: 10,000 passwords (0.03%): 24%; 1,000: 12%; 100: 5%; 290,729 (1%); 40% unique]
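The chart above expresses how concentrated a leaked password set is: a tiny fraction of distinct passwords protects a large share of all accounts, which is exactly what an attacker's dictionary exploits and what a defender's blocklist of common passwords removes. The Python below is an added illustration, not part of the slides or of any RockYou analysis; it computes the same top-N coverage and the share of single-use passwords over a constructed toy corpus (SAMPLE_PASSWORDS is made up; only its skewed shape mimics a real leak).

```python
from collections import Counter

# Constructed sample corpus standing in for a leaked password list.
# Real leaks (RockYou: about 30 million entries) have the same shape:
# a handful of distinct passwords account for a large share of accounts.
SAMPLE_PASSWORDS = (
    ["123456"] * 40
    + ["password"] * 25
    + ["iloveyou"] * 10
    + ["princess"] * 5
    + [f"unique-{i}" for i in range(20)]   # 20 passwords used exactly once
)


def coverage_report(passwords, top_sizes=(1, 3, 10)):
    """Return {N: (distinct_share, account_share)} for the N most common passwords.

    distinct_share: those top-N entries as a fraction of all *distinct* passwords
                    (the "0.03%" style figure on the chart)
    account_share:  the fraction of all accounts protected by one of them
                    (the "24%" style figure on the chart)
    """
    counts = Counter(passwords)
    total = len(passwords)
    distinct = len(counts)
    ranked = counts.most_common()          # most reused first
    report = {}
    for n in top_sizes:
        top = ranked[:n]
        covered = sum(c for _, c in top)
        report[n] = (len(top) / distinct, covered / total)
    return report


def unique_share(passwords):
    """Fraction of accounts whose password appears only once in the corpus."""
    counts = Counter(passwords)
    singles = sum(1 for c in counts.values() if c == 1)
    return singles / len(passwords)


if __name__ == "__main__":
    for n, (distinct_share, account_share) in coverage_report(SAMPLE_PASSWORDS).items():
        print(f"top {n:>2} passwords = {distinct_share:6.2%} of distinct, "
              f"cover {account_share:6.2%} of accounts")
    print(f"single-use passwords: {unique_share(SAMPLE_PASSWORDS):.0%}")
```

Run against a real breach dump the same function reproduces the chart's columns; run against your own user base (offline, on hashes you can crack with the same top-N list) it tells you how many accounts a blocklist of the N most common passwords would have protected.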

Page 5: Beyond passwords: time for a change

Attacks


Compromised passwords

in 2013:

Living Social: 50 million

EverNote: 50 million

Drupal: 1 million

Twitter: 250,000

[Chart: Email / Social: 75% (source: BitDefender)]

Page 6: Beyond passwords: time for a change

Strong Authentication


At least 2 of:

Something you know (password, pin, etc.)

Something you have (card, mobile, etc.)

Something you are (biometrics)

Factors must be independent and protected

Page 7: Beyond passwords: time for a change


Protiva

Cloud Confirm

Page 8: Beyond passwords: time for a change


Page 9: Beyond passwords: time for a change


I have an issue with smart cards

Page 10: Beyond passwords: time for a change


Page 11: Beyond passwords: time for a change

Need to define YOUR solution


Secure

Cheap

Convenient

Page 12: Beyond passwords: time for a change

Social Login


Identity reuse

Simpler for users (no new identifier to remember)

Single-Sign-On (SSO)

Relieves the application of that burden

Privacy risks

Traceability

Disclosure of personal data

Page 13: Beyond passwords: time for a change

Authentication delegation


Page 14: Beyond passwords: time for a change

Delegation protocols


SAML

OAuth

Page 15: Beyond passwords: time for a change

A simple URL


Page 17: Beyond passwords: time for a change

Authentication via email


[Diagram: Alice, Verifier, email Identity Provider. Verifier to Alice: "Who are you?"; Alice: "Here's my email, give him a certificate"; Verifier to the Identity Provider: "Does this email belong to her?"]

Page 18: Beyond passwords: time for a change

Assertions


SAML

[Diagram: Alice, SAML Identity Provider (email). "Who are you?"; "Give him a certificate"]

Page 19: Beyond passwords: time for a change

Authorization to access personal data


OAuth

Page 20: Beyond passwords: time for a change

Authorization: OAuth

[Diagram: Alice, OAuth Server. "Who are you?"; "Give him an access key"]

Page 21: Beyond passwords: time for a change

Authorization to access identity


OpenID Connect

[Diagram: Alice, OpenID Connect Server. "Who are you?"; "Give him an access key"]
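The three diagrams on pages 17, 18 and 21 share one exchange: the application asks "who are you?", sends Alice to an identity provider, and receives back a signed statement ("a certificate", "an access key") that it must verify before trusting. The Python below is an added simulation of that exchange and is not code from the slides or from any SAML, OAuth or OpenID Connect library. It plays both sides: the relying party starts a login with a fresh nonce, the identity provider (after authenticating Alice, which is not shown) issues a signed, audience-bound, short-lived assertion carrying only the requested scope, and the relying party checks signature, issuer, audience, nonce and expiry. The issuer and audience URLs are hypothetical, and the assertion is signed with a shared HMAC key (HS256 JWS) purely to keep the example self-contained; real providers sign with an asymmetric key and publish the public half.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values; a real IdP signs with a private key, not a shared secret.
IDP_KEY = b"constructed-idp-signing-key"
IDP_ISSUER = "https://idp.example"      # hypothetical identity provider
RP_AUDIENCE = "https://app.example"     # hypothetical web application (relying party)


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rp_start_login(scope=("email",)):
    """Relying party: 'Who are you?' -> redirect Alice to the IdP.
    The nonce is kept in Alice's session so a replayed assertion can be rejected.
    Ask only for the scope the application needs (page 23: no more than needed)."""
    return {"audience": RP_AUDIENCE, "nonce": secrets.token_urlsafe(16), "scope": list(scope)}


def idp_issue_assertion(request, subject_email, now=None, ttl=300):
    """Identity provider: 'give him a certificate'. Returns a JWS compact
    serialization (header.payload.signature, HS256) bound to the requesting
    application and nonce, valid for `ttl` seconds."""
    now = int(now if now is not None else time.time())
    claims = {
        "iss": IDP_ISSUER,
        "sub": subject_email,
        "aud": request["audience"],
        "nonce": request["nonce"],
        "iat": now,
        "exp": now + ttl,
        "scope": " ".join(request["scope"]),
    }
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(IDP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def rp_verify_assertion(token, expected_nonce, now=None):
    """Relying party: 'does this email belong to her?' Every check below must
    pass before the subject is trusted. Returns the claims or raises ValueError."""
    now = int(now if now is not None else time.time())
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    # Pin the algorithm: the token must never get to choose (e.g. 'none').
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(IDP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("unknown issuer")
    if claims.get("aud") != RP_AUDIENCE:
        raise ValueError("assertion was issued for a different application")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed assertion?)")
    if now >= claims.get("exp", 0):
        raise ValueError("assertion expired")
    return claims


def has_scope(claims, needed):
    """OAuth-style check: is this access right actually granted in the assertion?"""
    return needed in claims.get("scope", "").split()


if __name__ == "__main__":
    request = rp_start_login()
    token = idp_issue_assertion(request, "alice@example.org")   # constructed subject
    claims = rp_verify_assertion(token, request["nonce"])
    print("authenticated:", claims["sub"], "email scope:", has_scope(claims, "email"))
```

The audience and nonce checks are what keep an assertion obtained by one application from being replayed against another; dropping either turns "identity reuse" into identity theft across relying parties.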

Page 22: Beyond passwords: time for a change

Define YOUR solution


Confidentiality / Personal data sharing?

Pre-registration of web application?

Dependency to an identity provider?

Authentication methods?

Page 23: Beyond passwords: time for a change

THE Message


Passwords are bad

Strong Authentication

Too many identities is inconvenient

Reuse identities (emails, social networks…)

Authentication is a sensitive and potentially complex task

Delegation, SSO

Privacy needs to be protected

Don’t ask for more data or access rights than needed

Page 24: Beyond passwords: time for a change

Thanks
