kill all passwords

Post on 15-Jul-2015


TRANSCRIPT

Kill all Passwords

Jonathan LeBlanc (@jcleblanc) Head of Global Developer Advocacy at PayPal + Braintree

Why do we need this?

Passwords are awesome!

twitter: @jcleblanc | hashtag: #ConvergeSE

Top Passwords of 2014

1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
6. 123456789
7. 111111
8. 1234567
9. iloveyou
10. adobe123
11. 123123
12. admin
13. 1234567890
14. letmein
15. photoshop
16. 1234
17. monkey
18. shadow
19. sunshine
20. 12345


4.7% of users have the password password;

8.5% have the passwords password or 123456;

9.8% have the passwords password, 123456 or 12345678;

14% have a password from the top 10 passwords

40% have a password from the top 100 passwords

79% have a password from the top 500 passwords

91% have a password from the top 1000 passwords

Poor Password Choices


The Weakest Link

The Key Issues


People Forget Passwords


Security over Usability


Replacing the Concept of a Username and Password

Securing Current Methods


Bad Security Algorithms

MD5, SHA-1, SHA-2, SHA-3


Good Security Algorithms

PBKDF2, BCRYPT, SCRYPT


Key Stretching
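To make the contrast between the two slides concrete, here is an added example (not code from the talk or from PayPal) of the key-stretching idea: a bare SHA-256 digest beside a salted PBKDF2-HMAC-SHA256 record with an embedded work factor, a constant-time verifier, and a check for records whose cost has fallen behind policy. The iteration count and the "alg$iterations$salt$digest" record layout are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor; illustrative value, tune it so one hash costs
# a noticeable fraction of a second on the server hardware.
ITERATIONS = 100_000


def fast_hash(password: str) -> str:
    """The 'bad algorithms' pattern: a bare, unsalted digest. Equal passwords give
    equal output, and candidates can be tested at raw hardware speed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, key-stretched hash. The record embeds algorithm, cost, salt and
    digest so the same computation can be repeated at verify time."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a lower cost than current policy; rehash
    on the next successful login so the work factor can grow with hardware."""
    return int(stored.split("$")[1]) < minimum_iterations


if __name__ == "__main__":
    # Constructed sample: two users who both picked a top-20 password.
    alice, bob = hash_password("123456"), hash_password("123456")
    print("unsalted sha256 identical:", fast_hash("123456") == fast_hash("123456"))
    print("pbkdf2 records identical: ", alice == bob)
    print("verify correct password:  ", verify_password("123456", alice))
```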

Scaling Authentication


Establishing Trust Zones

Location Awareness

Habit Awareness

Browser Uniqueness

Device Fingerprinting

There’s more to it


Variable Authentication


Usability vs Security

Use Another Site Login

Mixed OAuth 2 / OpenID Connect for auth

Roll Your Own Username / Password

Fingerprint Scanning

State of Developer Auth


What Happened to OAuth 1.0a?


Security Concerns with OAuth 2 / OpenID Connect

Identity Biometrics


False Positive / Negative Rates

False negative: Valid user can’t log in

False positive: Invalid user can log in


The FIDO Alliance http://fidoalliance.org/


The Future of Secure Identity & Data Encryption

Thank You! slideshare.net/jcleblanc

Jonathan LeBlanc (@jcleblanc) Head of Global Developer Advocacy at PayPal + Braintree
