474 Password Not Found
Giuseppe Galli [email protected]
Saverio Caminiti [email protected]
ROME 18-19 MARCH 2016
Giuseppe Galli
Mr. Giuseppe Galli, Master in Electronic Engineering [email protected]
• Partner and CTO in K-Tech s.r.l.
• Experienced in JEE Architecture
• Expert in Web, mobile and SOA solutions
• Several years spent working as APM Specialist
• Class Instructor
Saverio Caminiti
Saverio Caminiti, Ph.D. [email protected]
• Analyst and Senior Dev at K-Tech s.r.l.
• Formerly:
• Researcher at: Sapienza University of Rome, Italian National Research Council, University of Central Florida, Eötvös Loránd University.
• Cofounder of a company for Augmented Reality mobile apps.
K-Tech s.r.l.
• Consultancy firm based in Rome
• Founded in 1996 by enthusiast developers
• Java Italian Portal (JIP) maintainer
• Web, Mobile, SOA applications development
What this talk is about
• Advocate that passwords are obsolete
• Technologies are ready to let us move forward
• Show that humans can live (even better) without passwords
What this talk is NOT about
• Teach you how to design/code your application
• Advertise/sell a software we made
• Blame on those that still implement authentication systems based on passwords
Purpose of this Talk
• Open a discussion about a future without passwords
• Raise awareness on this topic among developers
• Receive feedbacks and opinions from this community
Background
Password: old concept new use
• In the past only a few people were using passwords (and in a very limited way)
• Nowadays everybody is required to deal with tens of passwords
STOP! Pass phrase, please
Humans vs passwords
• Humans don’t play well with passwords
• they use easy passwords
• they reuse the same password everywhere
…and no, a birthdate is not a password at all!
Data from: xato.net
Human-Computer Interaction point of view
• HCI basically tells us that:
• computers must adapt to humans
• humans should be able to do things in a way that is as natural as possible
Human-Computer Interaction point of view
• Overall proliferation of username/passwords based systems is an anti-pattern
User side
• “Computer Aided Password Management”
• Users may mitigate the problem with software that helps them deal with this computer-induced need
• Although helpful, such software does not solve the underlying problem
…
So we need computer help to do something that computers force us to do!?
Sounds weird!
System side
• OAuth 2.0
• Login with Google, Facebook, Twitter, etc.
• Biometrics
• Fingerprint, face, voice, iris, movement recognition, etc.
• 2FA (two-factor authentication)
• SMS, Physical Token, etc.
Move away from passwords
Reasons to abandon passwords
• Usability
• Humans don’t need to deal with passwords
• and they don't want to
• Security
• Humans tend to choose poor passwords
• May be stolen without physical interaction
• Data collected and used later (phishing)
Guidelines proposal
• Avoid username/password
• Use your own smartphone as a physical access key
• Generate a T-OTP on request
• Authenticate a browser/app session
• Secure app-to-server communication
See K-Tech implementation in act
DEMO
K-Tech solution details
Main features
1. Easy to use (no typing of any user data) 😀🔐
2. Out of Band: T-OTP exchange 🔐
3. Requires a device pre-registered by: 🔐
   A. direct request (workflow to approve) 💰
   B. invitation
4. No password storage (in the whole system) 🔐
5. User secret is used to build T-OTP only 🔐
6. Multi-user/multi-account/multi-device 😀
7. Activity history and logout for active sessions 😀
8. Can use a “friend device” 😀
Technicalities
• T-OTP: Time based One Time Password, RFC 6238
• Mobile and Auth Server clocks are synchronised via NTP
• I18n: Internationalisation
• HTOTP(s): Extension of the HTTP/TLS protocols
• Response status codes:
• Utilises the range of codes 470-474, left unassigned by the RFC
• 404 Not Found
• 474 Password Not Found
htotp(s) Protocol
```python
from django.http import JsonResponse

# backends, exceptions, logger, apps, format_utc_datetime and _error_page are
# project modules of the K-Tech implementation, imported elsewhere in the view.


def authorize(request):
    """
    :param request: the HTTP request
    :return: a response with status codes:
        400: request in a session with an invalid session key
        404: request in a session without session key (or expired)
        470: otp check failed (doesn't match)
        471: missing otp related parameters
        472: session already authorized
        474: device id not found (or expired or wrong username)
        500: the user cannot be authorized locally (unable to log in)
    """
    # domain, site, session_id and session_key are resolved from the request
    # earlier in the view; that part is not shown on the slide.
    if not backends.check_user_access(domain=domain, site=site):
        logger.debug("authorize - unable to grant site '%s' on the domain '%s'" % (site, domain))
        return _error_page(request, message="authorize request with wrong 'domain': %s" % domain)
    try:
        user, server_ts, sso_session_id = backends.check_otp(domain=domain, site=site, request=request)
        if not user:
            logger.debug("authorize - otp doesn't match (response status 470)")
            response = JsonResponse({"message": "otp is not valid"}, status=470)
            # return the server clock so the device can detect clock drift
            response['otp-server-ts'] = format_utc_datetime(apps.utc_now())
            return response
        logger.debug("authorize - got a valid otp: authorize the session '%s' (wg_key: '%d', sso: '%s') for '%s'"
                     % (session_id, session_key.pk, sso_session_id, user))
        session_key.authorize(user, sso_session_id=sso_session_id)
        message = 'ok'
        status = 200
    except exceptions.UnknowRequestException as e:
        logger.debug('authorize - request with unknown parameters: redirecting to error page: %s' % e)
        return _error_page(request, message='authorize request with unknown parameters: redirecting to error page')
    except exceptions.BadRequestException as e:
        logger.debug('authorize - request without valid otp related data (response status 471)')
        return JsonResponse({"message": "request without valid otp related data", "error": "%s" % e}, status=471)
    except exceptions.DeviceNotFoundException as e:
        logger.debug('authorize - device id not found or expired or wrong user data (response status 474)')
        return JsonResponse({"message": "device id not found", "error": "%s" % e}, status=474)
    # final response for the success path (the slide is cut off here)
    return JsonResponse({"message": message}, status=status)
```
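The RFC 6238 T-OTP computation behind the "Technicalities" slide and the 470/471/474 decisions of the authorize view, as an added example that is not K-Tech's code: it assumes a constructed in-memory device registry, uses the RFC 6238 reference test secret, and accepts one time step of drift between the phone and the server clock.

```python
import hashlib
import hmac
import struct

# Constructed device registry: device id -> (username, shared secret).
# The secret is only used to build the T-OTP; no password is stored anywhere.
# The value is the RFC 6238 reference test secret, not a real deployment key.
DEVICES = {
    "dev-42": ("alice", b"12345678901234567890"),
}
STEP = 30    # RFC 6238 time step in seconds
DIGITS = 8   # 8-digit codes
SKEW = 1     # accept one step of drift between phone and server clocks


def totp(secret: bytes, ts: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP over the time counter floor(ts / step) with HMAC-SHA1,
    dynamic truncation, zero-padded to `digits` characters."""
    counter = struct.pack(">Q", ts // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def authorize(params: dict, now: int) -> tuple:
    """Server-side check using the talk's status codes:
    471 missing otp parameters, 474 unknown device or wrong username,
    470 otp does not match within the skew window, 200 ok (with the user)."""
    for key in ("device_id", "username", "otp"):
        if key not in params:
            return 471, "missing otp related parameters"
    entry = DEVICES.get(params["device_id"])
    if entry is None or entry[0] != params["username"]:
        return 474, "device id not found"
    user, secret = entry
    # Try the previous, current and next step so NTP-synchronised clocks
    # that drifted slightly still validate; compare in constant time.
    for drift in range(-SKEW, SKEW + 1):
        candidate = totp(secret, now + drift * STEP)
        if hmac.compare_digest(candidate, params["otp"]):
            return 200, user
    return 470, "otp is not valid"
```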
Envisioning the future
Skepticism
• Main changes in widespread behaviours may be difficult to envision
• Let’s start this shift, the sooner the better
Status quo
• Technologies are broadly available and mature
• Users access Internet services increasingly more from mobile devices
• User awareness is still too low
• Little or no innovation in software systems development
Future developments
• Progressive adoption of password-less solutions
• Authentication (login, strong auth)
• Authorization (roles, dispositive action)
• Digital signature
• Anonymization (privacy)
• Standardization
• User Experience
• Protocols
• API for libraries and services
Questions and Feedback
References
• T-OTP: https://tools.ietf.org/html/rfc6238
• HTTP Status Code: https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
• Password data from: https://xato.net
Thanks!
Giuseppe Galli [email protected] Saverio Caminiti [email protected]
All pictures belong to their respective authors