death to passwords - droidcon paris 2014
DESCRIPTION
http://fr.droidcon.com/2014/agenda/
http://fr.droidcon.com/2014/agenda/detail?title=Death+to+Passwords

User authentication in mobile applications is a very common and integral use case. Implementing regular passwords is an easy solution for developers, but it comes with several pitfalls that impair the user experience: (re-)entering passwords, having to create a new unique password, or even just typing personal data on a flaky keyboard while registering a new account. This talk discusses the security flaws and UX implications of passwords and highlights the different techniques that can offer a more mobile-friendly flow. Covering authorization and authentication techniques like OAuth and OpenID Connect, and even hardware features like Bluetooth Low Energy, this talk will be interesting for anyone facing a situation where creating and storing user accounts matters.

Speaker: Tim Messerschmidt, PayPal
As a long-time mobile and web developer, Tim channels his knowledge and experience as PayPal's Lead Developer Evangelist in EMEA. He is passionate about startups and serves as a mentor at multiple incubators and accelerators. Prior to joining PayPal, Tim worked with Neofonie Mobile and Samsung, focusing on several mobile projects. In his spare time, he leads and creates training classes on all sorts of developer-oriented topics, contributes to open source projects, and is one of the authors of the Mobile Developer's Guide to the Galaxy, as well as numerous articles published in print magazines.

TRANSCRIPT
@SERAANDROID
DEATH TO PASSWORDS
A safe new world
Tim Messerschmidt
Lead Developer Evangelist, EMEA
Droidcon Paris ’14
DO YOU BELIEVE IN SECURITY?
A LITTLE STORY ABOUT PASSWORDS
WIKI.SCULLSECURITY.ORG/PASSWORDS
4.7% OF USERS USE THE PASSWORD "PASSWORD"
8.5% ARE USING "PASSWORD" OR "123456"
9.8% USE "PASSWORD", "123456" OR "12345678"
... And it doesn’t even stop here
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
2013
CBSNEWS.COM/NEWS/THE-25-MOST-COMMON-PASSWORDS-OF-2013
1. 123456 (up 1)
2. Password (down 1)
3. 12345678
4. Qwerty (up 1)
5. Abc123 (down 1)
6. 123456789 (new)
7. 111111 (up 2)
8. 1234567 (up 5)
9. Iloveyou (up 2)
10. Adobe123 (new)
11. 123123 (up 5)
12. Admin (new)
13. 1234567890 (new)
14. Letmein (down 7)
15. Photoshop (new)
16. 1234 (new)
17. Monkey (down 11)
18. Shadow
19. Sunshine (down 5)
20. 12345 (new)
haveibeenpwned.com
3 HUGE Problems:
- Reused
- Phished
- Keylogged
abstrusegoose.com/296
abstrusegoose.com/262
xkcd.com/936
Favor security too much over the experience and you’ll make the website a pain to use.
vs.
Basic Authentication
username:password
Storing Passwords
SQLCipher & KeyChain
SO WHAT?
People forget passwords…
45% admit to leaving a website instead of resetting their password or answering security questions (Source: Blue Inc. 2011)
heartbleed.com
heartbleed.agilebits.com
LET’S ADMIT IT: PASSWORDS SUCK
SO WHAT CAN WE DO INSTEAD?
PASSWORDLESS AUTHENTICATION
MEDIUM.COM/CYBER-SECURITY/9ED56D483EB
VIA EMAIL / TEXT
braintreepayments.com/blog/goodbye-passwords-one-touch-hello-bitcoin
TWO FACTOR AUTH
TWOFACTORAUTH.ORG
Authentication vs. Authorization
OAUTH 1.0
OAuth 1.0 flow between Consumer and Service Provider:
1. Consumer: Request Request Token
2. Service Provider: Grant Request Token
3. Consumer: Direct User to Service
4. Service Provider: Obtain Authorization
5. Service Provider: Direct to Consumer
6. Consumer: Request Access Token
7. Service Provider: Grant Access Token
8. Consumer: Access Resources
OAUTH 1.0A
Android: Signpost <3
github.com/mttkay/signpost
OAUTH 2.0
OAuth 2.0 flow between Consumer and Service Provider:
1. Consumer: Direct User to Service
2. Service Provider: Obtain Authorization
3. Consumer: Request Access Token
4. Service Provider: Grant Access Token
5. Service Provider: Direct to Consumer
6. Consumer: Access Resources / Profile
HTTP Header:
    // HTTPS, otherwise the bearer token travels in the clear
    URL url = new URL("https://url.com/");
    HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
    // the token is sent once per request in the Authorization header
    urlConnection.setRequestProperty("Authorization", "Bearer …");

URI parameter:
    "url.com/oauth?access_token=…"
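The OAuth 2.0 steps above, from sending the user to the service through exchanging the returned code for the access token that the Bearer header then carries, as an added Java example that is not part of the slides. The endpoints, client id and redirect URI are placeholders, the state check is the client's own protection against a callback it did not start, and org.json is assumed available (it is bundled with Android).

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.security.SecureRandom;
import java.util.Scanner;

public final class OAuth2CodeFlow {
    // Hypothetical endpoints, client id and redirect URI (placeholders, not a real provider).
    static final String AUTHORIZE_URL = "https://provider.example/oauth/authorize";
    static final String TOKEN_URL = "https://provider.example/oauth/token";
    static final String CLIENT_ID = "example-client-id";
    static final String REDIRECT_URI = "myapp://oauth/callback";
    private String pendingState; // ties the redirect back to the request this app started
    // "Direct User to Service": open the returned URL in the browser or a Custom Tab.
    public String buildAuthorizeUrl(String scope) throws IOException {
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        pendingState = String.format("%032x", new BigInteger(1, raw)); // unguessable per-request state
        return AUTHORIZE_URL + "?response_type=code&client_id=" + enc(CLIENT_ID)
                + "&redirect_uri=" + enc(REDIRECT_URI) + "&scope=" + enc(scope)
                + "&state=" + enc(pendingState);
    }
    // "Direct to Consumer" -> "Request Access Token" -> "Grant Access Token": pass in the
    // code and state parsed from the redirect; a foreign or replayed callback is refused.
    public String exchangeCode(String code, String returnedState) throws IOException {
        if (pendingState == null || !pendingState.equals(returnedState))
            throw new IOException("state mismatch: callback was not started by this app");
        pendingState = null; // single use
        HttpURLConnection c = (HttpURLConnection) new URL(TOKEN_URL).openConnection();
        c.setRequestMethod("POST"); c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String body = "grant_type=authorization_code&code=" + enc(code)
                + "&redirect_uri=" + enc(REDIRECT_URI) + "&client_id=" + enc(CLIENT_ID);
        try (OutputStream out = c.getOutputStream()) { out.write(body.getBytes("UTF-8")); }
        if (c.getResponseCode() != 200) throw new IOException("token endpoint: " + c.getResponseCode());
        try (InputStream in = c.getInputStream()) {
            String json = new Scanner(in, "UTF-8").useDelimiter("\\A").next();
            // the returned token is only ever sent as "Authorization: Bearer <token>"
            return new org.json.JSONObject(json).getString("access_token");
        } catch (org.json.JSONException e) {
            throw new IOException("malformed token response", e);
        }
    }
    private static String enc(String s) throws IOException { return URLEncoder.encode(s, "UTF-8"); }
}
```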
Scribe
github.com/fernandezpablo85/scribe
PostmanLib
github.com/fedepaol/PostmanLib--Rings-Twice--Android
homakov.blogspot.de/2013/03/oauth1-oauth2-oauth.html
OAuth 2.0 and the Road to Hell
hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell
Identity Techniques:
- OpenID
- OpenID Connect
- Persona / BrowserID
OpenID
BrowserID / Persona
How to combine both?
OpenID with OAuth Hybrid Extension
OpenID Connect
Identity Providers
Social vs. Concrete
Do we always use the same identity?
Should we always use the same identity?
Name
Date of Birth
Locale
Time Zone
Address
Gender
Language
Phone Number
Creation Date
People hate to register
Out of 657 surveyed users, 66% think that social sign-in is a desirable alternative. (Source: Blue Inc. 2011)
Be aware
What’s Next?
Bluetooth SMART and your fingerprint
UTILIZING A TRUSTED ENVIRONMENT
SCALING SECURITY BASED ON THE CASE
FIDO ALLIANCE
UNIVERSAL AUTH
Security matters to users and developers
Know the difference between authentication and authorization
User experience should be enhanced, not impaired
[email protected]
@SeraAndroid / @PayPalDev
slideshare.com/paypal