Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017
TRANSCRIPT
![Page 1: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/1.jpg)
![Page 2: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/2.jpg)
Remote sign-in
A method for signing in to a device that doesn’t have a keyboard
![Page 3: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/3.jpg)
Hi, I’m Tiffany
@theophani
![Page 4: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/4.jpg)
Remote sign-in
A method for signing in to a device that doesn’t have a keyboard
![Page 5: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/5.jpg)
SoundCloud on Xbox
![Page 6: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/6.jpg)
Signing in with a game controller is not fun
![Page 7: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/7.jpg)
![Page 8: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/8.jpg)
Secure and simple and fast
![Page 9: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/9.jpg)
The solution, in brief
![Page 10: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/10.jpg)
![Page 11: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/11.jpg)
![Page 12: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/12.jpg)
![Page 13: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/13.jpg)
![Page 14: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/14.jpg)
How it works
![Page 15: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/15.jpg)
![Page 16: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/16.jpg)
![Page 17: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/17.jpg)
![Page 18: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/18.jpg)
![Page 19: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/19.jpg)
![Page 20: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/20.jpg)
![Page 21: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/21.jpg)
![Page 22: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/22.jpg)
![Page 23: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/23.jpg)
Voilà!
Having an access token = signed in
![Page 24: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/24.jpg)
Inspiration: YouTube on TVs and Google Sign-in for TVs and Devices
![Page 25: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/25.jpg)
![Page 26: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/26.jpg)
Using an authenticated session on Device B
![Page 27: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/27.jpg)
Using an authenticated session on Device B
i.e. take advantage of the person already being signed in on their phone or laptop
![Page 28: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/28.jpg)
Sign in without signing in
![Page 29: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/29.jpg)
Sign in without signing in
(because you were already signed in)
![Page 30: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/30.jpg)
![Page 31: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/31.jpg)
![Page 32: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/32.jpg)
![Page 33: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/33.jpg)
https://soundcloud.com/activate_oauth2_callback?display=mobile-web-view#access_token=ACCESS_TOKEN
![Page 34: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/34.jpg)
https://soundcloud.com/activate_oauth2_callback?display=mobile-web-view#access_token=ACCESS_TOKEN
![Page 35: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/35.jpg)
https://soundcloud.com/activate_oauth2_callback?display=mobile-web-view#access_token=ACCESS_TOKEN
![Page 36: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/36.jpg)
![Page 37: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/37.jpg)
Choosing codes that are easy to read and type
![Page 38: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/38.jpg)
Things to consider when choosing codes:
Sparse usage
![Page 39: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/39.jpg)
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . X . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . X . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . X . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . X . . . .
. . . . . . X . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . X . . . . . . . . .
![Page 40: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/40.jpg)
1 number = 10 codes
0 1 2 3 4 5 6 7 8 9
![Page 41: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/41.jpg)
2 letters = 26 * 26 = 676 codes
AA AB AC AD AE AF AG AH AI AJ . . .
BA BB BC BD BE BF BG BH BI BJ . . .
CA CB CC CD CE CF CG CH CI CJ . . .
DA DB DC DD DE DF DG DH DI DJ . . .
EA EB EC ED EE EF EG EH EI EJ . . .
FA FB FC FD FE FF FG FH FI FJ . . .
GA GB GC GD GE GF GG GH GI GJ . . .
HA HB HC HD HE HF HG HH HI HJ . . .
IA IB IC ID IE IF IG IH II IJ . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . ZZ
![Page 42: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/42.jpg)
6 numbers = 1 000 000 codes
4 letters = 26 * 26 * 26 * 26 = 456 976 codes
![Page 43: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/43.jpg)
Numbers and letters?
![Page 44: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/44.jpg)
Avoid: letter O, number 0, letter I, number 1
![Page 45: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/45.jpg)
6 numbers or letters = 32 * 32 * 32 * 32 * 32 * 32 = 1 073 741 824 codes
![Page 46: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/46.jpg)
Things to consider when choosing codes:
Don’t use special characters !?&%$
![Page 47: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/47.jpg)
Things to consider when choosing codes:
Use UPPERCASE for readability
(but verify with case insensitivity)
![Page 48: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/48.jpg)
Security considerations
![Page 49: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/49.jpg)
Risk:
Accidentally granting Device A access to the
wrong user
![Page 50: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/50.jpg)
Someone is signed in … but who?
![Page 51: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/51.jpg)
Mitigating the risk of:
Accidentally granting Device A access to the
wrong user
![Page 52: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/52.jpg)
a) Show which user is authenticated, and allow them to switch
![Page 53: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/53.jpg)
a) Show which user is authenticated, and allow them to switch
b) Display a selection of users, and allow them to choose
![Page 54: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/54.jpg)
Risk:
Accidentally granting access to someone
else’s device
![Page 55: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/55.jpg)
Device AN shows Nina
X X N
Device AM shows Michael
X X M
![Page 56: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/56.jpg)
Nina accidentally types X X M
![Page 57: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/57.jpg)
Michael’s Device AM will get authenticated as Nina
![Page 58: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/58.jpg)
Mitigating the risk of:
Accidentally granting access to someone
else’s device
![Page 59: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/59.jpg)
Sparse usage of codes!
![Page 60: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/60.jpg)
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . X . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . X . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . ❌ X . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . X . . . .
. . . . . . X . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . X . . . . . . . . .
![Page 61: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/61.jpg)
Collect device name to show during activation
![Page 62: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/62.jpg)
![Page 63: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/63.jpg)
Risk:
An attacker using up all possible codes so no one
can sign in
![Page 64: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/64.jpg)
X X X X X X X X X X X X X X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X X X X X X X X X X X X X X
X X X X X X X X X X X X X X X X X X X X X X X X X X X X
![Page 65: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/65.jpg)
Mitigating the risk of:
An attacker using up all possible codes so no one
can sign in
![Page 66: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/66.jpg)
Rate limit ability to request codes
![Page 67: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/67.jpg)
Expire codes
![Page 68: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/68.jpg)
Expire codes … but don’t reuse too soon
![Page 69: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/69.jpg)
Risk:
An attacker guessing codes and using them to
get access tokens
![Page 70: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/70.jpg)
Brute force attack
![Page 71: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/71.jpg)
![Page 72: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/72.jpg)
Aside: why do attackers want to access random accounts?
![Page 73: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/73.jpg)
Mitigating the risk of:
An attacker guessing codes and using them to
get access tokens
![Page 74: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/74.jpg)
Very, VERY, sparse code usage?
![Page 75: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/75.jpg)
Rate limit for polling?
![Page 76: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/76.jpg)
Polling tokens
![Page 77: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/77.jpg)
e.g. AHDNFDJR-937JJ5N7HN-SNVKDHKSM2-FJSNMNDFF-93HF7H46AGMS
![Page 78: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/78.jpg)
Issue the polling token to Device A when issuing the easy-to-read code
![Page 79: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/79.jpg)
Require the polling token when:
a) checking the status of the code
![Page 80: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/80.jpg)
Require the polling token when:
a) checking the status of the code
b) exchanging the code for an access token
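The mitigations from the preceding slides (the 32-symbol alphabet, rate-limited code requests, expiry with a hold-back before reuse, the device name collected for activation, and a polling token required both for status checks and for the exchange) put together in one in-memory model of the server side. This is an added example, not SoundCloud's code or anything shown in the talk; the TTL, cooldown and rate-limit values, the method names and the client keys are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

# Slide alphabet: letters and digits without O, 0, I and 1 -> 32 symbols, so 32**6 six-character codes.
ALPHABET = "".join(c for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" if c not in "O0I1")
CODE_LENGTH = 6
CODE_TTL = 300                   # assumed: seconds a code stays valid
REUSE_COOLDOWN = 6 * 3600        # assumed: hold-back before an expired or used code is reissued
RATE_LIMIT, RATE_WINDOW = 5, 60  # assumed: code requests allowed per client per window

@dataclass
class PendingCode:
    polling_token: str      # long random secret handed only to Device A
    device_name: str        # collected so Device B can show it during activation
    created: float
    user_id: str = ""       # set when a signed-in user approves on Device B
    access_token: str = ""

class RemoteSignIn:
    # In-memory model of the server side of the flow; `clock` is injectable for tests.
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # code -> PendingCode
        self.cooldown = {}  # code -> time before which that code string must not be reissued
        self.requests = {}  # client key (e.g. IP) -> recent code-request timestamps

    def _retire(self, code):
        # Expired or used codes leave the pool but stay out of circulation for a while.
        del self.pending[code]
        self.cooldown[code] = self.clock() + REUSE_COOLDOWN

    def _sweep(self):
        for code, p in list(self.pending.items()):
            if self.clock() - p.created > CODE_TTL:
                self._retire(code)

    def request_code(self, client_key, device_name):
        # Device A asks for a code. Rate limiting stops one client from draining the code space.
        now = self.clock()
        recent = [t for t in self.requests.get(client_key, []) if now - t < RATE_WINDOW]
        if len(recent) >= RATE_LIMIT:
            raise PermissionError("too many code requests")
        self.requests[client_key] = recent + [now]
        self._sweep()
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        while code in self.pending or self.cooldown.get(code, 0.0) > now:  # sparse usage: rare
            code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        polling_token = secrets.token_urlsafe(32)
        self.pending[code] = PendingCode(polling_token, device_name, now)
        return code, polling_token

    def device_name_for(self, typed):
        # Device B: show which device the typed code belongs to before the user approves it.
        self._sweep()
        p = self.pending.get(typed.strip().upper())  # shown UPPERCASE, verified case-insensitively
        return p.device_name if p else None

    def approve(self, typed, user_id):
        # Device B: the user who is already signed in grants Device A access to their account.
        self._sweep()
        p = self.pending.get(typed.strip().upper())
        if p is None or p.user_id:
            return False
        p.user_id, p.access_token = user_id, secrets.token_urlsafe(32)
        return True

    def status(self, code, polling_token):
        # Device A polls. Without the matching polling token a guessed code reveals nothing.
        self._sweep()
        p = self.pending.get(code)
        if p is None:
            return "expired"
        if not secrets.compare_digest(p.polling_token, polling_token):
            return "denied"
        return "approved" if p.user_id else "pending"

    def exchange(self, code, polling_token):
        # Device A swaps an approved code for the access token; the code is then used up.
        if self.status(code, polling_token) != "approved":
            return None
        token = self.pending[code].access_token
        self._retire(code)
        return token
```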
![Page 81: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/81.jpg)
![Page 82: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/82.jpg)
Risk:
An attacker tricking people into giving away access to their account
![Page 83: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/83.jpg)
Social engineering attack
![Page 84: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/84.jpg)
![Page 85: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/85.jpg)
![Page 86: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/86.jpg)
Mitigating the risk of:
An attacker tricking people into giving away access to their account
![Page 87: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/87.jpg)
Use text and design elements that make it clear
![Page 88: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/88.jpg)
![Page 89: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/89.jpg)
![Page 90: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/90.jpg)
Have short expirations
![Page 91: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/91.jpg)
Closing thoughts
![Page 92: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/92.jpg)
Using a game controller to enter a password is not fun
![Page 93: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/93.jpg)
Designing and implementing a new kind of authentication flow is fun
![Page 94: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/94.jpg)
Involve your security experts early
![Page 95: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/95.jpg)
Painful → Magical
![Page 96: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/96.jpg)
Thanks :)
![Page 97: Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017](https://reader031.vdocuments.net/reader031/viewer/2022030318/5a6479b67f8b9a31568b47bf/html5/thumbnails/97.jpg)
Questions?
Tiffany Conroy ~ @theophani
developers.soundcloud.com/blog/remote-device-sign-in