
Beyond password: Time for a change

Olivier Potonniée

October 2013

How can web applications authenticate their online users?

Beyond password: Time for a change 2

Often…


Passwords?


[Chart: RockYou social network, Dec 2009: 30,000,000 passwords. Labels: 10,000 (0.03%); 24%; 40% uniques; 1,000; 12%; 100 : 5%; 290,729 (1%)]

Attacks


Compromised passwords in 2013:

Living Social: 50 million

EverNote: 50 million

Drupal: 1 million

Twitter: 250,000

[Chart: Email / Social: 75% (source: BitDefender)]

Strong Authentication


At least 2 of:

Something you know (password, pin, etc.)

Something you have (card, mobile, etc.)

Something you are (biometrics)

Independent, protected


Protiva

Cloud Confirm


I have an issue with smart cards


Need to define YOUR solution


[Diagram: Secure / Cheap / Convenient]

Social Login


Identity reuse

Simpler for users (no new identifier to remember)

Single-Sign-On (SSO)

Relieves the application

Privacy risks

Traceability

Disclosure of personal data

Authentication delegation


Delegation protocols


SAML

OAuth

A simple URL


Authentication via email


[Diagram: Alice (email), Verifier, Identity Provider. Speech bubbles: Verifier: "Who are you?"; Alice: "Here's my email, give him a certificate"; Verifier to Identity Provider: "Does this email belong to her?"]

Assertions


SAML

[Diagram: Alice (email), SAML Identity Provider. Speech bubbles: "Who are you?"; "Give him a certificate"]

Authorization to access personal data


OAuth

[Diagram: Alice]

Authorization (OAuth)

[Diagram: Alice, OAuth Server. Speech bubbles: "Who are you?"; "Give him an access key"]

Authorization to access identity


[Diagram: Alice, OpenID Connect Server. Speech bubbles: "Who are you?"; "Give him an access key"]
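The email, SAML and OpenID Connect diagrams above all rest on the same mechanism: an identity provider hands Alice a signed statement (the "certificate" or "access key") that the web application then checks instead of holding a password of its own. The Python below is an added example, not code from the presentation or from any of the products or protocols it names. It assumes an HMAC shared secret (IDP_KEY) in place of the public-key signature a real identity provider would use, constructed names (alice@example.com, https://app.example) and a fixed clock. It shows the verifier's side of "does this email belong to her?": signature, audience and expiry checks, and rejection of an assertion whose email has been altered or that was issued for a different application.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared by the identity provider and the verifier.
# Assumption: HMAC stands in for the identity provider's public-key signature.
IDP_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_assertion(key: bytes, email: str, audience: str, now: int, ttl: int = 300) -> str:
    """Identity provider side: 'give him a certificate'.

    The assertion binds the email to one audience (the application it is
    meant for) and to a short validity window.
    """
    claims = {"email": email, "aud": audience, "iat": int(now), "exp": int(now) + ttl}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64url(payload) + "." + _b64url(_sign(key, payload))


def verify_assertion(key: bytes, token: str, expected_audience: str, now: int):
    """Verifier side: 'does this email belong to her?'

    Returns (True, claims) when the assertion is authentic, addressed to this
    application and currently valid; otherwise (False, reason).
    """
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "malformed"
    # Signature first: nothing in the payload is trusted before this passes.
    if not hmac.compare_digest(_sign(key, payload), sig):
        return False, "bad signature"
    claims = json.loads(payload)
    # Audience check stops an assertion issued for another site being replayed here.
    if claims.get("aud") != expected_audience:
        return False, "wrong audience"
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return False, "expired or not yet valid"
    return True, claims


def demo() -> dict:
    """Run the checks against constructed inputs and report each outcome."""
    now = 1_700_000_000  # fixed clock (constructed)
    app = "https://app.example"
    token = issue_assertion(IDP_KEY, "alice@example.com", app, now)

    # Forge a token that reuses the genuine signature over an altered email.
    payload_b64, sig_b64 = token.split(".")
    altered = json.loads(_b64url_decode(payload_b64))
    altered["email"] = "mallory@example.com"
    forged_payload = json.dumps(altered, sort_keys=True, separators=(",", ":")).encode()
    forged = _b64url(forged_payload) + "." + sig_b64

    return {
        "valid": verify_assertion(IDP_KEY, token, app, now + 10),
        "wrong_audience": verify_assertion(IDP_KEY, token, "https://other.example", now + 10),
        "expired": verify_assertion(IDP_KEY, token, app, now + 600),
        "tampered": verify_assertion(IDP_KEY, forged, app, now + 10),
    }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({detail})")
```

The audience check is the one most often skipped in practice: without it, an assertion Alice obtained for one site can be presented to another, which defeats the point of per-application delegation.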

Define YOUR solution


Confidentiality / Personal data sharing?

Pre-registration of web application?

Dependency on an identity provider?

Authentication methods?

THE Message


Passwords are bad

Strong Authentication

Too many identities is inconvenient

Reuse identities (emails, social networks…)

Authentication is a sensitive and potentially complex task

Delegation, SSO

Privacy needs to be protected

Don’t ask for more data or access rights than needed

Thanks
