Codemotion ES 2014: Love Always Takes Care & Humility
DESCRIPTION
Talk delivered by Chema Alonso in Codemotion 2014 ES {Madrid}. It is about passwords, second factor authentication and Second Factor Authorization using Latch... with a Breaking Bad touch.
TRANSCRIPT
Hacker & Developer
Worried About Security
She thinks security is “do the things right”
Creating a Strong Password:
Variety – Don’t use the same password on all the sites you visit. Don’t use a word
from the dictionary.
Length – Select strong passwords that can’t easily be guessed with 10 or more
characters.
Think of a meaningful phrase, song or quote and turn it into a complex password
using the first letter of each word.
Complexity – Randomly add capital letters, punctuation or symbols. Substitute
numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”).
Never give your password to others or write it down.
He doesn't
Working the “common way” is useless
• Wiretapping
• Trojans & malware
• Phishing
• Shoulder Surfing
• Insiders
• Server-Side bugs
– Heartbleed, ShellShock, Schannel, PHP CGI, ….
• Client-Side bugs
• Enemies everywhere...
P@sswords, P@sswords,
Dam’t!!
We need to apply Science on the “new” way
• 99 % of purity
• Good for all users
• Not past errors
• Second Factor Auth
• Side-Channel
• Stealth
She doesn't like “new” ways to security
• 2FA with OTP on SMS
• RSA Hardware Tokens
• Matrix of numbers
• G Authenticator-likes
• Biometry
• Etc…
She Complains
• G-Authenticator-likes
  – No warning when passwords are stolen
  – User needs to type OTP
• Biometry
  – Lost once / lost forever
  – Who has my biometry?
  – iOS case
• RSA Hardware Tokens
  – Expensive
  – Uncomfortable
  – User needs to type OTP
• SMS way
  – Not anonymous
  – Tied to SIM
  – SIM swapping attacks
  – GSM attacks
  – User needs to type OTP
  – Roaming services
• Matrix
  – Finite
  – Trojans ask for it
  – Usually in the wallet
  – User needs to type OTP
What does a hacker do?
A hacker provides because…
{Love Always Takes Care & Humility}
L A T C H
Latch Server
1.- Generate pairing code
2.- Temporary pairing token
User Settings: Login: XXXX / Pass: YYYY / Latch:
4.- AppID + Temp pairing token
5.- OK + Unique Latch
6.- Latch ID appears in app
ULatch
Latch Security “Way”
Latch Server
Users DB: Login: XXXX / Pass: YYYY / Latch: Latch1
Login Page: Login: AAAA / Pass: BBBB
1.- Client sends login/password
2.- Check user/pass
3.- Asks about Latch1 status
4.- Latch1 is OFF
5.- Login error
6.- Someone tried to get access to Latch1 ID
Latch Security “Way”
Cares & Humility
• No users. No passwords. No personal data. No trace.
• If anyone tries to get access -> Can't + Warning
• If anyone accesses when open -> Warning
• If anyone tries to unpair -> Latch + Warning
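The two flow slides above (pairing, then a login that is checked against the latch status) and the three "Cares & Humility" rules can be put together in a small model. The code below is an added example written for this transcript; it is not ElevenPaths' Latch SDK or API, and every class, method and field name in it is invented. The Latch server side stores only latch IDs and their open/closed state, the web service keeps its own user database with the latch ID next to each login, a closed latch turns a correct password into a plain login error while the latch owner receives the warning, and unpairing a closed latch is refused and reported. It also covers the later "4-eyes verification" and "2 Keys Activation" slides with an asset guarded by several latches at once.

```python
# Added example (not ElevenPaths' Latch SDK): a toy model of the pairing and
# login flows drawn on the slides. All names here are invented for illustration.
import hashlib
import hmac
import secrets
import time


class LatchServer:
    """Stand-in for the Latch server: holds latch IDs and their open/closed
    state only. No logins, passwords or personal data are stored here."""

    PAIRING_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

    def __init__(self, pairing_ttl=60):
        self._pending = {}        # pairing code -> time it was issued
        self._latches = {}        # latch id -> True (open) / False (closed)
        self.alerts = []          # (latch id, message) pushed to the user's app
        self.pairing_ttl = pairing_ttl

    def generate_pairing_code(self):
        """Step 1: the app asks for a short-lived, single-use pairing code."""
        code = "".join(secrets.choice(self.PAIRING_ALPHABET) for _ in range(6))
        self._pending[code] = time.time()
        return code

    def pair(self, app_id, pairing_code):
        """Steps 4-5: the service presents AppID + temporary pairing token and
        receives a unique latch ID, which starts out closed."""
        issued = self._pending.pop(pairing_code, None)
        if issued is None or time.time() - issued > self.pairing_ttl:
            return None                      # unknown, reused or expired code
        latch_id = f"{app_id}:{secrets.token_hex(8)}"
        self._latches[latch_id] = False
        return latch_id

    def set_open(self, latch_id, is_open):
        """The owner flips the latch from the app."""
        self._latches[latch_id] = is_open

    def is_open(self, latch_id):
        """Step 3: the service asks for the latch status."""
        return self._latches.get(latch_id, False)

    def notify(self, latch_id, message):
        """Step 6: warn the latch owner about activity on their latch."""
        self.alerts.append((latch_id, message))

    def unpair(self, latch_id):
        """Unpairing a closed latch is refused and the owner is warned."""
        if not self.is_open(latch_id):
            self.notify(latch_id, "unpair attempt while latch closed")
            return False
        del self._latches[latch_id]
        return True


class WebService:
    """The protected site: its own user DB with the latch ID stored next to
    each login; it asks the Latch server before admitting anybody."""

    def __init__(self, latch_server, app_id="demo-app"):
        self.latch = latch_server
        self.app_id = app_id
        self.users = {}           # login -> {"salt", "hash", "latch"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, login, password):
        salt = secrets.token_bytes(16)
        self.users[login] = {"salt": salt, "hash": self._hash(password, salt), "latch": None}

    def pair_user(self, login, pairing_code):
        """Bind a freshly issued latch ID to an existing account."""
        latch_id = self.latch.pair(self.app_id, pairing_code)
        if latch_id is not None:
            self.users[login]["latch"] = latch_id
        return latch_id

    def login(self, login, password):
        """Login slide, steps 1-5: True only when the password is right AND the
        latch is open. The client sees the same generic failure either way;
        only the latch owner learns why."""
        rec = self.users.get(login)
        if rec is None:
            return False
        # Step 2: verify the password with a constant-time comparison.
        if not hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"])):
            return False
        latch_id = rec["latch"]
        if latch_id is None:
            return True                      # account not paired: password only
        # Steps 3-4: closed latch means login error plus a warning to the owner.
        if not self.latch.is_open(latch_id):
            self.latch.notify(latch_id, "login attempt while latch closed")
            return False
        self.latch.notify(latch_id, "login while latch open")
        return True

    def asset_unlocked(self, latch_ids):
        """'4-eyes verification' / '2 Keys Activation': an asset guarded by
        several latches opens only when every one of them is open."""
        return all(self.latch.is_open(lid) for lid in latch_ids)
```

The pairing code is consumed on first use and expires after `pairing_ttl` seconds, so a code seen by a third party is worthless once the owner has paired. Note that `login` returns the same `False` for a wrong password and for a closed latch: the person at the login page cannot tell which check failed, which is exactly the "Login error" of step 5, while the warning lands in the legitimate user's app.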
Latch Periodic Table
Cooking
A PHP Recipe
User1 / Pass1
Login: User2, Pass: Pass2
Latch: Latch2
Login: User1, Pass: Pass1
Latch: Latch1
4-eyes verification
Asset Latch: Latch1
Latch: Latch2
2 Keys Activation
User1 / Pass1
User / Pass
Login: User, Pass: Pass
Latch: Latch
Access Control
Why?
Answer
OTP
Double Supervision
Login: User
Pass: Pass
Latch: Latch
Op1: Unlock
Op2: OTP
User
Pass
Latch Plugin Contest
Mooooney
Latch Talks
See you in Codemotion 2015:
The end of the Trilogy
“Love After Death”