Death to Passwords
Description: Talk given at DroidCon NL
Transcript
Death to Passwords
Cristiano Betta, Developer Advocate, @cbetta | @braintree_dev
Braintree_Dev. @cbetta | @braintree_dev
WHERE I LIVE
WHERE I USED TO LIVE
That’s me
>Death to Passwords_
>The 3 key problems_
The top 1000 most used passwords of 2012 (wiki.skullsecurity.org/Passwords)
The top 1000 most leaked passwords of 2012 (wiki.skullsecurity.org/Passwords)
4.7% OF ALL LEAKED PASSWORDS ARE PASSWORD
8.5% OF ALL LEAKED PASSWORDS ARE PASSWORD or 123456
4.7% OF ALL LEAKED PASSWORDS ARE PASSWORD or 123456 or 12345678
... and it doesn’t even stop there:
14% have a password from the top 10
40% have a password from the top 100
79% have a password from the top 500
91% have a password from the top 1000
abstrusegoose.com/296
A brief analysis of the situation in 2013 (cbsn.ws/1siTPGH)
1. 123456 (up 1)
2. password (down 1)
3. 12345678
4. qwerty (up 1)
5. abc123 (down 1)
6. 123456789 (new)
7. 111111 (up 2)
8. 1234567 (up 5)
9. iloveyou (up 2)
10. adobe123 (new)
11. 123123 (up 5)
12. admin (new)
13. 1234567890 (new)
14. letmein (down 7)
15. photoshop (new)
16. 1234 (new)
17. monkey (down 11)
18. shadow
19. sunshine (down 5)
20. 12345 (new)
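As an added example (not part of the talk), this is how the "X% have a password from the top N" figures above are derived from a leak, and how the same ranking is reused defensively as a signup denylist. The leak sample is constructed here to keep the example self-contained; it is not real data.

```python
from collections import Counter

# Constructed sample leak: a handful of very common passwords repeated many
# times plus a tail of unique ones. Shape mirrors the skullsecurity lists
# the talk cites; the values and counts are made up for this example.
SAMPLE_LEAK = (
    ["123456"] * 30 + ["password"] * 20 + ["12345678"] * 12 + ["qwerty"] * 8
    + ["abc123"] * 5 + ["letmein"] * 3 + ["monkey"] * 2
    + ["Tr0ub4dor&3", "correct-horse-battery", "xk9!Lm2#", "s3cur3P@ss",
       "zebra-lamp-42", "N0tInAnyList", "7h1s1sF1n3", "uniq-9921",
       "blue.sky.77", "gamma-delta-3"]
)


def rank_passwords(leak):
    """Return [(password, count), ...] sorted most common first."""
    return Counter(leak).most_common()


def top_n_coverage(leak, n):
    """Fraction of accounts in the leak whose password is among the top n."""
    ranked = rank_passwords(leak)
    covered = sum(count for _, count in ranked[:n])
    return covered / len(leak)


def coverage_report(leak, ns=(1, 2, 3, 10)):
    """Percent of accounts covered by the top-n passwords, rounded as on the slides."""
    return {n: round(100 * top_n_coverage(leak, n), 1) for n in ns}


def build_denylist(leak, n):
    """Case-folded set of the n most common leaked passwords, for use at signup."""
    return {pw.casefold() for pw, _ in rank_passwords(leak)[:n]}


def is_denylisted(candidate, denylist):
    """True if a chosen password (compared case-insensitively) is a known-common one."""
    return candidate.casefold() in denylist


if __name__ == "__main__":
    print(coverage_report(SAMPLE_LEAK))
    deny = build_denylist(SAMPLE_LEAK, 10)
    for pw in ("PASSWORD", "correct-horse-battery-staple"):
        print(pw, "rejected" if is_denylisted(pw, deny) else "accepted")
```

In production the denylist would be built from a published leaked-password corpus rather than a toy sample, and the check runs server-side at registration and password change.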
“FAVOR SECURITY TOO MUCH OVER THE EXPERIENCE AND YOU’LL MAKE THE WEBSITE A PAIN TO USE.”
smashingmagazine.com/2012/10/26/password-masking-hurt-signup-form
vs
People forget passwords…
45% admit to leaving a website instead of re-setting their password or answering security questions
- Blue Inc. 2011
Let’s admit it... Passwords really suck!
People hate to register
Out of 657 surveyed users 66% think that social sign-in is a desirable alternative.
- Blue Inc. 2011
Let’s admit it... Passwords really, really suck!
“Braintree Says Goodbye to Passwords With One Touch Payments for PayPal and Venmo, and Hello to Bitcoin”
braintreepayments.com/blog/goodbye-passwords-one-touch-hello-bitcoin
One Touch flow (slide diagram): Merchant app → PayPal app → Merchant app
> Continue? (Y/n) _
Multi-Factor Authentication
en.wikipedia.org/wiki/Multi-factor_authentication
KNOWLEDGE FACTOR
INHERENCE FACTOR
POSSESSION FACTOR
2-Factor Authentication
twofactorauth.org
Passwordless Authentication
medium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb
fidoalliance.org
> Exit? (Y/n) _
Authorization & Authentication
stackoverflow.com/questions/6367865/is-there-a-difference-between-authentication-and-authorization
Google Facebook Twitter
• Passwords are awesome
• But people+passwords suck
• We need something you have, know and/or are
• Wearable tech opens up a new world of possibilities
• Don’t re-invent the wheel
  • FIDO
  • Third party auth