The document discusses moving beyond passwords for user authentication on websites. It notes that passwords have been compromised in many large data breaches and advocates for stronger authentication using two or more factors such as something you know, have, or are. The document explores options for strong authentication like smart cards as well as delegation protocols like SAML, OAuth, and OpenID Connect that allow users to authenticate using existing identities from email or social media rather than creating new credentials. It emphasizes the need for any authentication solution to balance security, convenience, cost, and privacy.
4. Passwords?
RockYou social network, Dec 2009: 30,000,000 passwords leaked, 40% unique
[Chart: the most common passwords against the share of accounts they cover; only the tick labels survived extraction: 290,729 (1%), 10,000 (0.03%), 1,000, 100, 4 passwords; 24%, 12%, 5%]
Beyond password: Time for a change
5. Attacks
Compromised passwords in 2013 (source: BitDefender):
LivingSocial: 50 million
Evernote: 50 million
Drupal: 1 million
Twitter: 250,000
…
[Chart: breakdown of the compromised accounts by type; only the labels "Email 75%" and "Social" survived extraction]
6. Strong Authentication
At least 2 of:
Something you know (password, pin, etc.)
Something you have (card, mobile, etc.)
Something you are (biometrics)
The factors must be independent of each other (compromising one must not expose the other) and each must be protected
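The two-factor check on this slide, as an added example in Python (not code from the deck): a server-side login that requires a password (something you know, stored as a salted PBKDF2 hash) and a TOTP code from an authenticator app (something you have, RFC 6238 built on RFC 4226 HOTP). The two factors are independent (the TOTP seed is not derived from the password), both are always evaluated so the reply does not reveal which one failed, a one-step clock-skew window is tolerated, and the time step of an accepted code is burned so the same code cannot be replayed. The account record, its salt and the password are constructed for the example; the seed used in the comments is the RFC 6238 test secret.

```python
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the time-step counter floor(at / step).
    With the RFC test secret b"12345678901234567890", at=59 gives "287082"."""
    return hotp(secret, at // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Something you know: kept only as a salted, deliberately slow PBKDF2 hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    """Constructed account record: password hash plus the TOTP seed shared with
    the user's authenticator app (the 'something you have')."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_step = -1          # newest time step already accepted (replay guard)


def verify_login(acct: Account, password: str, code: str, now=None, window: int = 1) -> bool:
    """Accept only if BOTH factors check out. Both are always evaluated."""
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)

    matched_step = None
    step = now // 30
    for cand in range(step - window, step + window + 1):     # tolerate clock skew
        if cand <= acct.last_step:
            continue                                          # already used: a replay
        if hmac.compare_digest(hotp(acct.totp_secret, cand), code):
            matched_step = cand
            break

    if pw_ok and matched_step is not None:
        acct.last_step = matched_step                         # burn the step on success
        return True
    return False
```

The replay guard is what makes the "something you have" factor worth the name: without it, a code phished or shoulder-surfed during its 30-second validity can be reused by the attacker inside that same window.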
11. Need to define YOUR solution
Secure
Convenient
Cheap
12. Social Login
Identity reuse
Simpler for users (no new identifier to remember)
Single-Sign-On (SSO)
Relieves the application of storing and verifying credentials
Privacy risks
Traceability (the identity provider learns where and when the user logs in)
Disclosure of personal data
16. Authentication
[Diagram, after Nat Sakimura: the application asks Alice "Who are you?"; Alice, identified by her email, tells her OpenID Identity Provider "Give him a certificate", i.e. an assertion about her identity that the application can check]
17. Authentication via email
[Diagram: the application asks Alice "Who are you?"; Alice answers "Here's my email, give him a certificate"; a Verifier asks the Identity Provider "Does this email belong to her?"]
18. SAML Assertions
[Diagram: the application asks Alice "Who are you?"; Alice, identified by her email, tells the SAML Identity Provider "Give him a certificate" (a SAML assertion)]
20. OAuth Authorization
[Diagram: the application asks Alice "Who are you?"; Alice tells the OAuth Server "Give him an access key" (an access token). OAuth by itself authorizes access to a resource; it does not tell the application who Alice is]
21. Authorization to access identity
[Diagram: the application asks Alice "Who are you?"; Alice tells the OpenID Connect Server "Give him an access key". With OpenID Connect the key also gives access to Alice's identity (a signed ID token), which is what turns OAuth authorization into authentication]
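The exchanges of slides 16 to 21, together with the "don't ask for more than needed" point of slide 23, as one added example in Python (not code from the deck): a simulated OpenID Connect authorization-code flow with both parties in one process. The relying party sends Alice to the provider with a fresh state and nonce and a minimal scope; the provider authenticates her (how is the provider's business) and returns a one-time code; the relying party redeems the code over the back channel and verifies the ID token it gets back (signature, issuer, audience, expiry, nonce). The ID token is signed with HS256 keyed with the client secret, which OpenID Connect permits; production providers usually sign with RS256 and publish their keys at a JWKS endpoint, and the HTTP redirects are replaced here by direct method calls. The issuer URL, client id, redirect URI and the user record are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """ID token as a compact JWS, HS256 keyed with the client secret."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, nonce: str, now: int) -> dict:
    """The relying party's checks on an ID token; any failure raises ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # the RP fixes the algorithm, never the token
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    for name, want in (("iss", issuer), ("aud", audience), ("nonce", nonce)):
        if claims.get(name) != want:            # wrong issuer, token for another client, replay
            raise ValueError(f"{name} mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def rejects(**kwargs) -> bool:
    """True when verify_jwt refuses the token (used to show the negative cases)."""
    try:
        verify_jwt(**kwargs)
        return False
    except ValueError:
        return True


class IdentityProvider:                 # simulated OpenID Connect server; issuer URL is constructed
    def __init__(self, issuer: str):
        self.issuer = issuer
        self.clients = {}               # client_id -> (client_secret, redirect_uri): pre-registered
        self.codes = {}                 # outstanding one-time authorization codes

    def register_client(self, client_id: str, client_secret: bytes, redirect_uri: str):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, request: dict, user: dict) -> dict:
        """Alice has logged in at the IdP and consented; she is sent back to the RP
        with a one-time code and the RP's own state value."""
        _, redirect_uri = self.clients.get(request["client_id"], (None, None))
        if redirect_uri != request["redirect_uri"]:
            raise ValueError("unregistered client or redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (request["client_id"], request["scope"], request["nonce"], user)
        return {"code": code, "state": request["state"]}

    def token(self, client_id: str, client_secret: bytes, code: str, now: int) -> str:
        """Back channel: the RP redeems the code and authenticates itself with its secret."""
        entry = self.codes.pop(code, None)          # a code is redeemable exactly once
        if entry is None or entry[0] != client_id:
            raise ValueError("unknown or already used code")
        if not hmac.compare_digest(self.clients[client_id][0], client_secret):
            raise ValueError("bad client secret")
        _, scope, nonce, user = entry
        claims = {"iss": self.issuer, "sub": user["sub"], "aud": client_id,
                  "iat": now, "exp": now + 300, "nonce": nonce}
        if "email" in scope.split():                # release only what the RP asked for
            claims["email"] = user["email"]
        return sign_jwt(claims, client_secret)


class RelyingParty:                     # the web application delegating authentication
    def __init__(self, client_id: str, client_secret: bytes, redirect_uri: str, idp: IdentityProvider):
        self.client_id, self.client_secret, self.redirect_uri, self.idp = client_id, client_secret, redirect_uri, idp
        self.pending = {}               # state -> nonce, one entry per login attempt

    def start_login(self, scope: str = "openid email") -> dict:
        """Authorization request the browser carries to the IdP; state and nonce are fresh."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state, "nonce": nonce}

    def finish_login(self, callback: dict, now: int) -> dict:
        """Callback handler: state ties the response to a request this RP actually started."""
        nonce = self.pending.pop(callback.get("state"), None)
        if nonce is None:
            raise ValueError("unknown state: response not solicited by this RP")
        id_token = self.idp.token(self.client_id, self.client_secret, callback["code"], now)
        return verify_jwt(id_token, self.client_secret, self.idp.issuer, self.client_id, nonce, now)


def run_flow(scope: str = "openid email", now: int = 1700000000) -> dict:
    """The whole exchange end to end; returns the claims the RP may now rely on."""
    idp = IdentityProvider("https://idp.example")                 # constructed issuer
    secret = secrets.token_bytes(32)
    idp.register_client("webapp", secret, "https://app.example/cb")
    rp = RelyingParty("webapp", secret, "https://app.example/cb", idp)
    alice = {"sub": "alice", "email": "alice@example.com"}        # constructed user record
    return rp.finish_login(idp.authorize(rp.start_login(scope), alice), now)
```

Requesting scope "openid" instead of "openid email" yields an ID token without the email claim: the provider discloses only what the application asked for, which is the slide 12 and slide 23 privacy point in practice. The audience check is the one most often forgotten: a token the provider issued for some other application is validly signed by the same provider, and without comparing `aud` to its own client id the relying party would accept it.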
22. Define YOUR solution
Confidentiality / personal data sharing?
Pre-registration of the web application with the identity provider?
Dependency on an identity provider?
Authentication methods?
23. THE Message
Passwords are bad
Strong Authentication
Too many identities is inconvenient
Reuse identities (emails, social networks…)
Authentication is a sensitive and potentially complex task
Delegation, SSO
Privacy needs to be protected
Don’t ask for more data or access rights than needed