SlideShare a Scribd company logo

Beyond passwords: time for a change

O
Olivier Potonniée

The document discusses moving beyond passwords for user authentication on websites. It notes that passwords have been compromised in many large data breaches and advocates for stronger authentication using two or more factors such as something you know, have, or are. The document explores options for strong authentication like smart cards as well as delegation protocols like SAML, OAuth, and OpenID Connect that allow users to authenticate using existing identities from email or social media rather than creating new credentials. It emphasizes the need for any authentication solution to balance security, convenience, cost, and privacy.

Technology
1 of 24
Download to read offline
Beyond password: Time for a change Olivier Potonniée Octobre 2013
How can web applications authenticate their online users? 2 Beyond password: Time for a change
Often… 3 Beyond password: Time for a change
Passwords? 290,729 (1%) RockYou social network, Dec 2009: 30,000,000 passwords 40% uniques 10,000 (0.03%) 24% 1,000 100 : 5% 4 12% Beyond password: Time for a change
Attacks Compromised passwords in 2013: Living Social: 50 millions Email 75% EverNote: 50 millions Drupal: 1 million Social Twitter: 250,000 … 5 Beyond password: Time for a change (BitDefender)
Strong Authentication At least 2 of: Something you know (password, pin, etc.) Something you have (card, mobile, etc.) Something you are (biometrics) Independents, protected 6 Beyond password: Time for a change
Protiva Cloud Confirm 7 Beyond password: Time for a change
8 Beyond password: Time for a change
I have an issue with smart cards 9 Beyond password: Time for a change
10 Beyond password: Time for a change
Need to define YOUR solution Secure Convenient Cheap 11 Beyond password: Time for a change
Social Login Identity reuse Simpler for users (no new identifier to remember) Single-Sign-On (SSO) Alleviate the application Privacy risks Traceability Disclosure of personal data 12 Beyond password: Time for a change
Authentication delegation 13 Beyond password: Time for a change
Delegation protocols SAML OAuth 14 Beyond password: Time for a change
A simple URL 15 Beyond password: Time for a change
Authentication Who are you? Give him a certificate Alice email (nat sakimura) 16 Beyond password: Time for a change OpenID Identity Provider
Authentication via email Who are you? Here’s my email, give him a certificate Alice email Verifier Does this email belong to her? Identity Provider 17 Beyond password: Time for a change
SAML Assertions Who are you? Give him a certificate Alice email 18 Beyond password: Time for a change SAML Identity Provider
OAuth Authorization to access personal data 19 Beyond password: Time for a change
OAuth Authorization Who are you? 20 Beyond password: Time for a change Give him an access key OAuth Server Alice
Authorization to access identity Who are you? 21 Beyond password: Time for a change Give him an access key OpenID Connect Server Alice
Define YOUR solution Confidentiality / Personal data sharing? Pre-registration of web application? Dependency to an identity provider? Authentication methods? 22 Beyond password: Time for a change
THE Message Passwords are bad Strong Authentication Too many identities is inconvenient Reuse identities (emails, social networks…) Authentication is a sensitive and potentially complex task Delegation, SSO Privacy needs to be protected Don’t ask for more data or access rights than needed 23 Beyond password: Time for a change
Thanks 24 Beyond password: Time for a change

Recommended

Secure Elements in Web Applications
Secure Elements in Web ApplicationsSecure Elements in Web Applications
Secure Elements in Web Applications
Olivier Potonniée
 
Securing online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsSecuring online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applications
Olivier Potonniée
 
Designing Teams for Emerging Challenges
Designing Teams for Emerging ChallengesDesigning Teams for Emerging Challenges
Designing Teams for Emerging Challenges
Aaron Irizarry
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesUX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with Data
Seth Familian
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017
Drift
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
Leslie Samuel
 
OpenID and decentralised social networks
OpenID and decentralised social networksOpenID and decentralised social networks
OpenID and decentralised social networks
Simon Willison
 

Recommended

Secure Elements in Web Applications
Secure Elements in Web ApplicationsSecure Elements in Web Applications
Secure Elements in Web Applications
Olivier Potonniée
 
Securing online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applicationsSecuring online services by combining smart cards and web-based applications
Securing online services by combining smart cards and web-based applications
Olivier Potonniée
 
Designing Teams for Emerging Challenges
Designing Teams for Emerging ChallengesDesigning Teams for Emerging Challenges
Designing Teams for Emerging Challenges
Aaron Irizarry
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesUX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with Data
Seth Familian
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017
Drift
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
Leslie Samuel
 
OpenID and decentralised social networks
OpenID and decentralised social networksOpenID and decentralised social networks
OpenID and decentralised social networks
Simon Willison
 
Self-Sovereign Identity: Lightening Talk at RightsCon
Self-Sovereign Identity: Lightening Talk at RightsCon Self-Sovereign Identity: Lightening Talk at RightsCon
Self-Sovereign Identity: Lightening Talk at RightsCon
Kaliya "Identity Woman" Young
 
Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud
CA API Management
 
ISBG The 3 S's a guide to single sign on
ISBG The 3 S's a guide to single sign onISBG The 3 S's a guide to single sign on
ISBG The 3 S's a guide to single sign on
Gabriella Davis
 
Single sign on
Single sign onSingle sign on
Single sign on
Rob Fitzgibbon
 
Single sign on
Single sign onSingle sign on
Single sign on
guest64ab8e
 
NEDMA18 Keynote: Cyber Security – what you need to know, what you need to do
NEDMA18 Keynote: Cyber Security – what you need to know, what you need to doNEDMA18 Keynote: Cyber Security – what you need to know, what you need to do
NEDMA18 Keynote: Cyber Security – what you need to know, what you need to do
New England Direct Marketing Association, Inc.
 
Building the Social Web with OpenID
Building the Social Web with OpenIDBuilding the Social Web with OpenID
Building the Social Web with OpenID
Simon Willison
 
Implications Of OpenID (Google Tech Talk)
Implications Of OpenID (Google Tech Talk)Implications Of OpenID (Google Tech Talk)
Implications Of OpenID (Google Tech Talk)
Simon Willison
 
Open Id, O Auth And Webservices
Open Id, O Auth And WebservicesOpen Id, O Auth And Webservices
Open Id, O Auth And Webservices
Myles Eftos
 
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
apidays
 
Self-Sovereign Identity for the Decentralized Web Summit
Self-Sovereign Identity for the Decentralized Web SummitSelf-Sovereign Identity for the Decentralized Web Summit
Self-Sovereign Identity for the Decentralized Web Summit
Kaliya "Identity Woman" Young
 
How I'd hack into your business and how you can stop me!
How I'd hack into your business and how you can stop me!How I'd hack into your business and how you can stop me!
How I'd hack into your business and how you can stop me!
AVG Technologies AU
 
The Future of Authentication - Verifiable Credentials / Self-Sovereign Identity
The Future of Authentication - Verifiable Credentials / Self-Sovereign IdentityThe Future of Authentication - Verifiable Credentials / Self-Sovereign Identity
The Future of Authentication - Verifiable Credentials / Self-Sovereign Identity
Evernym
 
Defi MOOC Fa21 - Decentralized Identity.pptx.pdf
Defi MOOC Fa21 - Decentralized Identity.pptx.pdfDefi MOOC Fa21 - Decentralized Identity.pptx.pdf
Defi MOOC Fa21 - Decentralized Identity.pptx.pdf
ssuser00208b
 
Tony Nadalin' presentation at eComm 2008
Tony Nadalin' presentation at eComm 2008Tony Nadalin' presentation at eComm 2008
Tony Nadalin' presentation at eComm 2008
eComm2008
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
STO STRATEGY
 
FHSU CITI CS Training.pptx
FHSU CITI CS Training.pptxFHSU CITI CS Training.pptx
FHSU CITI CS Training.pptx
LaurieAnnFrazier
 
Sept 2014 cloud security presentation
Sept 2014 cloud security presentationSept 2014 cloud security presentation
Sept 2014 cloud security presentation
Joan Dembowski
 
Masterclass_ Cybersecurity and Data Privacy Basics
Masterclass_ Cybersecurity and Data Privacy BasicsMasterclass_ Cybersecurity and Data Privacy Basics
Masterclass_ Cybersecurity and Data Privacy Basics
Excellence Foundation for South Sudan
 
The Implications of OpenID
The Implications of OpenIDThe Implications of OpenID
The Implications of OpenID
Simon Willison
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
Boston Institute of Analytics
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
V3cube
 

More Related Content

Similar to Beyond passwords: time for a change

Implications Of OpenID (Google Tech Talk)
Implications Of OpenID (Google Tech Talk)Implications Of OpenID (Google Tech Talk)
Implications Of OpenID (Google Tech Talk)
Simon Willison
 
The Future of Authentication - Verifiable Credentials / Self-Sovereign Identity
The Future of Authentication - Verifiable Credentials / Self-Sovereign IdentityThe Future of Authentication - Verifiable Credentials / Self-Sovereign Identity
The Future of Authentication - Verifiable Credentials / Self-Sovereign Identity
Evernym
 
Tony Nadalin' presentation at eComm 2008
Tony Nadalin' presentation at eComm 2008Tony Nadalin' presentation at eComm 2008
Tony Nadalin' presentation at eComm 2008
eComm2008
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
STO STRATEGY
 
The Implications of OpenID
The Implications of OpenIDThe Implications of OpenID
The Implications of OpenID
Simon Willison
 

Similar to Beyond passwords: time for a change (20)

Self-Sovereign Identity: Lightening Talk at RightsCon
Self-Sovereign Identity: Lightening Talk at RightsCon Self-Sovereign Identity: Lightening Talk at RightsCon
Self-Sovereign Identity: Lightening Talk at RightsCon
 
Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud
 
ISBG The 3 S's a guide to single sign on
ISBG The 3 S's a guide to single sign onISBG The 3 S's a guide to single sign on
ISBG The 3 S's a guide to single sign on
 
Single sign on
Single sign onSingle sign on
Single sign on
 
Single sign on
Single sign onSingle sign on
Single sign on
 
NEDMA18 Keynote: Cyber Security – what you need to know, what you need to do
NEDMA18 Keynote: Cyber Security – what you need to know, what you need to doNEDMA18 Keynote: Cyber Security – what you need to know, what you need to do
NEDMA18 Keynote: Cyber Security – what you need to know, what you need to do
 
Building the Social Web with OpenID
Building the Social Web with OpenIDBuilding the Social Web with OpenID
Building the Social Web with OpenID
 
Implications Of OpenID (Google Tech Talk)
Implications Of OpenID (Google Tech Talk)Implications Of OpenID (Google Tech Talk)
Implications Of OpenID (Google Tech Talk)
 
Open Id, O Auth And Webservices
Open Id, O Auth And WebservicesOpen Id, O Auth And Webservices
Open Id, O Auth And Webservices
 
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit...
 
Self-Sovereign Identity for the Decentralized Web Summit
Self-Sovereign Identity for the Decentralized Web SummitSelf-Sovereign Identity for the Decentralized Web Summit
Self-Sovereign Identity for the Decentralized Web Summit
 
How I'd hack into your business and how you can stop me!
How I'd hack into your business and how you can stop me!How I'd hack into your business and how you can stop me!
How I'd hack into your business and how you can stop me!
 
The Future of Authentication - Verifiable Credentials / Self-Sovereign Identity
The Future of Authentication - Verifiable Credentials / Self-Sovereign IdentityThe Future of Authentication - Verifiable Credentials / Self-Sovereign Identity
The Future of Authentication - Verifiable Credentials / Self-Sovereign Identity
 
Defi MOOC Fa21 - Decentralized Identity.pptx.pdf
Defi MOOC Fa21 - Decentralized Identity.pptx.pdfDefi MOOC Fa21 - Decentralized Identity.pptx.pdf
Defi MOOC Fa21 - Decentralized Identity.pptx.pdf
 
Tony Nadalin' presentation at eComm 2008
Tony Nadalin' presentation at eComm 2008Tony Nadalin' presentation at eComm 2008
Tony Nadalin' presentation at eComm 2008
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
FHSU CITI CS Training.pptx
FHSU CITI CS Training.pptxFHSU CITI CS Training.pptx
FHSU CITI CS Training.pptx
 
Sept 2014 cloud security presentation
Sept 2014 cloud security presentationSept 2014 cloud security presentation
Sept 2014 cloud security presentation
 
Masterclass_ Cybersecurity and Data Privacy Basics
Masterclass_ Cybersecurity and Data Privacy BasicsMasterclass_ Cybersecurity and Data Privacy Basics
Masterclass_ Cybersecurity and Data Privacy Basics
 
The Implications of OpenID
The Implications of OpenIDThe Implications of OpenID
The Implications of OpenID
 

Recently uploaded

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Recently uploaded (20)

HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 

Beyond passwords: time for a change