Talk delivered by Chema Alonso in Codemotion 2014 ES {Madrid}. It is about passwords, second factor authentication and Second Factor Authorization using Latch... with a Breaking Bad touch.

1. {Love Always Takes Care & Humility}
Chema Alonso
@chemaalonso
chema@11paths.com

5. Hacker & Developer

6. Worried About Security

7. She thinks security is “do the things
right”
Creating a Strong Password:
Variety – Don’t use the same password on all the sites you visit. Don’t use a word
from the dictionary.
Length – Select strong passwords that can’t easily be guessed with 10 or more
characters.
Think of a meaningful phrase, song or quote and turn it into a complex password
using the first letter of each word.
Complexity – Randomly add capital letters, punctuation or symbols. Substitute
numbers for letters that look similar (for example, substitute “0” for “o” or “3″ for “E”.
Never give your password to others or write it down.

8. He doesn´t

9. Working “common way” is
useless
• WireTyping
• Trojans & malware
• Phishing
• Shoulder Surfing
• Insiders
• Server-Side bugs
– Heartbleed,
ShellShock,
Schannel, PHP CGI,
….
• Client-Side bugs
• Enemies
everywhere...

10. P@sswords, P@sswords,
Dam’t!!

11. P@sswords, P@sswords,
Dam’t!!

12. P@sswords, P@sswords,
Dam’t!!

14. We need to apply Science on “new”
way
• 99 % of purity
• Good for all users
• Not past errors
• Second Factor Auth
• Side-Channel
• Stealth

16. She doesn´t like “new” ways to
security
• 2FA with OTP on
SMS
• RSA Hardware
Tokens
• Matrix of numbers
• G Authenticator-
Likes
• Biometry
• Etc….

17. She Complaints
G-Authenticator-likes
Not stolen-passwords advise
User needs to type OTP
Biometry
Lost once / Lost forever
Who has my biometry?
iOS Case
RSA Hardware Tokens
Expensive
Unconfortable
User needs to type OTP
SMS way:
Not anonymous
Tied to SIM
SIM Swapping attacks
GSM Attacks
User needs to type OTP
Roaming services
Matrix
Finite
Trojans ask for it
Usually on wallet
User needs to type OTP

18. What a hacker does?
A hacker provides because…

19. {Love Always Takes Care & Humility}
L A T C H

20. Latch
Server
1.- Generate
pairing code
2.- Temporary
Pariring token
User Settings:
Login: XXXX
Pass: YYYY
Latch:
4.-AppID+Temp pairing Token
5.- OK+Unique Latch
6.-ID Latch
appears in app
ULatch
Latch Security “Way”

21. Latch
Server
Users DB:
Login: XXXX
Pass: YYYY
Latch: Latch1
1.- Client sends
Login/password
Login Page:
Login:AAAA
Pass:BBBB
3.- asks about Latch1 status
4.- Latch 1 is OFF
5.- Login Error
6.- Someone try to get
Access to Latch 1 id.
2.- Check user/pass
Latch Security “Way”

22. Cares & Humility
• No users. No passwords. No personal data.
No trace.
• If anyone try to get access -> Can´t +
Warning
• if anyone access when open -> Warning
• if anyone try to unpair -> Latch + Warning

23. Latch Periodic Table

24. Cooking

25. A PHP Recipe

26. User1
Pass1
4-eyes verification
Login: User2
Pass: Pass2
Latch:
Latch2
Login: User1
Pass: Pass1
Latch:
Latch1

27. 2 Keys Activation
Asset
Latch:
Latch1
Latch: Latch
2
User1
Pass1

28. Login: User
Pass: Pass
Latch: Latch
User
Pass
Access Control

29. Double Supervision
Why?
Answer
OTP
Login: User
Pass: Pass
Latch: Latch
Op1:Unlock
Op2: OTP
User
Pass

30. Latch Plugin Contest

31. Mooooney

33. Latch Talks

34. See you in Codemotion 2015:
The end of the Trilogy
“Love After Death”