Talk delivered by Chema Alonso at Codemotion 2014 ES (Madrid). It is about passwords, second-factor authentication and second-factor authorization using Latch... with a Breaking Bad touch.
7. She thinks security is “do the things right”
Creating a Strong Password:
Variety – Don’t use the same password on all the sites you visit. Don’t use a word from the dictionary.
Length – Select strong passwords that can’t easily be guessed, with 10 or more characters. Think of a meaningful phrase, song or quote and turn it into a complex password using the first letter of each word.
Complexity – Randomly add capital letters, punctuation or symbols. Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”).
Never give your password to others or write it down.
14. We need to apply Science on the “new” way
• 99 % of purity
• Good for all users
• Not past errors
• Second Factor Auth
• Side-Channel
• Stealth
16. She doesn’t like “new” ways to security
• 2FA with OTP on SMS
• RSA Hardware Tokens
• Matrix of numbers
• G Authenticator-Likes
• Biometry
• Etc….
17. She complains
G-Authenticator-likes
• No stolen-password advice
• User needs to type OTP
Biometry
• Lost once / Lost forever
• Who has my biometry?
• iOS Case
RSA Hardware Tokens
• Expensive
• Uncomfortable
• User needs to type OTP
SMS way:
• Not anonymous
• Tied to SIM
• SIM Swapping attacks
• GSM Attacks
• User needs to type OTP
• Roaming services
Matrix
• Finite
• Trojans ask for it
• Usually on wallet
• User needs to type OTP
21. Latch
Latch Security “Way”
Server (Users DB): Login: XXXX / Pass: YYYY / Latch: Latch1
Login Page: Login: AAAA / Pass: BBBB
1.- Client sends login/password
2.- Check user/pass
3.- Asks about Latch1 status
4.- Latch1 is OFF
5.- Login Error
6.- Someone tried to get access to Latch1 id
22. Cares & Humility
• No users. No passwords. No personal data. No trace.
• If anyone tries to get access -> Can’t + Warning
• If anyone accesses when open -> Warning
• If anyone tries to unpair -> Latch + Warning
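As an added example (not code from the talk or from the Latch product), the following Python model walks through the flow of slide 21 and the properties of slide 22: the service checks the password first, then asks the Latch side about the opaque latch id, and the owner gets a warning on every attempt. Class names, the `authorised` flag on unpair and the notification strings are assumptions; the users DB values (XXXX / YYYY / Latch1) come from the slide.

```python
import hashlib
import hmac

# Latch side (constructed model of slide 21): it stores only opaque latch ids
# and their state, never logins, passwords or personal data (slide 22).
class LatchServer:
    def __init__(self):
        self.state = {}       # latch id -> "ON" (open) or "OFF" (closed)
        self.warnings = []    # notifications the owner's app would receive

    def pair(self, latch_id):
        self.state[latch_id] = "OFF"           # a fresh latch starts closed

    def set_status(self, latch_id, status):   # owner flips the switch in the app
        self.state[latch_id] = status

    def status(self, latch_id):
        # Steps 3-4: the service asks whether the latch is ON or OFF. Either
        # way the owner is told (slide 22): "can't + warning" when closed,
        # "warning" when someone got in while it was open.
        st = self.state[latch_id]
        if st == "OFF":
            self.warnings.append(f"{latch_id}: access attempt while closed")
        else:
            self.warnings.append(f"{latch_id}: access granted while open")
        return st

    def unpair(self, latch_id, authorised):
        # An unpair attempt the owner did not authorise closes the latch and
        # warns, instead of removing the protection (slide 22, last bullet).
        if not authorised:
            self.state[latch_id] = "OFF"
            self.warnings.append(f"{latch_id}: unpair attempt, latched")
            return False
        del self.state[latch_id]
        return True

class Service:
    """The web service: owns the users DB and asks Latch only after the password check."""
    def __init__(self, latch):
        self.latch = latch
        # Users DB from slide 21 (constructed values); password stored as a hash
        self.users = {"XXXX": {"pass": hashlib.sha256(b"YYYY").hexdigest(), "latch": "Latch1"}}
        latch.pair("Latch1")

    def login(self, login, password):
        user = self.users.get(login)
        digest = hashlib.sha256(password.encode()).hexdigest()
        # Step 2: wrong credentials never reach Latch, so a password guesser
        # learns nothing about the latch and triggers no notification.
        if user is None or not hmac.compare_digest(user["pass"], digest):
            return "Login Error"
        # Steps 3-5: correct credentials still fail while the latch is OFF,
        # with the same generic error as a bad password.
        if self.latch.status(user["latch"]) == "OFF":
            return "Login Error"
        return "OK"
```

A real deployment would replace the bare SHA-256 with a slow, salted password hash; the latch logic is unchanged by that.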