passwords are dead,

long live passwords!

Hi, I'm Alejandro (@a0viedo on social media)

I work on systems

I'm a GDE for the Web platform

I co-organize NodeConf Argentina

this talk is about the web

but first, a recap on passwords

NIST Special Publication 800-63, Appendix A, 2003

“[Passwords] just don’t meet the challenge for anything you really want to secure.”

Bill Gates

“An investigation into users’ considerations towards using password managers”

Fagan, Albayram, Khan and Buck - 2017

More “users” than “non-users” in our sample report higher technical expertise, especially in the area of computer security, which could reflect an actual higher technical proficiency among “users”

enter a new era

FIDO

webauthn

CTAP1

UAF

U2F

Registration

  1. Client requests a challenge for the user
  2. Server sends a challenge
  3. Client uses WebAuthn to get information about the authenticator and sign the challenge
  4. Client sends the result back to the server
  5. Server replies whether it succeeded or not

Login

  1. Client requests a challenge for the user
  2. Server sends a challenge
  3. Client uses WebAuthn to sign the challenge
  4. Client sends the result back to the server
  5. Server replies whether it succeeded or not

demo

enter a new era v2

FIDO2

webauthn

CTAP2

single factor

second factor

multi-factor

w/ or w/o passwords

will this mean it's the end of passwords?

thanks for listening

bit.ly/passwords-are-dead

@a0viedo