The future is brighter without passwords
and phishing
Yuriy Ackermann
FIDO, Authentication and Security specialist
twitter/github: @herrjemand
yuriy@webauthn.global
Enter today
Everyone authenticates like this
Type this
Maybe this
Logged in
The problem
Users hate it, phishers love it
Users reuse passwords
OTP is really easy to phish (DNC hack 2016)
UX is terrible
Solution: FIDO2/Webauthn
Let's kill passwords and OTP in one shot
Username
Logged in
Biometrics or pin
How it works: simple
cc: FIDO Alliance
How it works: hard
What is authenticator?
Security keys
Built-in platform authrs
Currently Window 10 and Android > 7
So what is in the end?
- No password - no phishing
- No password - no leaking
- User owns his PII
- Better UX
- If you into passwords, you can still use them but they never leave the device. No passwords over the internet
- Biometrics never leaves the device. cc: FIDO privacy principles
Success stories
- Google: Security Keys Neutralized Employee Phishing - https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/