14,717,618,286
Leaked Credentials
Since 2013
@kukicado
Only 4%
Secure Breaches
meaning data was useless
@kukicado
Passwords Have Failed
3 Alternatives to Authenticating Users
Ado Kukic
Developer Evangelist
Auth0
@kukicado
Traditional password-based authentication is antiquated from a user experience, business efficiency, and security point of view
@kukicado
The Password Problem
@kukicado
User Experience
- Average LastPass user has 191 passwords in their vault
- Password requirements widely vary from site to site
- 23% of users admit to having only one password
@kukicado
State of Nevada
Department of Motor Vehicles
@kukicado
Password Do's and Don'ts
- Minimum 8 characters
- All special characters ok
- Prevent common passwords
@kukicado
- No composition rules
- Knowledge based authentication
- Don't expire passwords
Do
Don't
Business Efficiency
- Technology acquisition and maintenance
- Support / Help Desk
- Preventative measures
@kukicado
Hurting Your Bottom Line
- Gartner Group
20% - 50% of all help desk support calls
- Forrester Research
Average password reset costs ~$70
@kukicado
Security Implications
- Security best practices
- Hardware / software vulnerabilities
- Social engineering
@kukicado
It's been
@kukicado
since the last data breach
3 Days
@kukicado
Stolen passwords account for
@kukicado
of breaches
81%
Password Based Attacks
- Key logging
- Brute Force
- Credential Stuffing
- Social Engineering
@kukicado
Password+
- Anomaly Detection
- Breached Password Detection
- Multi-factor Authentication
- Credential Managers
@kukicado
Alternative #1
Social Connections
@kukicado
Authenticate using existing accounts from an OAuth and OpenID Connect compatible provider.
@kukicado
How It Works
@kukicado
How It Works
@kukicado
/callback?code={123}
{ tokens }
{ sid 123 }
Authorization Code Flow
@kukicado
{ html }
Authenticated
@kukicado
Pros
- One click sign-up
- Capture better data about the user
- Delegate account verification to third-party
@kukicado
Cons
- User may not be using the social provider
- Reliance on third-party for authentication
- Account linking and additional maintenance required
@kukicado
Is Social Login For Me?
- 86% of users report being bothered by having to create a new account
- 88% of users will enter incomplete or false information on registration forms
- 92% of users will leave a website instead of resetting their password
@kukicado
Alternative #2
Passwordless
@kukicado
Authenticate users with a uniquely generated one-time code or magic link.
@kukicado
How It Works
@kukicado
How It Works
@kukicado
Pros
- No password to set, manage, or remember
- Reduced maintenance costs
- Better security against data breaches
@kukicado
Cons
- Requires access to email or SMS
- Reliance on availability of third party services
- Security implications of using email/phone as unique identifier
@kukicado
Passwordless in the wild
@kukicado
Alternative #3
WebAuthn
@kukicado
Authenticate users with public-key cryptography with phishing protections.
@kukicado
How It Works
@kukicado
How It Works
@kukicado
How It Works
@kukicado
Code Sample (Register)
navigator.credentials
.create({
publicKey: {
challenge: base64url.decode("<%= challenge %>"),
rp: {
name: "Awesome Corp" // sample relying party
},
user: {
id: base64url.decode("<%= id %>"),
name: "<%= name %>",
displayName: "<%= displayName %>"
},
authenticatorSelection: { userVerification: "preferred" },
attestation: "direct",
pubKeyCredParams: [
{
type: "public-key",
alg: -7 // "ES256" IANA COSE Algorithms registry
}
]
}
})
.then(res => {
var json = publicKeyCredentialToJSON(res);
post("/webauthn/register", {
state: "<%= state %>",
provider: "<%= provider %>",
res: JSON.stringify(json)
});
})
.catch(console.error);
Code Sample (Authenticate)
navigator.credentials
.get({
publicKey: {
challenge: base64url.decode("<%= challenge %>"),
allowCredentials: [
{
id: base64url.decode("<%= id %>"),
type: "public-key"
}
],
timeout: 15000,
authenticatorSelection: { userVerification: "preferred" }
}
})
.then(res => {
var json = publicKeyCredentialToJSON(res);
// Send data to relying party's servers
post("/webauthn/authenticate", {
state: "<%= state %>",
provider: "<%= provider %>",
res: JSON.stringify(json)
});
})
.catch(err => {
alert("Invalid FIDO device");
});
@kukicado
Pros
- No password to set, manage, or remember
- Built on open standards for interoperability
- Relies of public-key cryptography and not the user
@kukicado
Cons
- Account recovery is limited and difficult
- Not widely supported, especially legacy systems
- Physical keys can be stolen
@kukicado
WebAuthn Use Cases
- DropBox has enabled WebAuthn as a 2nd factor
- W3C Recommendation published March 4, 2019
- Lots of demos and SDKs in the works
https://webauthn.me
@kukicado
Summary
@kukicado
Traditional password based authentication is antiquated and insecure
There are 3 viable alternatives to password based authentication
No system is flawless, consider your specific use case before making the switch
Resources
@kukicado
WebAuthn Demo
https://webauthn.me
Passwordless
https://auth0.com/passwordless
Learn Identity
https://auth0.com/docs/videos/learn-identity
Talks at MidwestJS
@kukicado
Securing Vue.js with OpenID Connect and OAuth
Bobby Johnson (Room 127)
O-What? An Intro to OAuth For Software Developers.
Joel Lord (Room 235)
Thank You!
@kukicado
http://bit.ly/midwestjs-ado
Passwords Have Failed
By Ado Kukic
Passwords Have Failed
- 890