Passwords are old, Let's use WebAuthn

About Me

Md. Shahbaz Alam

CTO, Alfaaz Lingua

Full Stack Developer

Auth0 Ambassador

Mozilla Representative

GDG Ranchi Organizer

@mdsbzalam

Agenda

1. Passwords

2. Auth0 as Authentication Tool

3. WebAuthn

PASSWORDS

Passwords should be like Joey

WHAT'S A PASSWORD?

ANYTHING THAT'S A SHARED SECRET!

PASSWORD1234

A string

RKYLHWK8@YB&YTI!8UKZH#TY?

A string

CAN BE HARD TO REMEMBER

IF COMPLEX!

A PASSWORD MANAGER CAN HELP!

CAN BE HARD TO GUESS( BY SOMEONE) IF COMPLEX!

BUT DO USE PASSWORD MANAGER SO YOU DON'T FORGET!

1234

A pincode

NOT SO HARD TO GUESS

OFTEN COMBINED WITH THE MAXIMUM ALLOWED NUMBER OF ATTEMPTS!

FAIRLY EASY TO REMEMBER

USUALLY USED ONLY WITH ACCESS TO A PHYSICAL THING

(CARDS, PHONES, KEYPADS, ...)

A pattern

Passwordless ✨

ONE TIME PASSWORDS

Valid for one-time use

Often expire after a certain time

Sent directly to the user

SENT IN SMS

iOS and Android let you fill in the OTP with the press of a button

NOT ALL TELECOM OPERATORS TAKE SECURITY SERIOUS, SMS MESSAGES CAN BE INTERCEBTED

You need your cellphone on hand

SENT IN AN EMAIL

You don't need a second device

EMAILS CAN BE INTERCEPTED

AUTHENTICATOR APP

SOCIAL

ONE LESS PASSWORD TO REMEMBER

ONLY GIVE PASSWORDS TO A SERVICE YOU TRUST

YOU RELY ON ANOTHER SERVICE FOR YOUR AUTHENTICATION

OFTEN USED AS A SECOND FACTOR

SO HOW'S YOUR PASSWORD SHOULD BE?

LIKE JOEY

SO DON'T SHARE IT WITH ANYONE

LIKE JOEY

USE UPPERCASE AND LOWERCASE CHARACTER

LIKE THIS?

KXnCTowPLjkTIwQ

LIKE JOEY

Joey doesn't know French, he makes it up,

So, make your Passwords randomly

LIKE JOEY

Joey has One Chandler

Your Password should only be used on one account.

Tips for a good password

Use a complex password
Don’t use personal data
Don’t reuse passwords
Change passwords frequently

xkcd: Password Strength

So how about this?

DrTdMeToEtAeBtILePe

Easy to remember!

DrTdMeToEtAeBtILePe

Doctor told be to eat Apple but I like Pineapple

AUTH0

auth0.com

Why choose this approach?

> Single Sign-On

> Enterprise Connections

> Passwordless email and SMS

> Multi-factor Authentication

> Brute Force Protection

> Breached Password detection

WEB AUTHENTICATION API 🤩

WEBAUTHN 🤩

KEY BASE AUTHENTICATION

HARDWARE AUTHENTICATION

HOW DOES IT WORK

webauthn.me

Resources

Auth0

https://auth0.com

WebAuthn

https://webauthn.me

xkcd Password Strength

https://xkcd.com/936/

Connect with me

Facebook

facebook.com/mdsbzalam

Twitter

@mdsbzalam

Instagram

@mdsbzalam

https://in.linkedin.com/in/mdsbzalam

E-mail

mdsbzalam@gmail.com

@mdsbzalam

Slide

https://slides.com/mdsbzalam/wizathon19

@mdsbzalam

Thank you

@mdsbzalam

Passwords are old, Let's use WebAuthn

By Mohammad Shahbaz Alam

Passwords are old, Let's use WebAuthn

1,008

Mohammad Shahbaz Alam

Full Stack Developer, Developer Advocate @ Magic Labs, GDG-Ranchi Organizer, and Mozilla Representative. Loves speaking on Serverless, Authentication & Authorization, Security, Web Extensions and VR at meet-ups and conferences.

Passwords are old, Let's use WebAuthn

About Me

Md. Shahbaz Alam

Agenda

PASSWORDS

Passwords should be like Joey

WHAT'S A PASSWORD?

ANYTHING THAT'S A SHARED SECRET!

PASSWORD1234

A string

RKYLHWK8@YB&YTI!8UKZH#TY?

A string

CAN BE HARD TO REMEMBER

IF COMPLEX!

A PASSWORD MANAGER CAN HELP!

CAN BE HARD TO GUESS( BY SOMEONE) IF COMPLEX!

BUT DO USE PASSWORD MANAGER SO YOU DON'T FORGET!

1234

A pincode

NOT SO HARD TO GUESS

OFTEN COMBINED WITH THE MAXIMUM ALLOWED NUMBER OF ATTEMPTS!

FAIRLY EASY TO REMEMBER

USUALLY USED ONLY WITH ACCESS TO A PHYSICAL THING

(CARDS, PHONES, KEYPADS, ...)

A pattern

A pattern

Passwordless ✨

ONE TIME PASSWORDS

Valid for one-time use

Often expire after a certain time

Sent directly to the user

SENT IN SMS

iOS and Android let you fill in the OTP with the press of a button

NOT ALL TELECOM OPERATORS TAKE SECURITY SERIOUS, SMS MESSAGES CAN BE INTERCEBTED

You need your cellphone on hand

SENT IN AN EMAIL

You don't need a second device

EMAILS CAN BE INTERCEPTED

AUTHENTICATOR APP

SOCIAL

ONE LESS PASSWORD TO REMEMBER

ONLY GIVE PASSWORDS TO A SERVICE YOU TRUST

YOU RELY ON ANOTHER SERVICE FOR YOUR AUTHENTICATION

OFTEN USED AS A SECOND FACTOR

SO HOW'S YOUR PASSWORD SHOULD BE?

LIKE JOEY

LIKE JOEY

SO DON'T SHARE IT WITH ANYONE

LIKE JOEY

LIKE JOEY

USE UPPERCASE AND LOWERCASE CHARACTER

LIKE THIS?

KXnCTowPLjkTIwQ

LIKE JOEY

Joey doesn't know French, he makes it up,

So, make your Passwords randomly

LIKE JOEY

Joey has One Chandler

Your Password should only be used on one account.

Tips for a good password

Use a complex password

Don’t use personal data

Don’t reuse passwords

Change passwords frequently

xkcd: Password Strength

So how about this?

DrTdMeToEtAeBtILePe

Easy to remember!

DrTdMeToEtAeBtILePe

Doctor told be to eat Apple but I like Pineapple

AUTH0

Why choose this approach?

> Single Sign-On

> Enterprise Connections

> Passwordless email and SMS

> Multi-factor Authentication

> Brute Force Protection

> Breached Password detection

WEB AUTHENTICATION API 🤩

WEBAUTHN 🤩