We are going to kill passwords.

Koen Sandbrink

One Conference 2019

CC-BY-SA Iijjccoo / Wikimedia Commons

Passwords

• 4000 years old

• 4000 ways to fail

CC-BY-SA Robert Lawton / Wikimedia Commons

What is the problem?

• Passwords are breached

• Passwords are phished

• Passwords are guessed

• Passwords are not user-friendly

FIDO Alliance

• Universal Authentication Framework (UAF)

• Universal Second Factor (U2F)

• Client To Authenticator Protocol (CTAP)

• FIDO 2.0 → W3C Web Authentication

How does it work?

Is this going to work?

• Passwords are breached

  • If public keys are leaked, there is no problem

• Passwords are phished

  • WebAuthn authenticates domain; phishing doesn’t work

• Passwords are guessed

  • Stealing private keys is not scalable

• Passwords are not user-friendly

  • Tokens are user-friendly
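
The domain binding behind "WebAuthn authenticates domain", as an added example that is not part of the original slides: a relying-party check in Python of the origin the browser writes into clientDataJSON and of the RP ID hash in the authenticator data. The host names, challenge and sample data are constructed assumptions, and verifying the signature with the stored public key is a separate step that is left out.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "login.example"                    # assumption: constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example"  # assumption: the only origin this server accepts
CHALLENGE = bytes(range(32))               # constructed; a real server issues a fresh random one

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_binding(client_data_json: bytes, auth_data: bytes,
                            expected_challenge: bytes) -> list:
    """Return the names of failed checks; an empty list means the binding holds.
    The signature over auth_data || SHA-256(client_data_json) is not checked here."""
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("type")
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(expected_challenge).encode()):
        errors.append("challenge")          # stale or foreign challenge: replay
    if client.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin")             # browser reported a different site
    if len(auth_data) < 37:
        return errors + ["authenticator data too short"]
    # Layout: 32-byte SHA-256 of the RP ID, 1 flags byte, 4-byte signature counter.
    rp_id_hash, flags, _sign_count = struct.unpack(">32sBI", auth_data[:37])
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        errors.append("rpIdHash")           # key was scoped to another domain
    if not flags & 0x01:
        errors.append("user presence")      # UP flag not set
    return errors

def make_sample(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample shaped like what a browser and authenticator return."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + struct.pack(">I", 7)
    return client, auth

if __name__ == "__main__":
    genuine = make_sample(EXPECTED_ORIGIN, RP_ID, CHALLENGE)
    lookalike = make_sample("https://login-example.test", "login-example.test", CHALLENGE)
    print("genuine:  ", check_assertion_binding(*genuine, CHALLENGE))
    print("lookalike:", check_assertion_binding(*lookalike, CHALLENGE))
```

An assertion produced on a look-alike domain fails both the origin and the RP ID hash check, so relaying it to the real site does not log anyone in.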

Single factor is not that bad anymore

[Figure: scale running from "Less secure" to "More secure"]

Is this perfect?

• Lost tokens

• Weak biometrics

• Weak cryptography

• Wrong user actions

The last three hurdles…

• What are the administration costs?

• Who’s on first?

• Apple says yes?

World domination plan

• Track 1: create demand

• Track 2: create supply

CC-BY-SA Iijjccoo / Wikimedia Commons

koen.sandbrink@ncsc.nl

english.ncsc.nl
