We are going to kill passwords.
Koen Sandbrink
One Conference 2019
CC-BY-SA Iijjccoo / Wikimedia Commons
Passwords
• 4000 years old
• 4000 ways to fail
CC-BY-SA Robert Lawton / Wikimedia Commons
What is the problem?
• Passwords are breached
• Passwords are phished
• Passwords are guessed
• Passwords are not user-friendly
FIDO Alliance
• Universal Authentication Framework (UAF)
• Universal Second Factor (U2F)
• Client To Authenticator Protocol (CTAP)
• FIDO 2.0 → W3C Web Authentication
How does it work?
Is this going to work?
• Passwords are breached
  • If public keys are leaked, there is no problem
• Passwords are phished
  • WebAuthn authenticates domain; phishing doesn’t work
• Passwords are guessed
  • Stealing private keys is not scalable
• Passwords are not user-friendly
  • Tokens are user-friendly
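Added example (not from the original slides): the relying-party checks behind "WebAuthn authenticates domain", sketched in Python. The origins, RP ID, challenge and function names are constructed assumptions, and verifying the signature over authenticatorData and the clientDataJSON hash is assumed to happen separately.

```python
import base64, hashlib, hmac, json, struct

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sample_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what a browser and authenticator would return."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": _b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData = rpIdHash (32) | flags (1, bit 0 = user present) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    return client_data, auth_data

def binding_failures(client_data: bytes, auth_data: bytes, *,
                     origin: str, rp_id: str, challenge: bytes) -> list:
    """Return the names of failed binding checks; an empty list means all passed."""
    failed = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if cd.get("origin") != origin:            # origin is written by the browser, not the page
        failed.append("origin")
    raw = cd.get("challenge", "")
    got = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    if not hmac.compare_digest(got, challenge):
        failed.append("challenge")
    want_hash = hashlib.sha256(rp_id.encode()).digest()
    if len(auth_data) < 37 or not hmac.compare_digest(auth_data[:32], want_hash):
        failed.append("rpIdHash")
    elif not auth_data[32] & 0x01:
        failed.append("userPresent")
    return failed

# Constructed values; a real challenge is random and issued per login attempt.
EXPECTED = dict(origin="https://login.example.com", rp_id="example.com",
                challenge=b"\x00" * 32)

def demo():
    genuine = sample_assertion("https://login.example.com", "example.com", EXPECTED["challenge"])
    # A look-alike site relays the real challenge, but the browser reports its own origin.
    phished = sample_assertion("https://login.examp1e.com", "examp1e.com", EXPECTED["challenge"])
    return binding_failures(*genuine, **EXPECTED), binding_failures(*phished, **EXPECTED)

if __name__ == "__main__":
    print(demo())
```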
Single factor is not that bad anymore
[Figure: scale running from "Less secure" to "More secure"]
Is this perfect?
• Lost tokens
• Weak biometrics
• Weak cryptography
• Wrong user actions
The last three hurdles…
• What are the administration costs?
• Who’s on first?
• Apple says yes?
World domination plan
• Track 1: create demand
• Track 2: create supply
english.ncsc.nl