{Love Always Takes Care & Humility}

Chema Alonso

@chemaalonso

chema@11paths.com

Hacker & Developer

Worried About Security

She thinks security is “do the things

right”Creating a Strong Password:

Variety – Don’t use the same password on all the sites you visit. Don’t use a word

from the dictionary.

Length – Select strong passwords that can’t easily be guessed with 10 or more

characters.

Think of a meaningful phrase, song or quote and turn it into a complex password

using the first letter of each word.

Complexity – Randomly add capital letters, punctuation or symbols. Substitute

numbers for letters that look similar (for example, substitute “0” for “o” or “3″ for “E”.

Never give your password to others or write it down.

He doesn´t

Working “common way” is

useless• WireTyping

• Trojans & malware

• Phishing

• Shoulder Surfing

• Insiders

• Server-Side bugs

– Heartbleed, ShellShock, Schannel, PHP CGI, ….

• Client-Side bugs

• Enemies everywhere...

P@sswords, P@sswords,

Dam’t!!

P@sswords, P@sswords,

Dam’t!!

P@sswords, P@sswords,

Dam’t!!

We need to apply Science on “new”

way• 99 % of purity

• Good for all users

• Not past errors

• Second Factor Auth

• Side-Channel

• Stealth

She doesn´t like “new” ways to

security

• 2FA with OTP on

SMS

• RSA Hardware

Tokens

• Matrix of numbers

• G Authenticator-

Likes

• Biometry

• Etc….

She Complaints

G-Authenticator-likesNot stolen-passwords adviseUser needs to type OTP

BiometryLost once / Lost foreverWho has my biometry?iOS Case

RSA Hardware TokensExpensiveUnconfortableUser needs to type OTP

SMS way:Not anonymousTied to SIMSIM Swapping attacksGSM AttacksUser needs to type OTPRoaming services

MatrixFiniteTrojans ask for itUsually on walletUser needs to type OTP

What a hacker does?

A hacker provides because…

{Love Always Takes Care & Humility}

L A T C H

LatchServer

1.- Generate pairing code

2.- TemporaryPariring token

User Settings:Login: XXXXPass: YYYYLatch:

4.-AppID+Temp pairing Token

5.- OK+Unique Latch

6.-ID Latchappears in app

ULatch

Latch Security “Way”

LatchServer

Users DB:Login: XXXXPass: YYYY

Latch: Latch1

Login Page:

Login:AAAAPass:BBBB

1.- Client sendsLogin/password

3.- asks about Latch1 status

4.- Latch 1 is OFF

5.- Login Error

6.- Someone try to getAccess to Latch 1 id.

2.- Check user/pass

Latch Security “Way”

Cares & Humility

• No users. No passwords. No personal data. No trace.

• If anyone try to get access -> Can´t + Warning

• if anyone access when open -> Warning

• if anyone try to unpair -> Latch + Warning

Latch Periodic Table

Cooking

A PHP Recipe

User1Pass1

Login: User2Pass: Pass2

Latch: Latch2

Login: User1Pass: Pass1

Latch: Latch1

4-eyes verification

AssetLatch: Latch1

Latch: Latch 2

2 Keys Activation

User1Pass1

UserPass

Login: UserPass: Pass

Latch: Latch

Access Control

Why?

Answer

OTP

Double Supervision

Login: User

Pass: Pass

Latch: Latch

Op1:Unlock

Op2: OTP

User

Pass

Latch Plugin Contest

Mooooney

Latch Talks

See you in Codemotion 2015:

The end of the Trilogy

“Love After Death”