1 of 20

Authentication at Google: Beyond Passwords and Towards Devices

Dirk Balfanz

Cloud Identity Summit · June 2015 · San Diego

2 of 20

Bearer Tokens vs. attacks: Phishing, Password Sharing, Network Attacks, Client Compromise, Server Compromise

Passwords: ! ! ! ! !   (exposed to all five)

Cookies: ! ! !   (exposed to three of the five)


4 of 20

Crypto to the Rescue!

Figure labels: Password, Password; Password Reuse, Phishing, Interception

5 of 20

Crypto to the Rescue!

Figure labels: Test of User Presence, Public-Key Crypto; Password Reuse, Phishing, Interception

6 of 20

Interlude: Smart Lock

7 of 20

Smart Lock for Android

Wearable

Trusted Devices

Location

Trusted Voice

On-Body Detection

8 of 20

Smart Lock for Chromebook

9 of 20

Crypto to the Rescue!

Figure labels: Password Reuse, Phishing, Interception

10 of 20

Crypto-Based Logins

11 of 20

Crypto-Based Logins


12 of 20

Crypto-Based Logins: Coming Up

Necessary first step: separate username & password input during login!


13 of 20

Crypto-Based Logins: Coming Up


Use help of carrier: Mobile OpenID Connect (unsolved issues: trust in carriers, something-you-know/are as a 2nd factor)

14 of 20

You can help!

15 of 20

Use this pattern.

Figure labels: Test of User Presence, Public-Key Crypto
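
The pattern on this slide, a test of user presence gating a public-key signature over a per-site challenge, as an added worked example. This is not Google's or FIDO's code; it is a simplified model written for this page. Everything in it is assumed: the origins https://accounts.example.com and the look-alike https://accounts-example.com are constructed, the user-presence test is a Go closure standing in for a button touch, screen unlock or biometric, and the names Authenticator, RelyingParty, Assertion and Scenarios are the example's own. Scenarios runs one legitimate login and three of the attacks from the bearer-token table (interception/replay, phishing, client compromise) and returns why each is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator is the device: one key pair per origin, plus a user-presence test.
type Authenticator struct {
	keys        map[string]*ecdsa.PrivateKey
	userPresent func() bool // assumed hook: button touch, screen unlock or biometric
}

// Register mints a fresh P-256 key for origin; only the public half leaves the device.
func (a *Authenticator) Register(origin string) *ecdsa.PublicKey {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader never fails
	a.keys[origin] = key
	return &key.PublicKey
}

// Assertion replaces a bearer secret: it is valid only for this origin and challenge.
type Assertion struct {
	Origin               string
	Challenge, Signature []byte
}

// digest binds origin and challenge into the bytes that get signed.
func digest(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return h[:]
}

// Sign runs the user-presence test, then signs with the key for the origin the browser reports.
func (a *Authenticator) Sign(origin string, challenge []byte) (*Assertion, error) {
	if !a.userPresent() {
		return nil, fmt.Errorf("user presence not confirmed")
	}
	key := a.keys[origin]
	if key == nil {
		return nil, fmt.Errorf("no credential registered for %s", origin)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(origin, challenge))
	return &Assertion{origin, challenge, sig}, err
}

// RelyingParty is the web site: enrolled public keys plus single-use challenges.
type RelyingParty struct {
	Origin  string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string]string // user -> outstanding challenge
}

// Challenge issues a fresh random nonce, consumed by the next Verify for that user.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // never fails
	rp.pending[user] = string(c)
	return c
}

// Verify rejects replays (challenge consumed), phishing (origin mismatch) and wrong-key signatures.
func (rp *RelyingParty) Verify(user string, a *Assertion) error {
	chal, ok := rp.pending[user]
	delete(rp.pending, user) // single use, whether or not this attempt succeeds
	if !ok || chal != string(a.Challenge) {
		return fmt.Errorf("unknown or already-used challenge")
	}
	if a.Origin != rp.Origin {
		return fmt.Errorf("assertion for %s presented to %s", a.Origin, rp.Origin)
	}
	if pub := rp.pubKeys[user]; pub == nil || !ecdsa.VerifyASN1(pub, digest(a.Origin, a.Challenge), a.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Scenarios runs one legitimate login and three attacks; a nil error means the login was accepted.
func Scenarios() map[string]error {
	site := &RelyingParty{"https://accounts.example.com", map[string]*ecdsa.PublicKey{}, map[string]string{}}
	present := true
	dev := &Authenticator{map[string]*ecdsa.PrivateKey{}, func() bool { return present }}
	site.pubKeys["alice"] = dev.Register(site.Origin)
	dev.Register("https://accounts-example.com") // constructed look-alike site the user also joined
	a, _ := dev.Sign(site.Origin, site.Challenge("alice"))
	out := map[string]error{"legitimate": site.Verify("alice", a)}
	// Interception: the captured assertion is replayed later.
	out["replay"] = site.Verify("alice", a)
	// Phishing: the look-alike site relays the real challenge, but the browser hands the
	// authenticator the look-alike origin, so the wrong key signs the wrong origin.
	relayed, _ := dev.Sign("https://accounts-example.com", site.Challenge("alice"))
	out["phishing"] = site.Verify("alice", relayed)
	// Client compromise: malware requests a signature while nobody is at the device.
	present = false
	_, err := dev.Sign(site.Origin, site.Challenge("alice"))
	out["no-user-presence"] = err
	return out
}
```

There is no main on purpose: Scenarios() returns the four outcomes, so a test or a two-line main that ranges over the map and prints each error shows them. The two properties to notice are that the authenticator signs the origin the browser reports rather than the site that produced the challenge, which is what defeats the relayed-challenge phish, and that the relying party consumes each challenge on first use, which is what makes an intercepted assertion worthless.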

16 of 20

FIDO-enable your web site.

17 of 20

Don’t ask for passwords.

18 of 20

Bind cryptographic keys to biometrics or screen locks.

19 of 20


If you’re an MNO: Help us solve this use case!

20 of 20

Thanks!
