Presentation is loading. Please wait.

Presentation is loading. Please wait.

A World Without Passwords

Published byStella Cox Modified over 6 years ago

Similar presentations

Presentation on theme: "A World Without Passwords"— Presentation transcript:

1 A World Without Passwords
Molly Dalton @mollyadalton

2

3

4

5 “People are prone to taking mental shortcuts. “. - Kevin Mitnick
“People are prone to taking mental shortcuts. “ Kevin Mitnick Infamous information stealer Top-notch Information Stealer

6

7

8 Overview of passwordless authentication
contoso.com Client Server User requests to use passwordless login Challenge Sign Challenge with Private Key Signed Challenge Check signature Return Information

9 Let’s make a few things clear
Relying Party Client contoso.com Browser Platform Server Website

10 Gestures ***** Client Authenticator Windows Hello TPM

11 One User One Device One Account One credential

12 molly personal account
Molly’s Device molly work account outlook.com molly personal account Credentials for Molly Outlook personal Outlook work

13 Overview of traditional password authentication
contoso.com Client Server Input password to site Password + Salt Username Hash (Password + Salt) Password Sign-in user Compare with stored hashed password

14 Overview of passwordless authentication
contoso.com Client Server Request information from Server Challenge Sign Challenge with Private Key Signed Challenge Check signature Return Information

15 DEMO

16 Web Authentication API
- makeCredential (registering a user) - getAssertion (authenticating a user)

17 Overview of registering a user
contoso.com User requests to use passwordless login Relying Party Client

18 var webauthnAPI = navigator.authentication;
if(!webauthnAPI){ /*Handle Error*/ }

19 Overview of registering a user
User requests to use passwordless login contoso.com makeCredential call Relying Party Client

20 webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge, options)
.then(function (newCredentialInfo) { /* Send new credential info to server */ }).catch(function (err) { /* No hardware or permission*/ });

21 makeCredential(userAccountInformation, cryptoParams, challenge, options)
var userAccountInformation = { rpDisplayName: “Contoso ”, displayName: “Molly Dalton”, name: id: “ ”, imageURL: };

22 makeCredential(userAccountInformation, cryptoParams, challenge, options)
var cryptoParams = [ { type: "ScopedCred", algorithm: "ES256" }, algorithm: "RS256" } ];

23 makeCredential(userAccountInformation, cryptoParams, challenge, options)
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";

24 makeCredential(userAccountInformation, cryptoParams, challenge, options)
var options = { timeoutSeconds: 300, excludeList: [] // No excludeList };

25 Overview of registering a user
User requests to use passwordless login contoso.com User account information, crypto params, and attestation challenge makeCredential call Relying Party Client

26

27 Overview of generating a credential
Unlock with Fingerprint Authenticator Client Generate key pair Public Key + Credential ID Windows Hello Attestation Statement Private Key TPM

28 Overview of registering a user
User requests to use passwordless login User account information, crypto params, and attestation challenge makeCredential call contoso.com Public key, attestation statement, and credential id Relying Party Client makeCredential promise resolved User is now registered

29 Molly’s Computer bank.com social.com Authenticator medical.com
Public Key for bank.com social.com Authenticator Public Key for social.com Private Key for social.com Private Key for bank.com medical.com Private Key for medical.com Public Key for medical.com

30 Overview of authenticating a user
User requests to be authenticated contoso.com Client Relying Party

31 webauthnAPI.getAssertion(challenge, options)
.then(function (assertion) { /* Send assertion to server for verification*/ }).catch(function (err) { /*No hardware or rejected*/ });

32 getAssertion(challenge, options)
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";

33 getAssertion(challenge, options)
var options = { timeoutSeconds = 300, // 5 minutes allowList: [] };

34 getAssertion(challenge, options)
var cred1 = {     type: "ScopedCred",     id: "ISEhISEhIWhpIHRoZXJlISEhISEhIQo=" }; var cred2 = {     id: "cm9zZXMgYXJlIHJlZCwgdmlvbGV0cyBhcmUgYmx1ZQo="      var options = {                 timeoutSeconds: 300,    allowList: [cred1, cred2];

35 Login using no credentials
Outlook.com allowList: [] Login Here All credentials from Outlook.com

36 Microsoft.com needs your identity
Molly Dalton Microsoft Molly Dalton Microsoft Ok Cancel

37 var userAccountInformation = {
rpDisplayName: “Outlook ”, displayName: “Molly Dalton”, name: id: “ ”, imageURL: };

38 Login using username UserInfo Outlook.com Login with username madMolly
madMolly - Username madMolly “ ” - Credential ID - Public Key Outlook.com Additional Information

39 Overview of authenticating a user
Requests to be authenticated contoso.com sends Challenge down to the authenticator Client getAssertion call Relying Party

40

41 Overview of signing a challenge
Client authenticatorData clientDataHash authenticatorData clientDataHash Private Key Signature

42 Overview of authenticating a user
Requests to be authenticated sends Challenge down to the authenticator contoso.com getAssertion call signs challenge with private key Relying Party Client getAssertion promise resolved

43 UserInfo Relying Party Signature Additional Information
madMolly - Username Signature “ ” - Credential ID - Public Key Additional Information

44 Overview of authenticating a user
Requests to be authenticated sends Challenge down to the authenticator contoso.com getAssertion call signs challenge with private key Relying Party Client getAssertion promise resolved User is authenticated

45 What’s next

46 1. Experimental version now

47 2. Polyfill available

48 3. Build experience with new update

49 4. Read the spec

50 blog.microsoftedge.com

51 status.microsoftedge.com

52 issues.microsoftedge.com

Download ppt "A World Without Passwords"

Similar presentations

Login to Top Hat Email Password Log In Need a Top hat Account – sign up here. I forgot my password You must log in first Display error Messages here.

Login to Top Hat Password Log In Need a Top hat Account – sign up here. I forgot my password You must log in first Display error Messages here.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide

Installation & User Guide
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Forms Authority Database Store Username and Passwords: ASP.NET framework allows you to control access to pages, classes, or methods based on username and.

Forms Authority Database Store Username and Passwords: ASP.NET framework allows you to control access to pages, classes, or methods based on username and.
Not Built On Sand. IT Has Scaled $$$ Technological capabilities: (1971  2013) Clock speed x4700 #transistors x608k Structure size /450 Price: (1980 

Not Built On Sand. IT Has Scaled $$$ Technological capabilities: (1971  2013) Clock speed x4700 #transistors x608k Structure size /450 Price: (1980 
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
ADVANCED CONCEPTS IN GOOGLE CALENDAR Advanced Session By Information Technology Services itservices.uncc.edu.

ADVANCED CONCEPTS IN GOOGLE CALENDAR Advanced Session By Information Technology Services itservices.uncc.edu.
Masud Hasan 03-60-475 Secure Email Project 1. Secure Email It uses Digital Certificate combined with S/MIME capable email clients to digitally sign and.

Masud Hasan Secure Project 1. Secure It uses Digital Certificate combined with S/MIME capable clients to digitally sign and.
Club/Student E-mail Mobile Device Syncing Last updated : 28 May 2014.

Club/Student Mobile Device Syncing Last updated : 28 May 2014.
Digital Certificate Installation & User Guide For Class - 2 Certificates.

Digital Certificate Installation & User Guide For Class - 2 Certificates.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
HTML5 Application Development Fundamentals

HTML5 Application Development Fundamentals
VASP PREPAYMENT SYSTEM Training Module for CLIENTS.

VASP PREPAYMENT SYSTEM Training Module for CLIENTS.
Microsoft Azure Introduction ISYS 512. Microsoft Azure Microsoft Azure is a cloud.

Microsoft Azure Introduction ISYS 512. Microsoft Azure Microsoft Azure is a cloud.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
Paul Andrew. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

Paul Andrew. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

Similar presentations

Ads by Google