You still use the password after all Exploring FIDO2 Security Keys - PowerPoint PPT Presentation

Dec 10, 2023 •457 likes •571 views

You still use the password after all Exploring FIDO2 Security Keys in a Small Company Florian M. Farke, Lennart Lorenz, Theodor Schnitzler, Philipp Markert, and Markus Drmuth Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020)

“You still use the password after all” Exploring FIDO2 Security Keys in a Small Company Florian M. Farke, Lennart Lorenz, Theodor Schnitzler, Philipp Markert, and Markus Dürmuth Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020)
WEB AUTHENTICATION VIA PASSWORDS Webserver Username + Password
PHISHING OF PASSWORDS Attacker Username + Password Phishing Identity Theft
FIDO2 → REPLACING PASSWORDS Webserver Phishing FIDO2 Authenticator
FIDO2 “ PASSWORDLESS ” SETUP Authenticator Client Relying Party User Presence / Verification
Implementation Study Environment Software company • Life sciences sector • STUDY Participants 8 employees • Optional FIDO2 login Sales, developers, managers • •
STUDY PROTOCOL Interview 4 Weeks Workshop
SECURITY AND PURPOSE “It’s more secure because no password needs to be transmitted, the key is used [...] to sign in.” – P6 “It is okay [to use the key] for stuff like online banking [...] not for Facebook or email” – P6
ADOPTION BARRIERS “Well, if I forget or loose it, I couldn’t get into my account” – P3 “I just entered the password because I am used to it.” – P7
AUTHENTICATION TIMINGS Security key Browser auto-fill Manual logins 0 10 20 30 40 50 Time (s)
CONTACT Florian Farke Mobile Security Group Ruhr University Bochum florian.farke@rub.de

Recommend

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com What is Team Password Manager - Password manager for groups and projects - Uses projects to group passwords - Secure, fine grained password sharing -

712 views • 9 slides

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force Attack - tries every possible character combination as a password. To recover a single-letter password would require up to 26 combinations. A

415 views • 8 slides

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo Krawczyk (IBM Research) Works with Stanislaw Jarecki, Jiayu Xu (UC Irvine) Aggelos Kiayas (U Edinburgh) Nitesh Saxena, Maliheh Shirvanian (UA Birmingham)

750 views • 32 slides

Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

LastPass, a Password Manager Application CS 88S Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring 2017 Agenda Review last weeks material Some Definitions Password in the Cloud

584 views • 47 slides

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your Master Key When you forget a password, they send a reset link to your email. Anyone with access to your email has the power to reset your other

549 views • 31 slides

Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked Can detect, reject bad passwords for an appropriate definition of bad Discriminate on per-user, per-site basis Needs to do

363 views • 21 slides

Day 3 If you are still using the default password that was assigned when your account was

Day 3 If you are still using the default password that was assigned when your account was created, CHANGE IT NOW! (It can be the same as your email password.) Day 3 Steps in compiling: (Optional preprocessing) Lexical analysis

483 views • 17 slides

Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick Gage Kelley, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor,

1.88k views • 85 slides

Open source password manager for teams 80% of security incidents are due to poor password

Open source password manager for teams 80% of security incidents are due to poor password management policies. ~ Trustwave Each year, over 125 millions hours of productivity are lost due to passwords management problematics. ~

950 views • 25 slides

1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm

11/17/09 1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm pretty sure it doesn't work. 3 3 11/17/09 - basic outline -problems with password usability and security -how various graphical

1.55k views • 86 slides

PASSWORD STRENGTH ANALYSIS COPING MECHANISMS IN PASSWORD SELECTION Brian Curnett and Teri Flory

PASSWORD STRENGTH ANALYSIS COPING MECHANISMS IN PASSWORD SELECTION Brian Curnett and Teri Flory Masters Students The Center for Education and Research in Information Assurance and Security CURRENT STATUS Problem Statement Stringent

286 views • 15 slides

A Large-scale Analysis of the Mnemonic Password Advice Johannes Kiesel , Benno Stein, Stefan Lucks

A Large-scale Analysis of the Mnemonic Password Advice Johannes Kiesel , Benno Stein, Stefan Lucks Bauhaus-Universitt Weimar www.webis.de NDSS 2017, February 27 th 2017 Mnemonic Password Creation Password: Show password Random

684 views • 17 slides

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is weak authentication mechanism. Use Brute Force to find the password. We are using Hashing and Salt to protect the password. Passwords: Two factors

559 views • 51 slides

The Password Doesnt Fall Far: How Service Influences Password Choice Miranda Wei, The

The Password Doesnt Fall Far: How Service Influences Password Choice Miranda Wei, The University of Chicago Maximilian Golla, Ruhr University Bochum Blase Ur, The University of Chicago Baltimore, USA | August 12, 2018

474 views • 25 slides

Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password Validate password strength Store salted hash of the password Authentication User sends username/password Retrieve the stored salted

359 views • 20 slides

Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton

Investigating the Distribution of Password Choices David Malone and Kevin Maher, Hamilton Institute, NUI Maynooth. 19 April 2012 How to Guess a Password? Passwords are everywhere. If you dont know the password, can you guess it? 1. Make a

420 views • 18 slides

Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research

Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research Zurich based on joint work with Jan Camenisch, Anna Lysyanskaya & Gregory Neven ROADMAP Password-Based Authentication How to make password

1.43k views • 43 slides

[keystone_authtoken] auth_uri = http:// admin_password = PASSWORD [api_database]

[keystone_authtoken] auth_uri = http:// admin_password = PASSWORD [api_database] Connection = mysql://USER:PASSWORD@HOST/TABLE !{SECRET: container_ref : key_name } !{ENV: env_var }

430 views • 16 slides

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David

319 views • 14 slides

Practical Password Recovery on an Practical Password Recovery on an MD5 Challenge/Response such

Practical Password Recovery on an Practical Password Recovery on an MD5 Challenge/Response such as MD5 Challenge/Response such as APOP * APOP * Yu Sasaki ( The University of Electro-Communications ) Go Yamamoto (NTT) Kazumaro Aoki (NTT)

436 views • 8 slides

Set-UID Privileged Programs Need for Privileged Programs Password Dilemma Permissions of

Set-UID Privileged Programs Need for Privileged Programs Password Dilemma Permissions of /etc/shadow File: How would normal users change their password? Two-Tier Approach Implementing fine-grained access control in operating

576 views • 31 slides

return password return hash( password ) return hash( password, salt )

return password return hash( password ) return hash( password, salt ) return hash( password, salt, cost ) b83546b4 V[i] = H( V[i-1] ), i=0..N-1 b83546b4 b2e2a2f5 V[i] = H( V[i-1] ),

503 views • 47 slides

IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based

IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based Authenticated Key Exchange Authenticated Key Exchange Dario Catalano David Pointcheval Password-based CNRS-ENS France Authenticated Key

291 views • 5 slides

Tuesday, 1 September If you are still using the default password that was assigned when

Tuesday, 1 September If you are still using the default password that was assigned when your account was created, CHANGE IT NOW! (It can be the same as your email password.) Tuesday, 1 September REMINDER: Department coffee/tea this

821 views • 25 slides