
Taking the pain out of passwords and authentication

Speech transcript
Hello everybody, my name is Alex and I'm addicted to passwords. Thank you. It's been [inaudible] since my last login. My addiction started in 1996; since then it's gone from one password to, possibly, ten, to a hundred. I've since lost count. Some days I go through thousands of bits of entropy in a single session. With your help I hope that I can get through this problem. So I won't dwell on
this, we all know it. Everybody, myself included, and I'm certain a lot of you, chooses 123456, the same password I use on my luggage. We reuse them, we write them down, we share them, we inevitably get phished, and we still forget the bloody thing. Equally, from the point of view of the server, passwords are a pain in the ass. The complexity rules just keep getting more Kafkaesque as we progress: there is such a thing as a lower case number, and I'm not sure it's possible to get 3 unique symbols that have to be somewhere, some password requirements want you to do so, and the expiry is 2 weeks, if anybody was wondering. And don't worry, your password is stored securely.
It's getting worse, they're breeding like cockroaches. I'm sure there is somebody in this room that has a password database upwards of 500 or a thousand passwords. Strong passwords are just too complex for the human brain to remember; usable passwords are just too weak to be of any use, and as Moore's law progresses the bar keeps rising. To top it all off, we've now got games consoles, phones, all manner of crazy Internet of Things devices asking for your password, and yes, you still do need to have 3 symbols, mixed case and the digits. I'm part of a fine tradition today, predicting the death of the password: Bill Gates predicted it in 2004, IBM in 2011, Wired magazine predicted the death of the password in 2012, so did Google in 2013, the Wall Street Journal in 2014. I'm sure that there is somebody in the 1970s predicting the death of the password. I'm taking a liberty here, but I think even Winston Churchill understood where we're coming from. The problem is not that passwords are bad, the problem is that
passwords are the least worst option. They're the least common denominator, they work, kind of, everywhere. Compare them to the alternatives. Federated login: people know what it is, but it's fragmented. Was it your Google account, was it your Facebook account, was it your Twitter account, was it your GitHub account, was it your Mozilla OpenID account? It's hard to remember. Passwords are trivial to implement and deploy, they come in the box with Django and various other web frameworks; federated login requires slightly more effort, but it also leaks tracking: every time you log in with your Facebook account to, say, Wine Magazine, Facebook knows, and so does everybody, and so do the advertisers that partner with Facebook. And you can't use a Facebook login to log in to [inaudible]. The distinct advantage federated logins have over passwords is that the act of retaining credentials is somebody else's problem. If we compare passwords to hardware tokens: hardware tokens are still weird, it's just banks and big businesses and enterprises that use them. So why wouldn't I be happy giving a security token to my aunt, my uncle? In addition to that, they're proprietary: if you want to use an RSA SecurID you have to use it with RSA Security software, and you can't substitute another token if RSA Security becomes expensive or unavailable. They're hard to deploy, you have to physically post them out, and hard to revoke because of the post. Software tokens have become a bit more popular in recent years, think of Google Authenticator. They're often also paired with the SMS technique, sending a six-digit PIN via phone call or as a text message. They're cheap, they require a bit of training, and again they're fragmented: there is a standard, and in theory you don't have to use the Google Authenticator application, you can use any application that works with that standard, but it's a bit of a mess. You usually don't need a third party to use such an
application, though some of them do, and they do leak metadata when you log in. Biometrics are familiar, everybody's seen iris scanners and fingerprint readers in the movies, so you don't need to train people how to use them. The problem with biometrics is that that's about the only good thing about them: they're proprietary, they're expensive, they're hard to deploy because nobody has a fingerprint reader unless it's on an iPhone, they're impossible to reissue once cloning comes along, and with the exception of the iOS platform with Touch ID there's almost no support. So what can we do to mitigate this? The first one is you might want to switch out your password generator. I'm sure you're all familiar with a certain xkcd cartoon; I won't mention it by name, but if you'd like to use it and you can't be bothered to code your own, I highly recommend xkcdpass. It's pip installable, comes with a command line tool, and you don't have to give it any special incantations to get a nice, familiar xkcd style password. Studies have shown that this style of passphrase is easier to use than the mixed case, symbols, digits type, and if you need extra entropy just add another word. Similarly, horsephrase is just as usable from the command line; it also has a module that you can import. If you have to use the mixed-case, digits, at least one upper-case style, then you can make that a bit easier to type on phones and games consoles and thermostats. I'd like to try a quick experiment: could you all
get out your phones or tablets and try to type that password. You don't have to type it into a password field, any text editor or note application will do. Raise your hand when you're done. Fantastic. How many times did you have to switch keyboard? Did anybody make it? Yes. So on average, depending on whether it's Android or iOS and different versions, it takes 24 taps and 9 keyboard changes to type that password, and that's a typical randomly generated and considered strong password. Now I'd like to try this variant; raise your hand when you've finished. So yes, a few raised hands, that was easier. OK, so the improvement is to save about 7 taps, and you only have to change the keyboard twice with this variant. This comes from some research done by the US National Institute for Standards and Technology, sorry, that's Institute for Science and Technology, and they find that on average you save a set number of taps and a certain number of keyboard changes by permuting passwords like this. If you'd like to permute your own passwords I've created a Python package for you; you can use it from the command line or in your Python software. That link will take you to a summary of the research. By permuting the password you do lose some entropy; you can typically regain that lost entropy just by adding 1 or 2 characters, and the research summarizes the bits of entropy lost and gained by the permutation and by the extra characters. I hope to be able to get this integrated into KeePass, or provide it as plugins, in the coming months. Now, if you're running a server and you're fed up with your users choosing 12345 yet again, the classical way of combating this is to ask for mixed symbols, digits, never repeating, not containing the username; they're all ad hoc rules. What you really care about is entropy, but it takes some maths to measure entropy, so very few people code it up. Luckily you don't need to, it's been done for you. If you're writing Django and
you'd like to get rid of those annoying rules but still like to encourage users to have strong passwords, then you can use django-zxcvbn-password. That is a mixture of Python and JavaScript; it's based on an underlying package called zxcvbn, and it measures the entropy of the password based on the user name and the current day and a few other signals, and as the user types in a new password it gives them an interactive strength meter. Again there is research that has been done to show that if you provide this interactive feedback it encourages users to pick strong passwords without antagonizing them, without driving them away as much, because of course when somebody's creating an account you don't want to drive them away with repeated validation errors on the new account. If you'd like to use zxcvbn in another framework, then I think the Python Package Index page for this Django package also links to the underlying package that you can use yourself. Another thing you can do to make your users' lives easier is to let them see the password.
We've taken it for granted that we should hide the password while people are typing it in for 30 years now. That made sense when the password field would always appear on an office computer in the middle of a load of cubicles with people passing behind, or on a shared terminal on a mainframe, but those days have passed. More often than not you'll be typing a password on a phone or tablet or laptop and there won't be anybody else around. So why hide it? The safest thing to do, so as to not scare users or make them think that the form is broken or insecure, is to by default still hide the password, but provide a little tick box or a clickable icon so that they can show it. The link below goes to the page from which this screenshot is taken and shows more examples. I'm afraid I don't have a pre-packaged Python solution for this; it is a standard feature of login dialogs in Windows.
Internet Explorer, past some version, has a slightly unusual implementation in that rather than the eye symbol being a toggle, you actually hold your finger down on it on a touch screen, or the mouse button, and it shows as long as it's being clicked on, like a dead man's switch. So this is ongoing usability evolution, and there's a very good chance that browsers will implement it like this by default, but it's not happened yet. So ideally, if this ever becomes a reusable HTML component or some form of HTML5 thing, it should take into account that it could become native. The final mitigation that I'd like to suggest is please, please, please don't disable auto-completion, don't disable password managers. The second example we see there was British Gas, called out quite recently for doing this on Twitter, and thanks to a Twitter mob brandishing pitchforks and torches British Gas will be reconsidering the practice. But unfortunately umpteen banks and city councils, county councils, still think that they shouldn't allow you to save your password, and unfortunately the only way to get them to change is one at a time. So that's more or less all I have to say about passwords. The next thing I want to introduce to you is a new standard, or a new pair of standards, for authentication. They come from a body called the FIDO Alliance, which was set up about a year ago to fix strong authentication. As I said earlier, the problem with all the alternatives to passwords is that they tend to be fragmented, proprietary, unfamiliar and generally unstandardized; the FIDO Alliance's mission is to fix all those things. There are open specifications; if you pay the money they will do certification testing for you and give you a logo trademark that you can use to stamp products, but you don't have to do that. It's based on public key
cryptography. Think of the Wi-Fi Alliance a decade or 15 years ago, when wireless internet was still a weird thing; they are the Wi-Fi Alliance for authentication. The aim of the standards is to allow multiple authentication methods, such as dongles, fingerprint readers, PINs, smart cards, mobile phones, whatever, to all be usable against the same API, and all be usable no matter what the transport, be that USB, Bluetooth, NFC, something we haven't thought of yet: a single browser API no matter what combination of those gets used. And because it's based on public key cryptography, no sensitive data leaves the user's authenticator, there's nothing sensitive on your server to be leaked, there's nothing sensitive in the browser to get nicked. So if, God forbid, your user database gets leaked, the only sensitive information that will get into the wild is things that you've specifically chosen to gather. FIDO standards don't require that you gather an e-mail address; you can still gather an e-mail address, and if, God forbid, your server gets breached, e-mail addresses are the worst thing that will get leaked, rather than password hashes, if it's within the FIDO Alliance standard. It is an industry consortium: the big names are Google, Microsoft, Samsung, PayPal and a host of others, but they're the internet companies that are as fed up with authentication as you are. It's growing, and recently they accepted the first government members, so the
US Government National Institute of Science and Technology has joined, and so has the UK Home Office. There are 2 standards that have been announced by the FIDO Alliance. The first is the Universal Authentication Framework; this is the one that is designed to replace passwords. The second is the Universal 2nd Factor framework; that's the one that's designed to standardize 2-step authentication, so you still have a password under U2F but it doesn't have to be as strong because you've got a second factor; it could just be a PIN if you want. No matter which of those 2 you choose, the way it works is this. The very first time you open an app or visit a website you'll be asked to register, and it can, but doesn't have to, ask for a username and e-mail address. When it comes time to set the secret you would activate your authenticator, be that your mobile phone or your dongle or something else; your authenticator would generate a new private key that pertains only to this pairing, it isn't used for any other. So if you have 2 different websites but you use the same authenticator against them, there's no way for those 2 websites to correlate you, it's just different private keys. The private key is stored in a secure element on the authenticator, and the authenticator sends back to your website a public key and a key handle for use in future authentication sessions.
Once registration is complete the server stores the private key against that user's identifier, username or e-mail address, whatever, and it can be sent back to the authenticator as a challenge next time. Authentication looks almost identical to registration; the only difference is that when the user is asked to activate their authenticator, it uses the key that it previously generated to sign the challenge sent. So, to give you a concrete example with some code: this is a pseudo-code Python web server that's handling the registration for a new U2F device. The library I'm using is an open source BSD-licensed package provided by Yubico; it works with YubiKeys, and it should also work with U2F authenticators from many other vendors. The app ID that you see there is just the domain of our website; it must be HTTPS, you cannot do any FIDO Alliance authentication over an unsecured channel. We
simply generate a challenge, store it in the session against the user's username, and send that challenge to the client. The challenge that gets sent is just a short snippet and it's all base64 encoded, so it's safe to stick anywhere; you don't have to worry too much about binary encoding of it. The challenge that you see at the bottom is just a randomly generated byte string, there's no structure to it, and you can generate as many as you want and throw them away; you don't have to worry about losing them. So that challenge gets sent to the browser, and the simplest way of doing that would be to just put it in a hidden field on your registration form. Within the browser the U2F extension provides a JavaScript API which we call, u2f.register, with the challenge we generated server-side.
That takes a callback that accepts the response generated by the authenticator. So what would happen when this JavaScript gets run: if this little authenticator was plugged into the laptop, the little green light starts flashing. As part of your page you'd show some text saying "please activate your device now"; the user touches the device, which allows the authenticator to respond with a proof of human presence; it generates a new key pair, returns it to this JavaScript, which sticks it in the text field and submits the form. The response, again, is just JSON. The challenge is exactly
what was sent by the server. The client data and registration data are generated by the key, and they are cryptographically attached to the challenge, so if somebody changes the challenge on the wire the client data and registration data will not validate. The app ID also has to match what was sent by the server; if that gets changed, if somebody tries a man-in-the-middle attack, the signatures will fail. It doesn't matter that it's a YubiKey, it just has to be a U2F authenticator. The final
step of registration: server-side we receive the response that was sent by the U2F authenticator, we retrieve the challenge that we generated earlier, and we call u2f.complete_register with both of those. That takes care of all the cryptography, checks the signatures and returns a registration object, which is just a Python dictionary containing the key handle, the public key of the authenticator that was freshly generated, and the app ID that we generated all the way back. We save those 3 things for future authentication.
That's just an example of the registration that is returned when we call the complete_register function. The thing that I'm going to skip over there is the attestation certificate; that is so that you can say "I will only accept signatures from...": if you want to restrict yourself to just YubiKeys, or just Samsung phones, or just some particular brand, you can do. They all contain a manufacturer certificate, or the manufacturer signs that certificate, and there is an online database you can check that attestation certificate against. But for simplicity we're just going to skip over that right now. Authentication is almost identical: on the server we generate a challenge; the difference is that instead of start_register this time you call start_authenticate. Again we save the challenge; the challenge looks like this. The app ID is the same as it was during registration, the challenge is freshly generated at random, and the key handle is what was returned by the authenticator during registration; it's how we identify the key. Again the client receives the challenge,
submits it to the authenticator, the authenticator starts flashing, or if it's doing something else, beeping, so that it can get your attention; the user activates the authenticator and the authenticator then returns a response that can be transmitted back to the server. On this one you just press the gold circle. This doesn't prove it's me, it proves I'm present. So this is a U2F device: the idea of it is that it is the second factor. Obviously this is cryptographically unique, it's got a private key inside that was burned in at the factory, it's tamper evident, that sort of thing, but it's only useful as a second factor, not as a UAF device. A Universal Authentication Framework device would have something biometric in it, so that not only was it proof that I was present, but by the fingerprint or the retina it would prove that it was me. Then you can use it as the sole authentication factor. With this, effectively it's a bearer token: if someone steals it and it was the sole factor, they would have everything they needed to pretend to be me. So the final step of
authentication: like I said, this is a U2F device, this is the second factor. So for login with this, first, as usual, we verify the user's username and password; assuming that's correct we get the associated device that was stored during registration, we then call verify_authenticate, which gives us a counter and a flag as to whether touch was asserted. In the current version of the standard, touch is
always asserted; that will always be true. The point of the counter is that although this device is tamper resistant, there could be a vulnerability of some sort. The counter is an indication of whether this device has been cloned. So if somebody could get in there with a microscope or, I don't know, powerful magnets or an X-ray machine or something, they might be able to clone it. If they did, and we were both using it, there is an internal counter that should always increase, but with the two of them, sometimes you would see a counter returned that's less than the counter that was stored the last time it was used. If that happens it means someone's cloned the device and you need to take some sort of action: it could be sending the user an e-mail, locking the account, it depends on the particular application. Assuming all is correct, you then just store the new counter value against the device and the user is successfully authenticated. This being a second factor, you don't have to use it just at login; you can choose to do it when the user starts a sensitive operation, like transferring 100 thousand dollars to Nairobi; you can ask for additional authentication at any point. So that brings us to the demo, but before I do that, does anybody have questions about the code?

[Question, partly inaudible:] If you have a FIDO authenticator on your mobile and you register with it, do you also need a button to carry on your laptop?

Jumping ahead: in the current version the vast majority of deployed hardware at the moment is just USB, but the standards include transports for Bluetooth Low Energy and NFC, so it would be Bluetooth Low Energy, so you wouldn't have to have two devices. Basically the browser, if it supported that form of U2F, would have to have a Bluetooth stack in it; it would look for local devices, your phone would be listening, it would send a message that says "yes, I'm here, yes, I'm a U2F authenticator"; the browser would then send back "I have these key handles, do you know about any of them"; the phone would say yes, and the phone would go beep beep beep and ask you to authenticate with your fingerprint. OK, it's time for the demo, which
[inaudible exchange while the demo is set up]

So this is the demo application, a Django application called django-two-factor-auth. It currently supports Google Authenticator, TOTP, SMS, phone call, or plain YubiKey; I've extended it to also accept U2F devices. So I'm currently not logged in, and there is a secret page. I'm just going to use the saved password (I thoroughly recommend password managers), and I haven't yet enabled two-factor authentication on this account, so I can view the extra secret page which should require additional verification. So I need to set up two-factor authentication here. I can choose between the different versions; in your own Django application you'd probably offer fewer choices, just to keep things simple. I'm going to go with U2F instead. Sorry, you can't see it, but I do promise that there is a little green blinking LED here. I touch the dongle to prove that I'm present, and so that JavaScript that I showed you earlier, the callback, when it is called just inserts it into the input with that ID. In a real world application you wouldn't have that box; what you show the user is just an animated thing saying "now please activate your device", and the second that they did you'd submit the form. And then that completes registration, and it's asking me for a phone number at this point; this is a standard feature of django-two-factor-auth, and this is just an example, it's not actually wired to Twilio, but in a real application it would be. So that's registered the phone. Yeah, so there we go, this
account is now registered with a second factor and I can view that secret page now, which requires 2 steps for authentication. So let me log in again: username, password, and I can choose whether to use the authenticator or not. I'm going to touch the device. And that's two-factor authentication without having to get a phone out of my pocket and type in the 6 bloody digits.
[inaudible] If you want to see any of the code, the demo, those URLs: I will be uploading the slides, tweeting the URL and posting the URL on the description page of this talk on the EuroPython website. I'm afraid the code that you've just seen running isn't available on PyPI; I still need to convince the maintainers of the upstream projects that my pull requests are worthy. So the browser
support, and this is the bad news: the only thing that supports U2F at the moment is Chrome, but it's Chrome on any platform, which is good, and Chromium and Firefox have both been open to adding support; they just need somebody to do the work, they're not opposed to it or anything. In a few days' time Windows 10 will be released and the new Edge browser will support U2F, and not just USB tokens: that will be biometric devices like fingerprint readers or iris scanners built into laptops that support Windows 10. For the hardware support, the only thing that the browser, singular, supports at the moment is USB; the standard for Bluetooth and NFC was released on the 1st of July, this month, so expect support for more devices in the coming months. In terms of phones that support it, if any of you have a Galaxy S5 or S6 or a Galaxy Note, congratulations, you have a UAF authenticator and you might already be using it to log in to the PayPal application, which supports users with UAF devices. And in Android M Google are making a push for fingerprint authentication; Touch ID has been around on iPhones for far too long, and you will see more phones with fingerprint readers being released in the next few months. Qualcomm are one of the FIDO members and they have hardware support, possibly even ultrasonic fingerprint reading so you can touch anywhere on the glass. If you'd like more information, the specifications
are available, and there's a tutorial that goes into the steps that I showed in a bit more detail, and there is a nice video that gives you a history of the FIDO Alliance and the sales pitch. If you'd like to use any of Yubico's open source libraries, they were until recently GPL but they are all LGPL now after relicensing. You can use U2F with YubiKey tokens, or in theory any other tokens, for SSH login, for PAM, and there are Python bindings, Go bindings, Java bindings, so you don't have to be in a browser to use it; the client application just has to implement the wire protocol, which is standardized. Thank you very much.
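The registration and authentication round trips walked through above (server-generated throwaway challenge, per-site key pair on the authenticator, public key plus key handle stored on the server, signature check on the way back, and the counter that exposes a cloned token) are easier to pin down in code. The block below is an added illustration written for this page; it is not the speaker's demo code and not Yubico's python-u2flib-server. To stay on the Python standard library it uses a toy Schnorr signature over a small fixed group in place of the ECDSA P-256 signatures real U2F uses, the fresh key self-signs its own registration instead of a vendor attestation key signing it (the part the talk skips), and the class and field names (`RelyingParty`, `Authenticator`, `keyHandle`, `touch`, `CloneDetected`) are this example's own, not the library's API. The protocol logic is the point: challenges are single-use and time-limited, the origin must be the server's own HTTPS app ID, the server holds nothing secret, and a counter that fails to advance is treated as evidence of a clone rather than a glitch.

```python
import base64, copy, hashlib, json, secrets, time

# Toy Schnorr signature over a fixed public group: stands in for the ECDSA P-256 of real
# U2F so this runs on the standard library alone. Illustrative only, NOT secure.
P, G = 2**127 - 1, 3

def _digest(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def toy_keypair():
    """Fresh (public, private) pair; a real token generates one per site at registration."""
    private = secrets.randbelow(P - 2) + 1
    return pow(G, private, P), private

def toy_sign(private, m):
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    return r, (k + _digest(r.to_bytes(16, "big") + m) * private) % (P - 1)

def toy_verify(public, m, sig):
    r, s = sig
    return pow(G, s, P) == r * pow(public, _digest(r.to_bytes(16, "big") + m), P) % P

def _canonical(obj):
    """Deterministic bytes so token and server sign and verify exactly the same data."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _random_b64():
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()

class Authenticator:
    """Simulated U2F token: private keys never leave it; one monotonic use counter."""
    def __init__(self):
        self._keys, self.counter = {}, 0

    def register(self, req):
        public, private = toy_keypair()
        handle = _random_b64()                 # opaque handle; the server stores it, not the key
        self._keys[handle] = private
        client = {"challenge": req["challenge"], "origin": req["appId"]}
        reg = {"keyHandle": handle, "publicKey": public}
        # Real U2F signs this with a vendor attestation key; here the new key self-signs.
        return {"clientData": client, "registrationData": reg,
                "signature": toy_sign(private, _canonical([client, reg]))}

    def authenticate(self, req):
        handle = next((h for h in req["keyHandles"] if h in self._keys), None)
        if handle is None:
            raise LookupError("no key handle in this request belongs to this token")
        self.counter += 1                      # bumped on every signature; clone check relies on it
        signed = {"clientData": {"challenge": req["challenge"], "origin": req["appId"]},
                  "keyHandle": handle, "counter": self.counter, "touch": True}
        return {**signed, "signature": toy_sign(self._keys[handle], _canonical(signed))}

class CloneDetected(Exception):
    """Counter did not advance: a second copy of this key handle is in use."""

class RelyingParty:
    """Server side: stores only public keys, key handles and last-seen counters."""
    CHALLENGE_TTL = 120                        # seconds a pending challenge stays usable

    def __init__(self, app_id):
        assert app_id.startswith("https://"), "FIDO requires a secured origin"
        self.app_id, self._pending, self.devices = app_id, {}, {}

    def _issue(self, username):
        challenge = _random_b64()              # random, structureless, throwaway
        self._pending[username] = (challenge, time.monotonic())
        return challenge

    def _consume(self, username, client):
        """One-time use: pop the stored challenge, then require an exact match and our origin."""
        stored, issued = self._pending.pop(username, (None, 0.0))
        if stored is None or time.monotonic() - issued > self.CHALLENGE_TTL:
            raise ValueError("no live challenge for user (expired or already used)")
        if not secrets.compare_digest(stored, client["challenge"]):
            raise ValueError("challenge mismatch")
        if client["origin"] != self.app_id:
            raise ValueError("origin mismatch")

    def start_register(self, username):
        return {"appId": self.app_id, "challenge": self._issue(username)}

    def complete_register(self, username, resp):
        self._consume(username, resp["clientData"])
        reg = resp["registrationData"]
        if not toy_verify(reg["publicKey"], _canonical([resp["clientData"], reg]), resp["signature"]):
            raise ValueError("bad registration signature")
        device = {"keyHandle": reg["keyHandle"], "publicKey": reg["publicKey"], "counter": 0}
        self.devices.setdefault(username, []).append(device)
        return device

    def start_authenticate(self, username):
        handles = [d["keyHandle"] for d in self.devices.get(username, [])]
        if not handles:
            raise LookupError("user has no registered device")
        return {"appId": self.app_id, "challenge": self._issue(username), "keyHandles": handles}

    def verify_authenticate(self, username, resp):
        """Return the new counter or raise; a CloneDetected is an incident, not a retry."""
        self._consume(username, resp["clientData"])
        device = next((d for d in self.devices.get(username, [])
                       if d["keyHandle"] == resp["keyHandle"]), None)
        if device is None:
            raise LookupError("unknown key handle")
        signed = {k: resp[k] for k in ("clientData", "keyHandle", "counter", "touch")}
        if not toy_verify(device["publicKey"], _canonical(signed), resp["signature"]):
            raise ValueError("bad assertion signature")
        if not resp["touch"]:
            raise ValueError("user presence not asserted")
        if resp["counter"] <= device["counter"]:
            raise CloneDetected(f"counter {resp['counter']} <= stored {device['counter']}")
        device["counter"] = resp["counter"]
        return device["counter"]

def demo():
    """Register, authenticate twice, then a hypothetical physical clone of the token is caught."""
    rp, token = RelyingParty("https://example.com"), Authenticator()   # constructed sample
    rp.complete_register("alice", token.register(rp.start_register("alice")))
    first = rp.verify_authenticate("alice", token.authenticate(rp.start_authenticate("alice")))
    clone = copy.deepcopy(token)               # attacker's copy, counter included
    second = rp.verify_authenticate("alice", token.authenticate(rp.start_authenticate("alice")))
    try:
        rp.verify_authenticate("alice", clone.authenticate(rp.start_authenticate("alice")))
        caught = False
    except CloneDetected:
        caught = True
    return first, second, caught                # (1, 2, True)
```

Two design points carry over to a real deployment regardless of library: the challenge is popped from the session before anything else is checked, so a captured response can never be replayed even if a later check fails, and the counter comparison is strict (`<=`), so a clone that has been used exactly as often as the original is still rejected.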
We do have time for questions.

My current impression is that all this only proves that you know that you are willing to authenticate; the super-secret password you enter manually, is this correct?

So there are 2 standards from the FIDO Alliance. With U2F, second-factor authentication, you are proving that you know a secret password and you are proving that you have control of a particular device.

That's understood, but proving that you are willing to authenticate... sorry, could you repeat that? Your willingness to authenticate: is that you type in your secret password, that you have to remember?

I would say that part of the proof that you're willing to authenticate is that you complete authentication; the act of doing it is the indication that you're willing to do it. The second proof that you're willing to authenticate is pressing the button on the YubiKey, the button in the middle of it; as long as that's not pressed nothing happens, this device only responds to the challenge if you click it. But that's why you should use this YubiKey as the second factor; I wouldn't recommend you use U2F as your sole factor. I would recommend that users should use a strong password and then use this as a second factor to increase security, because your password could somehow get leaked. So U2F is not a replacement for passwords; depending on the application you could choose to allow weak passwords, you don't have to. The true promise, at least from my point of
view, of the FIDO Alliance is when the UAF standard comes about, which mandates that the authenticator not only proves that I'm present by pressing a button, but also proves it's me by some form of biometric, or typing in a PIN, or something else. I agree that biometrics are not the greatest thing; they are mitigated in this case because the biometric data doesn't travel, it never leaves the authentication device, just like Touch ID on my phone.

A quick follow-up question: if I understood the standard correctly, it's required that you have a physical device, so you can't have a software authenticator in an application on your PC?

So the specification strongly encourages you to make it a physical device, specifically something that is tamper resistant and has a secure element, but you'd have to do that anyway because you can only connect using USB, well, unless you hack the kernel, and they tend to be a USB device of their own. There is a Chrome extension that is a software U2F authenticator; it has a particular attestation certificate, and when you as the server receive the registration data, that would be evident in the attestation certificate. Nothing in the protocol says it must be a hardware device, the protocol can't enforce that, but the server has access to
metadata services that include the manufacturer signatures of various different devices, so Yubico have signed their certificate, Samsung have signed their certificate, other providers have signed theirs. Any software implementation of an authenticator would have to have a manufacturer ID, it would have to be available in the metadata service, and you could choose to blacklist that, or whitelist only YubiKey devices, when registration occurs.

Thank you, I've never talked to these. What if I lose the device? It sounds quite [inaudible].

So, two parts to that. Any website or application worth its salt that implements two-factor authentication will force you, or will strongly encourage you, to set up some sort of backup method. That would typically be 6-digit codes written down on paper and kept somewhere safe, or "please give us your mobile number and we'll text you messages as backup". django-two-factor-auth lets you do both of these. The other part of it is that if I lose this small black dongle, it's not an iPhone, it hasn't got on-board GPS, it hasn't got an on-board radio, I can't remotely ask it to wipe itself; if you're going to keep all your eggs in one basket, that's a pretty good question, yeah.

Two questions, one of them was really [inaudible]. I'm a bit confused, because you start by saying passwords have issues, and then in the demo the first thing you do is type a password, and then you use the password manager to store it, to basically put your credentials on the computer, and then use a second authentication using your tokens which, while I'm not convinced, I'm not questioning that. But how is this any different from Google Authenticator, in the sense that Google Authenticator is actually convenient because there's a 6-digit number that is changing all the time and synchronized with the
clock somewhere and there true by the memory that does exactly the same job or went on possible to think and and this whole behind the to justify how good this is so I don't see how to the group device will actually of about is better than something which is purely software so Google Authenticator 1 time password standard that is based on how do require that the server stores the sea that generates the 6 numbers every 30 seconds so if there is a certain bridge very secret data in addition to the possible it and with these the service not storing anything secret why find this more convenient than talking in 6 that going to the Google Authenticator rapid talking in the 6 digit number that but it it uh and you have a choice of what you want to use and you can use this is your Google Account by the way is the residue became or as you to if device and if you want a dedicated you to have devised new carrots chief about 15 years sorry I forgot the important question of we set them from 1 very short question and this is a yes-or-no question In the vital state is there any on capability to rest passwords this is the the case where someone is putting a gun to my head and I need to log into my banque but I want to indicate my bank I want to be able to successfully login but also indicate that I have begun to my so it's a 2nd password that also works indicates the bad conditions so in the case of you who have your duress cost would be would be you type that in it's the 1st factor I guess that wouldn't be part of the new to that would be codified exchange in terms of you may ask I haven't
seen any reference to that the only this is speculation now the only way I can think of doing it would be if you tactile device that of the normal authentication if you press and hold it does the rest but I I don't know if this could be the programs do that
I I don't know if there's anything in the fighter standards for be the unit that you thank
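The last two questions contrast Google Authenticator (TOTP) with a U2F token, and the speaker's answer turns on what the server has to store. The following is an added example, not code from the talk, from Yubico, or from any FIDO library, that implements both verifications the way a relying party would: a TOTP check that needs the shared seed, and a U2F check that needs only the registered public key, key handle and counter, and that enforces the user-presence bit and a strictly increasing counter. The P-256 ECDSA is a minimal pure-Python stand-in so the file runs with the standard library alone; it is not constant-time and not for production. `APP_ID`, the `U2FToken` class, the raw `r||s` signature layout (real U2F uses DER) and hashing the bare challenge in place of the client-data JSON are assumptions of this example.

```python
"""TOTP versus U2F, seen from the relying party (server) side.
Added example, not code from the talk or from any FIDO library. The P-256
ECDSA is a pure-Python demonstration only: not constant-time, not for production."""
import hashlib
import hmac
import secrets
import struct

# ---- TOTP (RFC 4226 / RFC 6238): the server keeps the shared seed ----
def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(seed, unix_time // step, digits)

def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift. Anyone who
    reads `seed` out of the user database can call totp() and pass this check."""
    t = unix_time // 30
    return any(hmac.compare_digest(hotp(seed, t + d), code)
               for d in range(-window, window + 1))

# ---- minimal P-256 ECDSA (demonstration only) ----
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None or q is None:
        return p if q is None else q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, p):
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

def ecdsa_sign(priv: int, msg: bytes):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r, s

def ecdsa_verify(pub, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

# ---- U2F: the server stores a public key, a key handle and a counter ----
APP_ID = "https://example.com"  # hypothetical relying party (assumption)

def u2f_client_params(challenge: bytes):
    """Browser side. Real U2F hashes a client-data JSON (challenge, origin, type);
    hashing the bare challenge is a simplification of this example."""
    return hashlib.sha256(APP_ID.encode()).digest(), hashlib.sha256(challenge).digest()

class U2FToken:
    """Constructed stand-in for a hardware token; the private key never leaves it."""
    def __init__(self):
        self.priv = secrets.randbelow(N - 1) + 1
        self.pub = _mul(self.priv, G)
        self.key_handle = secrets.token_bytes(32)
        self.counter = 0

    def authenticate(self, app_param: bytes, challenge_param: bytes) -> bytes:
        self.counter += 1
        ctr = struct.pack(">I", self.counter)
        r, s = ecdsa_sign(self.priv, app_param + b"\x01" + ctr + challenge_param)
        # Raw response: user-presence byte, counter, signature (r||s here; DER in real U2F).
        return b"\x01" + ctr + r.to_bytes(32, "big") + s.to_bytes(32, "big")

def u2f_register(token: U2FToken) -> dict:
    """The registration record: nothing in it helps an attacker who steals it."""
    return {"key_handle": token.key_handle, "pub": token.pub, "counter": 0}

def u2f_verify(record: dict, challenge: bytes, response: bytes) -> bool:
    app_param, challenge_param = u2f_client_params(challenge)
    presence, ctr = response[0], struct.unpack(">I", response[1:5])[0]
    sig = (int.from_bytes(response[5:37], "big"), int.from_bytes(response[37:69], "big"))
    if not presence & 0x01:
        return False                      # token did not see a touch
    if ctr <= record["counter"]:
        return False                      # replay, or a cloned token has run ahead
    if not ecdsa_verify(record["pub"], app_param + response[:5] + challenge_param, sig):
        return False
    record["counter"] = ctr               # only advance after a valid signature
    return True
```

The asymmetry the speaker describes is visible in the two records: `verify_totp` cannot run without the seed, so the user table is a code generator for whoever copies it, whereas `u2f_register` returns only a public key, an opaque handle and a number, and the counter check is what turns a cloned token into a detectable event rather than a silent one.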
Metadata

Formal metadata

Title Taking the pain out of passwords and authentication
Series title EuroPython 2015
Part 149
Number of parts 173
Author Willmer, Alex
License CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unaltered or altered form, for any legal and non-commercial purpose, provided you credit the author/rights holder in the manner they specify and pass on the work or this content, including in altered form, only under the terms of this license
DOI 10.5446/20067
Publisher EuroPython
Publication year 2015
Language English
Production location Bilbao, Euskadi, Spain

Content metadata

Subject area Computer science
Abstract Alex Willmer - Taking the pain out of passwords and authentication. Passwords are a pain for us all: programmers, users and admins alike. How can we reduce that pain, or eliminate it entirely? This talk will:
- Review research into techniques that improve the usability of password systems, and mitigate shortcomings
- Introduce the new standards Universal Authentication Framework (UAF) & Universal Second Factor (U2F)
- Describe how they streamline authentication, even eliminate passwords entirely
- Show how to integrate UAF/U2F in Django and other Python frameworks
- Summarize the state of support for UAF & U2F in browsers, devices, and the wider world
Keywords EuroPython Conference
EP 2015
EuroPython 2015
