Passwords are Dead, Long live Passkeys! - Stephen Rees-Carter

Passwords are Dead, Long live Passkeys! - Stephen Rees-Carter - NDC Security 2024

Рет қаралды 2,599

3 ай бұрын

This talk was recorded at NDC Security in Oslo, Norway. #ndcsecurity #ndcconferences #security #developer #softwaredeveloper
Attend the next NDC conference near you:
ndcconferences.com
ndc-security.com/
Subscribe to our KZbin channel and learn every day:
/‪@NDC‬
Follow our Social Media!
/ ndcconferences
/ ndc_conferences
/ ndc_conferences
Authentication is hard! Passwords are guessable, while SMS and app-based multi-factor authentication can be compromised. Even the promise of hardware tokens comes at a cost, being easy to lose and/or forget. Unfortunately, as developers, we're stuck trying to solve this difficult problem: how to make authentication work without putting our users at risk. Every option appears to have downsides... but there is hope!
Passkeys are a new authentication technology that uses cryptography within the web browser to securely identify and authenticate users, automatically syncing across devices, to entirely eliminate the need for passwords. It's like magic! We'll learn what they are, how they work, and why they are (virtually) unhackable. Your users will love a simplified login flow, and you'll stop worrying about account takeovers.

Пікірлер: 11

@computer9764 3 ай бұрын

You forgot the critical reason that SMS-based multi-auth is argued against, which is that it, quite frequently, is used as the only factor.

@AldoInza 3 ай бұрын

And SMS can be hijacked by employees of the phone companies, and lots of employees in the phone companies have that ability,.

@putnam120 3 ай бұрын

Yeah gonna pass on trusting Microsoft with credentials given recent events

@lindhe 3 ай бұрын

So sync it with 1Password or something instead?

@EpKjelltzer 3 ай бұрын

Even BitWarden already supports creating, storing, and syncing passkeys. No need to trust big tech with this.

@urvhalt 3 ай бұрын

So, we can tag thoose keys with names that tell what they are for, and store them all behind one bad password?

@urvhalt 3 ай бұрын

... but 2fa for that password of course. Yes, more convenient comapred to a hardcopy with a list of complex passwords.

@lindhe 3 ай бұрын

It's possible to memorize one good password. The problem is that it's not possible to memorize 1000 unique strong passwords, and that's why we need a system for it.

@pepeshopping 3 ай бұрын

Flying half a world away for that? Riiiiiigt, because a bunch of 0s and 1s are hard to log, read, steal. If a human made it, another human can break it! I RESPECT a lot more the people that understand that computer security, LIKE physical security, is an illusion! If somebody really wants in, they will!

@lindhe 3 ай бұрын

Yes, they are infact hard to log and steal.

@capability-snob 3 ай бұрын

Current operating systems and browsers are not great at keeping your secrets, it's true. This is a solvable problem, though.