Next Gen Authentication
SQRL and other trends in authentication systems

Justin Love, FVCP, 2018-03-14

Outline

• Theft of Server DB
• Weak Passwords
• Loss of User Information
• Theft of User Information

SQRL: Secure Quick Reliable Login

Justin Love [email protected] http://wondible.com @wondible

THREAT: Theft of Server Database
https://duckduckgo.com/?q=database+compromise

“Three may keep a secret if two are dead.” –Benjamin Franklin

Some secrets should not be shared

Nothing to Lose
• Public/Private Key Cryptography
• One Way Functions
• SSH

Elliptic Curve
https://en.wikipedia.org/wiki/File:EllipticCurveCatalog.svg

ED25519
http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

• Bitcoin
• AES
• Bittorrent Sync
• FIDO UAF

“256 bits is the new black.” –Steve Gibson
https://github.com/jedisct1/libsodium
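The "nothing to lose" idea above is easiest to see in running code. The following is an added example written for this page (it is not from the deck and not any SQRL implementation): a server that stores only an Ed25519 public key per user and authenticates by asking the client to sign a fresh random nonce. The protocol shape (32-byte nonce, one outstanding challenge per user, signature over the raw nonce) and the user name "alice" are assumptions made for the example; only Go's standard crypto/ed25519 is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// UserRecord is everything the server stores per user: a name and an Ed25519
// public key. There is no password and no password hash, so a stolen copy of
// this table contains nothing an attacker can log in with or crack offline.
type UserRecord struct {
	Name   string
	PubKey ed25519.PublicKey
}

// Server keeps the user table and at most one outstanding challenge per user.
type Server struct {
	users   map[string]UserRecord
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{users: map[string]UserRecord{}, pending: map[string][]byte{}}
}

// Register stores only the public half of the user's key pair.
func (s *Server) Register(name string, pub ed25519.PublicKey) {
	s.users[name] = UserRecord{Name: name, PubKey: pub}
}

// Challenge issues a fresh random nonce that the client must sign.
func (s *Server) Challenge(name string) ([]byte, error) {
	if _, ok := s.users[name]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[name] = nonce
	return nonce, nil
}

// Login verifies the signature over the outstanding nonce, then discards the
// nonce so a captured signature cannot be replayed.
func (s *Server) Login(name string, sig []byte) bool {
	rec, known := s.users[name]
	nonce, issued := s.pending[name]
	delete(s.pending, name)
	if !known || !issued {
		return false
	}
	return ed25519.Verify(rec.PubKey, nonce, sig)
}

// Client holds the private key, which never leaves the user's device.
type Client struct {
	priv ed25519.PrivateKey
}

// NewClient generates a key pair and returns the public key for registration.
func NewClient() (Client, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Client{priv: priv}, pub
}

// Answer signs the server's nonce; this signature is the whole "password".
func (c Client) Answer(nonce []byte) []byte {
	return ed25519.Sign(c.priv, nonce)
}

func main() {
	srv := NewServer()
	alice, pub := NewClient()
	srv.Register("alice", pub) // constructed user name
	fmt.Println("stored for alice:", hex.EncodeToString(srv.users["alice"].PubKey))

	nonce, _ := srv.Challenge("alice")
	sig := alice.Answer(nonce)
	fmt.Println("login:", srv.Login("alice", sig))  // true
	fmt.Println("replay:", srv.Login("alice", sig)) // false: nonce already consumed
}
```

Compare this with a password table: a leaked password hash can be attacked offline at the attacker's leisure, whereas the leaked public key here is, by design, already public. The consumed-nonce check is what turns a captured signature into a one-time value.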

THREAT: Weak Passwords

• Weak - https://xato.net/passwords/more-top-worst-passwords/
• Schemes - http://xkcd.com/936/
• Forgotten - http://xkcd.com/936/
• Reused - http://xkcd.com/792/

• Something you Know
• Something you Have
• Something you Are

Agents
• Apps
• Mobile Push Authentication
• Public/Private Key Cryptography: SSH, Crypto Currency Wallet, SQRL

Secure the Private Key
• Encryption
• Levels of Protection
• Multi-level Encryption

THREAT: Loss of User Information

User Responsibility
• Out-of-band may be possible
• Offline Storage

MetaMask Words
toilet truck film burger program evidence slam weird dolphin fitness tool agree

Levels of Storage
• Semaphor
• Spideroak

Recovery Key
toilet truck film burger program evidence slam
Daily Use Key: “Keyring”

SQRL
• Identity Unlock Key - encrypted with Rescue Code (24 digits)
• Identity Master Key

THREAT: Theft of User Information

Cold Wallets

Levels of Keys and Rights
• Recovery Account Manages Daily Accounts (Semaphor, Spideroak)
• Software Keyring
• Rotation

SQRL
• Identity Unlock Key
• Identity Master Key

Lock
• Current Identity
• Previous Identity

Disable
• Disable with IMK (daily use)
• Enable only with IUK (recovery)
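The "levels of keys and rights" and "levels of storage" slides describe one structure: a daily-use master key that derives per-site login keys, a recovery-only unlock key that alone can re-enable a disabled account, and that unlock key kept encrypted under a 24-digit rescue code. This added example (written for this page, not SQRL's own derivation, key format or protocol, and not the deck's code) models that split in Go. Assumptions: per-site keys are derived as HMAC-SHA256(parent, site) fed to Ed25519; the server stores one login key and one unlock key per account; signed requests are the string "op:site" (a real protocol also binds a server nonce); the rescue-code KDF is iterated SHA-256 standing in for a memory-hard KDF; the site name and rescue code are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Identity: daily-use Identity Master Key (IMK) and recovery-only Identity Unlock Key (IUK).
type Identity struct{ IMK, IUK []byte }

// NewIdentity draws both keys from the system CSPRNG (simplified model, not SQRL's real format).
func NewIdentity() Identity {
	id := Identity{IMK: make([]byte, 32), IUK: make([]byte, 32)}
	rand.Read(id.IMK) // crypto/rand.Read cannot return an error since Go 1.24; it crashes instead
	rand.Read(id.IUK)
	return id
}

// siteKey derives a per-site Ed25519 key as HMAC-SHA256(parent, site): each site gets an
// unlinkable key and never learns the parent secret.
func siteKey(parent []byte, site string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, parent)
	mac.Write([]byte(site))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// SignOp (client side) signs "<op>:<site>"; a live protocol would also bind a fresh server nonce.
func SignOp(parent []byte, site, op string) []byte {
	return ed25519.Sign(siteKey(parent, site), []byte(op+":"+site))
}

// Account is all the server stores: two public keys carrying different rights.
type Account struct {
	Site                string
	LoginKey, UnlockKey ed25519.PublicKey // IMK level: log in, disable; IUK level: re-enable
	Disabled            bool
}

func Register(id Identity, site string) *Account {
	login, unlock := siteKey(id.IMK, site).Public(), siteKey(id.IUK, site).Public()
	return &Account{Site: site, LoginKey: login.(ed25519.PublicKey), UnlockKey: unlock.(ed25519.PublicKey)}
}

// Apply enforces the rights split: "disable" needs only the daily-use key (a stolen IMK can
// lock the account but never unlock it), "enable" needs the recovery key.
func (a *Account) Apply(op string, sig []byte) bool {
	key, ok := map[string]ed25519.PublicKey{"disable": a.LoginKey, "enable": a.UnlockKey}[op]
	if !ok || !ed25519.Verify(key, []byte(op+":"+a.Site), sig) {
		return false
	}
	a.Disabled = op == "disable"
	return true
}

// aeadFor returns AES-256-GCM keyed by the stretched rescue code; iterated SHA-256 stands in
// for a memory-hard KDF (use scrypt or Argon2 in practice).
func aeadFor(code string) cipher.AEAD {
	h := sha256.Sum256([]byte("rescue-code:" + code))
	for i := 0; i < 50000; i++ {
		h = sha256.Sum256(h[:])
	}
	block, _ := aes.NewCipher(h[:]) // 32-byte key: NewCipher and NewGCM cannot fail here
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// SealIUK encrypts the IUK under the rescue code for offline storage, nonce prepended.
func SealIUK(iuk []byte, code string) []byte {
	gcm := aeadFor(code)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, iuk, nil)
}

// OpenIUK recovers the IUK; a wrong rescue code fails GCM authentication.
func OpenIUK(sealed []byte, code string) ([]byte, error) {
	gcm := aeadFor(code)
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

func main() {
	id, code := NewIdentity(), "123456789012345678901234" // constructed 24-digit rescue code
	acct := Register(id, "example.com")                    // constructed site name
	iuk, _ := OpenIUK(SealIUK(id.IUK, code), code)
	fmt.Println(acct.Apply("disable", SignOp(id.IMK, acct.Site, "disable")), // true
		acct.Apply("enable", SignOp(id.IMK, acct.Site, "enable")), // false: wrong key level
		acct.Apply("enable", SignOp(iuk, acct.Site, "enable")))    // true
}
```

The point of the two-key split is containment: the key that is online every day can only do what a thief could not profit from (lock the account), while the key that can undo the lock stays offline, wrapped under a code that is never typed into a website. The same encrypt-at-rest step is the "Secure the Private Key / Levels of Protection" idea from the weak-passwords section, applied to the daily key as well.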

Review

• Theft of Server DB - Public/Private Key Crypto
• Weak Passwords - Agents and Levels of Protection
• Loss of User Information - Levels of Storage
• Theft of User Information - Levels of Storage

Resources
https://pinboard.in/u:wondible/t:next-gen-auth/
https://pinboard.in/u:wondible/t:sqrl/

Justin Love [email protected] http://wondible.com @wondible