Justin Love FVCP 2018-03-14 Outline

Next Gen Authentication
SQRL and other trends in authentication systems
Justin Love FVCP 2018-03-14

Outline
  • Theft of Server DB
  • Weak Passwords
  • Loss of User Information
  • Theft of User Information

Secure Quick Reliable Login
Justin Love [email protected] http://wondible.com @wondible

THREAT: Theft of Server Database
https://duckduckgo.com/?q=database+compromise
“Three may keep a secret if two are dead.” –Benjamin Franklin
Some Secrets Should not be shared
Nothing to Lose
Public/Private Key Cryptography
One Way Functions
SSH
Elliptic Curve https://en.wikipedia.org/wiki/File:EllipticCurveCatalog.svg
ED25519 http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/
Bitcoin
AES
Bittorrent Sync
FIDO UAF
“256 bits is the new black.” –Steve Gibson
https://github.com/jedisct1/libsodium

THREAT: Weak Passwords
Weak https://xato.net/passwords/more-top-worst-passwords/
Password Schemes http://xkcd.com/936/
Forgotten http://xkcd.com/936/
Reused http://xkcd.com/792/
Password Manager
Something you Know
Something you Have
Something you Are
Agents
Apps
Mobile Push Authentication
Public/Private Key Cryptography
SSH
Crypto Currency Wallet
SQRL
Secure the Private Key
Encryption
Levels of Protection
Multi-level Encryption

THREAT: Loss of User Information
User Responsibility
Out-of-band may be possible
Offline Storage
MetaMask Words: toilet truck film burger program evidence slam weird dolphin fitness tool agree
Levels of Storage
Semaphor (Spideroak Software)
Recovery Key: toilet truck film burger program evidence slam
Daily Use Key “Keyring”
SQRL
Identity Unlock Key
Encrypted with Rescue Code (24 digits)
Identity Master Key

THREAT: Theft of User Information
Cold Wallets
Levels of Keys and Rights
Recovery Account Manages Daily Accounts
Semaphor (Spideroak Software)
Keyring Rotation
SQRL
Identity Unlock Key
Identity Master Key
Lock
Current Identity
Previous Identity
Disable
  • Disable with IMK (daily use)
  • Enable only with IUK (recovery)

Review
  • Theft of Server DB - Public/Private Key Crypto
  • Weak Passwords - Agents and Levels of Protection
  • Loss of User Information - Levels of Storage
  • Theft of User Information - Levels of Storage

Resources
https://pinboard.in/u:wondible/t:next-gen-auth/
https://pinboard.in/u:wondible/t:sqrl/
