Braintree_Dev. @SeraAndroid / @PayPalDev

Modern Day Authentication

Tim Messerschmidt Head of Developer Advocacy, EMEA PayPal + Braintree

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

That’s me

Braintree_Dev. @SeraAndroid / @PayPalDev

>Death to Passwords _

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

The top 1000 most used passwords of 2012 wiki.skullsecurity.org/Passwords

Braintree_Dev. @SeraAndroid / @PayPalDev

4.7% OF ALL USERS USE THE PASSWORD PASSWORD

Braintree_Dev. @SeraAndroid / @PayPalDev

8.5% OF ARE USING PASSWORD OR 123456

Braintree_Dev. @SeraAndroid / @PayPalDev

9.8% USE PASSWORD, 123456 OR 12345678

Braintree_Dev. @SeraAndroid / @PayPalDev

... and it doesn’t even stop here 14% have a password from the top 10 40% have a password from the top 100 79% have a password from the top 500 91% have a password from the top 1000

Braintree_Dev. @SeraAndroid / @PayPalDev

A brief analysis of the situation in 2013 cbsn.ws/1siTPGH

Braintree_Dev. @SeraAndroid / @PayPalDev

1.  123456 2.  password 3.  12345678 4.  qwerty 5.  abc123 6.  123456789 7.  111111 8.  1234567 9.  iloveyou 10. Adobe123

11. 123123 12. admin 13. 1234567890 14. letmein 15. photoshop 16. 1234 17. monkey down 18. shadow 19. sunshine 20. 12345

Braintree_Dev. @SeraAndroid / @PayPalDev

1.  123456 up 1 2.  password down 1 3.  12345678 4.  qwerty up 1 5.  abc123 down 1 6.  123456789 new 7.  111111 up 2 8.  1234567 up 5 9.  iloveyou up 2 10. adobe123 new

11. 123123 up 5 12. admin new 13. 1234567890 new 14. letmein down 7 15. photoshop new 16. 1234 new 17. monkey down 11 18. shadow 19. sunshine down 5 20. 12345 new

Braintree_Dev. @SeraAndroid / @PayPalDev

1.  123456 up 1 2.  password down 1 3.  12345678 4.  qwerty up 1 5.  abc123 down 1 6.  123456789 new 7.  111111 up 2 8.  1234567 up 5 9.  iloveyou up 2 10. adobe123 new

11. 123123 up 5 12. admin new 13. 1234567890 new 14. letmein down 7 15. photoshop new 16. 1234 new 17. monkey down 11 18. shadow 19. sunshine down 5 20. 12345 new

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

>The 3 key problems _

Braintree_Dev. @SeraAndroid / @PayPalDev abstrusegoose.com/296

Braintree_Dev. @SeraAndroid / @PayPalDev

/\$\d+/ “Favor security too much over the experience and you’ll make the

website a pain to use.”

smashingmagazine.com/2012/10/26/password-masking-hurt-signup-form

Braintree_Dev. @SeraAndroid / @PayPalDev

vs.

Braintree_Dev. @SeraAndroid / @PayPalDev

People forget passwords…

45% admit to leaving a website instead of re-setting their password or answering security questions

- Blue Inc. 2011

Braintree_Dev. @SeraAndroid / @PayPalDev

Let’s admit it: Passwords really suck!

Braintree_Dev. @SeraAndroid / @PayPalDev

People hate to register

Out of 657 surveyed users 66% think that social sign-in is a desirable alternative.

- Blue Inc. 2011

Braintree_Dev. @SeraAndroid / @PayPalDev

braintreepayments.com/blog/goodbye-passwords-one-touch-hello-bitcoin

> Braintree Says Goodbye to Passwords With One Touch Payments for PayPal and Venmo, and Hello to Bitcoin _

Braintree_Dev. @SeraAndroid / @PayPalDev

Merchant app

PayPal app

Merchant app

�

Braintree_Dev. @SeraAndroid / @PayPalDev �

Merchant app

PayPal app

Merchant app

Braintree_Dev. @SeraAndroid / @PayPalDev �

Merchant app

PayPal app

Merchant app

Braintree_Dev. @SeraAndroid / @PayPalDev �

Merchant app

PayPal app

Merchant app

Braintree_Dev. @SeraAndroid / @PayPalDev

2 Factor Authentication twofactorauth.org

Braintree_Dev. @SeraAndroid / @PayPalDev

Passwordless Authentication medium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

>Authorization & Authentication _

Braintree_Dev. @SeraAndroid / @PayPalDev

/\$\d+/ OAuth 1.0 2007

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

Request Request Token

Grant Request Token

Direct User to Service

Obtain Authorization

Direct to Consumer

Request Access Token

Grant Access Token

Access Resources

The Consumer

Service Provider

Braintree_Dev. @SeraAndroid / @PayPalDev

/\$\d+/ OAuth 1.0a 2009

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

/\$\d+/ OAuth 2.0 2012

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

Direct User to Service

Obtain Authorization

Request Access Token

Grant Access Token

Direct to Consumer

Access Resources

The Consumer

Service Provider

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

/\$\d+/ OpenID

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

/\$\d+/ Combinations

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

>What’s next? _

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

>Utilizing A Trusted Environment _

Braintree_Dev. @SeraAndroid / @PayPalDev

>Scaling Security _

Braintree_Dev. @SeraAndroid / @PayPalDev

>FIDO Alliance _

Braintree_Dev. @SeraAndroid / @PayPalDev

1 Security Matters to users and developers 2 Difference Authentication and Authorization 3 User Experience Should be enhanced not impaired

Braintree_Dev. @SeraAndroid / @PayPalDev

Braintree_Dev. @SeraAndroid / @PayPalDev

Спасибо за внимание!

tim@getbraintree.com braintreepayments.com/developers

slideshare.com/PayPal