Lose your Passwords 20 times in 20 minutes – Eleven Paths at GsickMinds 2014 (José Palazón)

Lose your password 20 times in 20 minutes

…and use Latch so that you don't care that much about it

elevenpaths.com

Jose Palazon

Insecure networks

01 Clear text passwords over the net: Tumblr iOS apps

02 Symmetric cryptography: client-side stored secrets, secret sharing

03 Asymmetric cryptography, invalid certificates: man in the middle

04 Asymmetric cryptography, good certificates: no certificate pinning, compromised CA

05 SSL strip: change on the fly

Insecure storage

06 Clear text password storage: just grab them

08 Symmetric crypto, weak algorithm: DES, IDEA, RC4, Blowfish, keys too weak

07 Symmetric crypto, good algorithm: still sharing secrets

09 Hashes, weak passwords: brute force

Brute-force candidate enumeration, as illustrated on the slide:

• a b c d e f g … h i j …

• aa ab ac ad ae af ag … ha hb hc …

• aaa aab aac aad aae aaf aag … hel hem hen …

• aaaaa aaaab aaaac aaaad aaaae aaaaf aaaag … hello hellp hellq …

• hell0 h3ll0 h3110 hello7719 hello77 …

10 Hashes, common passwords: dictionary attacks

• Pet names

• Artists

• Celebrities

• Countries

• Entire dictionaries

• All languages (not only human)

• …

• John The Ripper wordlists: 40 million entries in 20+ languages

11 Hashes, unsalted passwords: rainbow tables, hash collisions

12 Hashes, salted passwords: run dictionaries using the stored salt
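The three hash slides (brute force, unsalted, salted) make one argument: an unsalted fast hash lets a single precomputed table crack every user at once, while a per-user salt and a slow key-derivation function force the attacker to run the dictionary again for every hash, at full cost. The following is an added example written for this page, not code from the talk or from Eleven Paths; the user list and the five-word "dictionary" standing in for a 40-million-entry wordlist are constructed.

```python
"""Added example: unsalted fast hashes vs. salted PBKDF2 (defender's view)."""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample users; two of them chose the same weak password.
USERS = {"alice": "hello", "bob": "hello", "carol": "Tr0ub4dor&3"}

# Constructed tiny wordlist standing in for a real multi-million-entry list.
WORDLIST = ["123456", "password", "hello", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    # Same password -> same digest for every user and every site, so one
    # precomputed table (the simple form of a rainbow table) cracks all of them.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # PBKDF2-HMAC-SHA256: the per-user salt defeats precomputation and the
    # iteration count makes every guess cost the attacker what it costs us.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str) -> tuple[bytes, bytes]:
    """What the service stores: a random per-user salt next to the digest."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(salted_hash(password, salt), stored)


def duplicate_unsalted(users: dict[str, str]) -> list[str]:
    """Users whose unsalted digest equals another user's. Anyone holding the
    database sees this without cracking anything."""
    seen: dict[str, str] = {}
    dupes: list[str] = []
    for name, pw in users.items():
        digest = unsalted_hash(pw)
        if digest in seen:
            dupes.append(name)
        seen.setdefault(digest, name)
    return dupes


def table_lookup(unsalted_digests: dict[str, str], wordlist) -> dict[str, str]:
    """Hash the wordlist once, then crack every user by dictionary lookup."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {user: table[d] for user, d in unsalted_digests.items() if d in table}


def dictionary_attack_salted(salt: bytes, stored: bytes, wordlist,
                             iterations: int = 100_000) -> tuple[str | None, int]:
    """Slide 12: with the stored salt the dictionary still runs, but per hash
    and at full KDF cost. Returns (matching word or None, hashes computed)."""
    for count, word in enumerate(wordlist, 1):
        if hmac.compare_digest(salted_hash(word, salt, iterations), stored):
            return word, count
    return None, len(wordlist)


if __name__ == "__main__":
    digests = {u: unsalted_hash(p) for u, p in USERS.items()}
    print("duplicate passwords visible in unsalted store:", duplicate_unsalted(USERS))
    print("cracked by one lookup table:", table_lookup(digests, WORDLIST))
    salt, stored = store_salted("hello")
    print("salted dictionary run:", dictionary_attack_salted(salt, stored, WORDLIST))
```

The two stored digests for "hello" differ because each call draws a fresh salt, so a table built against one user says nothing about the next; the attacker's only option is the per-hash run in dictionary_attack_salted, which is exactly why the iteration count matters.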

Other

13 Password reuse: Have I been pwned?

14 Password managers: all passwords and tokens together, protected by a single key

15 Leaked passwords: every day

16 Password recovery mechanisms: secret questions, email reset

17 OAuth in mobile devices: can't see it's fake

One Time Passwords

18 Physical tokens: expensive to replace when lost or broken; need to carry them

19 Shared secrets and sync problems: expensive to replace when compromised, and exposed meanwhile

20 OTP in mobile phones: HOTP, TOTP, still sharing secrets
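Slides 19 and 20 say the same thing about HOTP and TOTP: the phone and the server must both hold the seed, so a copy of the server's OTP table is as good as the phone. The code below is an added example (not from the talk) that implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library, checked against the seed and values published in those RFCs, together with the server-side verification windows a service needs; the look-ahead and drift sizes are assumptions.

```python
"""Added example: HOTP (RFC 4226) and TOTP (RFC 6238) with server-side checks."""
import hashlib
import hmac
import struct

# Seed from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# Both sides hold these same bytes: this is the shared secret the slide means.
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, stored_counter: int, code: str, look_ahead: int = 3):
    """Server side. Accepts the code for the stored counter or a few counters
    ahead (the user may have generated codes that never reached us) and
    returns the counter to store next, or None when nothing matched."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1  # never accept the same counter twice (replay)
    return None


def verify_totp(secret: bytes, unix_time: int, code: str, step: int = 30,
                digits: int = 6, drift: int = 1) -> bool:
    """Server side. Tolerates `drift` steps of clock skew in either direction;
    every extra step widens the window an intercepted code stays valid for."""
    for k in range(-drift, drift + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * step, step, digits), code):
            return True
    return False


if __name__ == "__main__":
    for c in range(3):
        print("HOTP counter", c, hotp(RFC_SEED, c))
    print("TOTP at t=59 (8 digits):", totp(RFC_SEED, 59, digits=8))
    # Anyone holding RFC_SEED produces identical output: protect the seed store
    # as you would the passwords themselves.
```

The replay point in verify_hotp is what a real implementation must get right: after accepting counter c, the stored counter moves past it, so the same code cannot be presented again even within the look-ahead window.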

Lose your password 40 times in 40 minutes

• Phishing via email

• Phishing via XSS

• iOS biometrics (fingerprint printed in transparent plastic)

• Android face recognition (picture in front of camera)

• RFID (building access, car keys) using antennas

• Track the phone accelerometer while typing a password

• Key clicks picked up with a microphone from afar

• Remote camera

• Default passwords

• Post-its

• Thermal image in cash machines

• Keylogger

• Compromised sudo (or a different sudo in $PATH) and its Windows/OS X equivalents when installing applications etc.

• Passwords sent via GET remain in the system logs (even if HTTPS)

• Login prompt: typing the password instead of the username ends up in logs

Enough please!! What do I do??

Reduce availability

Reduce exposure

Reduce risk

Latch: lock and unlock anything from a single screen

How it works

How to pair

Pairing protocol: completely anonymous and private for both parties.

• From the service provider, find the Latch preferences. It should ask you to enter a pairing code.

• Generate a temporary pairing code with the Latch mobile app.

• Read the pairing code from your phone screen and type it into your service provider's website.

• The service provider will send Latch the pairing code and get a unique account identifier in return.

• The service provider will use this identifier to query the status of this, and only this, Latch.

Secure side channel, alerts

Sending data to the phone

• Latch only tells the device that new data is available.

• Data is never sent using other parties.

• All data is encrypted on a secure channel between the phone and Eleven Paths.

Alerts and notifications

• New latch

• Latch removed

• Access attempt while latch locked

• Access while unlocked (optional)

Not only authentication: even operations are anonymous

Authentication

• Sits on top of any authentication

• Provides an easy second factor, no tokens

• Optional extra factors (OTP)

• Access to customer applications

• Access to VPN and remote networking

• Access to B2B applications

• Email and social networks

• Control panels

Authorization

• Credit card operations

• Bank transfers

• Online payments

• Card Not Present transactions

• International phone calls

• Publishing rights on Internet media

Scheduler and autolock, and of course, a panic button

Scheduler

• Services that you only use at work

• Services that you never use when sleeping

Autolock

• Set latches to close on their own if you forget to close them after use


Mobile Apps

English, Spanish, Portuguese and German

SDKs and plugins

Latch for the Enterprise

Latch Satellite

Frequently Asked Questions

1. My phone

• What if I run out of battery?

• What if my phone is stolen?

• What if I switch phones?

2. The service

• What if Latch is compromised?

• What if the Latch service is down?

3. My accounts

• Is this like putting all my eggs in one basket?

• What if I lost my Latch password?

Latch Plugin Contest

Internships for Students

https://latch.elevenpaths.com