Lose your password 20 times in 20 minutes
…and use Latch so that you don't care that much about it
elevenpaths.com
Jose Palazon
Asymmetric cryptography, good certificates
No certificate pinning, compromised CA

Hashes. Weak passwords
Brute force
abcdefg…hiJ…
aaabacadaeafag…hahbhc…
aaaaabaacaadaaeaafaag…helhemhen…
aaaaaaaaabaaaacaaaadaaaaeaaaafaaaag…hellohellphellq…
hell0h3ll0h3110hello7719hello77…
Hashes. Common passwords
Dictionary attacks
• Pet names
• Artists
• Celebrities
• Countries
• Entire dictionaries
• All languages (not only human)
• …
• John The Ripper wordlists: 40 million entries in 20+ languages
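Added example, not from the deck: a short Python script that shows why the two slides above work against an unsalted fast hash and how a salted, deliberately slow hash changes the cost. The wordlist, the sample passwords and the iteration count are constructed for the demo; the hashing primitives come from the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed toy wordlist; a real one (the deck cites John the Ripper's) has tens of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "fluffy", "madrid", "hello", "hell0", "h3ll0"]


def fast_hash(password: str) -> str:
    """Unsalted single SHA-256: the weak scheme the slides attack."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup(words) -> Dict[str, str]:
    """Hash the wordlist once; the table then answers for every user's hash at no extra cost."""
    return {fast_hash(w): w for w in words}


def recover_from_fast_hash(stored: str, table: Dict[str, str]) -> Optional[str]:
    """Dictionary attack against an unsalted fast hash is a single table lookup."""
    return table.get(stored)


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256 (stdlib): the mitigation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(password: str) -> Dict[str, bytes]:
    """Store a fresh random salt with each hash so equal passwords hash differently."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": slow_hash(password, salt)}


def verify(password: str, record: Dict[str, bytes]) -> bool:
    """Recompute with the stored salt; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(slow_hash(password, record["salt"]), record["hash"])


def guesses_required(n_users: int, n_words: int, salted: bool) -> int:
    """Hash evaluations needed to run the wordlist against a leaked table of n_users records.
    Unsalted: the table is built once and reused. Salted: every user costs a full pass."""
    return n_words * n_users if salted else n_words


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print("unsalted SHA-256 of 'hello' ->", recover_from_fast_hash(fast_hash("hello"), table))
    rec = register("hello")
    print("salted PBKDF2 verify ok:", verify("hello", rec), "wrong:", verify("hell0", rec))
    print("work for 1M users x 40M words, salted:", guesses_required(1_000_000, 40_000_000, True))
```

The point of `guesses_required` is the one the slides make implicitly: a per-user salt turns one precomputed table into one full dictionary pass per user, and the slow hash multiplies the cost of each of those guesses.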
Shared secrets and sync problems
Expensive to replace when compromised, and exposed meanwhile
Lose your password 40 times in 40 minutes
• Phishing via email
• Phishing via XSS
• iOS biometrics (fingerprint printed on transparent plastic)
• Android face recognition (picture in front of the camera)
• RFID (building access, car keys) using antennas
• Track the phone accelerometer while typing the password
• Key clicks with a microphone from afar
• Remote camera
• Default passwords
• Post-its
• Thermal image in cash machines
• Keylogger
• Compromised sudo (or a different sudo in $PATH) and its Windows/OS X equivalents when installing applications, etc.
• Passwords sent via GET remain in the system logs (even over HTTPS)
• Login prompt: typing the password instead of the username ends up in the logs
Pairing protocol
Completely anonymous and private for both parties.
How to pair
• From the service provider, find the Latch preferences. It should ask you to enter a pairing code.
• Generate a temporary pairing code with the Latch mobile app.
• Read the pairing code from your phone screen and type it into the service provider's website.
• The service provider sends Latch the pairing code and gets a unique account identifier in return.
• The service provider uses this identifier to query the status of this, and only this, latch.
Secure side channel, alerts
Sending data to the phone
• Latch only tells the device that new data is available.
• Data is never sent using other parties.
• All data is encrypted on a secure channel between the phone and Eleven Paths.
Alerts and notifications
• New latch
• Latch removed
• Access attempt while latch locked
• Access while unlocked (optional)
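Added example covering both the pairing slide and the alerts slide above; it is a constructed Python model, not ElevenPaths' code or API. `LatchBackend` plays the Latch service, `ServiceProvider` plays a website that pairs a user and checks the latch on login. Identifiers, the code alphabet, the 60-second code lifetime and the "unlocked" initial state are all assumptions made for the demo. The model keeps the two properties the slides state: the website only ever holds an opaque account identifier, and the push to the phone carries no data, the alert text travels only on the phone-to-Latch channel.

```python
import secrets
from typing import Dict, List, Optional, Tuple

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed: no ambiguous 0/O, 1/I


class LatchBackend:
    """Constructed stand-in for the Latch service (not ElevenPaths code)."""

    def __init__(self, code_ttl: int = 60):
        self.code_ttl = code_ttl
        self._pending: Dict[str, Tuple[str, int]] = {}   # code -> (phone_id, expiry)
        self._accounts: Dict[str, Dict] = {}              # account_id -> {phone, status}
        self._events: Dict[str, List[str]] = {}           # phone_id -> undelivered alerts
        self.pushed: List[str] = []                       # "new data available" pings only

    # --- phone side ----------------------------------------------------
    def new_pairing_code(self, phone_id: str, now: int) -> str:
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(6))
        self._pending[code] = (phone_id, now + self.code_ttl)
        return code

    def set_status(self, phone_id: str, account_id: str, status: str) -> bool:
        acct = self._accounts.get(account_id)
        if acct is None or acct["phone"] != phone_id:     # only the paired phone may toggle
            return False
        acct["status"] = status
        return True

    def fetch_alerts(self, phone_id: str) -> List[str]:
        """Alert payload travels only on the phone<->Latch channel; the push carried none."""
        return self._events.pop(phone_id, [])

    # --- service-provider side -----------------------------------------
    def pair(self, code: str, now: int) -> Optional[str]:
        entry = self._pending.pop(code, None)             # single use
        if entry is None:
            return None
        phone_id, expiry = entry
        if now > expiry:
            return None
        account_id = secrets.token_hex(16)                # opaque; says nothing about the phone
        self._accounts[account_id] = {"phone": phone_id, "status": "unlocked"}  # assumed default
        self._queue(phone_id, "New latch")
        return account_id

    def status(self, account_id: str) -> Optional[str]:
        acct = self._accounts.get(account_id)
        return None if acct is None else acct["status"]

    def report_access(self, account_id: str) -> None:
        acct = self._accounts.get(account_id)
        if acct is not None and acct["status"] == "locked":
            self._queue(acct["phone"], "Access attempt while latch locked")

    def _queue(self, phone_id: str, event: str) -> None:
        self._events.setdefault(phone_id, []).append(event)
        self.pushed.append(phone_id)                      # push says only "new data available"


class ServiceProvider:
    """A website using Latch as a second factor on top of its own password check."""

    def __init__(self, latch: LatchBackend):
        self.latch = latch
        self.latch_ids: Dict[str, str] = {}               # username -> account_id, nothing more

    def pair_user(self, username: str, code: str, now: int) -> bool:
        account_id = self.latch.pair(code, now)
        if account_id is None:
            return False
        self.latch_ids[username] = account_id
        return True

    def login(self, username: str, password_ok: bool) -> str:
        if not password_ok:
            return "denied: bad password"
        account_id = self.latch_ids.get(username)
        if account_id is not None and self.latch.status(account_id) == "locked":
            self.latch.report_access(account_id)
            return "denied: latch closed"
        return "granted"


if __name__ == "__main__":
    latch, site = LatchBackend(), ServiceProvider(latch)
    code = latch.new_pairing_code("phone-A", now=0)           # shown on the phone screen
    print("paired:", site.pair_user("alice", code, now=5))    # user typed it into the website
    aid = site.latch_ids["alice"]
    latch.set_status("phone-A", aid, "locked")
    print(site.login("alice", password_ok=True))              # denied: latch closed
    print("push pings:", latch.pushed, "alerts:", latch.fetch_alerts("phone-A"))
```

Two checks worth keeping in any real integration: a pairing code is accepted once and only within its lifetime, and a status change is accepted only from the phone that did the pairing.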
Not only authentication
Even operations are anonymous
Authentication
• Sits on top of any authentication
• Provides an easy second factor, no tokens
• Optional extra factors (OTP)
• Access to customer applications
• Access to VPN and remote networking
• Access to B2B applications
• Email and social networks
• Control panels
Authorization
• Credit card operations
• Bank transfers
• Online payments
• Card Not Present transactions
• International phone calls
• Publishing rights on Internet media
Scheduler and autolock
…and of course, a panic button
Scheduler
• Services that you only use at work
• Services that you never use when sleeping
Autolock
• Set latches to close on their own if you forget to close them after use
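Added example, not from the deck: a constructed Python model of one latch's access decision with the three controls this slide names. The schedule windows ("work hours", "awake hours"), the ten-minute autolock and the evaluation order (manual state, then autolock expiry, then schedule) are assumptions for the demo, not Latch's actual policy engine.

```python
from datetime import datetime, time, timedelta
from typing import List, Optional, Set, Tuple

# A window is (weekdays, start, end); Monday == 0 as in datetime.weekday().
Window = Tuple[Set[int], time, time]

# Constructed schedules matching the two slide bullets.
WORK_HOURS: List[Window] = [({0, 1, 2, 3, 4}, time(9, 0), time(18, 0))]
AWAKE_HOURS: List[Window] = [(set(range(7)), time(7, 0), time(23, 59, 59))]


class Latch:
    """Constructed model of one latch with an optional schedule and autolock."""

    def __init__(self, schedule: Optional[List[Window]] = None,
                 autolock_after: Optional[timedelta] = None):
        self.locked = True                      # manual state set from the app
        self.unlocked_at: Optional[datetime] = None
        self.schedule = schedule                # None means "no schedule"
        self.autolock_after = autolock_after    # None means "never autolock"

    def unlock(self, now: datetime) -> None:
        self.locked = False
        self.unlocked_at = now

    def lock(self) -> None:
        self.locked = True
        self.unlocked_at = None

    def _in_schedule(self, now: datetime) -> bool:
        if self.schedule is None:
            return True
        t = now.time()
        return any(now.weekday() in days and start <= t <= end
                   for days, start, end in self.schedule)

    def allows_access(self, now: datetime) -> bool:
        """Evaluated on every access attempt by the service provider."""
        if self.locked:
            return False
        if self.autolock_after is not None and now - self.unlocked_at >= self.autolock_after:
            self.lock()                         # forgotten open: close on its own
            return False
        return self._in_schedule(now)           # outside the window counts as closed


def panic(latches: List[Latch]) -> int:
    """Panic button: close every latch at once; returns how many were open."""
    open_count = sum(1 for latch in latches if not latch.locked)
    for latch in latches:
        latch.lock()
    return open_count


if __name__ == "__main__":
    work = Latch(schedule=WORK_HOURS)
    work.unlock(datetime(2024, 1, 8, 8, 0))                  # a Monday, constructed date
    print("Monday 10:00:", work.allows_access(datetime(2024, 1, 8, 10, 0)))
    print("Saturday 10:00:", work.allows_access(datetime(2024, 1, 13, 10, 0)))
    auto = Latch(autolock_after=timedelta(minutes=10))
    auto.unlock(datetime(2024, 1, 8, 12, 0))
    print("after 12 min:", auto.allows_access(datetime(2024, 1, 8, 12, 12)), "locked:", auto.locked)
    print("panic closed:", panic([work, auto]))
```

Note that the schedule is applied at access time rather than by flipping the stored state, so a latch the user left unlocked at the office is still closed for a login attempt at 03:00, and the autolock check runs before the schedule so an expired unlock is recorded as locked even inside the window.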
Frequently Asked Questions
1. My phone
• What if I run out of battery?
• What if my phone is stolen?
• What if I switch phones?
2. The service
• What if Latch is compromised?
• What if the Latch service is down?
3. My accounts
• Is this like putting all my eggs in one basket?
• What if I lose my Latch password?