Post Password World – How do we get there? BRING IDEAS!

From IIW

Post Password World

Wednesday 2J

Convener: Dick Hardt

Notes-taker(s): Brenan Lee

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


How many people have ideas about post-password world?

1. Unguessable URL

prototyped as a bookmark-able token URL

add part of the unique URL to the header 

if you erase the bookmark, you need to re-gen the key

Dick - I don’t like that idea, issues
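As an added illustration of the unguessable-URL idea above (not code from the session or from any participant): the credential is split so that the bookmarkable URL carries one random half and an HTTP header carries the other, only hashes are kept server side, and re-issuing or revoking invalidates the old bookmark. The base URL and names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed example; the host and path prefix are assumptions.
BASE = "https://example.invalid/login/"


def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class TokenUrlAuth:
    """Bookmarkable-token login: the URL holds one half of a random
    credential and a header holds the other, so a URL that leaks via a
    referrer, proxy log or shared bookmark is not enough on its own."""

    def __init__(self) -> None:
        # Only hashes are stored; key is hash(url half) -> record.
        self._records = {}

    def issue(self, user: str) -> Tuple[str, str]:
        """Return (bookmarkable URL, header value) and drop any earlier
        credential, so an erased bookmark means regenerating the key."""
        self.revoke(user)
        url_half = secrets.token_urlsafe(24)     # 192 bits of entropy
        header_half = secrets.token_urlsafe(24)  # 192 bits of entropy
        self._records[_h(url_half)] = {"user": user, "hdr": _h(header_half)}
        return BASE + url_half, header_half

    def revoke(self, user: str) -> None:
        """Invalidate every credential issued to `user`."""
        for key in [k for k, r in self._records.items() if r["user"] == user]:
            del self._records[key]

    def authenticate(self, url: str, header_value: str) -> Optional[str]:
        """Return the user name when both halves match, else None."""
        path = urlparse(url).path
        if not path.startswith("/login/"):
            return None
        rec = self._records.get(_h(path[len("/login/"):]))
        if rec is None:
            return None
        # Constant-time comparison of the header half's hash.
        if not hmac.compare_digest(rec["hdr"], _h(header_value)):
            return None
        return rec["user"]
```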


2. Phone-based 

2-factor authentication through phone Yubikey

biometrics aren’t very secure. 

Apple Pay is an "in the wild" example of post-password authentication

the combination of hardware, safe biometric authentication, tokenization. 

identity proof - when I registered the card on the device, banks weren’t doing identity proofing

identity proof - my bank has identified me to perform transactions. 

to replace the password, you will have to 


3. Fido/UAF

https://www.fidoalliance.org/assets/downloads/FIDO-U2F-UAF-Tutorial-v1.pdf

QUESTION: Why do we need to solve the password problem?


4. Client Certs

QUESTION: Should we have passwords in 10 years?


5. ID in browser 

Sign in to browser once then browser brokers authentication for the user.


6. Trusted Signals

My wireless network knows who I am so it can authenticate me. 


7. Behavior (History)

My history indicates (probably) who I am 


8. ID + location on Map 

Plug in my ID and pick a point on a map to authenticate that you are who you say you are


9. Microchip / Temp Tattoo / Taking a Pill with a Signal 

COMMENT: We can solve recovery and not solve passwords?

Is everyone comfortable with how Credit Cards handle authentication? (NO!)

10. Public Key Authentication

https://www.en.wikipedia.org/wiki/Public-key_cryptography


11. Google Authentication / Yubikey / Biometrics

Biometrics are fragile. They are good as an additional factor. They are problematic if they are the single factor.

COMMENT: “Our current central IDP is our Mail system"

Banks are bad

Root-independent identity source to build upon


Desirable characteristics of post-password auth system

Low Cost

X-Device - App brokers sign 

As reliable as passwords

Recovery must be better than current patterns

Something in the auth mechanism must be revocable.

Continual Authentication

Security Gradient


Further Reading:

"A Quest To Replace Passwords - Joseph Bonneau"

http://www.jbonneau.com/doc/BHOS12-IEEESP-quest_to_replace_passwords.pdf