1 of 20

Authentication at Google:�Beyond Passwords and Towards Devices

Dirk Balfanz�

Cloud Identity Summit · June 2015 · San Diego

2 of 20

Bearer Tokens

Phishing

Password�Sharing

Network�Attacks

Client�Compromise

Server�Compromise

Passwords

!

!

!

!

!

Cookies

!

!

!

3 of 20

Bearer Tokens

Phishing

Password�Sharing

Network�Attacks

Client�Compromise

Server�Compromise

Passwords

!

!

!

!

!

Cookies

!

!

!

4 of 20

Crypto to the Rescue!

Password

Password

Password Reuse

Phishing

Interception

5 of 20

Crypto to the Rescue!

Test of User Presence

Public-Key�Crypto

Password Reuse

Phishing

Interception

6 of 20

Interlude: Smart Lock

7 of 20

Smart Lock for Android

Wearable

Trusted�Devices

Location

Trusted Voice

On-Body Detection

8 of 20

Smart Lock for Chromebook

9 of 20

Crypto to the Rescue!

Password Reuse

Phishing

Interception

10 of 20

Crypto-Based Logins

11 of 20

Crypto-Based Logins

password

password

password

password

12 of 20

Crypto-Based Logins: Coming Up

�Necessary first step: separate username & password input during login!

password

13 of 20

Crypto-Based Logins: Coming Up

password

�Use help of carrier: Mobile OpenID Connect��(unsolved issues: trust in carriers, something-you-know/are as a 2nd factor)

14 of 20

You can help!

15 of 20

Use this pattern.

Test of User Presence

Public-Key�Crypto

16 of 20

FIDO-enable�your web site.

Test of User Presence

Public-Key�Crypto

17 of 20

Don’t ask for�passwords.

Test of User Presence

Public-Key�Crypto

18 of 20

Bind cryptographic�keys to biometrics�or screen locks.

Test of User Presence

Public-Key�Crypto

19 of 20

password

If you’re an MNO: Help us solve this use case!

20 of 20

Thanks!