title: Password π author: name: I'm Adrien, frontend developer email: a.gibrat@oodrive.com theme: ./theme controls: false output: index.html
--
--
Since 2018, Microsoft advocate[The beginning of "The end of passwords"](https://www.microsoft.com/en-us/security/technology/identity-access-management/passwordless)
not secure haveibeenpwned 408 leaked
dataset = 8 506 873 299 accounts
not user friendly password = complexity your mom doesn't use a password manager
-- screen full
--
various best practices [ANSSI](https://www.ssi.gouv.fr/guide/mot-de-passe/ "Agence Nationale de la Sécurité des Systèmes d'Information") ①[NIST](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5 "National Institute of Standards and Technology")never reuse password
use passphrase
check against lists (contextual, dictionary, common, leakedβ¦)
SMS is not secure OTP (PSD2: banking deprecated SMS)
force special characters leet EvilCorp$1
force periodic password changes #β¦ EvilCorp$2
-- screen large
-- screen large
-- screen
FIDO alliance π
--
- FIDO U2F Universal Second Factor authentication
using asymmetric cryptography with USB security key (+ NFC / BLE) - FIDO UAF Universal Authentication Framework
Passwordless Authentication with biometrics & external security device - FIDO2 W3C WebAuthn (March 2019) API for accessing Public Key
Secure passwordless & multi-factor authentication for the web
-- screen
[CTAP 2](https://en.wikipedia.org/wiki/Client_to_Authenticator_Protocol) = WebAuthn authenticator specification
(CTAP 1 = U2F only)
-- screen
& all evergreen browsers, including [Safari](https://webkit.org/blog/8517/release-notes-for-safari-technology-preview-71/)
-- screen
-- screen
--
300 billion passwords by 2020
$6 trillion annual damage by 2021
Do FIDO2 passwordless & WebAuthn today!
Strong authentication is already a requirement for banking
and will eventually be one for other regulated industries.