Bringing Crypto Back: Web Authentication without Bearer Tokens

Presented at CloudIdentitySummit 2014 by

From the inception of the Web to this day, we have been using an embarrassingly weak form of authentication online: bearer tokens. Both passwords and authentication cookies fall into this category, as they grant access to whoever presents them to a server. This is in stark contrast to even the simplest authentication protocols we learn in school. We can't turn back time, however, and the Web today is what it is. How, then, do we "bring Crypto back", and add stronger forms of authentication to the Web without boiling the ocean? Dirk will talk about two efforts he has been involved in at Google, both designed to incrementally add public-key cryptography to existing authentication mechanisms - one aimed at cookies, and one aimed at passwords. They offer the security of public-key-based challenge-response protocols without getting rid of cookies or passwords.
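A toy model of the contrast the abstract draws, added here as an example and not code from the talk or from the Google mechanisms it describes: a bearer cookie is accepted from whoever presents it, while a key-bound cookie is only honoured together with a fresh signature over a server-chosen nonce, so a copied token alone, or a captured signature, gets no access. Ed25519, the session record layout and the nonce || token message format are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Session is the server-side record; PubKey is the client key pinned at login (nil = plain bearer session).
type Session struct {
	Token  string
	PubKey ed25519.PublicKey
}

// AuthBearer models today's cookie: whoever presents the token is in.
func AuthBearer(s Session, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(s.Token), []byte(presented)) == 1
}

// NewNonce is the server's fresh per-request challenge.
func NewNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// The signed message is nonce || token (a format constructed for this example, not a standard encoding).
func challengeMsg(nonce []byte, token string) []byte {
	return append(append([]byte{}, nonce...), token...)
}

// SignChallenge (client side) proves possession of the private key, which a copied cookie lacks.
func SignChallenge(priv ed25519.PrivateKey, nonce []byte, token string) []byte {
	return ed25519.Sign(priv, challengeMsg(nonce, token))
}

// AuthBound: the token is still required, but only counts with a valid signature over this request's nonce.
func AuthBound(s Session, presented string, nonce, sig []byte) bool {
	return s.PubKey != nil && AuthBearer(s, presented) &&
		ed25519.Verify(s.PubKey, challengeMsg(nonce, presented), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s, n := Session{Token: "sess-123", PubKey: pub}, NewNonce()
	fmt.Println(AuthBearer(s, "sess-123"), AuthBound(s, "sess-123", n, nil), AuthBound(s, "sess-123", n, SignChallenge(priv, n, "sess-123"))) // true false true
}
```

The nonce must be generated per request and verified only once; a server that reuses nonces reintroduces the replay the binding was meant to remove.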