The document discusses improving authentication on the web while reducing friction for users. It covers using biometric authentication, background signals from devices, and turning devices into authentication keys. The presenter recommends limiting stored data, using contextual data for step-up authentication, offering device authentication where possible, and planning for fallback options in case primary authentication fails. Overall, the goal is to make authentication secure yet easy for users.
11. "It is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them."
Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
17. BIOMETRICS
😃 Pros
• Everyone has access to what they are
• Can't lose the factor*
• Less concern for account recovery
🤔 Cons
• Often per-device
• Elevated risk of underlying data being targeted if using cloud storage
• User privacy concerns
• Documented bias in voice recognition models
24. Examples
GEOLOCATION
Used for authorization and more.
HEADER ENRICHMENT
AKA silent authentication; sends device details like the IMSI.
HISTORICAL BEHAVIOR
Purchase history or usage patterns.
25. BACKGROUND CHECKS
😃 Pros
• Outliers are apparent with robust data
• Basic checks are easy to implement
🤔 Cons
• Outliers can be legitimate use cases
• More complex analysis requires more data engineering
• Privacy and regulatory concerns
29. Examples
WEBAUTHN
Open standard for web authentication. Uses browser APIs (~90% supported).
PUSH AUTHENTICATION
Approve/deny framework similar to WebAuthn but built into a mobile or web application.
30. DEVICES AS KEYS
🤔 Cons
• Per-device
• Account recovery is challenging
• Device support is not ubiquitous
😃 Pros
• Can be a password replacement
• Phishing & spoofing proof
• Already using devices like our phones and computers every day