Merging Passwordless and Physical Access Control – Lessons Learned

Oct 19

Session Details

In this talk we will share lessons from our journey of replacing passwords (both system-level and web-based) and physical door access with a single smartphone app. As Winston Churchill famously said, “antiquated authentication solutions are the enemy of progress.” Over the past 2 years, we have been working around the clock to help companies transition away from passwords and smartcards/keys to a smartphone-based solution. While most of the FIDO members and conference attendees will likely agree that passwords and smartcards have seen their heyday, transitioning the world’s infrastructure and users’ habits is no easy task. For example, in order for users to accept an alternative, the new solution cannot just be marginally better – it has to feel like they jumped into their DeLorean. Similarly, it can (almost) never fail. One bad experience is enough for most users to go back to the “old way.” Fortunately, for the entertainment and educational value of this talk, we have failed spectacularly numerous times and want to share those stories with the FIDO community to help others avoid similar pitfalls. We hope that our stories (some sad, some hilarious, and some unexpected) will help the community at large in our collective efforts to create a better tomorrow through secure, usable authentication mechanisms. To whet the appetite a bit, you will hear about smart door hardware getting “hulk ripped” from a wall, why push notifications can make users unhappy with you, how to completely disable all forms of authentication on an MBP (not good…), and about a time when a user getting locked out of their office resulted in the discovery of a critical security vulnerability in the Linux kernel.