Welcome to my villain's lair. Do you need a password? Around two billion passwords are stolen per year. Okay. I'm not really a villain. I'm Sarah Clark, and I'm here to help you understand the risks behind password-based authentication, how to mitigate those risks, and a couple of useful alternatives.

There are three things we'd like from authentication: that it's secure, it's easy for the user, and it's easy for the developer. Unfortunately, this is easier said than done. Passwords are the easiest choice, but they also have problems. Weak passwords are ones that are easily guessed, often using automated tools. These include the perennial favorites, "password" and "123456", but also short passwords or ones found in the dictionary. Even combinations of two or three common words are easily cracked, and don't think that using numbers for letters will save you. Cracking tools know you're going to try that. Strong passwords are harder to crack, but people often forget them or use them for multiple sites. Password recovery is often an opportunity for attackers to get in the middle, and reused passwords could be cracked on one site and used in many places. Of course, if an attacker can steal your password outright, they could have an easy path into the system. In a one-year study, 81% of hacking-related breaches used weak or stolen passwords.

So, how can we mitigate these problems? There are best practices, such as serving a login page, never storing or logging plain-text passwords, encrypting passwords in transit, and so on. But even if you do all that, and maybe even more, you are still not done. Security is hard to get right, and compromising your site only takes a reused password and for another site to make a mistake. It doesn't matter whose fault it is. If a user's account is compromised on your site, they lose trust in your service.

Many sites impose policies for passwords. These might sound like a good idea, but they often fail to get the job done. Take strong passwords. Many people substitute numbers for letters or put punctuation at the end or between words. These patterns are so predictable that password-cracking tools routinely check them. Perhaps you can require your users to never reuse their password, but unless they work for you, this probably isn't going to work. We've all been bothered by sites that expire their passwords frequently. Recent research has demonstrated this actually makes sites less secure. Why? Complex passwords are hard to remember, so they're more likely to be reused, and they might be written down. And new passwords often look like the old ones with a trivial change.

Ironically, using a single login service for many sites can improve security. Services such as Sign in with Google or Sign in with Facebook let users remember a single password. Central services can also track whether a login is coming from an unknown device or new location, and verify the user's identity in other ways.

The other major option is multi-factor authentication. Two-factor authentication is the most common and typically involves something you know, such as a password, and something you have. A password is an example of single-factor authentication. Jane supplies her name and password to Google. It's only one factor, namely something she knows. Note that Google isn't storing the plain-text password but a hashed version. This is standard practice. Jane could switch to two-factor authentication using a one-time password. Google Authenticator is a great example of an app that generates a series of one-time passwords. That way, even if someone learned Jane's password, they wouldn't be able to log in without her password generator in hand.

So how do you choose between a federated login and multi-factor authentication? A federated login using OAuth 2 is good for cases where you have a secure provider that you and your users both trust. Multi-factor authentication is especially useful when password reuse or phishing could be problems. It puts one of the key pieces out of the hands of potential attackers.

This leaves us with two potential solutions: Identity Federation, and the more powerful Web Authentication API. Stay tuned and I'll show you how Identity Federation works. If you want to know about the Web Authentication API, see the Google videos from Google I/O 2018. Thanks for watching, and I'll see you soon.
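To make the two-factor flow described above concrete, here is an added example (not code from the video or from Google) of how a server side might check "something she knows" plus "something she has": the password is stored only as a salted PBKDF2 hash, and the second factor is a time-based one-time password as generated by authenticator apps (RFC 6238 TOTP over RFC 4226 HOTP, HMAC-SHA1, 30-second steps, 6 digits). The secret used here is the RFC 6238 reference key, chosen so the output can be checked against the published test vectors; the user record layout and the `login` helper are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple

# Constructed demo secret: the RFC 6238 reference key (20 ASCII bytes).
# A real deployment generates a random secret per user and shares it once,
# typically as a QR code, when the user enrols the authenticator app.
DEMO_SECRET = b"12345678901234567890"

PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, code: str, for_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the current step and +/- `window` neighbouring steps so that
    modest clock skew between phone and server does not lock the user out.
    Every candidate is compared in constant time; no early exit."""
    counter = for_time // step
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(expected, code):
            ok = True
    return ok


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a salted, iterated hash, never the plain-text password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Assumed user record shape for the demo: name -> (salt, password_hash, totp_secret)
UserDB = Dict[str, Tuple[bytes, bytes, bytes]]


def login(users: UserDB, username: str, password: str, code: str,
          now: Optional[int] = None) -> bool:
    """Two-factor check: BOTH the password (something she knows) and the
    one-time code (something she has) must verify. Unknown users are checked
    against a dummy record so timing does not reveal whether a name exists."""
    if now is None:
        now = int(time.time())
    salt, digest, secret = users.get(username, (b"\x00" * 16, b"\x00" * 32, b"\x00" * 20))
    pw_ok = verify_password(password, salt, digest)
    otp_ok = verify_totp(secret, code, now)
    return username in users and pw_ok and otp_ok


def make_demo_users() -> UserDB:
    """Constructed sample account for Jane with a fixed salt so it is repeatable."""
    salt, digest = hash_password("correct horse battery", salt=b"\x01" * 16)
    return {"jane": (salt, digest, DEMO_SECRET)}


if __name__ == "__main__":
    users = make_demo_users()
    code = totp(DEMO_SECRET, int(time.time()))   # what Jane's app would show now
    print("password + current code:", login(users, "jane", "correct horse battery", code))
    print("password only, wrong code:", login(users, "jane", "correct horse battery", "000000"))
```

The `verify_totp` window is the usual trade-off: a window of one step tolerates about thirty seconds of skew while keeping the set of accepted codes small. A production service would additionally rate-limit attempts and remember the last accepted counter per user so a code cannot be replayed within its validity window.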