AppSec California 2020

Online verification of identity today extends across microservices, cloud providers, IoT devices, emerging systems, and end-user. In a brief study we conducted on 100 most visited websites, over 95% supported authenticated sessions with more than 97% of these are username and password-based. 81% of discovered breaches are due to broken authentication, indicate there is still a problem to solve and this is the focus of our talk.

Developers are generally aware of different authentication methods used for secure interaction between these entities, but most often miss out on best practices. In this context, we discuss popular authentication schemes like OAuth, token, magic links, adopted by developers today and emerging ones like WebAuthN. We will present incorrectly coded authentication patterns observed from our study and also highlight recurring mistakes like MFA bypass, token leakages, and other authentication misconfigurations. We briefly highlight our talk's evolution based on feedback provided by audiences at prior conferences. Finally, we provide secure blueprints that developers can leverage to bake security into their software development lifecycle.

Detailed Outline :
1. Introduce Authentication and various schemes used today
1.a.Token-based: Oauth, magic links, service to service
1.b. passwords, MFA
1.c. Password-less

2. Problem prevalence
2.a. Study overview: Major sites - selection category, login crawler and collect auth related data.
2.b. summary and dataset
2.c. disclosed reports and correlation with study data

3. Discussion on authentication pitfalls
3.a. Walkthrough password handling and MFA bypasses
3.b. Token-based misconfigurations: leakages, expiry, revocation handling.
3.c. Callouts to related artifacts: headers, cookies, storage
3.d. Password-less: potential pitfalls and contextual examples

4. How to fix this?
4.a. Walkthrough sample applications demonstrating best practices for authentication schemes discussed so far
4.b. Highlight corrected code patterns that address specific pitfalls identified earlier.

5. Comparison of best practice vs business case compromise
5.a. Highlight cases where documented best practices cannot be applied
5.b. Address how developers can use context to secure authentication workflow.

6. Closing Notes
6.a. Open source repo containing code samples and checklists
6.b. Any developer should be able to clone this and use it as a definition of done for commits related to authentication.