AppSec California 2020, January 21-24 at the Annenberg Beach House, Santa Monica, CA
Thursday, January 23 • 4:20pm - 5:10pm
Who Dis? The Right Way to Authenticate

Online verification of identity today extends across microservices, cloud providers, IoT devices, emerging systems, and end-users. In a brief study we conducted on the 100 most visited websites, over 95% supported authenticated sessions, and more than 97% of these were username- and password-based. That 81% of discovered breaches are due to broken authentication indicates there is still a problem to solve, and this is the focus of our talk.

Developers are generally aware of the different authentication methods used for secure interaction between these entities, but most often miss out on best practices. In this context, we discuss popular authentication schemes such as OAuth, tokens and magic links that developers adopt today, and emerging ones like WebAuthn. We will present incorrectly coded authentication patterns observed in our study and also highlight recurring mistakes like MFA bypass, token leakage, and other authentication misconfigurations. We briefly describe how our talk has evolved based on feedback from audiences at prior conferences. Finally, we provide secure blueprints that developers can leverage to bake security into their software development lifecycle.

Detailed Outline:
1. Introduce authentication and the various schemes used today
1.a. Token-based: OAuth, magic links, service-to-service
1.b. Passwords, MFA
1.c. Password-less

2. Problem prevalence
2.a. Study overview: major sites - selection category, login crawler, and collection of auth-related data
2.b. Summary and dataset
2.c. Disclosed reports and correlation with study data

3. Discussion on authentication pitfalls
3.a. Walkthrough password handling and MFA bypasses
3.b. Token-based misconfigurations: leakage, expiry, revocation handling
3.c. Callouts to related artifacts: headers, cookies, storage
3.d. Password-less: potential pitfalls and contextual examples

4. How to fix this?
4.a. Walk through sample applications demonstrating best practices for the authentication schemes discussed so far
4.b. Highlight corrected code patterns that address the specific pitfalls identified earlier

5. Comparison of best practice vs. business-case compromise
5.a. Highlight cases where documented best practices cannot be applied
5.b. Address how developers can use context to secure the authentication workflow

6. Closing Notes
6.a. Open-source repo containing code samples and checklists
6.b. Any developer should be able to clone this and use it as a definition of done for commits related to authentication
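Items 3.b and 4.b contrast token-handling pitfalls (leakage, expiry, revocation) with corrected patterns. The following is an added illustration, not code from the talk or its open-source repo: a minimal HMAC-signed bearer token with a naive verifier that trusts the client-supplied claims beside a hardened verifier that checks the signature in constant time, enforces expiry with a small clock-skew allowance, and consults a revocation list. The token format, the `SECRET` value, and the in-memory `REVOKED_JTIS` set are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder key for the example; a real service loads this from a secret store.
SECRET = b"constructed-demo-secret"

# Constructed in-memory revocation list keyed by token id (jti); a real service
# would back this with a shared store so logout/rotation takes effect everywhere.
REVOKED_JTIS = set()


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now: int, secret: bytes = SECRET) -> str:
    """Issue '<base64 claims>.<base64 hmac>' with an explicit expiry and a token id."""
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds, "jti": f"{subject}-{now}"}
    body = _b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64encode(sig)}"


def verify_token_naive(token: str) -> dict:
    """Pitfall: decodes the claims and never checks signature, expiry or revocation."""
    body, _sig = token.split(".", 1)
    return json.loads(_b64decode(body))


def tamper_subject(token: str, new_subject: str) -> str:
    """Rebuild a token with a changed 'sub' but the original signature, to show
    why the naive verifier above must not be used."""
    body, sig = token.split(".", 1)
    claims = json.loads(_b64decode(body))
    claims["sub"] = new_subject
    return f"{_b64encode(json.dumps(claims, sort_keys=True).encode())}.{sig}"


def revoke(jti: str) -> None:
    REVOKED_JTIS.add(jti)


def verify_token(token: str, now: int, secret: bytes = SECRET, skew: int = 30):
    """Hardened verifier. Returns (claims, None) on success or (None, reason) on failure."""
    try:
        body, sig = token.split(".", 1)
        presented = _b64decode(sig)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many signature bytes matched.
        if not hmac.compare_digest(expected, presented):
            return None, "bad_signature"
        claims = json.loads(_b64decode(body))
    except ValueError:  # covers base64 padding errors and malformed JSON
        return None, "malformed"
    exp = claims.get("exp")
    # Missing or non-numeric expiry is rejected rather than treated as "never expires".
    if not isinstance(exp, int) or now > exp + skew:
        return None, "expired"
    if claims.get("jti") in REVOKED_JTIS:
        return None, "revoked"
    return claims, None


if __name__ == "__main__":
    tok = issue_token("alice", ttl_seconds=300, now=1000)
    print(verify_token(tok, now=1100))                     # accepted
    print(verify_token(tok, now=1400))                     # expired
    forged = tamper_subject(tok, "mallory")
    print(verify_token_naive(forged)["sub"])               # naive verifier believes 'mallory'
    print(verify_token(forged, now=1100))                  # bad_signature
    revoke("alice-1000")
    print(verify_token(tok, now=1100))                     # revoked
```

The order of checks matters: the signature is verified before any claim is read, so expiry and revocation decisions are made only on claims the server itself signed, and a token with no `exp` at all is rejected instead of silently living forever.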

Lakshmi Sudheer

Senior Security Partner, Netflix
Lakshmi Sudheer is a security engineer who is passionate about all things information security and has mostly been on the application security side of the world. She also enjoys speaking about her open-source projects and has spoken at Defcon's BTV, BSides LV, RSA 2018, AppSec USA & AppSec...
Dhivya Chandramouleeswaran

Security Engineer, Lyft
Dhivya Chandramouleeswaran is a security engineer at Lyft providing proactive security guidance to key product teams. She develops security automation tools and enjoys reviewing the security of new technologies. She has given talks at OWASP AppSec DC, Defcon BTV, CSA Summit and BSides...

Thursday January 23, 2020 4:20pm - 5:10pm PST
Garden Terrace Room