Mad Monster Standards - Exploring Webauthn

Presented at CrikeyCon VII (2021), March 6, 2021, 2:30 p.m. (30 minutes)

Webauthn is a standard allowing browsers to communicate between an authenticator device and a web server to perform cryptographic authentication. Seen as the future of login and "the end of passwords" by Microsoft and many others, this standard and its behaviour will only become more important - and relevant - in the field of security. In this talk we'll explore the benefits of webauthn to end users and deployments, how webauthn works, and we'll dive into some of the darker, cobweb-ridden corners that yield some surprising - and common - mistakes in implementations. For defence, you'll walk away knowing more about why webauthn is the future of auth and how to avoid common pitfalls that may impact your deployments. For offence, you'll learn about ways to bypass or reduce the strength of webauthn when it is incorrectly implemented.


  • William Brown 'Firstyear'
    William is a senior software engineer for SUSE. He is part of the 389 Directory Server project, which is one of the major open-source LDAP servers used internationally, and the foundation of FreeIPA's server. He is also the developer of the Webauthn server and softtoken for Rust, and has been invited to participate in the W3C working group to further develop Webauthn. When not deep in authentication services, he can be found flipping people on a mat, or doing vertical stick tricks.