FIDO on MacOS: How it works, Attack Vectors and Other Learnings

Presented at Objective by the Sea version 4.0 (2021), Oct. 1, 2021, noon (25 minutes).

WebAuthn and FIDO are quickly becoming a strong authentication mechanism of choice for a lot of IdPs and their customers. In general this is a very good development as these technologies have strong support from a wide variety of hardware, operating systems and a growing number of websites. However, it's also important to understand where the weak points are.

In this session we will cover some basics about why you should care about WebAuthn and FIDO on Apple devices, how it's built into the OS through the browsers or via an external Security Key, possible attack vectors, and then some learnings for organizations around deploying these technologies. We'll do some live demos as we go through this showing you the user experience and how potentially malicious code can wedge itself into the transaction.

Presenters:

• Joel Rennich - Director of Jamf Connect at Jamf
  Joel Rennich is the director of Jamf's Mac authentication and account management solution, Jamf Connect. Joel joined Jamf as part of the company’s acquisition of NoMAD (later rebranded to Jamf Connect).

Links:

• https://objectivebythesea.org/v4/talks.html#FIDO on MacOS
• https://infocon.org/cons/Objective by the Sea/Objective by the Sea 4 2022/FIDO on MacOS How it works, Attack Vectors and Other Learnings - Joel Rennich.mp4
• https://infocon.org/cons/Objective by the Sea/Objective by the Sea 4 2022/FIDO on MacOS How it works, Attack Vectors and Other Learnings - Joel Rennich.eng.srt (subtitles)
• https://www.youtube.com/watch?v=FVGYUKoVQXc
• https://objectivebythesea.org/v4/talks/OBTS_v4_jRennich.pdf

Similar Presentations:

• Black Hat USA 2016 / Breaking FIDO: Are Exploits in There?
• BSidesLV 2019 / Why FIDO Security Keys & WebAuthn are Awesome
• HushCon Seattle 2022 / Phishing, FIDO, and the Future of AuthN