Who Dis? The Right Way to Authenticate

Presented at Global AppSec - DC 2019, Sept. 13, 2019, 3:30 p.m. (45 minutes)

Online verification of identity today extends across microservices, cloud providers, IoT devices, emerging systems and end users. In a brief study we conducted on the 100 most visited websites, over 95% supported authenticated sessions, with more than 97% of these being username and password based. That 81% of discovered breaches are due to broken authentication indicates there is still a problem to solve, and this is the focus of our talk. Developers are generally aware of the different authentication methods used for secure interaction between these entities, but most often miss out on best practices. In this context, we discuss popular authentication schemes like SAML, OAuth, tokens and magic links, adopted by developers today, and emerging ones like WebAuthN. We will present incorrectly coded authentication patterns observed in our study and also highlight recurring mistakes like MFA bypass, token leakage and other authentication misconfigurations. Finally, we provide secure blueprints that developers can leverage to bake security into their software development lifecycle.

Presenters:

  • Dhivya Chandramouleeswaran - Lyft
    Dhivya Chandramouleeswaran is a security engineer at Lyft providing proactive security guidance to key product teams. She develops security automation tools and enjoys reviewing the security of new technologies. She has given talks at OWASP App Sec DC, Defcon BTV, CSA summit and BSides Vegas.
  • Lakshmi Sudheer
    Lakshmi Sudheer is a Security Researcher. She has been in the security industry for about four years now. She works on reviewing architectures and providing security guidelines to various product teams. Prior to this, she was at a startup doing all things Application Security, and she has experience with security consulting at Bishop Fox. She has also spoken about her open source projects at security conferences like BSides LV, RSA 2018, AppSec USA and AppSec Cali.
