Who dis? The Right Way To Authenticate

Presented at BSidesLV 2019, Aug. 7, 2019, 2 p.m. (55 minutes).

In today's ecosystem, verification of identity no longer applies just to the user; it extends to microservices, cloud providers, IoT devices and many other emerging systems as well. 81% of discovered breaches are due to broken authentication, indicating that it is a prevalent issue. Developers are generally aware of the different authentication methods used for secure interaction between these entities, but most often lose context on best practices.

In this context, we talk about popular authentication schemes adopted by developers today, like SAML, OAuth, tokens and magic links, and emerging ones like WebAuthn. We will present incorrectly coded authentication patterns observed in disclosed reports related to these schemes. Finally, we will conclude with actionable solutions to correct these flaws, realized in the form of practical guidelines. These would be security design patterns that developers or designers could refer to in their daily tasks.


Presenters:

  • Lakshmi Sudheer
    Lakshmi Sudheer is a Security Researcher at Adobe. She holds a Master of Science in Information Security and has been in the security industry for about four years now. At Adobe, she works on reviewing architectures and providing security guidelines to various product teams. Prior to Adobe, she was at a startup doing all things Application Security and has experience with security consulting at Bishop Fox. She has also spoken about her open source projects at security conferences like RSA 2018, AppSec USA & AppSec Cali.
  • Dhivya Chandramouleeswaran
    Dhivya Chandramouleeswaran is a Security Researcher at Adobe. She received her master's degree in Information Security and Information Technology from Carnegie Mellon University in 2017. At Adobe, she provides proactive security guidance to key product teams, develops security automation tools and enjoys reviewing the security of new technologies. She loves talking about her open source projects at conferences, the most recent being Girls Who Code, DefendCon and CISO summit.
