Could Passwordless be Worse than Passwords?

Presented at BSidesLV 2023, Aug. 8, 2023, 11:30 a.m. (45 minutes)

The use of passwordless technologies has increased lately, and more companies are adding support for it, including big names such as Microsoft, Apple, and Google. Passwordless is a no-brainer for increasing account security, since passwords are still one of the most common targets of attacks in 2023. While passwordless technologies are inherently more secure than traditional password-based authentication, there seems to be a general idea that this technology is unhackable, and a perception that account takeover and user impersonation are not even possible when using it. This talk will cover real-world risks and vulnerabilities of passwordless solutions for Web applications and how a faulty implementation can lead to a more significant security breach than when using passwords alone. We will see how, once an attacker manages to compromise the passwordless authentication, users no longer have that tiny piece of protection preventing other people from accessing their details: ironically, a password. This talk will also cover best practices for developers looking to integrate a passwordless mechanism (WebAuthn) into their Web application. Recommendations will be included for pentesters, enterprises, and end-users, too.

Presenters:

  • Aldo Salas
    With more than 15 years of experience, Aldo has had the opportunity to work on all stages of Application Security, from penetration testing to program management and everything in between. He is currently on a quest to get rid of passwords by leading the Application Security program at HYPR. Aldo has participated as an OWASP local chapter leader for many years, and he has been active in the bug bounty community as well. Aldo has worked with several technologies and businesses, including financial, healthcare, media and entertainment, education, and information technology.
