My Hash is My Passport: Understanding Web and Mobile Authentication

Presented at ShmooCon XII (2016), Jan. 17, 2016, 11 a.m. (60 minutes)

The great thing about standards is there are so many to choose from. That's especially true in the realm of web and mobile application authentication. From Base-64 to OAuth, there are nearly as many ways to send your password to a server as there are ways to store that password.

But how do these work? Is any one system better than another, and if so, why?

Application testers need to understand how an app authenticates, in order to properly assess risk. Developers need to be able to make good design decisions. And end users may wonder just how safe their password really is online.

This talk explains, with simple examples, how some of the most frequently-seen authentication systems work. It identifies the characteristics of an "ideal" authentication system, compares the common methods against that ideal, and demonstrates how to verify that they've been implemented correctly.

Finally, the talk will demonstrate a tool which can help make it easier to identify, test, and verify these systems.


Presenters:

  • David Schuetz (Darth Null)
    David (@DarthNull) is a Senior Consultant with NCC Group, where he performs web and iOS application security testing, iOS research, MDM reverse engineering, and other such fun. He's honored to have spoken at multiple security conferences on topics from rainbow tables to iOS and MDM to puzzle contests. When not actively engaged in paying work, David loves solving crypto puzzles, working on side projects like KhanFu, and playing Ingress.