
Identity management
Monday, February 18
 

14:00

A modern take on passwords
Despite proclamations of the obsolescence of passwords, they remain an essential component of user authentication. Many long-accepted tenets of password-based authentication need to be reexamined.


Abstract
Passwords have been around for a long time. They are by far the widest-deployed way of authenticating users. Passwords suffer from many well-known and well-researched weaknesses. Nonetheless, numerous applications still rely on passwords, even in a security-sensitive context. Passwords even remain the most commonly used first factor in multi-factor authentication systems. Regardless of their popularity, many voices call for discarding passwords altogether. After all, would it not be better to have a stronger and more usable authentication mechanism?

In this session, we take a closer look at password-based authentication. We investigate many commonly-made implementation mistakes and better alternatives. We investigate how to make security work for your users, instead of working against them. In the end, you will walk away with a modern set of best practices for handling password-based authentication. Both your application and your users will benefit from these new insights.


This session is intended for anyone designing or implementing password-based user authentication, and for anyone building, designing or securing web applications.

Speakers

Jim Fenton

Internet Technologist, Altmode Networks


Monday February 18, 2019 14:00 - 15:30
Main building (room Lemaire)
 
Tuesday, February 19
 

11:00

Introduction to OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect are complex protocols to enable delegation and authentication. This session covers their meaning and highlights some potential security pitfalls you want to avoid.


Abstract
OAuth 2.0 is likely one of the most complex aspects of modern web applications. It is often mistakenly assumed that OAuth 2.0 offers authentication and authorization. Instead, OAuth 2.0 only offers delegation. To make matters more complicated, there are at least six different OAuth 2.0 flows, each for a particular purpose. On top of that, OpenID Connect (OIDC) redefines some of these flows to enable authentication explicitly.

In this talk, we will clear up the confusion about OAuth 2.0 and OIDC. We will explain the purpose and properties of most relevant flows. We explore how to use OAuth 2.0’s delegation mechanism to enable authorization on a backend. Finally, we will look at using OIDC for end-user authentication with a third-party provider. At the end of this talk, you will have a solid understanding of OAuth 2.0/OIDC and how to use it in your applications.


This session is intended for anyone dealing with authentication and API access in web and mobile applications.

Speakers

Philippe De Ryck

Founder, Pragmatic Web Security


Tuesday February 19, 2019 11:00 - 12:30
Main building (room Lemaire)

14:00

Authentication beyond passwords
Passwords alone are limited in the security they can provide. Wider deployment of effective multi-factor authentication is needed to improve security in the presence of higher-risk applications and more advanced threats.


Abstract
In today's web, it is fair to say that threats against authentication are worse than ever before. We urgently need to increase the security of our applications by deploying multi-factor authentication. However, there is a myriad of different mechanisms. Some of these provide little more than a false sense of security. Others, in turn, provide excellent protection against a comprehensive range of threats. How can you tell these mechanisms apart? And which one is right for your application?

In this session, we discuss a variety of ways to tackle authentication. For each mechanism, we dive into the threats it can and cannot address. By tying these mechanisms together, we show how to build a comprehensive authentication solution. Additionally, we discuss account recovery and biometric authentication methods.


This session is intended for anyone designing or implementing authentication for moderate- and high-risk applications.

Speakers

Jim Fenton

Internet Technologist, Altmode Networks


Tuesday February 19, 2019 14:00 - 15:30
West wing (room Lemaître)
 
Wednesday, February 20
 

11:00

The Android fingerprint subsystem
Fingerprint sensors on Android devices provide a significant usability benefit. However, they rely on many cooperating parts which, if implemented or used incorrectly, put the device user at risk.


Abstract
Many smartphones and computers today contain a fingerprint sensor. Fingerprints are convenient for quick authentication and authorization decisions. But what security properties do fingerprint mechanisms provide? Moreover, are implementations of this technology actually secure?

In this session, we look at research-based data on the Android Fingerprint mechanism. We report the results of reversing and testing actual implementations from device manufacturers. We compare those against a reference model to describe the security elements that a real implementation should meet. This threat model makes a distinction between a "normal world" and a "secure world". In practice, the former corresponds to apps, and the latter to Android system processes, such as the kernel and the Trusted Execution Environment. Finally, we look at actual attacks against these systems using real-world (anonymized) examples.


This session is intended for anyone using or assessing the use of fingerprints for authentication and/or authorization.

Speakers

Andrew Lee-Thorp

Principal consultant, Synopsys SIG


Wednesday February 20, 2019 11:00 - 12:30
West wing (room Lemaître)

14:00

API access control
In this opinionated live-coding session we show how to design and implement access control for APIs.


Abstract
In this opinionated live-coding session we show how to design and implement access control for APIs. API keys are an easy and commonly used technique. However, the security guarantees afforded are minimal. JSON Web Tokens (JWT) are much more granular and need not rely on shared keys. Since token validation and authorization logic are cross-cutting concerns typically requiring distinct skills, it is desirable to separate them from the business logic implementing resources to be accessed.

In this session, we implement the latter on a FaaS (Function as a Service) platform with an API Gateway acting as the guard, a.k.a. Policy Enforcement Point (PEP), in a serverless architecture. We illustrate the use of an OAuth authorization server in combination with JWTs to secure API access from a Single Page Application (SPA).


This session is intended for anyone building, designing, securing, or consuming remote APIs.

Speakers

Michael Boeynaems

Independent cyber security expert

Johan Peeters

Independent software architect


Wednesday February 20, 2019 14:00 - 15:30
West wing (room Lemaître)