Stop Blaming Your Users for Bad Passwords

Submitted by Scott Brady

Talk Abstract:

Users cannot secure your web applications through password choice alone. You cannot blame them for this; it is not their problem to solve. It is ours, as security professionals, identity professionals, and software developers.

Typical 2FA implementations such as TOTP and push notification have had some success, but they can be frustrating to use and are still vulnerable to basic phishing techniques. OWASP and NIST are now recommending FIDO2, which offers a realistic solution in the form of frictionless, possession-based authentication that has inbuilt anti-phishing techniques. But what does FIDO2 look like to a developer, and how does it actually work?

In this talk, I’m going to look at:

  • why common 2FA mechanisms aren’t up to scratch
  • how to phish your friends using Evilginx
  • spooky biometrics
  • how to use WebAuthn and FIDO2 to protect your users

About Scott Brady

Scott Brady is a software developer specializing in IdentityServer4 and all things Authentication, Identity, OAuth, and OpenID Connect. Scott spends his time helping customers implement Single Sign-On solutions, writing articles, and building IdentityServer components at Rock Solid Knowledge. In 2019 Scott spent his time building a FIDO2 server for ASP.NET Core and now has more security keys than he knows what to do with.