OWASP Global AppSec DC 2019 Talk on WebAuthn
Excited to share that my colleague Murali and I gave a talk at the "OWASP Global AppSec DC 2019" security conference. The event was organized by the OWASP foundation and was held at Washington, D.C. between 9th-13th September.
Talk Title
Building Secure Password-less Web Applications using WebAuthn
Abstract
According to the 2017 Verizon Data Breach Investigation Report, 81% of breaches were caused by weak, stolen or reused passwords. But what if you NEVER had to deal with passwords in the first place? For the past several years, security experts across the industry have been working on a robust authentication protocol that does not involve passwords. The result is a specification called WebAuthn, which is now an official W3C web standard. With WebAuthn, developers can build secure web applications that enable users to experience password-less logins. In this session, we will explain how WebAuthn works and show how developers can leverage it.
Slides
Below are the slides of the talk
Demos
Below are 2 videos which capture 4 demos. We demonstrated these live during the talk
- Video 1: A custom ASP.NET core web app which leverages WebAuthn for registration & login. The web app uses FIDO2 .NET WebAuthn Library built by Anders Åberg and several community contributors. There are 3 demos in this video:
- Demo 1: Registration & Login
- Demo 2: User Verification
- Demo 3: Defense against Phishing
- Video 2: A custom ASP.NET core web app which integrates with Azure Active Directory (AAD). In this case AAD handles WebAuthn implementation details while the web app just federates with AAD for for authentication
Demos source code
The entire source code of the demos is available on GitHub. Check this repo.
Tweets
A few favorite tweets around the talk :)
Nice coincidence! Ordered @Yubico's yubikeys a coupe of days back and now @azuread announces #FIDO2 support. #WebAuthn FTW! https://t.co/2CWYubB6Ej
— Krishna Chaitanya T (@novogeek) July 11, 2019
@andersaberg I was playing around with the FIDO2 .Net library since the last few days. Nicely done! It would definitely benefit the community at large. Look forward to see more enhancements.. https://t.co/sL0uv1HEOw
— Krishna Chaitanya T (@novogeek) September 11, 2019
Excited to present at @owasp #GlobalAppSec today on #WebAuthn, along with @0xmurali. We have some cool demos too. The session is at 3.30 PM. Check out "Building Secure Password-less Web Applications using WebAuthn" https://t.co/8kQv2g8AzQ
— Krishna Chaitanya T (@novogeek) September 12, 2019
Great talk by @novogeek and @0xmurali! #GlobalAppsec @owasp pic.twitter.com/RtQmrwy2a0
— Rafael Dreher (@dreher) September 12, 2019
Is it possible to create a #WebApp that’s secure but doesn’t require a password? Yes! Krishna Chaitanya Telikicherla @novogeek and Murali Vadakke Puthanveetil @0xMurali demo their project during @owasp @GlobalAppSecDC 2019 pic.twitter.com/yOGY5dKh9O
— Edmond Momartin (@emomartin) September 12, 2019
Excellent presentation Krishna and Murali !!!
— Shyam Rayaprolu (@shyam_rayaprolu) September 12, 2019