OWASP Global AppSec DC 2019 Talk on WebAuthn

Talks Sep 14, 2019

Excited to share that my colleague Murali and I gave a talk at the "OWASP Global AppSec DC 2019" security conference. The event was organized by the OWASP foundation and was held at Washington, D.C. between 9th-13th September.

Talk Title

Building Secure Password-less Web Applications using WebAuthn


According to the 2017 Verizon Data Breach Investigation Report, 81% of breaches were caused by weak, stolen or reused passwords. But what if you NEVER had to deal with passwords in the first place? For the past several years, security experts across the industry have been working on a robust authentication protocol that does not involve passwords. The result is a specification called WebAuthn, which is now an official W3C web standard. With WebAuthn, developers can build secure web applications that enable users to experience password-less logins. In this session, we will explain how WebAuthn works and show how developers can leverage it.


Below are the slides of the talk


Below are 2 videos which capture 4 demos. We demonstrated these live during the talk

  • Video 1: A custom ASP.NET core web app which leverages WebAuthn for registration & login. The web app uses FIDO2 .NET WebAuthn Library built by Anders Åberg and several community contributors. There are 3 demos in this video:
    • Demo 1: Registration & Login
    • Demo 2: User Verification
    • Demo 3: Defense against Phishing
  • Video 2: A custom ASP.NET core web app which integrates with Azure Active Directory (AAD). In this case AAD handles WebAuthn implementation details while the web app just federates with AAD for for authentication

Demos source code

The entire source code of the demos is available on GitHub. Check this repo.


A few favorite tweets around the talk :)