Overview
Syllabus
Intro
Servers suck at passwords: "Your password must satisfy the following rules"
Passwords are the least worst
Mitigations: password permutations; passwords whose characters are easier to type on mobile
Encourage strong passwords Provide strength feedback as the user types
Allow users to see their password
FIDO
UAF - Universal Authentication Framework
Registering: server Server generates a challenge
Registering: browser Javascript relays the challenge to the device
Registration: server Verify the response against the challenge
Authentication server Verify the password, then generate a challenge
Authentication: browser Javascript sends the challenge to the device
Authentication: verify the response
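The server side of the registration and authentication steps above, as an added stdlib-only example (not the talk's code). Assumptions: the authenticator's signature is modelled with an HMAC over a shared key so it runs without a crypto library (a real FIDO authenticator signs with a private key and the server stores the public key), and a 60-second challenge lifetime.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed policy)
PBKDF2_ROUNDS = 200_000


def sign(device_key, challenge):
    # Stand-in for the authenticator signing the challenge (assumption: HMAC,
    # where a real FIDO device would produce a public-key signature).
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


class Server:
    """Relying party: issues challenges, verifies responses, keeps credentials."""

    def __init__(self):
        self.users = {}       # username -> {"salt", "pw_hash", "device_key"}
        self.challenges = {}  # username -> (challenge, expiry)

    def add_user(self, user, password):
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user] = {"salt": salt, "pw_hash": pw_hash, "device_key": None}

    def new_challenge(self, user):
        # Fresh, unpredictable challenge; replaces any outstanding one.
        challenge = secrets.token_bytes(32)
        self.challenges[user] = (challenge, time.monotonic() + CHALLENGE_TTL)
        return challenge

    def _consume_challenge(self, user):
        # Single use and time-limited: a replayed response cannot verify twice.
        challenge, expiry = self.challenges.pop(user, (None, 0))
        return challenge if challenge is not None and time.monotonic() < expiry else None

    def register(self, user, device_key, response):
        # Registration: verify the response against the stored challenge, then keep the key.
        challenge = self._consume_challenge(user)
        if challenge is None or not hmac.compare_digest(response, sign(device_key, challenge)):
            return False
        self.users[user]["device_key"] = device_key
        return True

    def begin_authentication(self, user, password):
        # Verify the password first; only then hand out a challenge.
        rec = self.users.get(user)
        if rec is None:
            return None
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        return self.new_challenge(user) if hmac.compare_digest(pw_hash, rec["pw_hash"]) else None

    def finish_authentication(self, user, response):
        # Verify the device's response against the challenge issued to this user.
        challenge = self._consume_challenge(user)
        key = self.users.get(user, {}).get("device_key")
        return challenge is not None and key is not None and \
            hmac.compare_digest(response, sign(key, challenge))
```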
More info
Taught by
EuroPython Conference