Overview
Explore the future of web authentication in this 49-minute conference talk from ShowMeCon 2019. Delve into the weaknesses of traditional password systems and see how the U2F, FIDO2, and WebAuthn standards address them. Learn what makes the web a uniquely hard place to authenticate users and what goals a better authentication system should meet. Examine whether FIDO can really be a password killer, and how authentication works beyond the webpage itself. Gain insights into preventing phishing, precomputation, and relay attacks, including what a challenge message must contain and how the authenticator is configured and attacked. Analyze the choice of algorithms, other password operations, and the process of changing passwords. Critically assess the advantages, disadvantages, and potential pitfalls of the new authentication methods, concluding with a discussion of the way forward for modern web security.
Syllabus
Intro
U2F, FIDO2 and Webauthn
FIDO - Password Killer?
The Web Doesn't Password Good
A Unique Security Problem
Goals
Designing a Better Authentication System
Authentication Outside of the Webpage
Summary
Phishing and Precomputation Attacks
Preventing Relay Attacks
Challenge Message Contents
Configuring and Attacking the Authenticator
Choice of Algorithms
Other Password Operations
Change Password
The Bad
The Ugly
The Way Forward