SlideShare a Scribd company logo

Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security

Y
Yu-Shuan Hsieh

This document discusses improving web authentication security. It outlines problems with password-based authentication like weak passwords and storing passwords insecurely. It then describes multi-factor authentication methods like one-time passwords via text/email and FIDO2 standards. FIDO2 uses public/private key pairs during registration and login for stronger authentication compared to passwords and one-time codes. The document also notes challenges of adopting FIDO2 including both devices and browsers needing support.

Technology
1 of 45
Download to read offline
Improve Your Web Authentication Security Cherie Hsieh Chrome Dev Summit 2020 Extended
Experience in password-based Auth 1. Ensure passwords are "complex", i.e. P@ssw0rd1 2. Force users to change passwords regularly 3. Require new passwords not previously used by the user 4. Disable cut and paste 5. Use on-screen keyboard to enter your password https://web.stanford.edu/class/cs253/
Experience in password-based Auth 1. Ensure passwords are "complex", i.e. P@ssw0rd1 2. Force users to change passwords regularly 3. Require new passwords not previously used by the user 4. Disable cut and paste 5. Use on-screen keyboard to enter your password Bad user experience leads to a weak password. https://web.stanford.edu/class/cs253/
Src: https://xkcd.com/936/
Password lengths are significantly more important than password complexity requirements. https://docs.microsoft.com/en-us/archive/blogs/msftcam/password-complexity-versus-password-entropy
The problems of storing passwords
The problems of storing passwords Hash passwords?
The problems of storing passwords A whopping number (i.e., 59.18%) of CMS use default hashing schemes that can be highly parallelized with GPU hardware, making password guessing attacks easier.Indicatively, the popular CMS WordPress uses by default MD5. Computers & Security 2019 - Evaluation of password hashing schemes in open source web platforms
The problems of storing passwords user password cherie_1 e19d5cd5af0378da05f63f891c7467af cherie_2 a99442d2a736365f5fe637e299b0e339 Stolen database Password: abcd1234 MD5 hash: e19d5cd5af0378da05f63f891c7467af match Rainbow table attack
The problems of storing passwords In an offline guessing attack, the scenario is that an attacker has in his possession a database of users’ password hash values and he can attempt to crack each user’s password offline by comparing the hashes of likely password guesses with the stolen hash value. Computers & Security 2019 - Evaluation of password hashing schemes in open source web platforms
The problems of storing passwords Hash a password with a salt to prevent rainbow table attack Password: abcd1234 PBKDF2 hash: s9h1+QOYxB1xq8Qdg6emt/B4eotq5z8ZVet5GWeMVow= Salt: cherie_hsieh Password: abcd1234 PBKDF2 hash: ubZa7Z4mx4+hes/82kc7ipNUFVePT19El3A+x4VgCQE= Salt: cherie_hsieh_1
The problems of storing passwords NO DOT use a constant salt value user password cherie_1 s9h1+QOYxB1xq8Qdg6emt/B4eotq5z8ZVet5GWeMVow= cherie_2 s9h1+QOYxB1xq8Qdg6emt/B4eotq5z8ZVet5GWeMVow=
The problems of storing passwords How to store salt? user salt password cherie_1 cherie_hsieh s9h1+QOYxB1xq8Qdg6emt/B4eotq5z8ZVet5GWeMVow= cherie_2 cherie_hsieh_1 ubZa7Z4mx4+hes/82kc7ipNUFVePT19El3A+x4VgCQE= user Password + salt cherie_1 s9h1+QOYxB1xq8Qdg6emt/B4eotq5z8ZVet5GWeMVow= cherie_2 ubZa7Z4mx4+hes/82kc7ipNUFVePT19El3A+x4VgCQE=
The problems of storing passwords Add a pepper (secret salt) It is not stored alongside a password hash, but rather the pepper is kept separate in some other medium, such as a Hardware Security Module. https://en.wikipedia.org/wiki/Pepper_(cryptography)
The problems of storing passwords Add a pepper (secret salt) bcrypt(hash_hmac('sha256', password, pepper), salt); Hmac(hash-based message authentication code) a cryptographic hash function and a secret cryptographic key.
The practices for password-based Auth 1. Minimum password length should be at least 8 characters 2. Maximum password length should be at least 64 characters 3. Do not allow unlimited length, to prevent long password denial-of-service 4. Web applications SHOULD check passwords against known breach data. https://haveibeenpwned.com/ API
The practices for password-based Auth 1. The salt SHALL be at least 32 bits in length and be chosen arbitrarily 2. Use Bcrypt (with 13 cost factor) unless you have a good reason not to 3. Consider using a pepper to provide an additional layer of security 4. Do not include passwords in plaintext log files
The practices for password-based Auth Bcrypt increases the load on server resources. Benchmark testing: 1. HMAC using SHA-512 2. bcrypt(password) times/period time
The practices for password-based Auth https://web.dev/sign-in-form-best-practices/ https://web.dev/sign-up-form-best-practices/
The practices for password-based Auth Encourage/require use of Multi-Factor Authentication
Multi-Factor Authentication One-time password (OTP) authentication 1. Time-OTP 2. SMS-OTP Github example
TOTP Authentication Secret Key Time HASH function One-time password
TOTP Authentication GET /totp/register Client(mobile) STEP 1: Server generates a secret key Response Request otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example Type Label Params Session account secret Code: 200
TOTP Authentication STEP 2: Client stores the secret key and produces a passcode Storage account secret Generate a pass code Client(mobile) Scan the Qr code
TOTP Authentication STEP 3: Client sends the pass code to server Storage account secret Generate a pass code Request POST /totp/register Payload: pass code Session account secret Response Generate a pass code Equal Client(mobile)
TOTP Authentication STEP 4: Server stores the secret key Storage account secret Request POST /totp/register Payload: pass code Storage account secret ResponseResponse Code: 200 Client(mobile) Store the secret to database
SMS - OTP Authentication GET /motp/login Server generates an OTP and sends it to the client via SMS provider API Response Request Session account OTP Code: 200 SMS Provider Request a SMS send Response the result Send a SMS msg with OTP Client(mobile) Generates an OTP
SMS - OTP Authentication Validate the OTP sended from a client Request POST /motp/login Payload: OTP Session account OTP ResponseResponse Code: 200 Client(mobile)
SMS - OTP Authentication Your OTP is: 123456. @web-otp.glitch.me #12345 Domain OTP The Goals: 1. Eliminate the need to rely on heuristics for programmatic extraction of one-time codes from SMS messages. 2. Reliably associate one-time codes intended for use on a specific website with that site. https://github.com/wicg/sms-one-time-codes
SMS - OTP form best practices Web OTP API (Chrome 84) https://web.dev/sms-otp-form/ https://wicg.github.io/web-otp/
The security issues of TOTP 1. TOTP applications store the secret key using an insecure way. 2. Attackers can produce the same passcode if they get the shared secret key 3. The time sync problem between device and server https://www.usenix.org/system/files/soups2019-reese.pdf
The security issues of SMS - OTP 1. Phone numbers can be recycled and sometimes hijacked. 2. Mobile networks do not encrypt messages while in transit. 3. Attackers may also steal SMS codes through targeted phishing attacks. https://www.usenix.org/system/files/soups2019-reese.pdf Possible improvements 1. Generate an OTP with a registered Device ID (IMEI) 2. Form a new OTP combined with TOTP and SMS-OTP
A more secure solution for user login FIDO2 : WebAuthn & CTAP (U2F) (Client to Authenticator Protocol)(Fast IDentity Online)
FIDO 2 : WebAuthn & CTAP
FIDO 2 : WebAuthn & CTAP Try it! https://webauthn.io/
FIDO 2 : WebAuthn & CTAP Try it! https://webauthn.io/
FIDO 2 : WebAuthn & CTAP How it works (register) Authenticators Client Relying Party (Server) RequestNewCredential Challenge User Info RelyingParty ID(domain) Authenticator selector HTTPS protocol User Info RelyingParty ID CTAP protocol Pass the request to target authenticator(authenticator selector) via CTAP protocol 1 2 3
FIDO 2 : WebAuthn & CTAP How it works (register) Authenticators Client 4 Generate a new key pair & Credential ID HSM Software Key Generator Public Key Credential ID 5 or
FIDO 2 : WebAuthn & CTAP How it works (register) Authenticators Client Relying Party Challenge Public Key Credential ID 6 HTTPS protocol
FIDO 2 : WebAuthn & CTAP How it works (login) Authenticators Client Relying Party RequestCredential Challenge HTTPS protocol RelyingParty ID ClientDataHash CTAP protocol Pass the request to target authenticator via CTAP protocol 1 2 3
FIDO 2 : WebAuthn & CTAP How it works (login) Authenticators Client 4 Generate a signature With ClientDataHash and AuthenticatorData signed by private key AuthenticatorData Signature 5
FIDO 2 : WebAuthn & CTAP How it works (login) Authenticators Client Relying Party ClientData Challenge AuthenticatorData Signature 6 HTTPS protocol Validation
The challenges of FIDO 2 1. Both devices and browsers MUST support FIDO. 2. Hard to debug and testing ? Emulate Authenticators and Debug WebAuthn in Chrome DevTools
References 1. NIST SP 800-63 2. OWASP Password Storage Cheat Sheet 3. Stanford CS 253 Web Security 4. Web Authentication: An API for accessing Public Key Credentials
Thank you! Cherie Hsieh

Recommended

Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
Kirsten Hunter
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Jeremiah Grossman
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
Francois Marier
 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basic
MksYi
 
Citrix Internals: Tracing, Debugging & Troubleshooting
Citrix Internals: Tracing, Debugging & TroubleshootingCitrix Internals: Tracing, Debugging & Troubleshooting
Citrix Internals: Tracing, Debugging & Troubleshooting
Denis Gundarev
 
gofortution
gofortutiongofortution
gofortution
gofortution
 
HTTP Strict Transport Security (HSTS), English version
HTTP Strict Transport Security (HSTS), English versionHTTP Strict Transport Security (HSTS), English version
HTTP Strict Transport Security (HSTS), English version
Michal Špaček
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
Tony Amoyal
 

Recommended

Demystifying REST
Demystifying RESTDemystifying REST
Demystifying REST
Kirsten Hunter
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Jeremiah Grossman
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
Francois Marier
 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basic
MksYi
 
Citrix Internals: Tracing, Debugging & Troubleshooting
Citrix Internals: Tracing, Debugging & TroubleshootingCitrix Internals: Tracing, Debugging & Troubleshooting
Citrix Internals: Tracing, Debugging & Troubleshooting
Denis Gundarev
 
gofortution
gofortutiongofortution
gofortution
gofortution
 
HTTP Strict Transport Security (HSTS), English version
HTTP Strict Transport Security (HSTS), English versionHTTP Strict Transport Security (HSTS), English version
HTTP Strict Transport Security (HSTS), English version
Michal Špaček
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
Tony Amoyal
 
15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt
ssuserec53e73
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
Nicolas Blanco
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
leahculver
 
Sea surfing in asp.net mvc
Sea surfing in asp.net mvcSea surfing in asp.net mvc
Sea surfing in asp.net mvc
magda3695
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutions
Nick Owen
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
Bastian Hofmann
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE
 
HTTP fundamentals for developers
HTTP fundamentals for developersHTTP fundamentals for developers
HTTP fundamentals for developers
Mario Cardinal
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keith
m j
 
Easy logins for Ruby web applications
Easy logins for Ruby web applicationsEasy logins for Ruby web applications
Easy logins for Ruby web applications
Francois Marier
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
Vivastream
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
vivaqa
 
Serverless Authentication and Authorisation for Your APIs on AWS
Serverless Authentication and Authorisation for Your APIs on AWS Serverless Authentication and Authorisation for Your APIs on AWS
Serverless Authentication and Authorisation for Your APIs on AWS
Amazon Web Services
 
Altitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the EdgeAltitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the Edge
Fastly
 
Presentation (PPT)
Presentation (PPT)Presentation (PPT)
Presentation (PPT)
webhostingguy
 
HTTP
HTTPHTTP
HTTP
spacecharge
 
Pentest Expectations
Pentest ExpectationsPentest Expectations
Pentest Expectations
Ihor Uzhvenko
 
Smit WiFi_2
Smit WiFi_2Smit WiFi_2
Smit WiFi_2
mutew
 
Session management
Session management Session management
Session management
Dhruv Aggarwal
 
Passbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentPassbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managment
Thierry Gayet
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 

More Related Content

Similar to Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security

15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt
ssuserec53e73
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
Nicolas Blanco
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
leahculver
 
Sea surfing in asp.net mvc
Sea surfing in asp.net mvcSea surfing in asp.net mvc
Sea surfing in asp.net mvc
magda3695
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutions
Nick Owen
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
Bastian Hofmann
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE
 
HTTP fundamentals for developers
HTTP fundamentals for developersHTTP fundamentals for developers
HTTP fundamentals for developers
Mario Cardinal
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keith
m j
 
Easy logins for Ruby web applications
Easy logins for Ruby web applicationsEasy logins for Ruby web applications
Easy logins for Ruby web applications
Francois Marier
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
Vivastream
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
vivaqa
 
Serverless Authentication and Authorisation for Your APIs on AWS
Serverless Authentication and Authorisation for Your APIs on AWS Serverless Authentication and Authorisation for Your APIs on AWS
Serverless Authentication and Authorisation for Your APIs on AWS
Amazon Web Services
 
Altitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the EdgeAltitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the Edge
Fastly
 
Presentation (PPT)
Presentation (PPT)Presentation (PPT)
Presentation (PPT)
webhostingguy
 
HTTP
HTTPHTTP
HTTP
spacecharge
 
Pentest Expectations
Pentest ExpectationsPentest Expectations
Pentest Expectations
Ihor Uzhvenko
 
Smit WiFi_2
Smit WiFi_2Smit WiFi_2
Smit WiFi_2
mutew
 
Session management
Session management Session management
Session management
Dhruv Aggarwal
 
Passbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentPassbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managment
Thierry Gayet
 

Similar to Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security (20)

15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt15-auth-session-mgmt.ppt
15-auth-session-mgmt.ppt
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
Sea surfing in asp.net mvc
Sea surfing in asp.net mvcSea surfing in asp.net mvc
Sea surfing in asp.net mvc
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutions
 
The Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve itThe Identity Problem of the Web and how to solve it
The Identity Problem of the Web and how to solve it
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT Devices
 
HTTP fundamentals for developers
HTTP fundamentals for developersHTTP fundamentals for developers
HTTP fundamentals for developers
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keith
 
Easy logins for Ruby web applications
Easy logins for Ruby web applicationsEasy logins for Ruby web applications
Easy logins for Ruby web applications
 
Authorization with oAuth
Authorization with oAuthAuthorization with oAuth
Authorization with oAuth
 
O auth how_to
O auth how_toO auth how_to
O auth how_to
 
Serverless Authentication and Authorisation for Your APIs on AWS
Serverless Authentication and Authorisation for Your APIs on AWS Serverless Authentication and Authorisation for Your APIs on AWS
Serverless Authentication and Authorisation for Your APIs on AWS
 
Altitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the EdgeAltitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the Edge
 
Presentation (PPT)
Presentation (PPT)Presentation (PPT)
Presentation (PPT)
 
HTTP
HTTPHTTP
HTTP
 
Pentest Expectations
Pentest ExpectationsPentest Expectations
Pentest Expectations
 
Smit WiFi_2
Smit WiFi_2Smit WiFi_2
Smit WiFi_2
 
Session management
Session management Session management
Session management
 
Passbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managmentPassbolt Introduction and Usage for secret managment
Passbolt Introduction and Usage for secret managment
 

Recently uploaded

National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Zilliz
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 

Recently uploaded (20)

National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 

Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security

  • 1. Improve Your Web Authentication Security Cherie Hsieh Chrome Dev Summit 2020 Extended
  • 2. Experience in password-based Auth 1. Ensure passwords are "complex", i.e. P@ssw0rd1 2. Force users to change passwords regularly 3. Require new passwords not previously used by the user 4. Disable cut and paste 5. Use on-screen keyboard to enter your password https://web.stanford.edu/class/cs253/
  • 3. Experience in password-based Auth 1. Ensure passwords are "complex", i.e. P@ssw0rd1 2. Force users to change passwords regularly 3. Require new passwords not previously used by the user 4. Disable cut and paste 5. Use on-screen keyboard to enter your password Bad user experience leads to a weak password. https://web.stanford.edu/class/cs253/
  • 5. Password lengths are significantly more important than password complexity requirements. https://docs.microsoft.com/en-us/archive/blogs/msftcam/password-complexity-versus-password-entropy
  • 6. The problems of storing passwords
  • 7. The problems of storing passwords Hash passwords?
  • 8. The problems of storing passwords A whopping number (i.e., 59.18%) of CMS use default hashing schemes that can be highly parallelized with GPU hardware, making password guessing attacks easier.Indicatively, the popular CMS WordPress uses by default MD5. Computers & Security 2019 - Evaluation of password hashing schemes in open source web platforms
  • 9. The problems of storing passwords user password cherie_1 e19d5cd5af0378da05f63f891c7467af cherie_2 a99442d2a736365f5fe637e299b0e339 Stolen database Password: abcd1234 MD5 hash: e19d5cd5af0378da05f63f891c7467af match Rainbow table attack
  • 10. The problems of storing passwords In an offline guessing attack, the scenario is that an attacker has in his possession a database of users’ password hash values and he can attempt to crack each user’s password offline by comparing the hashes of likely password guesses with the stolen hash value. Computers & Security 2019 - Evaluation of password hashing schemes in open source web platforms
  • 11. The problems of storing passwords Hash a password with a salt to prevent rainbow table attack Password: abcd1234 PBKDF2 hash: s9h1+QOYxB1xq8Qdg6emt/B4eotq5z8ZVet5GWeMVow= Salt: cherie_hsieh Password: abcd1234 PBKDF2 hash: ubZa7Z4mx4+hes/82kc7ipNUFVePT19El3A+x4VgCQE= Salt: cherie_hsieh_1
  • 12. The problems of storing passwords NO DOT use a constant salt value user password cherie_1 s9h1+QOYxB1xq8Qdg6emt/B4eotq5z8ZVet5GWeMVow= cherie_2 s9h1+QOYxB1xq8Qdg6emt/B4eotq5z8ZVet5GWeMVow=
  • 13. The problems of storing passwords How to store salt? user salt password cherie_1 cherie_hsieh s9h1+QOYxB1xq8Qdg6emt/B4eotq5z8ZVet5GWeMVow= cherie_2 cherie_hsieh_1 ubZa7Z4mx4+hes/82kc7ipNUFVePT19El3A+x4VgCQE= user Password + salt cherie_1 s9h1+QOYxB1xq8Qdg6emt/B4eotq5z8ZVet5GWeMVow= cherie_2 ubZa7Z4mx4+hes/82kc7ipNUFVePT19El3A+x4VgCQE=
  • 14. The problems of storing passwords Add a pepper (secret salt) It is not stored alongside a password hash, but rather the pepper is kept separate in some other medium, such as a Hardware Security Module. https://en.wikipedia.org/wiki/Pepper_(cryptography)
  • 15. The problems of storing passwords Add a pepper (secret salt) bcrypt(hash_hmac('sha256', password, pepper), salt); Hmac(hash-based message authentication code) a cryptographic hash function and a secret cryptographic key.
  • 16. The practices for password-based Auth 1. Minimum password length should be at least 8 characters 2. Maximum password length should be at least 64 characters 3. Do not allow unlimited length, to prevent long password denial-of-service 4. Web applications SHOULD check passwords against known breach data. https://haveibeenpwned.com/ API
  • 17. The practices for password-based Auth 1. The salt SHALL be at least 32 bits in length and be chosen arbitrarily 2. Use Bcrypt (with 13 cost factor) unless you have a good reason not to 3. Consider using a pepper to provide an additional layer of security 4. Do not include passwords in plaintext log files
  • 18. The practices for password-based Auth Bcrypt increases the load on server resources. Benchmark testing: 1. HMAC using SHA-512 2. bcrypt(password) times/period time
  • 19. The practices for password-based Auth https://web.dev/sign-in-form-best-practices/ https://web.dev/sign-up-form-best-practices/
  • 20. The practices for password-based Auth Encourage/require use of Multi-Factor Authentication
  • 21. Multi-Factor Authentication One-time password (OTP) authentication 1. Time-OTP 2. SMS-OTP Github example
  • 22. TOTP Authentication Secret Key Time HASH function One-time password
  • 23. TOTP Authentication GET /totp/register Client(mobile) STEP 1: Server generates a secret key Response Request otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example Type Label Params Session account secret Code: 200
  • 24. TOTP Authentication STEP 2: Client stores the secret key and produces a passcode Storage account secret Generate a pass code Client(mobile) Scan the Qr code
  • 25. TOTP Authentication STEP 3: Client sends the pass code to server Storage account secret Generate a pass code Request POST /totp/register Payload: pass code Session account secret Response Generate a pass code Equal Client(mobile)
  • 26. TOTP Authentication STEP 4: Server stores the secret key Storage account secret Request POST /totp/register Payload: pass code Storage account secret ResponseResponse Code: 200 Client(mobile) Store the secret to database
  • 27. SMS - OTP Authentication GET /motp/login Server generates an OTP and sends it to the client via SMS provider API Response Request Session account OTP Code: 200 SMS Provider Request a SMS send Response the result Send a SMS msg with OTP Client(mobile) Generates an OTP
  • 28. SMS - OTP Authentication Validate the OTP sended from a client Request POST /motp/login Payload: OTP Session account OTP ResponseResponse Code: 200 Client(mobile)
  • 29. SMS - OTP Authentication Your OTP is: 123456. @web-otp.glitch.me #12345 Domain OTP The Goals: 1. Eliminate the need to rely on heuristics for programmatic extraction of one-time codes from SMS messages. 2. Reliably associate one-time codes intended for use on a specific website with that site. https://github.com/wicg/sms-one-time-codes
  • 30. SMS - OTP form best practices Web OTP API (Chrome 84) https://web.dev/sms-otp-form/ https://wicg.github.io/web-otp/
  • 31. The security issues of TOTP 1. TOTP applications store the secret key using an insecure way. 2. Attackers can produce the same passcode if they get the shared secret key 3. The time sync problem between device and server https://www.usenix.org/system/files/soups2019-reese.pdf
  • 32. The security issues of SMS - OTP 1. Phone numbers can be recycled and sometimes hijacked. 2. Mobile networks do not encrypt messages while in transit. 3. Attackers may also steal SMS codes through targeted phishing attacks. https://www.usenix.org/system/files/soups2019-reese.pdf Possible improvements 1. Generate an OTP with a registered Device ID (IMEI) 2. Form a new OTP combined with TOTP and SMS-OTP
  • 33. A more secure solution for user login FIDO2 : WebAuthn & CTAP (U2F) (Client to Authenticator Protocol)(Fast IDentity Online)
  • 34. FIDO 2 : WebAuthn & CTAP
  • 35. FIDO 2 : WebAuthn & CTAP Try it! https://webauthn.io/
  • 36. FIDO 2 : WebAuthn & CTAP Try it! https://webauthn.io/
  • 37. FIDO 2 : WebAuthn & CTAP How it works (register) Authenticators Client Relying Party (Server) RequestNewCredential Challenge User Info RelyingParty ID(domain) Authenticator selector HTTPS protocol User Info RelyingParty ID CTAP protocol Pass the request to target authenticator(authenticator selector) via CTAP protocol 1 2 3
  • 38. FIDO 2 : WebAuthn & CTAP How it works (register) Authenticators Client 4 Generate a new key pair & Credential ID HSM Software Key Generator Public Key Credential ID 5 or
  • 39. FIDO 2 : WebAuthn & CTAP How it works (register) Authenticators Client Relying Party Challenge Public Key Credential ID 6 HTTPS protocol
  • 40. FIDO 2 : WebAuthn & CTAP How it works (login) Authenticators Client Relying Party RequestCredential Challenge HTTPS protocol RelyingParty ID ClientDataHash CTAP protocol Pass the request to target authenticator via CTAP protocol 1 2 3
  • 41. FIDO 2 : WebAuthn & CTAP How it works (login) Authenticators Client 4 Generate a signature With ClientDataHash and AuthenticatorData signed by private key AuthenticatorData Signature 5
  • 42. FIDO 2 : WebAuthn & CTAP How it works (login) Authenticators Client Relying Party ClientData Challenge AuthenticatorData Signature 6 HTTPS protocol Validation
  • 43. The challenges of FIDO 2 1. Both devices and browsers MUST support FIDO. 2. Hard to debug and testing ? Emulate Authenticators and Debug WebAuthn in Chrome DevTools
  • 44. References 1. NIST SP 800-63 2. OWASP Password Storage Cheat Sheet 3. Stanford CS 253 Web Security 4. Web Authentication: An API for accessing Public Key Credentials