It Me: Under the Hood of Web Authentication | Robinson, Zhu

Garrett Robinson, Yan Zhu; It Me: Under the Hood of Web Authentication; At Some Conference; circa 2017-10; N slides.

Message

  1. Do not use ordinary (early-exit) string comparison on secrets, ever.
    Avoid: a == b
    Use: PRF(a) == PRF(b)
    where: PRF is a keyed pseudo-random function such as HMAC under a server-side key, so the comparison's running time no longer reveals how many leading bytes of a guess were correct
  2. Use U2F with Web Authentication
  3. 2FA is weakened by the password reset flow
    • It uses SMTP (e-mail) to deliver secrets or capabilities such as reset tokens and links.
    • SMTP is not encrypted by default.
    • SMTP's STARTTLS is opportunistic and fails open: if the upgrade is not offered or is refused, delivery falls back to cleartext.
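A worked illustration of message 1, added here as an example and not code from the talk or its authors: an early-exit byte comparison leaks the length of the matching prefix (modelled below by counting compared bytes instead of measuring time), a simulated attacker recovers a token one byte at a time from that leak, and comparing HMAC digests (or using a constant-time compare) removes the leak. The key, token and alphabet are assumptions chosen so the block runs stand-alone.

```python
import hashlib
import hmac
import secrets

# Assumed server-side PRF key; a real deployment loads it from a secret
# store. It is generated at import time only so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)


def naive_equals(a: bytes, b: bytes) -> bool:
    """The comparison the talk warns against: returns as soon as one byte
    differs, so its running time grows with the matching prefix (and the
    length check leaks the secret's length as well)."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def naive_steps(a: bytes, b: bytes) -> int:
    """Number of equal byte pairs naive_equals() examines before its first
    mismatch. This stands in for a timing measurement of naive_equals()."""
    if len(a) != len(b):
        return 0
    matched = 0
    for x, y in zip(a, b):
        if x != y:
            break
        matched += 1
    return matched


def recover_by_prefix(secret: bytes, alphabet: bytes = b"0123456789abcdef") -> bytes:
    """Simulated attacker against naive_equals(): extend the guess one byte
    at a time, keeping the byte whose comparison runs longest. Assumes the
    secret's length is known and it is drawn from `alphabet`."""
    guess = b""
    for pos in range(len(secret)):
        best, best_steps = None, -1
        for c in alphabet:
            # Pad with NUL, which is outside the alphabet, so the padding
            # can never match a real byte of the secret by accident.
            candidate = guess + bytes([c]) + b"\0" * (len(secret) - pos - 1)
            steps = naive_steps(secret, candidate)
            if steps > best_steps:
                best, best_steps = c, steps
        guess += bytes([best])
    return guess


def prf(data: bytes, key: bytes = SERVER_KEY) -> bytes:
    """PRF(x) = HMAC-SHA256(key, x), the keyed PRF the talk suggests."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_equals(a: bytes, b: bytes) -> bool:
    """The talk's recommendation: compare PRF(a) == PRF(b). Even if the
    digest comparison short-circuits, an attacker without the key cannot
    choose which digest bytes differ, so the leaked prefix length says
    nothing about a. Both digests also have the same fixed length, so the
    length check leaks nothing either."""
    return prf(a) == prf(b)


def prf_steps(a: bytes, b: bytes) -> int:
    """Matching-prefix length the early-exit compare sees on the digests:
    32 for equal inputs, close to 0 for any other pair."""
    return naive_steps(prf(a), prf(b))


def constant_time_equals(a: bytes, b: bytes) -> bool:
    """The other fix, when a constant-time primitive is available: Python's
    hmac.compare_digest does not exit early on the first mismatch."""
    return hmac.compare_digest(a, b)
```

The attacker in `recover_by_prefix` needs the comparison against the real secret; against `prf_equals` the same strategy gets a prefix length that is unrelated to the guess, which is why the keyed PRF must stay server-side.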
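The fail-open behaviour in message 3, simulated as an added example (not material from the talk): an EHLO reply that advertises STARTTLS, the same reply with the extension stripped by an active attacker on the path, and a client policy function that either falls back to cleartext (opportunistic) or refuses to continue (mandatory TLS). The hostname, SIZE value and server replies are constructed for the example.

```python
from typing import Optional, Set

# Constructed EHLO replies (illustrative, not captured from a real server).
# A server that supports STARTTLS lists it among its EHLO extensions.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# What an attacker rewriting the unencrypted connection can present instead:
# the extension line is simply gone, so an opportunistic client never asks.
EHLO_STRIPPED = (
    "250-mail.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> Set[str]:
    """Return the extension keywords from an EHLO reply. RFC 5321 format:
    '250-' on continuation lines, '250 ' on the last line; the first line
    carries the server's domain rather than an extension."""
    lines = reply.rstrip("\r\n").split("\r\n")
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO was not accepted: %r" % reply)
    caps = set()
    for line in lines[1:]:
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("malformed EHLO line: %r" % line)
        words = line[4:].split()
        if not words:
            raise ValueError("empty EHLO extension line: %r" % line)
        caps.add(words[0].upper())
    return caps


def choose_transport(ehlo_reply: str, starttls_reply: Optional[str],
                     require_tls: bool) -> str:
    """Decide how the session continues: 'tls', 'cleartext' or 'abort'.

    starttls_reply is the server's answer to the STARTTLS command, or None
    when the client never sent one because STARTTLS was not advertised.
    require_tls=False reproduces the opportunistic, fail-open behaviour the
    talk criticises; require_tls=True is the fail-closed policy."""
    caps = parse_ehlo(ehlo_reply)
    if "STARTTLS" in caps and starttls_reply is not None:
        # RFC 3207: 220 means proceed with the TLS handshake; anything else
        # (454 temporary failure, 501 syntax error) means no TLS this session.
        if starttls_reply.startswith("220"):
            return "tls"
    if require_tls:
        return "abort"
    return "cleartext"
```

With `require_tls=False`, both a stripped EHLO and a refused STARTTLS end in cleartext, which is exactly the path a reset token travels when the flow fails open.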

Mentions

webappsec-test.info

http://webappsec-test.info/

This site hosts the development of the test suites for specifications under development in the W3C's Web Application Security Working Group
