It Me: Under the Hood of Web Authentication | Robinson, Zhu

Garrett Robinson, Yan Zhu; It Me: Under the Hood of Web Authentication; At Some Conference; circa 2017-10; N slides.

Message

  1. Do not use (linear) string comparison, ever.
    Avoid: a == b
    Use: PRF(a) == PRF(b)
    where: Pseudo-Random Function PRF with HMACPRF
  2. Use U2F with Web Authentication
  3. 2FA is weakened by the Password Reset Flow
    • Uses SMTP to deliver secrets or capabilities.
    • SMTP is not encrypted.
    • SMTP’s STARTTLS is opportunistic and fails-open (fails to cleartext)

Mentions