It Me: Under the Hood of Web Authentication | Robinson, Zhu

Garrett Robinson, Yan Zhu; It Me: Under the Hood of Web Authentication; At Some Conference; circa 2017-10; N slides.

Message

  1. Do not use (linear) string comparison, ever.
    Avoid: a == b
    Use: PRF(a) == PRF(b)
    where: Pseudo-Random Function PRF with HMACPRF
  2. Use U2F with Web Authentication
  3. 2FA is weakened by the Password Reset Flow
    • Uses SMTP to deliver secrets or capabilities.
    • SMTP is not encrypted.
    • SMTP’s STARTTLS is opportunistic and fails-open (fails to cleartext)

Mentions

The power of two – All you need to know about two-factor authentication | Naked Security

Chester Wisniewski; The power of two – All you need to know about two-factor authentication; In Naked Security; 2014-01-31.