SecAppDev 2023 - Authentication

User authentication is a critical component in almost every application. In this workshop, we explore user authentication and investigate which mechanisms are available in modern applications, along with their security properties, pros, and cons. You will learn about state-of-the-art passwordless authentication mechanisms, including the Web Authentication API and the newly-introduced PassKey mechanism. Additionally, we explore multi-factor authentication mechanisms and their security properties.

This workshop consists of a mix between lectures, demos, interactive quizzes, and hands-on labs.

Learning goal: In-depth understanding of the security properties provided by modern authentication mechanisms, along with the technical knowledge to implement these mechanisms in modern web applications.

This session explains the principles of entity authentication, authenticated key establishment and Public Key Infrastructure. The lecture is illustrated with the protocols used in 3G, SSH, TLS, and Signal.

Key takeaway: This session will explain how entity authentication and authenticated key establishment protocols work and will help you to choose the right protocol

In this session, we start by threat modeling an authentication system. We analyze the risks of secret-based authentication and guide you in building usable password policies. We'll dive into the math, and investigate secure password storage.

Key takeaway: Analyze the security of user authentication, make the right trade-offs, and strengthen the security of password-based authentication