SecAppDev 2023 - Authentication
Designing and building secure user authentication mechanisms
One-day workshop by Philippe De Ryck in room West Wing
Thursday June 15th, 09:00 - 17:30
User authentication is a critical component in almost every application. In this workshop, we explore user authentication and investigate which mechanisms are available in modern applications, along with their security properties, pros, and cons. You will learn about state-of-the-art passwordless authentication mechanisms, including the Web Authentication API and the newly introduced PassKey mechanism. Additionally, we explore multi-factor authentication mechanisms and their security properties.
This workshop consists of a mix of lectures, demos, interactive quizzes, and hands-on labs.
Learning goal: In-depth understanding of the security properties provided by modern authentication mechanisms, along with the technical knowledge to implement these mechanisms in modern web applications.
Entity authentication and key establishment
Deep-dive lecture by Bart Preneel in room Lemaire
Wednesday June 14th, 11:00 - 12:30
This session explains the principles of entity authentication, authenticated key establishment and Public Key Infrastructure. The lecture is illustrated with the protocols used in 3G, SSH, TLS, and Signal.
Key takeaway: This session will explain how entity authentication and authenticated key establishment protocols work and will help you to choose the right protocol.
Analysis of authentication: deciding on "good enough"
Deep-dive lecture by Avi Douglen in room West Wing
Tuesday June 13th, 09:00 - 10:30
In this session, we start by threat modeling an authentication system. We analyze the risks of secret-based authentication and guide you in building usable password policies. We'll dive into the math, and investigate secure password storage.
Key takeaway: Analyze the security of user authentication, make the right trade-offs, and strengthen the security of password-based authentication.