"Stealth" Authentication - how to not leak information to hackers in web application authentication

Presented at AppSecCali 2017 by

Web application authentication systems often leak valuable information to attackers unnecessarily, enabling user enumeration, denial of service and attacks on individual authentication factors. The talk shows where this information is leaked and how the leaks can be prevented. It then presents a simple and effective way of preventing denial of service attacks that abuse account locking. Using real-world examples, it introduces the term "side-channel-safe" second factor and shows how this property influences the security of the overall authentication scheme. The talk closes with usability considerations and the features a well-designed "stealth authentication system" should provide.
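The user-enumeration leak mentioned above typically comes from two places in a login handler: a failure message that differs between "unknown user" and "wrong password", and an early return that skips the password hash for unknown users, so the response time itself reveals whether the account exists. The following is an added illustration, not material from the talk: a leaky handler beside a "stealth" one that always returns the same failure message, always performs the same hashing work (against a dummy credential when the user does not exist), and compares digests in constant time. The user store, the PBKDF2 parameters and the function names are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000  # PBKDF2 work factor (constructed value for the example)
HASH_CALLS = 0       # counts password-hash invocations, to make "same work" observable


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash; counts calls so the two handlers can be compared."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str):
    salt = os.urandom(16)
    return (salt, hash_password(password, salt))


# Constructed sample user store: username -> (salt, hash).
USERS = {
    "alice": make_user("correct horse battery staple"),
}

# Dummy credential: lets the hardened path hash for unknown users too, so
# response time does not reveal whether the username exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """Leaks account existence through the message and through timing."""
    record = USERS.get(username)
    if record is None:
        return (False, "unknown user")           # distinct message, no hashing
    salt, stored = record
    if hash_password(password, salt) == stored:  # non-constant-time comparison
        return (True, "ok")
    return (False, "wrong password")


def login_stealth(username: str, password: str):
    """Same message and same hashing work whether or not the user exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)    # always performed
    matched = hmac.compare_digest(candidate, stored)
    ok = matched and username in USERS           # dummy credential can never log in
    return (ok, "ok" if ok else "invalid username or password")


def hash_calls_for(login_fn, username: str, password: str) -> int:
    """How many password hashes a handler computes for one attempt."""
    before = HASH_CALLS
    login_fn(username, password)
    return HASH_CALLS - before


if __name__ == "__main__":
    for fn in (login_leaky, login_stealth):
        print(fn.__name__, fn("bob", "x"), fn("alice", "x"),
              "hashes for unknown user:", hash_calls_for(fn, "bob", "x"))
```

The same principle carries over to registration and password-reset endpoints: respond identically for existing and non-existing accounts, and do the expensive work on both paths. Note that a generic message alone is not enough if the code still short-circuits on an unknown user.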