ShmooCon - My Hash Is My Passport: Understanding Web and Mobile Authentication

Sun, Jan 17, 2016

- ∞ -

HashPassport-AuthMethods_ShmooCon_2016.pdf

I just finished presenting this at ShmooCon, and wanted to get the slides out quickly before it got shoved aside by the next crisis. :) I’ll replace this with a blog entry that’s actually useful later.

The short version is this:

I do a lot of application testing, for web and iOS / mobile apps
Many (most?) of those apps rely on some kind of authentcation to a back-end server
How that authentication is handled seems to be generally restricted to a handful of systems
It seemed to me that being able to understand how those systems work is important to being able to fully test such applications
So this talk explains how the systems work, what’s good, and bad, and why
There’s also a whitepaper (in final draft) that goes into even more detail and has extensive references. I’ll post that here as well when it’s released.

Here’s the abstract from the conference, which says all I just said but in fancier words:

The great thing about standards is there are so many to choose from. That’s especially true in the realm of web and mobile application authentication. From Base-64 to OAuth, there are nearly as many ways to send your password to a server as there are ways to store that password.

But how do these work? Is any one system better than another, and if so, why?

Application testers need to understand how an app authenticates, in order to properly assess risk. Developers need to be able to make good design decisions. And end users may wonder just how safe their password really is online.

This talk explains, with simple examples, how some of the most frequently-seen authentication systems work. It identifies the characteristics of an “ideal” authentication system, compares the common methods against that ideal, and demonstrates how to verify that they’ve been implemented correctly.

Finally, the talk will demonstrate a tool which can help make it easier to identify, test, and verify these systems.

I hope for this presentation, and the white paper (and eventually, a simple tool as well) to be a good introduction and even reference to how these systems work.

Thanks for everyone who came to see the talk!

Click here to download the slides.