AppSec Europe 2016 has ended
Wednesday, June 29 • 09:00 - 17:00
Day 1/1 - How to FIDO-enable your web-application for Strong-Authentication


Authenticating users with a userid and password is simple, easy and well understood. It is also notoriously vulnerable to attack. Most authentication schemes in use today, such as passwords, OTP, KBA and biometrics, have a fundamental flaw in their paradigm: shared secrets. As long as the user and the server share a secret to authenticate the user, both the user and the application are vulnerable to password breaches and phishing attacks. The FIDO Alliance, a consortium of 250 companies worldwide, has been attempting to address the password problem for the last two years and has created the Universal 2nd Factor (U2F) protocol. Specifically designed for human authentication to web applications, its goals were to eliminate password-based authentication and phishing attacks by using asymmetric-key cryptography coupled with hardware-based authenticators simple enough for consumers to use. A web application that takes advantage of the U2F protocol and its Authenticators and Servers can protect itself from the attacks mentioned above. This training session will cover the following:
  • An overview of the FIDO Alliance, its mission and protocols;
  • The differences between the U2F, UAF and FIDO 2.0 protocols;
  • The differences between FIDO and PKI;
  • An in-depth presentation of the FIDO U2F protocol and its mechanics;
  • A step-by-step tutorial on how to FIDO-enable a simple web application using the simplest of the three protocols: U2F;
  • A discussion of issues related to FIDO-enablement: application design, performance, security, supporting users without FIDO Authenticators, dealing with lost or stolen Authenticators, etc.
All attendees of this session will be given a FIDO Certified U2F Authenticator as part of the training session. The course will be based on the use of a FIDO Certified open-source U2F server, and other open-source tools.

Some FIDO-related information from the author of this training:


Arshad Noor

CTO, StrongAuth, Inc.
Arshad Noor is CTO of StrongAuth, Inc., a Silicon Valley company that has been building open-source data-protection solutions for 14 years. With over 29 years in the IT industry, he has developed applications, managed systems and defined architecture for some of the world's largest...

Bramante 10
