You Shall Not Password: Modern Authentication for Web Apps - Eli Holderness - NDC London 2022

4,467 views

NDC Conferences

A day ago

In the good old days, your users would log into a web app with a username and password. But now people expect an alphabet soup of SSO, 2FA, OAuth, OIDC, SAML, FIDO2, OTP... What do they all mean - and why do they matter? Why is central authentication useful? What does two-factor authentication really protect us from, and what's still wide open? Learn how to keep your users safe as we discuss the good, the bad and the ugly of modern authentication mechanisms for the Web.
This talk is aimed at anyone passingly familiar with web development, with an interest in security, or who simply wants to know what’s really going on when you ‘sign in with Google’.
Check out more of our featured speakers and talks at
www.ndcconfere...
ndclondon.com/

Comments: 10
@12q8 2 years ago
Oh, it's not even just relying on the telecom company's security. If someone has the ID for your SIM card, there are devices that can overwrite any SIM card with your ID without the telecom's knowledge.
@jcsantosbr 2 years ago
Great talk with clean information and explanations!
@12q8 2 years ago
We have something similar to the single sign-on at the place I work at. We use Jira and other similar platforms, but the way they make it work is basically having everything on-premise, maintained by the company, in a local network.
@capability-snob 2 years ago
Humans make poor containers for arbitrary byte strings. Here's hoping we can stop using identity in access control decisions at all. Object-capability theory, a model not unlike the "magic link" system described here, is already the way we build high assurance systems outside of the web and is easier to use too. Hopefully we can fix the last mile of browser support for capabilities in the coming years.
@phizc 2 years ago
Do I have to pay someone, e.g. Google, if I want to use OpenID Connect on a website or app? If so, what does it cost?
@joshuajones4482 2 years ago
Please do not hash passwords for storage by simply applying a cryptographic hashing function to the raw password string concatenated with a salt string, as that construction is vulnerable to a couple of different kinds of attacks. Also, definitely do not store the salt value along with the password hash as this allows malicious entities to take advantage of length extension attacks, rendering the salt effectively useless. Instead, you should use an HMAC and ensure that the key is not stored alongside the produced hash digest.
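On the password-storage question raised in this thread, here is an added example (not code from the talk or from any commenter) of the construction most defenders use today: a per-user random salt fed into a deliberately slow key-derivation function, PBKDF2-HMAC-SHA256, with verification done by a constant-time comparison. The iteration count and the `algorithm$iterations$salt$hash` record layout are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from base64 import b64decode, b64encode
from typing import Optional

# Assumed parameters for this example: a slow KDF with a high iteration count
# so that an offline guessing attack against a leaked database is expensive.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    A fresh random salt per user means identical passwords produce different
    records, so precomputed tables and cross-user matching do not work.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(
        [ALGORITHM, str(ITERATIONS), b64encode(salt).decode(), b64encode(digest).decode()]
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt, expected = b64decode(salt_b64), b64decode(digest_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: reject rather than raise
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("correct horse battery stapler", record))
```

Storing the salt and iteration count inside the record is what lets you raise the work factor later and rehash users transparently on their next successful login.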
@kibe2134 2 years ago
The way you say "stuff" scares me a bit.
@12q8 2 years ago
What about a synced password manager? Something synced on my PC and whatever other devices I have?
@andrewreiser3584 2 years ago
This was a pretty poor talk. Just vague descriptions of stuff. Who was this for, anyway? Project managers and business analysts? Certainly not devs.
@12q8 2 years ago
This is great, but seems rudimentary. I wonder if perhaps there is a way to make this as seamless as possible in the future.