SlideShare una empresa de Scribd logo

Authentication without Authentication - AppSec California

Descargar como PPTX, PDF
Soluto
Soluto

Authentication is important, but how do you authenticate when user interaction is not an option? For example, an IoT app without a user interface. We need to authenticate the app ― without any predefined credentials. But how?

Tecnología
1 de 66
Authentication Without Authentication AppSec California 2018 @omerlh
We help people get the most out of their technology
“Logins are tricky. They account for a significant amount of drop-off in app usage, losing up to 56% of users, but are pretty much essential for the majority of apps out there today...” Source: Optimizely
What will you choose? Security or usability? Source: The Matrix
Why not both?
Source: Pinterest
Source: https://www.engadget.com/2016/01/08/samsung-family-hub-smart-fridge-hands-on/
Source: https://turcomusa.com/turcom-smart-home-camera-kit-with-motion-sensor-door-sensor-and-alarm-key-fob.html
User authentication/authorization ● User credentials ● User name ● Group ● Role ● Etc.
Device authentication/authorization ● Credentials? ● Identifier? ● No user information
Building blocks ● OpenID connect ● Digital signature ● One time password
Goals ● Authentication/authorization standard ● End user identity validation ● End user profile information ● RFC
Can we eliminate the end user?
Supported authentication flows Authorization/implicit/hybrid Client credentials Resource owner
We need a new authentication flow
Requirements  Strong authentication solution  Unique device identification  Simple  Unique per request  Replay attacks  Fault tolerant
Potential threats  Stolen/compromised device:  Existing OS protections  Man-in-the-middle  HTTPS (TLS)  Certificate pinning Temporary device access Reverse engineering/code tampering Sensitive data exposure (server side)
Digital signature
Why digital signature? ●Wide spread ●Existing implementations
High-level design ●One-time registration ●Authentication request
Registration request 1 2 3 4 5
Authentication request 1 2 3 4 5
So far we have:  Strong authentication solution  Unique device identification  Simple  Unique per request  Fault tolerant
Potential threats  Stolen/compromised device:  Existing OS protections  Man-in-the-middle  HTTPS (TLS)  Certificate pinning Temporary device access Reverse engineering/code tampering  Sensitive data exposure (server side)
One time password
Reminder: Authentication request
Device Authentication API Old 5 New 2 Old 5 New 2 Old 2 New 42 Old 5 New 2 Old 2 New 42 Token Authentication request
So far we have…  Strong authentication solution  Unique device identification  Simple  Unique per request Fault tolerant
Potential threats  Stolen/compromised device:  Existing OS protections  Man-in-the-middle  HTTPS (TLS)  Certificate pinning Temporary device access  Reverse engineering/code tampering  Sensitive data exposure (server side)
Questions?
Fault tolerance
Network requests can fail ● Reasons ○ Timeout ○ Network failure ○ Temporary server errors ● Unknown server state ○ State did not change ○ State did change
Case A: Server state did not change
Case B: Server state did change
Case B: Server state did change
So far we have…  Strong authentication solution  Unique device identification  Simple  Unique per request  Fault tolerant
Mitigating temporary access threats
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
OpenId --- Digital Signature --- One Time Password --- Demo --- Edges Cases
Potential threats  Stolen/compromised device:  Existing OS protections  Man-in-the-middle  HTTPS (TLS)  Certificate pinning  Temporary device access  Reverse engineering/code tampering  Sensitive data exposure (server side)
Questions?
Demo time
Very-Cool-IoT-Project ● Show device’s nickname ● Highly sensitive ● Only the device can see it’s name
1 2 3 4
How does authorization work?
eyJhbGciOiJSUzI1NiIsImtpZCI6IjI5N2ZhMDhiNmY5YzlhN2NhZj M2YWRkZTRlOWQ3ZDQ5IiwidHlwIjoiSldUIn0.eyJuYmYiOjE1M TQ4OTgzODgsImV4cCI6MTUxNDkwMTk4OCwiaXNzIjoiaHR0c DovL2F1dGhvcml6YXRpb24tc2VydmVyIiwiYXVkIjpbImh0dHA6 Ly9hdXRob3JpemF0aW9uLXNlcnZlci9yZXNvdXJjZXMiLCJzZW 5zaXRpdmUucmVhZCJdLCJjbGllbnRfaWQiOiJydWJ5Iiwic3ViIj oiNTc2NjYiLCJhdXRoX3RpbWUiOjE1MTQ4OTgzODgsImlkcCI 6ImxvY2FsIiwic2NvcGUiOlsic2Vuc2l0aXZlLnJlYWQiXSwiYW1y IjpbInB3ZCJdfQ.eW_OreVsqHAzGs3DARVBAQowr7gn71ScOr zikdhw5_G_EHnSPN7fqjh4mp4FZOZZhx476H8oZtGBEQUf6W w6ZM824rm8d7IZQF3dE308tIa3VgbC0h1MpQilVf7xBZG5Cpt7 FWlkSIr5Dc9ihcOQivne4EWy- M6a8GZGIpDcSKtQ99uuMk5bBi- HlHx53m5llygxuUbKRTJvOsPG4cpB6CyC4J3MGT0hzmWTru2 IFRhIh6B1hiaUXp7z6mCULeGwRu64X31DGqGIFTdZQpkAb5E VF45gLcvwXVmouPsaiXNiJiMUD_38Vho4iIbn9zl87FQjdvRAJ1 JyFoGS1mMjCQ Let’s look at the token… https://jwt.io
Technology
Let’s see it in action... All the code is available on GitHub
Let’s test authorization…
Questions?
Acknowledgments The information in this presentation is based on my work at Soluto by Asurion, and I'd to thank the whole company for being awesome. I'd also like to give a special thanks to the following colleagues for their help: ● Oded Welgreen ● Asaf Kotzer ● Mark Geeslin ● Guy Segal ● Michael Kruglos
How can you use it? @omerlh
Feedback is much appreciated!
Responsible disclosure security@soluto.com @omerlh S/MIME certificate
What will you choose? Security or usability
Thank you! @omerlh @SolutoEng

Recomendados

Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Ali Raw
 
Toward Better Password Requirements
Toward Better Password RequirementsToward Better Password Requirements
Toward Better Password RequirementsJim Fenton
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentestOWASP
 
Owasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdOwasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdPawel Rzepa
 
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...QAFest
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security TestingBlueinfy Solutions
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tPriyanka Aash
 
Automation In Android & iOS Application Review
Automation In Android & iOS Application Review�Automation In Android & iOS Application Review�
Automation In Android & iOS Application ReviewBlueinfy Solutions
 

Recomendados

Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Ali Raw
 
Toward Better Password Requirements
Toward Better Password RequirementsToward Better Password Requirements
Toward Better Password RequirementsJim Fenton
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentestOWASP
 
Owasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdOwasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdPawel Rzepa
 
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...QAFest
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security TestingBlueinfy Solutions
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tPriyanka Aash
 
Automation In Android & iOS Application Review
Automation In Android & iOS Application Review�Automation In Android & iOS Application Review�
Automation In Android & iOS Application ReviewBlueinfy Solutions
 
Applying Security Controls on REST APIs
Applying Security Controls on REST APIsApplying Security Controls on REST APIs
Applying Security Controls on REST APIsErick Belluci Tedeschi
 
Android attacks
Android attacksAndroid attacks
Android attacksBlueinfy Solutions
 
[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilitiesOWASP
 
Security hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceSecurity hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceTjylen Veselyj
 
Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and TestingBlueinfy Solutions
 
A Modern View of Smart Cards Security
A Modern View of Smart Cards SecurityA Modern View of Smart Cards Security
A Modern View of Smart Cards SecurityIlia Levin
 
Password management
Password managementPassword management
Password managementPortalGuard dba PistolStar, Inc.
 
Defcon 22-nir-valtman-a-journey-to-protect-pos
Defcon 22-nir-valtman-a-journey-to-protect-posDefcon 22-nir-valtman-a-journey-to-protect-pos
Defcon 22-nir-valtman-a-journey-to-protect-posPriyanka Aash
 
Two Factor Authentication and You
Two Factor Authentication and YouTwo Factor Authentication and You
Two Factor Authentication and YouChris Stone
 
Mobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksMobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksSantosh Satam
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016SecuRing
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
SecureOTP: Total One-Time-Password Solution
SecureOTP: Total One-Time-Password SolutionSecureOTP: Total One-Time-Password Solution
SecureOTP: Total One-Time-Password SolutionRafidah Ariffin
 
Fido U2F Protocol by Ather Ali
Fido U2F Protocol by Ather Ali Fido U2F Protocol by Ather Ali
Fido U2F Protocol by Ather Ali OWASP Delhi
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free softwareGiuseppe Paterno'
 
Graphical Password Authentication
Graphical Password AuthenticationGraphical Password Authentication
Graphical Password AuthenticationShobha Rani
 
[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security[OPD 2019] .NET Core Security
[OPD 2019] .NET Core SecurityOWASP
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methodslapao2014
 
Authentication without Authentication - Peerlyst meetup
Authentication without Authentication - Peerlyst meetupAuthentication without Authentication - Peerlyst meetup
Authentication without Authentication - Peerlyst meetupSoluto
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA Ping Identity
 

Más contenido relacionado

La actualidad más candente

Applying Security Controls on REST APIs
Applying Security Controls on REST APIsApplying Security Controls on REST APIs
Applying Security Controls on REST APIsErick Belluci Tedeschi
 
[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilitiesOWASP
 
Security hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceSecurity hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceTjylen Veselyj
 
Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and TestingBlueinfy Solutions
 
A Modern View of Smart Cards Security
A Modern View of Smart Cards SecurityA Modern View of Smart Cards Security
A Modern View of Smart Cards SecurityIlia Levin
 
Defcon 22-nir-valtman-a-journey-to-protect-pos
Defcon 22-nir-valtman-a-journey-to-protect-posDefcon 22-nir-valtman-a-journey-to-protect-pos
Defcon 22-nir-valtman-a-journey-to-protect-posPriyanka Aash
 
Two Factor Authentication and You
Two Factor Authentication and YouTwo Factor Authentication and You
Two Factor Authentication and YouChris Stone
 
Mobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksMobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksSantosh Satam
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016SecuRing
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
SecureOTP: Total One-Time-Password Solution
SecureOTP: Total One-Time-Password SolutionSecureOTP: Total One-Time-Password Solution
SecureOTP: Total One-Time-Password SolutionRafidah Ariffin
 
Fido U2F Protocol by Ather Ali
Fido U2F Protocol by Ather Ali Fido U2F Protocol by Ather Ali
Fido U2F Protocol by Ather Ali OWASP Delhi
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free softwareGiuseppe Paterno'
 
Graphical Password Authentication
Graphical Password AuthenticationGraphical Password Authentication
Graphical Password AuthenticationShobha Rani
 
[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security[OPD 2019] .NET Core Security
[OPD 2019] .NET Core SecurityOWASP
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methodslapao2014
 

La actualidad más candente (20)

Applying Security Controls on REST APIs
Applying Security Controls on REST APIsApplying Security Controls on REST APIs
Applying Security Controls on REST APIs
 
Android attacks
Android attacksAndroid attacks
Android attacks
 
[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities
 
Security hole #5 application security science or quality assurance
Security hole #5 application security science or quality assuranceSecurity hole #5 application security science or quality assurance
Security hole #5 application security science or quality assurance
 
Mobile Application Scan and Testing
Mobile Application Scan and TestingMobile Application Scan and Testing
Mobile Application Scan and Testing
 
A Modern View of Smart Cards Security
A Modern View of Smart Cards SecurityA Modern View of Smart Cards Security
A Modern View of Smart Cards Security
 
Password management
Password managementPassword management
Password management
 
Defcon 22-nir-valtman-a-journey-to-protect-pos
Defcon 22-nir-valtman-a-journey-to-protect-posDefcon 22-nir-valtman-a-journey-to-protect-pos
Defcon 22-nir-valtman-a-journey-to-protect-pos
 
Two Factor Authentication and You
Two Factor Authentication and YouTwo Factor Authentication and You
Two Factor Authentication and You
 
Mobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksMobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 Risks
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
SecureOTP: Total One-Time-Password Solution
SecureOTP: Total One-Time-Password SolutionSecureOTP: Total One-Time-Password Solution
SecureOTP: Total One-Time-Password Solution
 
Fido U2F Protocol by Ather Ali
Fido U2F Protocol by Ather Ali Fido U2F Protocol by Ather Ali
Fido U2F Protocol by Ather Ali
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free software
 
Graphical Password Authentication
Graphical Password AuthenticationGraphical Password Authentication
Graphical Password Authentication
 
[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security[OPD 2019] .NET Core Security
[OPD 2019] .NET Core Security
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methods
 

Similar a Authentication without Authentication - AppSec California

Authentication without Authentication - Peerlyst meetup
Authentication without Authentication - Peerlyst meetupAuthentication without Authentication - Peerlyst meetup
Authentication without Authentication - Peerlyst meetupSoluto
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA Ping Identity
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)Artur Barseghyan
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsGeorge Fletcher
 
CIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open StandardsCIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open StandardsCloudIDSummit
 
Authentication Without Authentication
Authentication Without AuthenticationAuthentication Without Authentication
Authentication Without AuthenticationSoluto
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataPrecisely
 
How to 2FA-enable Open Source Applications
How to 2FA-enable Open Source ApplicationsHow to 2FA-enable Open Source Applications
How to 2FA-enable Open Source ApplicationsAll Things Open
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataPrecisely
 
Google FIDO Authentication Case Study
Google FIDO Authentication Case StudyGoogle FIDO Authentication Case Study
Google FIDO Authentication Case StudyFIDO Alliance
 
[4developers2016] - Security in the era of modern applications and services (...
[4developers2016] - Security in the era of modern applications and services (...[4developers2016] - Security in the era of modern applications and services (...
[4developers2016] - Security in the era of modern applications and services (...PROIDEA
 
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2
 
CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCloudIDSummit
 
Why Two-Factor Isn't Enough
Why Two-Factor Isn't EnoughWhy Two-Factor Isn't Enough
Why Two-Factor Isn't EnoughSecureAuth
 
Troubles with Large Identity Providers.pptx
Troubles with Large Identity Providers.pptxTroubles with Large Identity Providers.pptx
Troubles with Large Identity Providers.pptxYury Leonychev
 
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsHow to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsMaxim Salnikov
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...PROIDEA
 
Google Case Study - Towards simpler, stronger authentication
Google Case Study - Towards simpler, stronger authenticationGoogle Case Study - Towards simpler, stronger authentication
Google Case Study - Towards simpler, stronger authenticationFIDO Alliance
 
Implementing the 5 Pillars of IT Security for MQTT
Implementing the 5 Pillars of IT Security for MQTTImplementing the 5 Pillars of IT Security for MQTT
Implementing the 5 Pillars of IT Security for MQTTHiveMQ
 

Similar a Authentication without Authentication - AppSec California (20)

Authentication without Authentication - Peerlyst meetup
Authentication without Authentication - Peerlyst meetupAuthentication without Authentication - Peerlyst meetup
Authentication without Authentication - Peerlyst meetup
 
You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA You Can't Spell Enterprise Security without MFA
You Can't Spell Enterprise Security without MFA
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT Security
 
Internet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open StandardsInternet of Things: Identity & Security with Open Standards
Internet of Things: Identity & Security with Open Standards
 
CIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open StandardsCIS14: Securing the Internet of Things with Open Standards
CIS14: Securing the Internet of Things with Open Standards
 
Authentication Without Authentication
Authentication Without AuthenticationAuthentication Without Authentication
Authentication Without Authentication
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
How to 2FA-enable Open Source Applications
How to 2FA-enable Open Source ApplicationsHow to 2FA-enable Open Source Applications
How to 2FA-enable Open Source Applications
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Google FIDO Authentication Case Study
Google FIDO Authentication Case StudyGoogle FIDO Authentication Case Study
Google FIDO Authentication Case Study
 
[4developers2016] - Security in the era of modern applications and services (...
[4developers2016] - Security in the era of modern applications and services (...[4developers2016] - Security in the era of modern applications and services (...
[4developers2016] - Security in the era of modern applications and services (...
 
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
 
CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the Enterprise
 
Why Two-Factor Isn't Enough
Why Two-Factor Isn't EnoughWhy Two-Factor Isn't Enough
Why Two-Factor Isn't Enough
 
Troubles with Large Identity Providers.pptx
Troubles with Large Identity Providers.pptxTroubles with Large Identity Providers.pptx
Troubles with Large Identity Providers.pptx
 
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsHow to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...
 
Google Case Study - Towards simpler, stronger authentication
Google Case Study - Towards simpler, stronger authenticationGoogle Case Study - Towards simpler, stronger authentication
Google Case Study - Towards simpler, stronger authentication
 
Implementing the 5 Pillars of IT Security for MQTT
Implementing the 5 Pillars of IT Security for MQTTImplementing the 5 Pillars of IT Security for MQTT
Implementing the 5 Pillars of IT Security for MQTT
 

Más de Soluto

Solving trust issues at scale - AppSec California
Solving trust issues at scale - AppSec CaliforniaSolving trust issues at scale - AppSec California
Solving trust issues at scale - AppSec CaliforniaSoluto
 
Solving trust issues at scale
Solving trust issues at scaleSolving trust issues at scale
Solving trust issues at scaleSoluto
 
Things I wish someone had told me about Istio, Omer Levi Hevroni
Things I wish someone had told me about Istio, Omer Levi HevroniThings I wish someone had told me about Istio, Omer Levi Hevroni
Things I wish someone had told me about Istio, Omer Levi HevroniSoluto
 
Can Kubernetes Keep a Secret? - Women in AppSec Webinar
Can Kubernetes Keep a Secret? - Women in AppSec WebinarCan Kubernetes Keep a Secret? - Women in AppSec Webinar
Can Kubernetes Keep a Secret? - Women in AppSec WebinarSoluto
 
FTRD - Can Kubernetes Keep a Secret?
FTRD - Can Kubernetes Keep a Secret?FTRD - Can Kubernetes Keep a Secret?
FTRD - Can Kubernetes Keep a Secret?Soluto
 
The Dark Side of Monitoring
The Dark Side of MonitoringThe Dark Side of Monitoring
The Dark Side of MonitoringSoluto
 
Hacking like a FED
Hacking like a FEDHacking like a FED
Hacking like a FEDSoluto
 
Monitoria@Icinga camp berlin
Monitoria@Icinga camp berlinMonitoria@Icinga camp berlin
Monitoria@Icinga camp berlinSoluto
 
Can Kubernetes Keep a Secret?
Can Kubernetes Keep a Secret?Can Kubernetes Keep a Secret?
Can Kubernetes Keep a Secret?Soluto
 
Kamus intro
Kamus introKamus intro
Kamus introSoluto
 
Secure Your Pipeline
Secure Your PipelineSecure Your Pipeline
Secure Your PipelineSoluto
 
React new features and intro to Hooks
React new features and intro to HooksReact new features and intro to Hooks
React new features and intro to HooksSoluto
 
Secure the Pipeline - OWASP Poland Day 2018
Secure the Pipeline - OWASP Poland Day 2018Secure the Pipeline - OWASP Poland Day 2018
Secure the Pipeline - OWASP Poland Day 2018Soluto
 
Monitoria@reversim
Monitoria@reversimMonitoria@reversim
Monitoria@reversimSoluto
 
Languages don't matter anymore!
Languages don't matter anymore!Languages don't matter anymore!
Languages don't matter anymore!Soluto
 
Security Testing for Containerized Applications
Security Testing for Containerized ApplicationsSecurity Testing for Containerized Applications
Security Testing for Containerized ApplicationsSoluto
 
Owasp glue
Owasp glueOwasp glue
Owasp glueSoluto
 
Unify logz with fluentd
Unify logz with fluentdUnify logz with fluentd
Unify logz with fluentdSoluto
 
Storing data in Redis like a pro
Storing data in Redis like a proStoring data in Redis like a pro
Storing data in Redis like a proSoluto
 
Monitor all the thingz slideshare
Monitor all the thingz slideshareMonitor all the thingz slideshare
Monitor all the thingz slideshareSoluto
 

Más de Soluto (20)

Solving trust issues at scale - AppSec California
Solving trust issues at scale - AppSec CaliforniaSolving trust issues at scale - AppSec California
Solving trust issues at scale - AppSec California
 
Solving trust issues at scale
Solving trust issues at scaleSolving trust issues at scale
Solving trust issues at scale
 
Things I wish someone had told me about Istio, Omer Levi Hevroni
Things I wish someone had told me about Istio, Omer Levi HevroniThings I wish someone had told me about Istio, Omer Levi Hevroni
Things I wish someone had told me about Istio, Omer Levi Hevroni
 
Can Kubernetes Keep a Secret? - Women in AppSec Webinar
Can Kubernetes Keep a Secret? - Women in AppSec WebinarCan Kubernetes Keep a Secret? - Women in AppSec Webinar
Can Kubernetes Keep a Secret? - Women in AppSec Webinar
 
FTRD - Can Kubernetes Keep a Secret?
FTRD - Can Kubernetes Keep a Secret?FTRD - Can Kubernetes Keep a Secret?
FTRD - Can Kubernetes Keep a Secret?
 
The Dark Side of Monitoring
The Dark Side of MonitoringThe Dark Side of Monitoring
The Dark Side of Monitoring
 
Hacking like a FED
Hacking like a FEDHacking like a FED
Hacking like a FED
 
Monitoria@Icinga camp berlin
Monitoria@Icinga camp berlinMonitoria@Icinga camp berlin
Monitoria@Icinga camp berlin
 
Can Kubernetes Keep a Secret?
Can Kubernetes Keep a Secret?Can Kubernetes Keep a Secret?
Can Kubernetes Keep a Secret?
 
Kamus intro
Kamus introKamus intro
Kamus intro
 
Secure Your Pipeline
Secure Your PipelineSecure Your Pipeline
Secure Your Pipeline
 
React new features and intro to Hooks
React new features and intro to HooksReact new features and intro to Hooks
React new features and intro to Hooks
 
Secure the Pipeline - OWASP Poland Day 2018
Secure the Pipeline - OWASP Poland Day 2018Secure the Pipeline - OWASP Poland Day 2018
Secure the Pipeline - OWASP Poland Day 2018
 
Monitoria@reversim
Monitoria@reversimMonitoria@reversim
Monitoria@reversim
 
Languages don't matter anymore!
Languages don't matter anymore!Languages don't matter anymore!
Languages don't matter anymore!
 
Security Testing for Containerized Applications
Security Testing for Containerized ApplicationsSecurity Testing for Containerized Applications
Security Testing for Containerized Applications
 
Owasp glue
Owasp glueOwasp glue
Owasp glue
 
Unify logz with fluentd
Unify logz with fluentdUnify logz with fluentd
Unify logz with fluentd
 
Storing data in Redis like a pro
Storing data in Redis like a proStoring data in Redis like a pro
Storing data in Redis like a pro
 
Monitor all the thingz slideshare
Monitor all the thingz slideshareMonitor all the thingz slideshare
Monitor all the thingz slideshare
 

Último

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 

Último (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 

Authentication without Authentication - AppSec California