Stealth Authentication: Preventing Information Leaks in Web Application Security - APPSEC CA 2017
Offered By: OWASP Foundation via YouTube
Course Description
Overview
Explore a conference talk on implementing "stealth" authentication techniques to enhance web application security. Learn how to prevent information leakage during the authentication process, so that login responses do not reveal to an attacker whether an account exists, which second factor it uses, or whether it is locked. Discover the OWASP Top 10 security risks, upfront web application security measures, and strong authentication methods such as OTP and challenge-response. Examine practical examples of implementing two-factor authentication, simulating a second factor for unknown users, and handling account lockouts without disclosing account state. Gain insights into usability considerations, configuration options, and strategies to prevent other hidden information channels. Enhance your understanding of advanced authentication security practices to better protect web applications from potential threats.
Syllabus
Intro
Facts and Figures about Airlock & Ergon
OWASP Top 10
Upfront Web Application Security
Upfront Authentication
Strong Authentication Examples: OTP
Strong Authentication Examples: C/R
Trivial: Feedback Messages
Trivial Remedy: Generic Feedback Message
How About 2-Factor Authentication?
Requirements
Step 1: Simulate 2nd Factor with OTP
Step 1: Simulate 2nd Factor with MTAN
Account Locked Information
Simulate for unknown users
Step 3: Unknown users with different 2nd factors
What we implemented
Some Implementation Details
Configuration
Usability Considerations
Prevent other hidden channels
Conclusion
Taught by
OWASP Foundation