You Shall Not Password: Modern Authentication for Web Apps - Eli Holderness - NDC Sydney 2022

Learn about modern authentication methods for web applications and why passwords are no longer enough. Explore multi-factor authentication, hardware tokens, single sign-on, and more.

Key takeaways
  1. Password-based authentication is insecure: Passwords can be easily guessed, stolen, or phished.

  2. Multi-factor authentication (MFA) is more secure: MFA requires users to provide multiple forms of identification, making it more difficult for attackers to gain access to accounts.

  3. Hardware tokens are a good option for MFA: Hardware tokens are physical devices that generate unique codes that can be used to authenticate users.

  4. Single sign-on (SSO) can be convenient for users: SSO allows users to log in to multiple websites and applications using the same credentials.

  5. OpenID Connect (OIDC) is a popular SSO framework: OIDC is a standard that allows websites and applications to authenticate users using their existing identities from providers like Google, Facebook, and Twitter.

  6. Security Assertion Markup Language (SAML) is another popular SSO framework: SAML is an XML-based standard that allows websites and applications to exchange authentication information.

  7. JSON Web Tokens (JWTs) are a popular way to represent authentication information: JWTs are a compact, self-contained way to securely transmit information between parties.

  8. WebAuthn is a newer standard for hardware-based authentication: WebAuthn allows websites and applications to use hardware tokens to authenticate users.

  9. It’s important to consider the trade-offs when choosing an authentication method: There are many factors to consider when choosing an authentication method, such as security, usability, and cost.

  10. There is no one-size-fits-all solution for authentication: The best authentication method for a particular application will depend on the specific requirements of that application.