Strange Loop

September 26-28 2018

Peabody Opera House

St. Louis, MO


"It Me": Under the Hood of Web Authentication

Don't you hate it when you get an email telling you that your account may have been compromised? You're not alone—many of the biggest security disasters in recent memory were authentication bypasses, including the Google OAuth phishing email worm (2017), Yahoo's forged cookie breach (2016), and Adobe's password database leak (2013). Authentication continues to be a key area of attack on the web, yet it remains poorly understood by many developers. Understanding secure authentication helps you protect your users (and yourself!), and provides a natural survey of topics in security and cryptography.

We'll start by taking a deep dive into popular authentication libraries in JavaScript and Python to see how they work under the hood. Along the way, we'll see some common "gotchas" in implementing authentication, including real-world examples of how they have been exploited and how modern libraries defend against them. You'll learn how to audit an authentication system, looking for security issues such as unsafe password storage, insecure implementation of one-time tokens, cryptographic errors, and lack of client-side protection for login forms and cookies. We'll also discuss the benefits and limitations of common security hardening techniques for authentication systems, such as two-factor authentication (2FA), and when you should consider using alternatives to the predominant "username + password" mode of authentication.

Yan Zhu

Yan is a software engineer at Brave and a Technology Fellow at the Electronic Frontier Foundation. She has worked on numerous open source security and privacy projects, including Let's Encrypt, HTTPS Everywhere, SecureDrop, and Privacy Badger. Previously she was a senior security engineer at Yahoo, a member of the W3C Technical Architecture Group, a recipient of Forbes' 30 Under 30 award, and a board member of Noisebridge Hackerspace. She dropped out of high school, got a B.S. from MIT in Physics, and started a PhD at Stanford before dropping out of that too.

Garrett Robinson

Garrett Robinson is a software engineer focusing on security and privacy issues. From 2014 to 2017 he was the lead developer of SecureDrop, an open source platform for journalists to securely communicate with confidential sources, and oversaw its expansion from 1 installation to over 30, including in major newsrooms such as The New York Times, The Washington Post, and The Intercept. Prior to that he was a security and privacy engineer at Mozilla, where he worked on Firefox's implementation of Content Security Policy (CSP) and experimented with techniques to protect web users from privacy-invading trackers, which led to a collaboration with the EFF on the Privacy Badger browser extension.