Sylvain Maret is a security expert with 17 years of experience who gave a presentation on strong authentication in web applications in 2012. He discussed various strong authentication technologies like PKI with digital certificates, biometrics, and one-time passwords. He explained how these technologies work at a technical level and emphasized standards from the Initiative for Open AuTHentication. Maret also touched on topics like token-based key generation and storage, and how strong authentication integrates with web applications and impacts application security best practices.
2. Strong Authentication in Web Application
“State of the Art 2012”
Sylvain Maret / Digital Security Expert / OpenID Switzerland
@smaret
Version 1.01 / 22.11.2012
3. Who am I?
• Security Expert
– 17 years of experience in ICT Security
– Principal Consultant at MARET Consulting
– Expert at Engineer School of Yverdon & Geneva University
– Swiss French Area delegate at OpenID Switzerland
– Co-founder Geneva Application Security Forum
– OWASP Member
– Author of the blog: la Citadelle Electronique
– http://ch.linkedin.com/in/smaret or @smaret
– http://www.slideshare.net/smaret
• Chosen field
– AppSec & Digital Identity Security
17. SSL/TLS Mutual Authentication: how does it work?
[Diagram: Alice (client certificate) and the Web Server perform SSL/TLS mutual authentication; the server checks the client certificate against the Validation Authority, via a CRL or an OCSP request, and receives the status Valid, Invalid or Unknown]
18. Strong Authentication with Biometrics (Match on Card technology)
• A reader
– Biometric sensor
– SmartCard
• A card with chip
– MOC technology (the fingerprint template is matched inside the card, never leaving it)
– Crypto Processor
• PC/SC
• PKCS#11
• X.509 digital certificate
20. (O)ne (T)ime (P)assword
• OTP Time Based
– Like SecurID
• OTP Event Based
• OTP Challenge Response Based
• Others:
– OTP via SMS
– OTP via email
– Biometry and OTP
– Phone
– Bingo Card
– Etc.