A few years ago, I left the offensive side and switched to the defensive one, and together with my team I am working toward one of the main goals of the Application Security department: preventing mass account hijacking and, the hardest part, targeted hijacking. As it turns out, if your service has web authentication and tens or hundreds of millions of users per month, you fall into the trap of a lack of secure and affordable user authentication approaches. Let's take everything in order: go through the current mechanisms, highlight the issues, and draw a conclusion about how we could fix the current situation.
Account hijacking can happen at different stages:
- Logging in to the account
- After login, when the existing session is hijacked
- During the account recovery process
Continue reading: “The modern Internet does not provide a secure mechanism to prevent account hijacking. FIDO2 – cool, but is not a final solution”
[Figure: Make sure that the same user came to me as the one who registered]

Authentication in a Typical Web Application