Schedule
All sessions will be presented by Michael Grafnetter, an IT security expert and Microsoft MVP. Over six technical sessions in English, he will explain the issues surrounding modern authentication using real examples from practice.
Conference time zone: CEST (UTC+2)

Michael Grafnetter
Microsoft MVP
Michael is an IT security expert who works as a consultant, trainer, and researcher. He is best known as the author of the open-source Directory Services Internals (DSInternals) PowerShell module and Thycotic Weak Password Finder, tools used by security auditors and penetration testers worldwide. He is a Microsoft MVP and holds a master’s degree in Software Engineering. Michael has spoken at many conferences, including Black Hat Europe, HipConf New York, SecTor Toronto, and BSides Lisbon.
We will start our journey to passwordless web applications by looking at the core FIDO2 Project standards, i.e., W3C Web Authentication (WebAuthn) and FIDO Client to Authenticator Protocol 2 (CTAP2).
We will dive into the workflows for registration and validation of FIDO2-compatible devices while exploring key concepts like Attestation, AAGUID, Assertion, Platform and Roaming Authenticators, User Presence, and User Verification.
We will also be discussing the FIDO Alliance Metadata Service (MDS3), which can be used by apps to prove the genuineness of a device model and get its certification status.
Last but not least, we will explore the current FIDO2 ecosystem, including browser, OS, and hardware support.
As W3C Web Authentication is a JavaScript API, expect a deep dive into its methods and data model. We will explore credential creation and request options, data structures returned by authenticators, attestation statement formats, and protocol extensions. You will also see some debugging and troubleshooting in action.
Leveraging W3C Web Authentication in ASP.NET is slightly more complicated than validating usernames and passwords, mainly because of the cryptographic operations involved. In this session you will learn what information needs to be stored in a database about each authenticator and how client requests should be validated. You will also see several NuGet packages that make these tasks much easier.
One of the key advantages of W3C Web Authentication is its support across all platforms. In this session, we will focus on the specifics of its implementation in iOS and Android, including some minor limitations.
Although the FIDO2 Project primarily targets web-based applications, the CTAP2 protocol can also be leveraged by desktop apps. We will therefore explore ways of interacting with FIDO2 Security Keys and Windows Hello from XAML applications, including attestation, assertion, credential management, and token reset.
In the last session, we will look at some real-world challenges of deploying FIDO2 authentication and how key players are dealing with them, including UX. You will learn about some mistakes made by developers in the past, which led to serious security incidents. We will also be discussing lost or stolen FIDO2 devices and account recovery options.