The modern Internet does not provide a secure mechanism to prevent account hijacking. FIDO2 – cool, but is not a final solution


A few years ago, I left offensive security and switched to the defensive side. Together with my team, I am trying to achieve one of the main goals of an Application Security department: preventing mass account hijacking and, hardest of all, targeted hijacking. As it turns out, if your service has web authentication and tens or hundreds of millions of users per month, you run into a lack of user authentication approaches that are both secure and affordable. Let's take everything in order: go through the current mechanisms, highlight their issues, and conclude with how the current situation could be fixed.

Account hijacking can happen at different stages:

  1. Login to account
  2. The user has already been logged in and the session is hijacked
  3. Account recovery process

Making sure that the user who comes to me is the same one who registered

Authentication in a Typical Web Application