UnRegister Me - Advanced Techniques for hunting and securing user registration vulnerabilities

By Priyank Nigam on 21 Nov 2024 @ Securityfest
#web-security #application-security #identity-and-access-management
Focus Areas: Application Security, Web Application Security

Abstract

In a mobile-first world, user registration using only a phone number has become common, and the phone number has become the primary method of authentication because of its convenience and speed. These systems may or may not verify other details about the user, such as their email address, and typically rely on Single Sign-On (SSO) Identity Providers. This talk explores the issues that can arise when multiple systems are used for authentication, and how these can lead to vulnerabilities ranging from account takeover and password stealing to denial of service. The talk concludes by discussing potential solutions and stronger controls that can be implemented to prevent these issues.

Presented at Security Fest 2024.