.NET Day 2023: The state of the .NET Auth, Cloud Security

Transcript

1. THE STATE OF THE .NET AUTH, CLOUD SECURITY https://damienbod.com

2. State of ASP.NET Core, .NET authentication Trends from OAuth2 and

   OpenID Connect passkeys, FIDO2 Self Sovereign Identity, E-ID Schweiz, eIDAS Some security recommendations

3. .NET 7 & .NET 8 A big push in authentication,

   new APIs, docs in .NET 8 Still using tokens in the browser  The time for secure cookies in now. Too many solutions in .NET and not sticking to the standards. Every producer seems to make different client library wrappers

4. .NET 8 templates, solutions Moving back to less secure solutions

   with weak interoperability  OIDC, OAuth2 client templates are missing (Apart from Microsoft Entra ID)

5. ASP.NET Core Identity APIs Using a username, password to request

   an access token for a public client is a bad idea Simple but unsecure! - Impersonation - Phishing - Access token storage problems - Client hijacking - MFA

6. ASP.NET 8 security docs • New docs in the making,

   looking good already • Feedback is wanted, get involved • Decision flow chart

7. .NET YARP reverse proxy • Isolate your legacy solutions •

   Great solution for implementing app moderization • Downstream APIs • Just awesome in so many ways ☺
8. None

9. OAuth 2.0 for Browser- Based Apps https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

10. Backend for frontend security • Improved security • Recommended security

    architecture for modern Web UIs • Industry is moving on from tokens for web applications • Not all services, cloud solutions have adopted, (Or want to adopt)

11. BFF with reverse proxy

12. OAuth 2.0 Demonstrating Proof-of- Possession at the Application Layer (DPoP)

    https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop
13. None

14. Cross Device authentication • Scan this QR code

15. Cross-Device Flows: Security Best Current Practice https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

16. Cross Device authentication • Never trust a QR Code •

    Mind the GAP problem • Open to phishing attacks • Aim for phishing resistant authentication! • Certificate authentication • FIDO2, passkeys • Windows for business

17. passkeys, FIDO2 Move away from Authenticators and SMS

18. FIDO2 Fast IDentity Online

19. FIDO2, passkeys are awesome

20. https://github.com/YubicoLabs/java-webauthn-passwordless-workshop

21. None

22. Self Sovereign Identity

23. What is a digital identity?

24. None

25. Schweiz E-ID 2025+ • PoC built using legacy Hyperledger Aries,

    new Swiss Wallet • Unknown which VC types, standards will be supported • SIOP V2, Didcomm V1, Didcomm V2? • Over consent credential theft problem unsolved, Verifiers will collect data. • Less secure compared to existing systems (open to phishing attacks) • More complexity, identity solutions require a ledger layer to use SSI • Interop between SSI solutions, ledgers, wallets has no solution, vendor lockdown

26. Self Sovereign Identity is NOT a good solution for authentication

    It is a good solution for online identity

27. Cross device authentication that starts from a QR Code is

    UNSECURE Near device authentication which starts from a QR Code is secure (passkeys)

28. Some best practices

29. The old way…

30. Network/IT security versus App Security • One does not replace

    the other! • Use both • Do not use setups which prevent doing one or the other correctly!

31. Good security is not complex to implement or use •

    Less is more • KISS • Do not create custom solutions, complex solutions • Useability

32. Use a Zero Trust Strategy • Verify locally, implement security

    at the app and at the source • In production even when you use a WAF and K8s, use HTTPS • Do not use setups which prevent application security • Avoid moving the security to gateways, Firewalls, WAF • (You can do this as well)

33. USE Standards Don’t implement this yourself, use certified libs, packages,

    tested

34. Move auth to the Cloud Move away from On-Prem solutions

    but not always…

35. Use a single cloud identity provider Use a single cloud

    identity provider for applications.

36. Use HTTPS everywhere Even in dev!

37. Never implement a username/password You should never need to implement

    a username/password request Use ASP.NET Core Identity if implementing your own identity provider and token server Always delegate the IAM management to an existing system if possible or use a solution based on standards • Azure AD (Azure AD B2C) • Auth0 • Keycloak • OpenIddict with ASP.NET Core Identity • IdentityServer with ASP.NET Core Identity

38. Team of 50 people focused on developing business solutions Security

    workshops, security consulting, DevOps Security Focus on hand crafted solutions generating business value .NET, Azure, App security, React, Blazor, Angular, Power Apps, Power BI & data
39. None

40. Thanks https://github.com/damienbod https://github.com/swiss-ssi-group https://www.bj.admin.ch/bj/de/home/staat/gesetzgebung/staatliche-e-id.html https://www.isolutions.ch/en/services/business-solutions/application-security/