© 2014 VMware Inc. All rights reserved.
Introduction to Authentication
Cloud Identity Summit
Dale Olds
olds@vmware.com
Senior Staff Engineer, VMware
July 2014
An Introduction to Authentication
● Authentication definition and purpose
● Authentication methods
● Federated authentication
● Emerging trends and future directions
1. This presentation has been prepared
for identity newbies.
2. All heckling is encouraged.
3. Advanced hecklers, please see #1.
Definitions for Identity and Authentication Terms
From Open ID Connect Core 1.0, http://openid.net/specs/openid-connect-core-1_0.html
A Few Definitions for Starters
● Entity – Something that has a separate and distinct existence and that can be identified in a context. An End-User is one example of an Entity.
● Identity – Set of attributes related to an Entity.
● Identifier – Value that uniquely characterizes an Entity in a specific context.
● Authentication – Process used to achieve sufficient confidence in the binding between the Entity and the presented Identity.
The Authentication Event
The ceremony that establishes context and security (Pam's view)
Something to get past quickly on the way to something else (my view)
Why Do We Authenticate?
● Authentication is necessary for authorization.
● Authentication of a user is necessary to allow the user to DO something.
● Authentication is the user in action.
● Identity (user accounts) involves user information at rest.
● Provisioning involves managing identity information by others.
“If you don't eat your meat, you can't
have any pudding. How can you
have any pudding if you don't eat
your meat?"
Pink Floyd (via Gil)
Why Do We Authenticate?
Photo by Emily Carlin, https://www.flickr.com/photos/cuttingboard/
To get to authorization
Authentication Methods, and the Problems with Passwords
“Passwords are easy. Change is hard.”
-- Jeff Bohren
Protecting Password Data is Difficult
Source: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html
● Saving some password data is necessary so a service can verify the password, making it a tasty target.
● It's an arms race with the birds that want to eat your lunch.
Problems with Passwords: Password Hash Needs Salt
Source: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html
● Saving passwords in clear text is obviously dangerous if the password data is stolen.
● Save password hashes – a non-reversible fingerprint of the password means raw passwords are not stored.
● Lookup tables, dictionary attacks and rainbow tables can be used to efficiently crack large numbers of hashed passwords.
● Using a unique, large salt value with each hash renders rainbow tables much less effective.
● CPU/GPU capabilities have greatly increased. Brute force cracking of passwords is feasible.
● Use hash algorithms such as Bcrypt to blunt the increase in CPU capability, and get users to use larger passwords.
● And so it goes.
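The progression on this slide (plain hash, then per-user salt, then a tunable work factor that can be raised later) as an added example; it is not code from the deck. It uses PBKDF2-HMAC from the Python standard library in place of the Bcrypt the slide names, and the `pbkdf2_sha256$iterations$salt$hash` record format is an assumption made here.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Raise it as CPU/GPU capability grows;
# existing records keep their own iteration count so verification still works.
# (Assumption: the deck recommends Bcrypt; PBKDF2 is used here only because it
# ships with the standard library and runs with no third-party package.)
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """The weak scheme the slide starts from: two users with the same password get
    the same hash, so one precomputed lookup or rainbow table cracks both at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Store salt + work factor + derived key, never the password itself.
    Record layout (constructed for this example): pbkdf2_sha256$iter$salt$hash."""
    salt = os.urandom(SALT_BYTES)              # unique, random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False                           # malformed record never verifies
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a lower work factor than current policy.
    Call make_record() again at the user's next successful login ("and so it goes").
    Only call this on a record that verify() has already accepted."""
    _, iters, _, _ = record.split("$")
    return int(iters) < target_iterations
```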
Problems with How Users Choose Passwords
Users use the same password for multiple sites.
Even “low value” sites share a password with “high value” sites.
Passwords Should be Easy to Remember, Hard to Crack
Source: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html
● Four short words are easy to remember, and hard to crack.
● Password policy for punctuation and special characters just irritates the users and is very little help against password cracking.
● Good open source projects exist that implement this technique. See https://github.com/dropbox/zxcvbn and http://blog.cloudfoundry.org/2012/11/07/password-policy-in-cloud-foundry/
● Not so good for mobile devices yet.
Password Anti-Pattern is STILL in Use
If you actually read the User Agreement above, it's clear what the password anti-pattern really means.
Source: http://virtualsoul.org/blog/2012/10/11/password-anti-pattern-alive-and-well-at-a-financial-institution/
Password Problems are Even Misunderstood
● The problem was a key logger virus.
● No password data was retrieved from Facebook, Yahoo, Google, etc.
● The article's advice for password length, character type, and uniqueness is not applicable to a key logger.
Beyond Passwords: Other Authentication Methods
● Password managers
● Smart Cards
● Multi-factor authentication systems
● SMS message and other call-backs
● The rise of FIDO
However, the evolution of authentication methods remains an arms race. We need a way to manage changing authentication methods, and to manage the evolution of authentication effectively...
Federated Authentication: Add a Level of Indirection
Speaking of Computer Science...
“There are two hard problems in computer
science: cache invalidation, naming things,
and off-by-one errors.”
– various unattributed sources
Old-School Federated Authentication with SAML
[Diagram: Browser, WebAppA, WebAppB, WebAppC and the SAML Identity Provider (IdP)]
1. Joe starts at WebAppA but is not logged in, gets redirected to SAML IdP.
2. Joe logs in with method known only to IdP. IdP saves session with Joe (probably in a cookie) and redirects back to WebAppA with a SAML artifact.
3. WebAppA gets the SAML artifact.
4. WebAppA exchanges the SAML artifact for a SAML assertion via the back channel. It trusts the SAML assertion from that IdP, sets up session with Joe (probably with a cookie) and grants access.
5. When Joe accesses WebAppB or WebAppC, they redirect him to the IdP – which already has a session with Joe so he is immediately redirected back with an artifact.
Modern, Cool Federated Authentication with OpenID Connect, and Delegated Authorization via OAuth2
[Diagram: Browser, WebAppA, WebAppB, WebAppC and the OIDC Authorization Server (AS)]
1. Joe starts at WebAppA but is not logged in, gets redirected to OIDC Authorization Server.
2. Joe logs in with method known only to AS. AS saves session with Joe (probably in a cookie) and redirects back to WebAppA with an OAuth2/OIDC authorization code.
3. WebAppA gets the OAuth2 authorization code.
4. WebAppA exchanges the authorization code for an ID token (and an access token) via the back channel. It trusts the ID token from that AS, sets up session with Joe (probably with a cookie) and grants access.
5. When Joe accesses WebAppB or WebAppC, they redirect him to the AS – which already has a session with Joe so he is immediately redirected back with an authorization code.
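The five steps above, played out between an authorization server and two web apps, as an added example (not code from the deck). It models the OIDC flow, but the SAML flow on the previous slide has the same shape: artifact in place of authorization code, assertion in place of ID token. The issuer URL, client ids and the HS256 shared secret are assumptions made for a stand-alone run; a real AS would normally sign ID tokens with an RSA key, and the app would also check the access token it receives.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for this example. Real deployments redirect over HTTPS, and
# the AS normally signs ID tokens with RS256; an HMAC shared secret is used here
# only so the example runs stand-alone.
AS_ISSUER = "https://as.example"
AS_SIGNING_KEY = b"example-shared-secret"
CLIENT_IDS = {"WebAppA": "app-a", "WebAppB": "app-b", "WebAppC": "app-c"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """OIDC AS: owns the login session cookie and issues codes and ID tokens."""

    def __init__(self):
        self.sessions = {}  # AS session cookie -> subject
        self.codes = {}     # one-time authorization code -> (client_id, sub, nonce)

    def authorize(self, client_id, nonce, as_cookie=None, login=None):
        """Steps 1, 2 and 5: the redirect target. Returns (code, as_cookie), or
        None when Joe has no AS session and presented no credentials."""
        if as_cookie in self.sessions:
            sub = self.sessions[as_cookie]       # step 5: session already exists
        elif login is not None:
            sub = login                          # step 2: method known only to AS
            as_cookie = secrets.token_urlsafe(16)
            self.sessions[as_cookie] = sub
        else:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, sub, nonce)
        return code, as_cookie

    def token(self, client_id, code):
        """Step 4, back channel: redeem a one-time code for a signed ID token."""
        entry = self.codes.pop(code, None)       # pop: each code is single use
        if entry is None or entry[0] != client_id:
            return None                          # unknown code, or issued to another app
        _, sub, nonce = entry
        now = int(time.time())
        claims = {"iss": AS_ISSUER, "sub": sub, "aud": client_id,
                  "iat": now, "exp": now + 300, "nonce": nonce}
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64(json.dumps(claims).encode())
        sig = hmac.new(AS_SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64(sig)}"


class WebApp:
    """Relying party: never sees Joe's password; trusts the ID token from its AS."""

    def __init__(self, name, as_):
        self.client_id, self.as_ = CLIENT_IDS[name], as_
        self.sessions = {}  # app session cookie -> subject
        self.pending_nonce = None

    def start_login(self):
        """Steps 1 and 3: no app session, so redirect to the AS with a fresh nonce."""
        self.pending_nonce = secrets.token_urlsafe(8)
        return self.pending_nonce

    def finish_login(self, code):
        """Step 4: exchange the code, validate the ID token, then set our own cookie."""
        id_token = self.as_.token(self.client_id, code)
        if id_token is None:
            return None
        header, body, sig = id_token.split(".")
        expected = hmac.new(AS_SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64(expected), sig):
            return None                          # not signed by the AS we trust
        claims = json.loads(_unb64(body))
        if (claims["iss"] != AS_ISSUER or claims["aud"] != self.client_id
                or claims["exp"] < time.time() or claims["nonce"] != self.pending_nonce):
            return None                          # wrong issuer/audience, expired, or replayed
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = claims["sub"]
        return cookie


def joe_visits(app, as_cookie=None, login=None):
    """One browser visit through the redirects. Returns (app_cookie, as_cookie)."""
    nonce = app.start_login()
    result = app.as_.authorize(app.client_id, nonce, as_cookie=as_cookie, login=login)
    if result is None:
        return None, as_cookie
    code, as_cookie = result
    return app.finish_login(code), as_cookie
```

Visiting WebAppA with credentials runs steps 1 to 4; visiting WebAppB afterwards with the AS cookie runs step 5 with no credentials at all, and a code redeemed twice or by the wrong app is refused.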
Progress in Identity Evolution
● One identity (user account) per application
● External identities via LDAP
● External authentication via SAML
● External authentication and roles via OAuth2 and OpenID Connect
● External authorization
We are here
Does Federated Authentication Need to be so Complex?
● I went to Starbucks and ordered a venti coffee with cream with my VISA debit card.
● The VISA network contacted my bank, which transmitted an authorization code to Starbucks.
● The authorization code was used to transfer funds to Starbucks from my account.
● I enjoyed the latte.
● I pointed a browser at my employee benefits site and selected our payroll provider, ADP.
● The benefits site presented a SAML artifact to ADP.
● The artifact was used to retrieve an assertion which authorized access to my payroll information.
● I wish I made more money.
Teenagers, most adults, and supposedly tech-averse grandmothers have no problem understanding this. Programmers, technologists, and tech executives claim this is too difficult.
Advantages of Federated Authentication
● Fewer identity and authentication sources means less exposure (but also higher value targets of those sources).
● Identity and authentication sources can specialize in security – no need for casual services like Gawker to handle passwords.
● Authentication methods can evolve with no change to applications.
● Varying authentication methods can be required for applications based on identity provider policy.
● Better user experience (longer lived single sign-on) with more control over revocation of access.
● Partitioned security space – authentication and role information is targeted to specific services. No password anti-pattern.
Future Directions
● Authentication policy – including step-up authentication, and re-authentication intervals.
● Continuous authentication and risk analysis.
● Shared signals.
Remember why we authenticate...
Photo by Angélica Portales, https://www.flickr.com/photos/frozen-in-time/
Shared Signals
Shared Signals White Paper at the Open Identity Exchange
http://oixuk.org/wp-content/uploads/2014/04/The-Shared-Signals-Model-1.pdf
Conclusion to Introduction to Authentication
● Authentication definition and purpose: to get to authorization.
● Authentication methods: evolve, passwords suck, other methods exist and are improving.
● Federated authentication: helps us handle authentication evolution, provides better security with better user experience.
● Emerging trends and future directions: continuous authentication, shared signals.
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices Security
 
Sea surfing in asp.net mvc
Sea surfing in asp.net mvcSea surfing in asp.net mvc
Sea surfing in asp.net mvc
 

More from CloudIDSummit

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
CloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication   reasons for optimism 20150607 v2Mobile security, identity & authentication   reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM  in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM  in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
CloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
CloudIDSummit
 

More from CloudIDSummit (20)

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication   reasons for optimism 20150607 v2Mobile security, identity & authentication   reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM  in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM  in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
 

Recently uploaded

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 

CIS14: Authentication: Who are You? You are What You Eat

  • 1. © 2014VMware Inc. All rights reserved. Introduction to Authentication Cloud Identity Summit Dale Olds olds@vmware.com Senior Staff Engineer, VMware July 2014
  • 2. An Introduction to Authentication ● Authentication definition and purpose ● Authentication methods ● Federated authentication ● Emerging trends and future directions
  • 3. 1. This presentation has been prepared for identity newbies. 2. All heckling is encouraged. 3. Advanced hecklers, please see #1.
  • 4. Definitions for Identity and Authentication Terms From Open ID Connect Core 1.0, http://openid.net/specs/openid-connect-core-1_0.html
  • 5. A Few Definitions for Starters ● Entity – Something that has a separate and distinct existence and that can be identified in a context. An End-User is one example of an Entity. ● Identity – Set of attributes related to an Entity. ● Identifier – Value that uniquely characterizes an Entity in a specific context. ● Authentication – Process used to achieve sufficient confidence in the binding between the Entity and the presented Identity.
  • 6. The Authentication Event The ceremony that establishes context and security (Pam's view) Something to get past quickly on the way to something else (my view)
  • 7. Why Do We Authenticate? ● Authentication is necessary for authorization. ● Authentication of a user is necessary to allow the user to DO something. ● Authentication is the user in action. ● Identity (user accounts) involves user information at rest. ● Provisioning involves managing identity information by others. “If you don't eat your meat, you can't have any pudding. How can you have any pudding if you don't eat your meat?” Pink Floyd (via Gil)
  • 8. Why Do We Authenticate? Photo by Emily Carlin, https://www.flickr.com/photos/cuttingboard/ To get to authorization
  • 9. Authentication Methods, and the Problems with Passwords “Passwords are easy. Change is hard.” -- Jeff Bohren
  • 10. Protecting Password Data is Difficult Source: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html ● Saving some password data is necessary so a service can verify the password, which makes that data a tasty target. ● It's an arms race with the birds that want to eat your lunch.
  • 11. Problems with Passwords: Password Hash Needs Salt Source: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html ● Saving passwords in clear text is obviously dangerous if the password data is stolen. ● Save password hashes – a non-reversible fingerprint of the password means raw passwords are not stored. ● Lookup tables, dictionary attacks and rainbow tables can be used to efficiently crack large numbers of hashed passwords. ● Using a unique, large salt value with each hash renders rainbow tables much less effective. ● CPU/GPU capabilities have greatly increased; brute-force cracking of passwords is feasible. ● Use hash algorithms such as bcrypt to blunt the increase in CPU capability, and get users to use longer passwords. ● And so it goes.
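An added example, not code from the deck, of the progression this slide describes: an unsalted SHA-256 store that one small precomputed lookup table reverses for every user at once, beside a per-user random salt with a slow, tunable KDF. bcrypt is not in the Python standard library, so hashlib.scrypt stands in for it; the user table and the short list of common passwords are constructed for the demo.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Constructed sample data: three users, two of whom picked the same password.
USERS = {"alice": "correct horse battery staple", "bob": "password1", "carol": "password1"}
# A tiny stand-in for the lookup/rainbow tables the slide mentions (constructed).
COMMON_PASSWORDS = ["123456", "password", "password1", "qwerty", "letmein"]


# --- Unsalted fast hash: what the slide warns against ------------------------
def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(stored: dict[str, str]) -> dict[str, str]:
    # One precomputed table reverses every user's hash at once, and identical
    # passwords are visible as identical hashes even before any cracking.
    table = {unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored.items() if h in table}


# --- Per-user random salt plus a slow, tunable KDF ----------------------------
# hashlib.scrypt stands in for bcrypt here; like bcrypt, its cost parameters
# can be raised as CPU/GPU capability grows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def salted_hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def store_password(password: str) -> tuple[bytes, bytes]:
    # A fresh 16-byte random salt per user, stored beside the hash; it need not be secret.
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time comparison so the position of a mismatch does not leak via timing.
    return hmac.compare_digest(salted_hash(password, salt), stored)


def hashes_collide(stored: dict[str, tuple[bytes, bytes]]) -> bool:
    # With unique salts, the same password no longer maps to the same hash, so no
    # precomputed table can be shared across users (or across sites).
    hashes = [h for _, h in stored.values()]
    return len(set(hashes)) != len(hashes)


def build_store() -> dict[str, tuple[bytes, bytes]]:
    return {user: store_password(pw) for user, pw in USERS.items()}
```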
  • 12. Problems with How Users Choose Passwords Users use the same password for multiple sites. Even “low value” sites share a password with “high value” sites.
  • 13. Passwords Should be Easy to Remember, Hard to Crack Source: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html ● Four short words are easy to remember, and hard to crack. ● Password policy for punctuation and special characters just irritates the users and is very little help against password cracking. ● Good open source projects exist that implement this technique. See https://github.com/dropbox/zxcvbn and http://blog.cloudfoundry.org/2012/11/07/password-policy-in-cloud-foundry/ ● Not so good for mobile devices yet.
  • 14. Password Anti-Pattern is STILL in Use If you actually read the User Agreement above, it's clear what the password anti-pattern really means. source: http://virtualsoul.org/blog/2012/10/11/password-anti-pattern-alive-and-well-at-a-financial-institution/
  • 15. Password Problems are Even Misunderstood ● The problem was a key logger virus ● No password data was retrieved from Facebook, Yahoo, Google, etc. ● The article's advice for password length, character type, and uniqueness is not applicable to a key logger.
  • 16. Beyond Passwords: Other Authentication Methods ● Password managers ● Smart Cards ● Multi-factor authentication systems ● SMS message and other call-backs ● The rise of FIDO However, the evolution of authentication methods remains an arms race. We need a way to manage changing authentication methods, and to manage the evolution of authentication effectively...
  • 17. Federated Authentication: Add a Level of Indirection
  • 18. Speaking of Computer Science... “There are two hard problems in computer science: cache invalidation, naming things, and off-by-one errors.” – various unattributed sources
  • 19. Old-School Federated Authentication with SAML. Parties: Browser, WebAppA, WebAppB, WebAppC, and the SAML Identity Provider (IdP). 1. Joe starts at WebAppA but is not logged in, and gets redirected to the SAML IdP. 2. Joe logs in with a method known only to the IdP. The IdP saves a session with Joe (probably in a cookie) and redirects back to WebAppA with a SAML artifact. 3. WebAppA gets the SAML artifact. 4. WebAppA exchanges the SAML artifact for a SAML assertion via the back channel. It trusts the SAML assertion from that IdP, sets up a session with Joe (probably with a cookie) and grants access. 5. When Joe accesses WebAppB or WebAppC, they redirect him to the IdP, which already has a session with Joe, so he is immediately redirected back with an artifact.
  • 20. Modern, Cool Federated Authentication with OpenID Connect, and Delegated Authorization via OAuth2. Parties: Browser, WebAppA, WebAppB, WebAppC, and the OIDC Authorization Server (AS). 1. Joe starts at WebAppA but is not logged in, and gets redirected to the OIDC Authorization Server. 2. Joe logs in with a method known only to the AS. The AS saves a session with Joe (probably in a cookie) and redirects back to WebAppA with an OAuth2/OIDC authorization code. 3. WebAppA gets the OAuth2 authorization code. 4. WebAppA exchanges the authorization code for an ID token (and an access token) via the back channel. It trusts the ID token from that AS, sets up a session with Joe (probably with a cookie) and grants access. 5. When Joe accesses WebAppB or WebAppC, they redirect him to the AS, which already has a session with Joe, so he is immediately redirected back with an authorization code.
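The five steps on this slide as an added example (not code from the deck): an in-process model of the OpenID Connect authorization code flow with both the Authorization Server and the web app sides, the checks a web app must make on the ID token before trusting it, and the single-use rule for codes. All identifiers and credentials (as.example, webapp-a, the client secrets, Joe's password) are constructed; the ID token is HS256-signed with the client secret, which is how OIDC specifies HS256, whereas a production AS would normally publish RS256 keys via JWKS.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, secrets, time

# Every identifier and credential here is constructed for the example.
ISSUER = "https://as.example"
CODE_LIFETIME = 60                 # seconds an authorization code stays valid
USERS = {"joe": "joes-password"}   # AS-side user table; how Joe logs in is the AS's business alone

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    # HS256 JWT; OIDC keys HS256 ID tokens with the client secret (production: RS256 + JWKS)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_id_token(token: str, key: bytes, client_id: str) -> dict:
    # What the web app must check before trusting an ID token: signature, iss, aud, exp
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise ValueError("ID token was issued to a different client")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("ID token expired")
    return claims

class AuthorizationServer:
    # The OIDC Authorization Server (AS): owns the login method and the browser session
    def __init__(self, clients: dict[str, tuple[str, str]]):
        self.clients = clients               # client_id -> (client_secret, registered redirect_uri)
        self.sessions: dict[str, str] = {}   # AS session cookie -> subject
        self.codes: dict[str, dict] = {}     # outstanding single-use authorization codes

    def login(self, username: str, password: str) -> str:
        if USERS.get(username) != password:
            raise PermissionError("login failed")
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = username
        return cookie

    def authorize(self, as_cookie: str | None, client_id: str, redirect_uri: str) -> str | None:
        # Front channel (steps 1, 2 and 5); None means Joe is shown the login page first
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        subject = self.sessions.get(as_cookie)
        if subject is None:
            return None
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"sub": subject, "client_id": client_id, "redirect_uri": redirect_uri, "issued": time.time()}
        return code

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
        # Back channel (step 4): client authenticates, single-use code becomes ID + access token
        secret = self.clients.get(client_id, ("", ""))[0]
        if not secret or not hmac.compare_digest(secret, client_secret):
            raise PermissionError("client authentication failed")
        binding = self.codes.pop(code, None)   # pop: a replayed code is rejected
        if binding is None or binding["client_id"] != client_id or binding["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid authorization code")
        if time.time() - binding["issued"] > CODE_LIFETIME:
            raise PermissionError("authorization code expired")
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": binding["sub"], "aud": client_id, "iat": now, "exp": now + 300}
        return {"id_token": sign_jwt(claims, secret.encode()), "access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

class WebApp:
    # A relying party (WebAppA, B or C); it never sees Joe's password
    def __init__(self, client_id: str, client_secret: str, redirect_uri: str, as_: AuthorizationServer):
        self.client_id, self.secret, self.redirect_uri, self.as_ = client_id, client_secret, redirect_uri, as_

    def visit(self, as_cookie: str | None) -> str | None:
        # Steps 1-4 for the first app, step 5 for later ones; returns the subject of the new app session
        code = self.as_.authorize(as_cookie, self.client_id, self.redirect_uri)
        if code is None:
            return None
        tokens = self.as_.token(self.client_id, self.secret, code, self.redirect_uri)
        claims = verify_id_token(tokens["id_token"], self.secret.encode(), self.client_id)
        return claims["sub"]   # the app would now set its own session cookie for this subject

def run_flow() -> tuple[str | None, str | None]:
    # Joe logs in once at the AS and ends up with sessions at both WebAppA and WebAppB
    as_ = AuthorizationServer({"webapp-a": ("secret-a", "https://a.example/cb"),
                               "webapp-b": ("secret-b", "https://b.example/cb")})
    app_a = WebApp("webapp-a", "secret-a", "https://a.example/cb", as_)
    app_b = WebApp("webapp-b", "secret-b", "https://b.example/cb", as_)
    assert app_a.visit(None) is None               # 1. no AS session yet: sent to log in
    as_cookie = as_.login("joe", "joes-password")  # 2. Joe logs in at the AS only
    return app_a.visit(as_cookie), app_b.visit(as_cookie)   # 3-4, then 5 with no second login
```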
  • 21. Progress in Identity Evolution (a timeline): one identity (user account) per application; then external identities via LDAP; then external authentication via SAML; then external authentication and roles via OAuth2 and OpenID Connect; then external authorization. A “We are here” marker shows the current stage.
  • 22. Does Federated Authentication Need to be so Complex? ● I went to Starbucks and ordered a venti coffee with cream with my VISA debit card. ● The VISA network contacted my bank, which transmitted an authorization code to Starbucks. ● The authorization code was used to transfer funds to Starbucks from my account. ● I enjoyed the latte. ● I pointed a browser at my employee benefits site and selected our payroll provider, ADP. ● The benefits site presented a SAML artifact to ADP. ● The artifact was used to retrieve an assertion which authorized access to my payroll information. ● I wish I made more money. Teenagers, most adults, and supposedly tech-averse grandmothers have no problem understanding this. Programmers, technologists, and tech executives claim this is too difficult.
  • 23. Advantages of Federated Authentication ● Fewer identity and authentication sources mean less exposure (but also higher-value targets at those sources). ● Identity and authentication sources can specialize in security – no need for casual services like Gawker to handle passwords. ● Authentication methods can evolve with no change to applications. ● Varying authentication methods can be required for applications based on identity provider policy. ● Better user experience (longer-lived single sign-on) with more control over revocation of access. ● Partitioned security space – authentication and role information is targeted to specific services. No password anti-pattern.
  • 24. Future Directions ● Authentication policy – including step-up authentication, and re-authentication intervals. ● Continuous authentication and risk analysis. ● Shared signals. Remember why we authenticate... Photo by Angélica Portales, https://www.flickr.com/photos/frozen-in-time/
  • 26. Shared Signals White Paper at the Open Identity Exchange http://oixuk.org/wp-content/uploads/2014/04/The-Shared-Signals-Model-1.pdf
  • 27. Shared Signals White Paper at the Open Identity Exchange http://oixuk.org/wp-content/uploads/2014/04/The-Shared-Signals-Model-1.pdf
  • 28. Conclusion to Introduction to Authentication ● Authentication definition and purpose: to get to authorization ● Authentication methods: evolve, passwords suck, other methods exist and are improving. ● Federated authentication: helps us handle authentication evolution, provides better security with better user experience. ● Emerging trends and future directions: continuous authentication, shared signals