SlideShare uma empresa Scribd logo

CIS14: Authentication: Who are You? You are What You Eat

CloudIDSummit
CloudIDSummit

Dale Olds, VMware A pinch of authentication theory and methods, a taste of the sweet and the bitter of the much maligned password, and then larger portions of federated authentication protocols from SAML to OpenID Connect, clearing up along the way some confusion between federated authentication and tokens used for delegated authorization.

Tecnologia
1 de 28
Baixar para ler offline
© 2014VMware Inc. All rights reserved. Introduction to Authentication Cloud Identity Summit Dale Olds olds@vmware.com Senior Staff Engineer, VMware July 2014
An Introduction to Authentication ● Authentication definition and purpose ● Authentication methods ● Federated authentication ● Emerging trends and future directions
1. This presentation has been prepared for identity newbies. 2. All heckling is encouraged. 3. Advanced hecklers, please see #1.
Definitions for Identity and Authentication Terms From Open ID Connect Core 1.0, http://openid.net/specs/openid-connect-core-1_0.html
A Few Definitions for Starters ● Entity – Something that has a separate and distinct existence and that can be identified in a context. An End-User is one example of an Entity. ● Identity – Set of attributes related to an Entity. ● Identifier – Value that uniquely characterizes an Entity in a specific context. ● Authentication – Process used to achieve sufficient confidence in the binding between the Entity and the presented Identity.
The Authentication Event The ceremony that establishes context and security (Pam's view) Something to get past quickly on the way to something else (my view)
Why Do We Authenticate? ● Authentication is necessary for authorization. ● Authentication of a user is necessary to allow the user to DODO something. ● Authentication is the user in action ● Identity (user accounts) involves user information at rest ● Provisioning involves managing identity information by others. “If you don't eat your meat, you can't have any pudding. How can you have any pudding if you don't eat your meat?" Pink Floyd (via Gil)
Why Do We Authenticate? Photo by Emily Carlin, https://www.flickr.com/photos/cuttingboard/ To get to authorization
Authentication Methods, and the Problems with Passwords “Passwords are easy. Change is hard.” -- Jeff Bohren
Protecting Password Data is Difficult Source: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html ● Saving some password data necessary so a service can verify the password, making it a tasty target. ● It's an arms race with the birds that want to eat your lunch.
Problems with Passwords: Password Hash Needs Salt Source: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html ● Saving passwords in clear text is obviously dangerous if the password data is stolen. ● Save password hashes – non-reversible fingerprint of the password means raw passwords are not stored. ● Lookup tables, dictionary attacks and rainbow tables can be used to efficiently crack large amounts of hashed passwords. ● Using a unique, large salt value with each hash renders rainbow tables much less effective. ● CPU/GPU capabilities have greatly increased. Brute force cracking of passwords is feasible. ● Use hash algorithms such as Bcrypt to blunt increase in CPU capability, and get users to use larger passwords. ● And so it goes.
Problems with How Users Choose Passwords Users use the same password for multiple sites. Even “low value” sites share password with “high value” sites.
Passwords Should be Easy to Remember, Hard to Crack Source: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html ● Four short words are easy to remember, and hard to crack. ● Password policy for punctuation and special characters just irritates the users and is very little help against password cracking. ● Good open source projects exist that implement this technique. See https://github.com/dropbox/zxcvbn and http://blog.cloudfoundry.org/2012/11/07/password-policy-in-cloud-foundry/ ● Not so good for mobile devices yet.
Password Anti-Pattern is STILL in Use If you actually read the User Agreement above, it's clear what the password anti-pattern really means. source: http://virtualsoul.org/blog/2012/10/11/password-anti-pattern-alive-and-well-at-a-financial-institution/
Password Problems are Even Misunderstood ● The problem was a key logger virus ● No password data was retrieved from Facebook, Yahoo, Google, etc. ● The article's advice for password length, character type, and uniqueness is not applicable to a key logger.
Beyond Passwords: Other Authentication Methods ● Password managers ● Smart Cards ● Multi-factor authentication systems ● SMS message and other call-backs ● The rise of FIDO However, the evolution of authentication methods remains an arms race. We need a way to manage changing authentication methods, and to manage the evolution of authentication effectively...
Federated Authentication: Add a Level of Indirection
Speaking of Computer Science... “There are two hard problems in computer science: cache invalidation, naming things, and off-by-one errors.” – various unattributed sources
Old-School Federated Authentication with SAML WebAppA SAML Identity Provider - IdP Browser WebAppB WebAppC 1. Joe starts at WebAppA but is not logged in, gets redirected to SAML IdP.2. Joe logs in with method known only to IdP. IdP saves session with Joe (probably in a cookie) and redirects back to WebAppA with a SAML artifact. 3. WebAppA gets the SAML artifact. 5. When Joe accesses WebAppB or WebAppC, they redirect him to the IdP – which already has a session with Joe so he is immediately redirected back with an artifact. 4. WebAppA exchanges the SAML artifact for a SAML assertion via the back channel. It trusts the SAML assertion from that IdP, sets up session with Joe (probably with a cookie) and grants access.
Modern, Cool Federated Authentication with OpenID Connect, and Delegated Authorization via OAuth2 WebAppA OIDC AuthZ Server - AS Browser WebAppB WebAppC 1. Joe starts at WebAppA but is not logged in, gets redirected to OIDC Authorization Server.2. Joe logs in with method known only to AS. AS saves session with Joe (probably in a cookie) and redirects back to WebAppA with an OAuth2/OIDC authorization code. 3. WebAppA gets the OAuth2 authorization code. 5. When Joe accesses WebAppB or WebAppC, they redirect him to the AS – which already has a session with Joe so he is immediately redirected back with an authorization code. 4. WebAppA exchanges the authorization code for an ID token (and an access token) via the back channel. It trusts the ID token from that AS, sets up session with Joe (probably with a cookie) and grants access.
Progress in Identity Evolution One identity (user account) per application External identities via LDAP External authentication via SAML External authentication and roles via OAuth2 and OpenID Connect External authorization We are here
Does Federated Authentication Need to be so Complex? ● I went to Starbucks and ordered a vente coffee with cream with my VISA debit card. ● The VISA network contacted my bank, which transmitted an authorization code to Starbucks. ● The authorization code was used to transfer funds to Starbucks from my account. ● I enjoyed the latte. ● I pointed a browser at my employee benefits site and selected our payroll provider, ADP. ● The benefits site presented a SAML artifact to ADP ● The artifact was used to retrieve an assertion which authorized access to my payroll information. ● I wish I made more money Teenagers, most adults, and supposedly tech-averse grandmothers have no problem understanding this. Programmers, technologists, and tech- executives claim this is too difficult.
Advantages of Federated Authentication ● Fewer numbers of identity and authentication sources means less exposure (but also higher value targets of those sources). ● Identity and authentication sources can specialize in security – no need for casual services like Gawker to handle passwords. ● Authentication methods can evolve with no change to applications. ● Varying authentication methods can be required for applications based on identity provider policy. ● Better user experience (longer lived single signon) with more control over revocation of access. ● Partitioned security space – authentication and role information is targeted to specific services. No password anti-pattern.
Future Directions ● Authentication policy – including step-up authentication, and re-authentication intervals. ● Continuous authentication and risk analysis. ● Shared signals. Remember why we authenticate... Photo by Angélica Portales, https://www.flickr.com/photos/frozen-in-time/
Shared Signals
Shared Signals White Paper at the Open Identity Exchange http://oixuk.org/wp-content/uploads/2014/04/The-Shared-Signals-Model-1.pdf
Shared Signals White Paper at the Open Identity Exchange http://oixuk.org/wp-content/uploads/2014/04/The-Shared-Signals-Model-1.pdf
Conclusion to Introduction to Authentication ● Authentication definition and purpose: to get to authorization ● Authentication methods: evolve, passwords suck, other methods exist and are improving. ● Federated authentication: helps us handle authentication evolution, provides better security with better user experience. ● Emerging trends and future directions: continuous authentication, shared signals

Recomendados

Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...
Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...
Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...Matthew Gerrior
 
Startup Institute NY - Authentication, Validation, and Basic Testing
Startup Institute NY - Authentication, Validation, and Basic TestingStartup Institute NY - Authentication, Validation, and Basic Testing
Startup Institute NY - Authentication, Validation, and Basic TestingMatthew Gerrior
 
Authentication Concepts
Authentication ConceptsAuthentication Concepts
Authentication ConceptsCharles Southerland
 
IRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJSIRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJSIRJET Journal
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allupllangit
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Netalsmola
 

Recomendados

Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...
Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...
Startup Institute NY (Summer 2016) - Authentication, Validation, and Basic Te...Matthew Gerrior
 
Startup Institute NY - Authentication, Validation, and Basic Testing
Startup Institute NY - Authentication, Validation, and Basic TestingStartup Institute NY - Authentication, Validation, and Basic Testing
Startup Institute NY - Authentication, Validation, and Basic TestingMatthew Gerrior
 
Authentication Concepts
Authentication ConceptsAuthentication Concepts
Authentication ConceptsCharles Southerland
 
IRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJSIRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJSIRJET Journal
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allupllangit
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Top Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.NetTop Ten Tips For Tenacious Defense In Asp.Net
Top Ten Tips For Tenacious Defense In Asp.Netalsmola
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTAdam Englander
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservicesAlvaro Sanchez-Mariscal
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins
 
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CloudIDSummit
 
Auth experience - vol 1.0
Auth experience - vol 1.0Auth experience - vol 1.0
Auth experience - vol 1.0Haggai Philip Zagury
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015Alvaro Sanchez-Mariscal
 
Web application finger printing - whitepaper
Web application finger printing - whitepaperWeb application finger printing - whitepaper
Web application finger printing - whitepaperAnant Shrivastava
 
Web 2.0 security woes
Web 2.0 security woesWeb 2.0 security woes
Web 2.0 security woesSensePost
 
Web Security
Web SecurityWeb Security
Web SecurityAli Habeeb
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
harshal_new_Resume
harshal_new_Resumeharshal_new_Resume
harshal_new_ResumeHarshal Chaudhari
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIStormpath
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
Safeguard our website and prevents from bad internet bots and scripts to expl...
Safeguard our website and prevents from bad internet bots and scripts to expl...Safeguard our website and prevents from bad internet bots and scripts to expl...
Safeguard our website and prevents from bad internet bots and scripts to expl...Sivalingam Thangavel, TOGAF 9, ITIL
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedMikkel Flindt Heisterberg
 
"Zero-Touch" Authentication: Consumer Trends That will Transform the Enterprise
"Zero-Touch" Authentication: Consumer Trends That will Transform the Enterprise"Zero-Touch" Authentication: Consumer Trends That will Transform the Enterprise
"Zero-Touch" Authentication: Consumer Trends That will Transform the EnterpriseCA Technologies
 
CIS14: PingOne IDaaS: What You Need to Know
CIS14: PingOne IDaaS: What You Need to KnowCIS14: PingOne IDaaS: What You Need to Know
CIS14: PingOne IDaaS: What You Need to KnowCloudIDSummit
 
CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the Sta...
CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the Sta...CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the Sta...
CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the Sta...CloudIDSummit
 
CIS14: Bringing Crypto Back: Web Authentication without Bearer Tokens
CIS14: Bringing Crypto Back: Web Authentication without Bearer TokensCIS14: Bringing Crypto Back: Web Authentication without Bearer Tokens
CIS14: Bringing Crypto Back: Web Authentication without Bearer TokensCloudIDSummit
 

Mais conteúdo relacionado

Mais procurados

Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTAdam Englander
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservicesAlvaro Sanchez-Mariscal
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins
 
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CloudIDSummit
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015Alvaro Sanchez-Mariscal
 
Web application finger printing - whitepaper
Web application finger printing - whitepaperWeb application finger printing - whitepaper
Web application finger printing - whitepaperAnant Shrivastava
 
Web 2.0 security woes
Web 2.0 security woesWeb 2.0 security woes
Web 2.0 security woesSensePost
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIStormpath
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
Safeguard our website and prevents from bad internet bots and scripts to expl...
Safeguard our website and prevents from bad internet bots and scripts to expl...Safeguard our website and prevents from bad internet bots and scripts to expl...
Safeguard our website and prevents from bad internet bots and scripts to expl...Sivalingam Thangavel, TOGAF 9, ITIL
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedMikkel Flindt Heisterberg
 

Mais procurados (18)

Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservices
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrongAuthentication: Cookies vs JWTs and why you’re doing it wrong
Authentication: Cookies vs JWTs and why you’re doing it wrong
 
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
 
Auth experience - vol 1.0
Auth experience - vol 1.0Auth experience - vol 1.0
Auth experience - vol 1.0
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015Stateless authentication for microservices applications - JavaLand 2015
Stateless authentication for microservices applications - JavaLand 2015
 
Web application finger printing - whitepaper
Web application finger printing - whitepaperWeb application finger printing - whitepaper
Web application finger printing - whitepaper
 
Web 2.0 security woes
Web 2.0 security woesWeb 2.0 security woes
Web 2.0 security woes
 
Web Security
Web SecurityWeb Security
Web Security
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
harshal_new_Resume
harshal_new_Resumeharshal_new_Resume
harshal_new_Resume
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON API
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
Safeguard our website and prevents from bad internet bots and scripts to expl...
Safeguard our website and prevents from bad internet bots and scripts to expl...Safeguard our website and prevents from bad internet bots and scripts to expl...
Safeguard our website and prevents from bad internet bots and scripts to expl...
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learned
 

Destaque

"Zero-Touch" Authentication: Consumer Trends That will Transform the Enterprise
"Zero-Touch" Authentication: Consumer Trends That will Transform the Enterprise"Zero-Touch" Authentication: Consumer Trends That will Transform the Enterprise
"Zero-Touch" Authentication: Consumer Trends That will Transform the EnterpriseCA Technologies
 
CIS14: PingOne IDaaS: What You Need to Know
CIS14: PingOne IDaaS: What You Need to KnowCIS14: PingOne IDaaS: What You Need to Know
CIS14: PingOne IDaaS: What You Need to KnowCloudIDSummit
 
CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the Sta...
CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the Sta...CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the Sta...
CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the Sta...CloudIDSummit
 
CIS14: Bringing Crypto Back: Web Authentication without Bearer Tokens
CIS14: Bringing Crypto Back: Web Authentication without Bearer TokensCIS14: Bringing Crypto Back: Web Authentication without Bearer Tokens
CIS14: Bringing Crypto Back: Web Authentication without Bearer TokensCloudIDSummit
 
CIS14: Authentication Family Tree (1.1.1 annotated) - Steve Wilson
CIS14: Authentication Family Tree (1.1.1 annotated) - Steve WilsonCIS14: Authentication Family Tree (1.1.1 annotated) - Steve Wilson
CIS14: Authentication Family Tree (1.1.1 annotated) - Steve WilsonCloudIDSummit
 
CIS14: Spinning New Threads with Existing Identity Systems
CIS14: Spinning New Threads with Existing Identity SystemsCIS14: Spinning New Threads with Existing Identity Systems
CIS14: Spinning New Threads with Existing Identity SystemsCloudIDSummit
 
2014 07-19 id cloud summit
2014 07-19 id cloud summit2014 07-19 id cloud summit
2014 07-19 id cloud summitCloudIDSummit
 
CIS14: NSTIC: Identity Enables a New Digital Relationship
CIS14: NSTIC: Identity Enables a New Digital RelationshipCIS14: NSTIC: Identity Enables a New Digital Relationship
CIS14: NSTIC: Identity Enables a New Digital RelationshipCloudIDSummit
 
CIS14: Handling Identity in AllJoyn 14.06
CIS14: Handling Identity in AllJoyn 14.06CIS14: Handling Identity in AllJoyn 14.06
CIS14: Handling Identity in AllJoyn 14.06CloudIDSummit
 
CIS13: Identity Tech Overview: Less Pain, More Gain
CIS13: Identity Tech Overview: Less Pain, More GainCIS13: Identity Tech Overview: Less Pain, More Gain
CIS13: Identity Tech Overview: Less Pain, More GainCloudIDSummit
 
CIS14: Authorization: It's What's for Dessert
CIS14: Authorization: It's What's for DessertCIS14: Authorization: It's What's for Dessert
CIS14: Authorization: It's What's for DessertCloudIDSummit
 
CIS14: Identity at Scale: Building from the Ground Up
CIS14: Identity at Scale: Building from the Ground UpCIS14: Identity at Scale: Building from the Ground Up
CIS14: Identity at Scale: Building from the Ground UpCloudIDSummit
 
CIS14: Case Study: Using a Federated Identity Service for Faster Application ...
CIS14: Case Study: Using a Federated Identity Service for Faster Application ...CIS14: Case Study: Using a Federated Identity Service for Faster Application ...
CIS14: Case Study: Using a Federated Identity Service for Faster Application ...CloudIDSummit
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCloudIDSummit
 
CIS14: NSTIC - Identity and Access Management Collaborative Approaches to Nov...
CIS14: NSTIC - Identity and Access Management Collaborative Approaches to Nov...CIS14: NSTIC - Identity and Access Management Collaborative Approaches to Nov...
CIS14: NSTIC - Identity and Access Management Collaborative Approaches to Nov...CloudIDSummit
 
CIS14: Early Peek at PingFederate Administrative REST API
CIS14: Early Peek at PingFederate Administrative REST APICIS14: Early Peek at PingFederate Administrative REST API
CIS14: Early Peek at PingFederate Administrative REST APICloudIDSummit
 
CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCloudIDSummit
 
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)CloudIDSummit
 
CIS14: Physical and Logical Access Control Convergence
CIS14: Physical and Logical Access Control ConvergenceCIS14: Physical and Logical Access Control Convergence
CIS14: Physical and Logical Access Control ConvergenceCloudIDSummit
 
CIS13: Is Identity the Answer to the Great Question of Life, the Universe, an...
CIS13: Is Identity the Answer to the Great Question of Life, the Universe, an...CIS13: Is Identity the Answer to the Great Question of Life, the Universe, an...
CIS13: Is Identity the Answer to the Great Question of Life, the Universe, an...CloudIDSummit
 

Destaque (20)

"Zero-Touch" Authentication: Consumer Trends That will Transform the Enterprise
"Zero-Touch" Authentication: Consumer Trends That will Transform the Enterprise"Zero-Touch" Authentication: Consumer Trends That will Transform the Enterprise
"Zero-Touch" Authentication: Consumer Trends That will Transform the Enterprise
 
CIS14: PingOne IDaaS: What You Need to Know
CIS14: PingOne IDaaS: What You Need to KnowCIS14: PingOne IDaaS: What You Need to Know
CIS14: PingOne IDaaS: What You Need to Know
 
CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the Sta...
CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the Sta...CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the Sta...
CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the Sta...
 
CIS14: Bringing Crypto Back: Web Authentication without Bearer Tokens
CIS14: Bringing Crypto Back: Web Authentication without Bearer TokensCIS14: Bringing Crypto Back: Web Authentication without Bearer Tokens
CIS14: Bringing Crypto Back: Web Authentication without Bearer Tokens
 
CIS14: Authentication Family Tree (1.1.1 annotated) - Steve Wilson
CIS14: Authentication Family Tree (1.1.1 annotated) - Steve WilsonCIS14: Authentication Family Tree (1.1.1 annotated) - Steve Wilson
CIS14: Authentication Family Tree (1.1.1 annotated) - Steve Wilson
 
CIS14: Spinning New Threads with Existing Identity Systems
CIS14: Spinning New Threads with Existing Identity SystemsCIS14: Spinning New Threads with Existing Identity Systems
CIS14: Spinning New Threads with Existing Identity Systems
 
2014 07-19 id cloud summit
2014 07-19 id cloud summit2014 07-19 id cloud summit
2014 07-19 id cloud summit
 
CIS14: NSTIC: Identity Enables a New Digital Relationship
CIS14: NSTIC: Identity Enables a New Digital RelationshipCIS14: NSTIC: Identity Enables a New Digital Relationship
CIS14: NSTIC: Identity Enables a New Digital Relationship
 
CIS14: Handling Identity in AllJoyn 14.06
CIS14: Handling Identity in AllJoyn 14.06CIS14: Handling Identity in AllJoyn 14.06
CIS14: Handling Identity in AllJoyn 14.06
 
CIS13: Identity Tech Overview: Less Pain, More Gain
CIS13: Identity Tech Overview: Less Pain, More GainCIS13: Identity Tech Overview: Less Pain, More Gain
CIS13: Identity Tech Overview: Less Pain, More Gain
 
CIS14: Authorization: It's What's for Dessert
CIS14: Authorization: It's What's for DessertCIS14: Authorization: It's What's for Dessert
CIS14: Authorization: It's What's for Dessert
 
CIS14: Identity at Scale: Building from the Ground Up
CIS14: Identity at Scale: Building from the Ground UpCIS14: Identity at Scale: Building from the Ground Up
CIS14: Identity at Scale: Building from the Ground Up
 
CIS14: Case Study: Using a Federated Identity Service for Faster Application ...
CIS14: Case Study: Using a Federated Identity Service for Faster Application ...CIS14: Case Study: Using a Federated Identity Service for Faster Application ...
CIS14: Case Study: Using a Federated Identity Service for Faster Application ...
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIs
 
CIS14: NSTIC - Identity and Access Management Collaborative Approaches to Nov...
CIS14: NSTIC - Identity and Access Management Collaborative Approaches to Nov...CIS14: NSTIC - Identity and Access Management Collaborative Approaches to Nov...
CIS14: NSTIC - Identity and Access Management Collaborative Approaches to Nov...
 
CIS14: Early Peek at PingFederate Administrative REST API
CIS14: Early Peek at PingFederate Administrative REST APICIS14: Early Peek at PingFederate Administrative REST API
CIS14: Early Peek at PingFederate Administrative REST API
 
CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the Enterprise
 
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
 
CIS14: Physical and Logical Access Control Convergence
CIS14: Physical and Logical Access Control ConvergenceCIS14: Physical and Logical Access Control Convergence
CIS14: Physical and Logical Access Control Convergence
 
CIS13: Is Identity the Answer to the Great Question of Life, the Universe, an...
CIS13: Is Identity the Answer to the Great Question of Life, the Universe, an...CIS13: Is Identity the Answer to the Great Question of Life, the Universe, an...
CIS13: Is Identity the Answer to the Great Question of Life, the Universe, an...
 

Semelhante a CIS14: Authentication: Who are You? You are What You Eat

Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhibhumika2108
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public SafetyAdam Lewis
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...PROIDEA
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
Securing web applications
Securing web applicationsSecuring web applications
Securing web applicationsSupreme O
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"..."Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"...PROIDEA
 
Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud CA API Management
 
validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...izzatisholehah
 
Session,Cookies and Authentication
Session,Cookies and AuthenticationSession,Cookies and Authentication
Session,Cookies and AuthenticationKnoldus Inc.
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
User Credential handling in Web Applications done right
User Credential handling in Web Applications done rightUser Credential handling in Web Applications done right
User Credential handling in Web Applications done righttladesignz
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsYevgeniy Brikman
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices SecurityBertrand Carlier
 
Sea surfing in asp.net mvc
Sea surfing in asp.net mvcSea surfing in asp.net mvc
Sea surfing in asp.net mvcmagda3695
 

Semelhante a CIS14: Authentication: Who are You? You are What You Eat (20)

Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec glory
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public Safety
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
Securing web applications
Securing web applicationsSecuring web applications
Securing web applications
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"..."Inter- application vulnerabilities. hunting for bugs in secure applications"...
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
 
Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud
 
validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...
 
Session,Cookies and Authentication
Session,Cookies and AuthenticationSession,Cookies and Authentication
Session,Cookies and Authentication
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
 
User Credential handling in Web Applications done right
User Credential handling in Web Applications done rightUser Credential handling in Web Applications done right
User Credential handling in Web Applications done right
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices Security
 
Sea surfing in asp.net mvc
Sea surfing in asp.net mvcSea surfing in asp.net mvc
Sea surfing in asp.net mvc
 

Mais de CloudIDSummit

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content HighlightsCloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCloudIDSummit
 

Mais de CloudIDSummit (20)

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
 

Último

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 

Último (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 

CIS14: Authentication: Who are You? You are What You Eat

  • 1. © 2014VMware Inc. All rights reserved. Introduction to Authentication Cloud Identity Summit Dale Olds olds@vmware.com Senior Staff Engineer, VMware July 2014
  • 2. An Introduction to Authentication ● Authentication definition and purpose ● Authentication methods ● Federated authentication ● Emerging trends and future directions
  • 3. 1. This presentation has been prepared for identity newbies. 2. All heckling is encouraged. 3. Advanced hecklers, please see #1.
  • 4. Definitions for Identity and Authentication Terms From Open ID Connect Core 1.0, http://openid.net/specs/openid-connect-core-1_0.html
  • 5. A Few Definitions for Starters ● Entity – Something that has a separate and distinct existence and that can be identified in a context. An End-User is one example of an Entity. ● Identity – Set of attributes related to an Entity. ● Identifier – Value that uniquely characterizes an Entity in a specific context. ● Authentication – Process used to achieve sufficient confidence in the binding between the Entity and the presented Identity.
  • 6. The Authentication Event The ceremony that establishes context and security (Pam's view) Something to get past quickly on the way to something else (my view)
  • 7. Why Do We Authenticate? ● Authentication is necessary for authorization. ● Authentication of a user is necessary to allow the user to DODO something. ● Authentication is the user in action ● Identity (user accounts) involves user information at rest ● Provisioning involves managing identity information by others. “If you don't eat your meat, you can't have any pudding. How can you have any pudding if you don't eat your meat?" Pink Floyd (via Gil)
  • 8. Why Do We Authenticate? Photo by Emily Carlin, https://www.flickr.com/photos/cuttingboard/ To get to authorization
  • 9. Authentication Methods, and the Problems with Passwords “Passwords are easy. Change is hard.” -- Jeff Bohren
  • 10. Protecting Password Data is Difficult Source: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html ● Saving some password data necessary so a service can verify the password, making it a tasty target. ● It's an arms race with the birds that want to eat your lunch.
  • 11. Problems with Passwords: Password Hash Needs Salt Source: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html ● Saving passwords in clear text is obviously dangerous if the password data is stolen. ● Save password hashes – non-reversible fingerprint of the password means raw passwords are not stored. ● Lookup tables, dictionary attacks and rainbow tables can be used to efficiently crack large amounts of hashed passwords. ● Using a unique, large salt value with each hash renders rainbow tables much less effective. ● CPU/GPU capabilities have greatly increased. Brute force cracking of passwords is feasible. ● Use hash algorithms such as Bcrypt to blunt increase in CPU capability, and get users to use larger passwords. ● And so it goes.
  • 12. Problems with How Users Choose Passwords Users use the same password for multiple sites. Even “low value” sites share password with “high value” sites.
  • 13. Passwords Should be Easy to Remember, Hard to Crack Source: http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html ● Four short words are easy to remember, and hard to crack. ● Password policy for punctuation and special characters just irritates the users and is very little help against password cracking. ● Good open source projects exist that implement this technique. See https://github.com/dropbox/zxcvbn and http://blog.cloudfoundry.org/2012/11/07/password-policy-in-cloud-foundry/ ● Not so good for mobile devices yet.
  • 14. Password Anti-Pattern is STILL in Use If you actually read the User Agreement above, it's clear what the password anti-pattern really means. source: http://virtualsoul.org/blog/2012/10/11/password-anti-pattern-alive-and-well-at-a-financial-institution/
  • 15. Password Problems are Even Misunderstood ● The problem was a key logger virus ● No password data was retrieved from Facebook, Yahoo, Google, etc. ● The article's advice for password length, character type, and uniqueness is not applicable to a key logger.
  • 16. Beyond Passwords: Other Authentication Methods ● Password managers ● Smart Cards ● Multi-factor authentication systems ● SMS message and other call-backs ● The rise of FIDO However, the evolution of authentication methods remains an arms race. We need a way to manage changing authentication methods, and to manage the evolution of authentication effectively...
  • 17. Federated Authentication: Add a Level of Indirection
  • 18. Speaking of Computer Science... “There are two hard problems in computer science: cache invalidation, naming things, and off-by-one errors.” – various unattributed sources
  • 19. Old-School Federated Authentication with SAML WebAppA SAML Identity Provider - IdP Browser WebAppB WebAppC 1. Joe starts at WebAppA but is not logged in, gets redirected to SAML IdP.2. Joe logs in with method known only to IdP. IdP saves session with Joe (probably in a cookie) and redirects back to WebAppA with a SAML artifact. 3. WebAppA gets the SAML artifact. 5. When Joe accesses WebAppB or WebAppC, they redirect him to the IdP – which already has a session with Joe so he is immediately redirected back with an artifact. 4. WebAppA exchanges the SAML artifact for a SAML assertion via the back channel. It trusts the SAML assertion from that IdP, sets up session with Joe (probably with a cookie) and grants access.
  • 20. Modern, Cool Federated Authentication with OpenID Connect, and Delegated Authorization via OAuth2 WebAppA OIDC AuthZ Server - AS Browser WebAppB WebAppC 1. Joe starts at WebAppA but is not logged in, gets redirected to OIDC Authorization Server.2. Joe logs in with method known only to AS. AS saves session with Joe (probably in a cookie) and redirects back to WebAppA with an OAuth2/OIDC authorization code. 3. WebAppA gets the OAuth2 authorization code. 5. When Joe accesses WebAppB or WebAppC, they redirect him to the AS – which already has a session with Joe so he is immediately redirected back with an authorization code. 4. WebAppA exchanges the authorization code for an ID token (and an access token) via the back channel. It trusts the ID token from that AS, sets up session with Joe (probably with a cookie) and grants access.
  • 21. Progress in Identity Evolution One identity (user account) per application External identities via LDAP External authentication via SAML External authentication and roles via OAuth2 and OpenID Connect External authorization We are here
  • 22. Does Federated Authentication Need to be so Complex? ● I went to Starbucks and ordered a vente coffee with cream with my VISA debit card. ● The VISA network contacted my bank, which transmitted an authorization code to Starbucks. ● The authorization code was used to transfer funds to Starbucks from my account. ● I enjoyed the latte. ● I pointed a browser at my employee benefits site and selected our payroll provider, ADP. ● The benefits site presented a SAML artifact to ADP ● The artifact was used to retrieve an assertion which authorized access to my payroll information. ● I wish I made more money Teenagers, most adults, and supposedly tech-averse grandmothers have no problem understanding this. Programmers, technologists, and tech- executives claim this is too difficult.
  • 23. Advantages of Federated Authentication ● Fewer numbers of identity and authentication sources means less exposure (but also higher value targets of those sources). ● Identity and authentication sources can specialize in security – no need for casual services like Gawker to handle passwords. ● Authentication methods can evolve with no change to applications. ● Varying authentication methods can be required for applications based on identity provider policy. ● Better user experience (longer lived single signon) with more control over revocation of access. ● Partitioned security space – authentication and role information is targeted to specific services. No password anti-pattern.
  • 24. Future Directions ● Authentication policy – including step-up authentication, and re-authentication intervals. ● Continuous authentication and risk analysis. ● Shared signals. Remember why we authenticate... Photo by Angélica Portales, https://www.flickr.com/photos/frozen-in-time/
  • 26. Shared Signals White Paper at the Open Identity Exchange http://oixuk.org/wp-content/uploads/2014/04/The-Shared-Signals-Model-1.pdf
  • 27. Shared Signals White Paper at the Open Identity Exchange http://oixuk.org/wp-content/uploads/2014/04/The-Shared-Signals-Model-1.pdf
  • 28. Conclusion to Introduction to Authentication ● Authentication definition and purpose: to get to authorization ● Authentication methods: evolve, passwords suck, other methods exist and are improving. ● Federated authentication: helps us handle authentication evolution, provides better security with better user experience. ● Emerging trends and future directions: continuous authentication, shared signals