Campfire Talk: Modern Web Authentication: Passwords are so 1960’s – Greg Bailey

Passwords were invented in the mid-1960’s (1961 depending on who you ask) by Fernando Corbató at MIT. Since then, they haven’t changed much, and that’s a problem. What’s worse, as security professionals, we’ve spent years making it an even bigger problem by implementing crazy password policies.

Luckily, there are some bright minds out there that have begun to think about how to make our lives easier and more secure in this new world of web auth. So what really happens when we grant consent to various organizations like Twitter, Facebook, and Google to authenticate for us?

In this talk, we will walk through the various modern authentication protocols, specifically OAuth and its cousin, OpenID Connect, including the various code flows (code flow being the most important), how they work, their history of vulnerabilities, and how we can protect them.

While just the mention of the acronym JSON scares people, we aim to simplify JSON Web Tokens, their implementation, their security implications, and how to secure them. We will discuss the various threats to JWTs, how they’ve changed, and how we might incorporate additional controls to protect them, including Iron.

Not to be left out, we will take a good look at removing the authentication from the user altogether, and relying on things like <gasp> Windows Hello 🙂 , Microsoft’s “passwordless” authentication mechanism.