Campfire Talk: Modern Web Authentication: Passwords are so 1960’s – Greg Bailey

October 20, 2023 @ 10:55 am to 11:10 am MDT

Passwords were introduced in the early 1960s (1961, depending on who you ask) by Fernando Corbató at MIT for the Compatible Time-Sharing System. Since then, they haven’t changed much, and that’s a problem. What’s worse, as security professionals, we’ve spent years making it an even bigger problem by imposing password policies (forced rotation, composition rules) that push users toward weaker, reused passwords.

Luckily, there are some bright minds out there that have begun to think about how to make our lives easier and more secure in this new world of web auth. So what really happens when we grant consent to various organizations like Twitter, Facebook, and Google to authenticate for us?

In this talk, we will walk through the modern authentication protocols, specifically OAuth 2.0 and its cousin, OpenID Connect, including the various grant types (the authorization code flow being the most important), how they work, their history of vulnerabilities, and how we can protect them.
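The authorization code flow is the one the abstract singles out, and its classic weakness is an intercepted or injected authorization code. The example below is added here and is not code from the talk; it simulates both sides of the exchange in one process (the `AuthorizationServer` class and `run_flow` client are stand-ins for real endpoints) and shows the two controls that close that hole: PKCE (RFC 7636, S256) binding the code to the client that started the flow, and a `state` check so the client only accepts a redirect it initiated. The assumed client id, redirect URI and token format are placeholders.

```python
"""OAuth 2.0 authorization code flow with PKCE and state, simulated in-process.

Added example, not the speaker's code. The AuthorizationServer below stands in
for the /authorize and /token endpoints of a real server.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    # 32 random bytes encode to 43 characters, inside the 43..128 range of RFC 7636
    return b64url(secrets.token_bytes(32))


def challenge_for(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (S256 method)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class AuthorizationServer:
    registered: dict                                  # client_id -> registered redirect_uri
    pending: dict = field(default_factory=dict)       # code -> (client_id, redirect_uri, challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, method, state):
        # Exact-match redirect_uri: an open redirect here leaks the code to an attacker.
        if self.registered.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri not registered for client")
        if method != "S256":
            raise ValueError("only S256 accepted; 'plain' exposes the verifier")
        code = secrets.token_urlsafe(24)
        self.pending[code] = (client_id, redirect_uri, code_challenge)
        # The user agent is redirected back carrying the code and the untouched state.
        return {"code": code, "state": state}

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self.pending.pop(code, None)          # codes are single use
        if entry is None:
            raise ValueError("unknown or already redeemed code")
        c_id, r_uri, expected = entry
        if c_id != client_id or r_uri != redirect_uri:
            raise ValueError("code was issued to a different client/redirect_uri")
        if not hmac.compare_digest(challenge_for(code_verifier), expected):
            raise ValueError("code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(server, client_id, redirect_uri):
    """The client side: generate verifier and state, start the flow, redeem the code."""
    session = {"verifier": make_verifier(), "state": secrets.token_urlsafe(16)}
    redirect = server.authorize(client_id, redirect_uri,
                                challenge_for(session["verifier"]), "S256", session["state"])
    if not hmac.compare_digest(redirect["state"], session["state"]):
        raise ValueError("state mismatch: redirect was not started by this session")
    return server.token(client_id, redirect_uri, redirect["code"], session["verifier"])


def intercepted_code_fails():
    """An attacker who steals the code (e.g. via logs or a leaky redirect) lacks the verifier."""
    server = AuthorizationServer({"app": "https://app.example/cb"})   # constructed client
    redirect = server.authorize("app", "https://app.example/cb",
                                challenge_for(make_verifier()), "S256", "victim-state")
    try:
        server.token("app", "https://app.example/cb", redirect["code"], make_verifier())
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    srv = AuthorizationServer({"app": "https://app.example/cb"})
    print(run_flow(srv, "app", "https://app.example/cb"))
    print("stolen code rejected:", intercepted_code_fails())
```

In a real deployment the verifier and state live in the client application's server-side session (or, for a public client, in the app's own storage), never in the redirect URL, and the authorization server must also check that the code has not expired.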

Even if the mere mention of JSON makes some people nervous, we aim to simplify JSON Web Tokens (JWTs): their implementation, their security implications, and how to secure them. We will discuss the various threats to JWTs, how they’ve changed, and how we might add controls to protect them, including Iron, which seals a token with encryption and a MAC rather than leaving its claims readable.
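The JWT threat the abstract alludes to that has bitten the most libraries is a verifier that trusts the `alg` field in the attacker-controlled header. The following is an added example, not code from the talk: a pure-standard-library HS256 signer, a deliberately naive verifier that honours `alg: none`, and a strict verifier that pins the algorithm, uses a constant-time comparison, and checks `exp`, `iss` and `aud`. The key, issuer and audience values are constructed for the demo.

```python
"""JWT verification: a naive verifier that trusts the header's alg versus a strict one.

Added example, not the speaker's code. HS256 only, standard library only.
"""
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key-not-for-production"   # constructed sample secret
ISSUER = "https://idp.example"                      # constructed values
AUDIENCE = "api.example"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    signing_input = f"{_json({'alg': 'HS256', 'typ': 'JWT'})}.{_json(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_alg_none(claims: dict) -> str:
    """What an attacker sends: header says 'none', signature segment left empty."""
    return f"{_json({'alg': 'none', 'typ': 'JWT'})}.{_json(claims)}."


def verify_naive(token: str, key: bytes) -> dict:
    """VULNERABLE: lets the token choose how it is verified."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":               # the bug: unsigned tokens accepted
        return json.loads(b64url_decode(p))
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if b64url_decode(s) != expected:              # also a timing side channel
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def verify_strict(token: str, key: bytes, issuer: str, audience: str, now: float = None) -> dict:
    """Hardened: algorithm pinned by the verifier, constant-time MAC check, claims validated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":              # never let the header pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(s), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if audience not in aud:
        raise ValueError("token not intended for this audience")
    return claims


def forged_token_accepted_by_naive() -> bool:
    return verify_naive(forge_alg_none({"sub": "admin"}), KEY).get("sub") == "admin"


def forged_token_rejected_by_strict() -> bool:
    try:
        verify_strict(forge_alg_none({"sub": "admin", "exp": 4102444800,
                                      "iss": ISSUER, "aud": AUDIENCE}), KEY, ISSUER, AUDIENCE)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice", "exp": int(time.time()) + 300,
                       "iss": ISSUER, "aud": AUDIENCE}, KEY)
    print("strict accepts valid token:", verify_strict(good, KEY, ISSUER, AUDIENCE)["sub"])
    print("naive accepts forged alg=none:", forged_token_accepted_by_naive())
    print("strict rejects forged alg=none:", forged_token_rejected_by_strict())
```

The same pinning rule applies with asymmetric keys: a verifier holding an RSA public key must refuse `HS256`, otherwise the public key becomes the HMAC secret (the well-known RS256-to-HS256 confusion).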

Not to be left out, we will take a good look at removing the password from the user altogether and relying on things like <gasp> Windows Hello 🙂, Microsoft’s “passwordless” authentication mechanism.

“Greg Bailey is a Senior Technical Engineer at Counter Hack, where he manages cyber ranges, performs penetration testing, red team operations, and application assessments. In addition, Greg is an instructor at the SANS Institute and the principal consultant at Fox River Information Security.
Greg has over twenty years of experience in professional services, has created red teams at large financial institutions, taught government organizations around the world, played interim CISO and managed teams of incident handlers for MSPs.”