Hackfest 2024 - 16-bit Edition

Authentication: The Epic Saga of Tokens, Passwords, and Digital Fortresses
10-12, 15:30–16:20 (America/New_York), Track 1 (206b)
Language: English

What should attendees expect:
Attendees will embark on a whirlwind tour through the ever-evolving landscape of authentication. By the end of this session, you'll be well-versed in the latest and greatest in authentication systems, from the grand protocols like SAML, OIDC, and OAuth to the shiny new standards of FIDO2 and Passkeys.

You’ll gain insights into the critical elements of choosing Passkey solutions tailored for both enterprise giants and nimble SMBs, learning what makes a solution robust and what pitfalls to avoid. Expect to dive into the current state of Multi-Factor Authentication (MFA), understanding not just its necessity but how to manage the extra friction it introduces.

We'll also explore the nuanced differences between hardware and mobile authenticators, helping you determine which type best fits your needs. Whether you're grappling with MFA's limitations or considering the right type of authenticator for your organization, you'll leave with practical knowledge, ready to tackle the biggest challenge in the world of cybersecurity.

Come for the insights, stay for the analogies and wit. It’s time to make authentication both secure and entertaining!


Abstract: Authentication: The Epic Saga of Tokens, Passwords, and Digital Fortresses

Intro: The Quest for the Holy Grail of Authentication
Imagine a world where passwords are dead, multi-factor authentication is a legend, and biometric systems reign supreme. Welcome to the present, where our quest for secure authentication has taken us from password-based dungeons to the glossy citadels of FIDO2 standards and Passkeys. This talk will navigate through the labyrinth of modern authentication systems, examining the heroes and villains of SAML, OIDC, OAuth, and the newly crowned kings of security: FIDO2 and Passkeys. Buckle up, as we embark on a journey to uncover what makes these systems tick and how they’re reshaping our digital lives.

What Is the Problem We Face with Current Prevalent Authentication Schemes?
Our current authentication schemes are like trying to secure a fortress with a squeaky drawbridge. They’re often plagued with issues such as weak password practices, lack of user education, and susceptibility to various attacks. We'll dissect why our traditional methods are struggling in the face of evolving threats and why it's high time to upgrade our defenses from a patchwork quilt to a fortified castle.

The Password Paradox: The Cost of Credential Compromise
Passwords are like the old, rusty locks on a high-security vault—easily picked and easily forgotten. We’ll delve into the staggering numbers behind password breaches: 15 billion credentials exposed in 2022 alone, and the average cost of a data breach hitting $4.45 million. The problem is real, with password-based attacks costing businesses billions annually and leaving users vulnerable to identity theft and fraud. Brace yourself for some alarming statistics and the high price of keeping those old locks.

Credentials Attacks in the Wild: A Rogue’s Gallery
From credential stuffing to phishing and password spraying, the dark web is rife with attacks targeting our digital identities. We’ll showcase the various types of credential attacks seen in the wild, including the infamous "password reuse" issue, where compromised credentials from one breach are used to exploit other accounts. Think of it as a rogues' gallery of the worst villains trying to infiltrate your digital kingdom.

The League of Extraordinary Protocols: SAML, OIDC, and OAuth
In the realm of single sign-on and federated identities, SAML, OIDC, and OAuth are the Gandalf, Aragorn, and Legolas of authentication protocols. We'll delve into their unique powers and quirks: SAML’s timeless charm, OIDC’s modern flair, and OAuth’s role as the gatekeeper of access. Discover why OAuth is the ultimate party guest, SAML the seasoned diplomat, and OIDC the cool new kid on the block. Spoiler alert: not everyone gets along perfectly in this Fellowship.

The Rise of FIDO2 and Passkeys: A New Hope
Forget about the old password-based rebellion. FIDO2 and Passkeys are the new Jedi of authentication, promising to vanquish phishing and password fatigue. We’ll explore how these shiny new standards are leading the charge against the dark forces of credential theft and social engineering. See how they promise a future where a simple biometric scan or hardware token could be your key to the digital kingdom. Yes, you can finally say goodbye to your cryptic password lists!

Portable Roaming Authenticator Devices: The Swiss Army Knife of Security
Picture a digital multitool with a secure display, a cryptographic engine, and a bad attitude towards phishing attacks. That’s what portable roaming authenticator devices offer. In this segment, we’ll discuss these little marvels of convenience and security, their superhero status in the realm of multi-factor authentication, and their limitations. Think of them as your personal security sidekick, ready to save the day—or at least your login attempts.

What to Consider When Looking for Passkeys Solutions in the Enterprise
For enterprises, choosing a Passkey solution is akin to selecting the perfect knight for your order. Look for features that offer scalability, seamless integration, and robust management tools. Consider solutions that support various devices and ensure they come with a solid track record in security. This segment will guide you in picking a Passkey system that can handle the demands of a sprawling digital empire without missing a beat.

What to Consider When Looking for Passkeys Solutions for Small and Medium Businesses
SMBs might not need a full battalion, but they still require a reliable guardian. For smaller businesses, focus on Passkey solutions that are cost-effective, easy to deploy, and user-friendly. This section will help you find a solution that balances security with simplicity, ensuring you get the protection you need without turning your login process into an epic quest.

Current State of MFA: Requirement or Just Extra Friction?
Multi-Factor Authentication (MFA) is like adding extra security guards to your castle gate—but does it slow down your guests too much? We’ll examine the state of MFA, exploring its necessity in today’s threat landscape and weighing the additional friction it introduces against its security benefits. Discover why MFA might be the unsung hero of modern security, even if it occasionally feels like it’s adding a few extra hurdles to your login process.

Weaknesses of MFA: Not All Heroes Wear Capes
Even MFA has its Achilles' heel. This segment will explore the weaknesses of MFA, such as its vulnerability to social engineering attacks, the potential for user errors, and issues with implementation. While MFA is a powerful tool, understanding its limitations will help you deploy it more effectively and avoid common pitfalls.

Differences Between Hardware Authenticators and Mobile Authenticators
Hardware and mobile authenticators each bring their own flair to the authentication party. Hardware authenticators are like the elite bodyguards of security, offering robust protection but requiring physical possession. Mobile authenticators, on the other hand, are the versatile, on-the-go champions, providing convenience at the cost of potential exposure. We'll compare these two types of authenticators, helping you decide which might be the best fit for your security needs.

The Future Frontier: Authentication Beyond the Horizon
As we look ahead, the future of authentication promises even more exciting advancements and challenges. What’s next in our quest for the ultimate security? Will AI and quantum computing become the next great disruptors? This closing segment will explore potential future trends, emerging technologies, and what we should be preparing for as we continue to evolve our digital defenses.


Are you releasing a tool? – no

Thierry, CTO and co-founder of Kelvin Zero, is a top-tier expert in secure IAM and data sharing networks. He likes diving deep into topics such as Authentication, Cryptography & Digital ID while leading an elite team helping him innovate and envision the future of digital systems. Previously, Thierry honed his skills in CTI and malware analysis with the Government of Canada. He's a seasoned pro in safeguarding critical infrastructure and navigating the cyber threat landscape.