Satisfying compliance requirements with passwordless credentials

Presented at Blue Team Con 2022, Aug. 27, 2022, 10:45 a.m. (50 minutes)

Do you want to know how FIDO2 measures up against FedRamp High? Does it satisfy NIST Authentication Assurance Level 2 or 3? Learn how to interpret the standards and regulations and how you can map the various common credentials in the ecosystem to them, also learn how you can show compliance to your auditor when you use new passwordless credentials like FIDO2 keys.

Recent cyber-attacks are driving governments and regulated industries around the world to improve their Cybersecurity and ensure that baseline security practices are in place. Requiring MFA is no longer enough, there is a need to make sure it is a phishing resistant MFA. In this session we'll explain NIST Special Publication 800-63-3 "Digital Identity Guidelines" pivotal role in shaping Identity regulation in US and around the world, we'll dive into the requirements for meeting the various Authentication Assurance Levels and explain why not all MFA methods are created equal.

Presenters:

• Ehud Itshaki - Principal Program Manager, Microsoft
  Ehud Itshaki is a Principal Program Manager and an architect in the Azure Active Directory Customer Success Team. Ehud works closely with customers who are deploying Azure AD Identity scenarios to help them design and implement their solutions to their employees or consumers smoothly and securely. He is a 16-year veteran of Microsoft with vast experience in security and Identity. Currently focused on meeting regulatory requirements for highly regulated industries and Government. Areas of focus include but are not limited to NIST, FedRAMP, DoD SRG, CMMC, CJIS, IRS 1075, EPCS, EO 14028, etc.

Similar Presentations:

• CircleCityCon 10.0 (2023) / A World Without Passwords
• DerbyCon 8.0 Evolution (2018) / Two-Factor, Too Furious: Evading (and Protecting) Evolving MFA Schemes
• BSidesSF 2019 / Navigating Passwordless Authentication with FIDO2 & WebAuthn