Non-binary authentication

Presented at ToorCon San Diego 16 (2014), Oct. 26, 2014, 11 a.m. (20 minutes)

The “binary” authentication model of “logged in or not logged in” is too simplistic. It leads to endless design compromises that make applications hard to use, insecure, or often both. Some of the most forward-thinking sites and services are moving to a more granular and nuanced model: each individual action is evaluated for authorization based on risk, informed by a variety of inputs (previous actions, IP address, recent history, the forms of authentication the user has completed), and additional levels of authentication are requested only when necessary. We describe a general framework for this kind of authentication model, the security and usability improvements it brings, and how you can use it to protect your services as an application developer, sysadmin, or security consultant.
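As an added illustration (not code from the talk), one minimal way to encode the per-action, risk-informed decision the abstract describes: a session carries the signals, each action has a sensitivity, and the outcome is allow, step-up, or deny. The action names, signal weights, thresholds, and the single assumed step-up factor are all illustrative assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # complete an additional factor, then retry the action
    DENY = "deny"         # risk too high to resolve with step-up alone

# Action sensitivity, 1 (low) .. 5 (high); assumed values for illustration
ACTION_SENSITIVITY = {
    "view_feed": 1, "post_comment": 2, "change_email": 4, "transfer_funds": 5,
}
STRONG_FACTOR = "totp"      # assumed name of the step-up factor
FRESHNESS_SECONDS = 900     # strong auth only counts if completed recently

@dataclass
class Session:
    current_ip: str
    known_ips: set                   # addresses previously seen for this user
    last_strong_auth: float          # epoch seconds of last successful strong auth
    factors: set = field(default_factory=set)  # factors satisfied in this session
    recent_failures: int = 0         # failed auth attempts in the recent window

def risk_score(session: Session, now: float) -> int:
    """Sum of risk signals drawn from the session's context and recent history."""
    score = 0
    if session.current_ip not in session.known_ips:
        score += 3                   # never seen this user from this address
    if session.recent_failures >= 3:
        score += 3                   # repeated failures: guessing or stuffing
    age = now - session.last_strong_auth
    if age > 7 * 86400:
        score += 2                   # strong authentication is stale
    elif age > 3600:
        score += 1
    return score

def authorize(action: str, session: Session, now: float) -> Decision:
    """Evaluate one action: allow, demand additional authentication, or deny."""
    total = ACTION_SENSITIVITY[action] + risk_score(session, now)
    if total < 4:
        return Decision.ALLOW        # low-value action at low risk: no friction
    if total >= 10:
        return Decision.DENY
    fresh = (now - session.last_strong_auth) <= FRESHNESS_SECONDS
    if STRONG_FACTOR in session.factors and fresh:
        return Decision.ALLOW        # already stepped up recently
    return Decision.STEP_UP
```

The same session can thus be allowed to browse, asked for a second factor before moving money, and refused outright when several signals line up at once.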


Presenters:

  • Ryan Lackey
    Ryan Lackey (octal) got started in computer security when he ordered the Rainbow Books from NSA back in 1993 after seeing them referenced on the cypherpunks mailing list. Since then, he’s founded an offshore datahaven, worked on anonymous electronic cash, worked in warzones to deploy and operate satellite communications networks, built and sold a trusted computing startup, and is now at CloudFlare, the edge network performance and security company.