
Authentication

Discover the challenges of authentication, including the weaknesses of cookies, the complexities of client authentication, and the frustrations of locking and unlocking devices. Learn how a real authentication solution can address these issues and provide a seamless user experience.


Presentation Transcript


  1. Authentication
  Václav Šamša, vsamsa@tdp.cz, www.keyshieldsso.com
  Still using single-user stuff like Excel or KeePass? Ask me why you are in danger…

  2. Agenda
  • Authentication is more challenging than it looks:
  • Cookies and clients
  • Locking and unlocking
  • SLO - logout
  • Q/A
  • LDAP proxy accounts, any proxy accounts …

  3. Cookies and clients

  4. Cookies and clients
  • Cookies:
  • are NOT designed for authentication
  • are managed by the user or by the device administrator
  • each browser can be configured in a different way
  • each browser has its own cookies
  • a cookie (token) authenticates the HTTPS channel, not the person behind it
  • guess how many browsers one user might use
  • the cookie is the critical weakness of SAML and JWT

  5. Cookies and clients
  • A client works in a different way:
  • the client authenticates the user
  • the client, not the system, knows who the user is
  • the client shares the user's identity: Kerberos, NTLM, native messaging, RADIUS accounting, NAC, various APIs
  • the user needs only one client holding something that proves the user's identity in a trusted way

  6. Cookies and clients
  • If the client is fast and efficient enough, both SPs and IdPs can be integrated with it directly:
  • no need to change the existing setup
  • the IdP doesn't use cookies
  • the IdP talks to the client instead
  • This is a technical debate, nothing else.
  • Ask Simon if he knows what can serve more than 10,000 authentication requests in a single second
  • Yes, that is roughly 600,000 per minute
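The distinction slides 4 to 6 draw, as an added illustration that is not code from the talk or from KeyShield SSO: a signed session token carried in a cookie is a bearer credential, so whoever presents it is "the user", from whichever browser; a client that holds a per-device secret and answers a fresh server challenge proves possession of that secret, so a captured response is useless elsewhere. The names (IDP_KEY, DEVICE_KEYS, enrol_device, ...) are hypothetical, and HMAC-SHA256 stands in for whatever signature or key exchange a real IdP and client would use.

```python
"""Bearer cookie token vs. client-held secret (added example, hypothetical names).

Part 1: an IdP issues a signed token and sets it as a cookie. Verification only
checks the signature, so a copied cookie is accepted from any browser.
Part 2: each (user, device) is enrolled with a secret that never leaves the
client; the server sends a nonce and the client answers with an HMAC over it.
A captured answer is bound to one nonce and cannot be replayed.
"""
import base64
import hashlib
import hmac
import json
import os
import time

IDP_KEY = b"idp-signing-key-demo"   # constructed for the example, not a real key


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie_token(user: str) -> str:
    """Signed token in JWT-like form: payload.signature (no header, for brevity)."""
    payload = json.dumps({"sub": user, "iat": int(time.time())},
                         separators=(",", ":")).encode()
    sig = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(sig)


def verify_cookie_token(token: str):
    """Bearer semantics: a valid signature is all it takes to become `sub`."""
    try:
        p, s = token.split(".")
        payload, sig = _b64d(p), _b64d(s)
    except ValueError:          # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(payload)["sub"]


# Client-held secret: enrolled once per (user, device); it never travels over the wire
DEVICE_KEYS: dict = {}


def enrol_device(user: str, device_id: str) -> bytes:
    DEVICE_KEYS[(user, device_id)] = os.urandom(32)
    return DEVICE_KEYS[(user, device_id)]


def server_challenge() -> bytes:
    return os.urandom(16)            # fresh nonce per authentication


def client_respond(device_secret: bytes, nonce: bytes) -> str:
    return hmac.new(device_secret, nonce, hashlib.sha256).hexdigest()


def verify_client(user: str, device_id: str, nonce: bytes, response: str) -> bool:
    secret = DEVICE_KEYS.get((user, device_id))
    if secret is None:
        return False
    return hmac.compare_digest(client_respond(secret, nonce), response)


def demo():
    # 1. Bearer cookie: the token copied out of browser A is accepted from browser B.
    token = issue_cookie_token("alice")
    stolen = token                    # e.g. read from a profile directory on disk
    replay_ok = verify_cookie_token(stolen) == "alice"

    # 2. Client-held secret: a genuine answer passes, the same answer to a new nonce fails.
    secret = enrol_device("alice", "laptop-1")
    nonce = server_challenge()
    resp = client_respond(secret, nonce)
    genuine_ok = verify_client("alice", "laptop-1", nonce, resp)
    replay_rejected = not verify_client("alice", "laptop-1", server_challenge(), resp)
    return replay_ok, genuine_ok, replay_rejected


if __name__ == "__main__":
    print(demo())
```

The bearer property is what the slide calls the weakness; in deployed SAML and JWT setups it is usually narrowed rather than removed, with short lifetimes, Secure and HttpOnly cookie flags and, where the stack supports it, binding the token to a client-held key in the spirit of part 2.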

  7. Locking and UNLOCKING
  The user is required to protect an authenticated device any time he or she leaves it, even for a short while. For Windows users, protection is Windows key + L. This seems to be EASY. But unlocking is implemented as yet another authentication. Again, again, again. How many times does a typical user leave the computer in a day? Coffee, tea, meetings, lunch, smoking, prostate …

  8. Locking and UNLOCKING
  • Users are forced to:
  • use long and complex passwords
  • wait for certificate authentication
  • use two chained authentications (usually called 2FA)
  • change their passwords regularly
  • This is why they complain. Users COMPLAIN
  • A real authentication solution must offer one strong authentication first and then many easy and efficient unlockings (which are only secure if done within a reasonable period of that strong authentication)

  9. SLO - logout
  • The standard implementation needs a browser
  • But the browser is usually not available when the user:
  • resets
  • reboots
  • closes the lid
  • sleeps the machine
  • disconnects
  • etc.

  10. SLO - logout
  • A real authentication solution:
  • should handle SLO from the server side
  • must track all of the user's trusted identity proofs over time
  • anything older than the maximum age must be invalidated
  • the maximum age should not exceed 6 hours
  • or 8 hours, 12 hours or a day if the users are stronger than you
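One way to implement what slides 8 and 10 ask for, as an added example rather than KeyShield's own code: a server-side registry of identity proofs. A strong authentication creates a proof with a timestamp; an unlock within the maximum age is a cheap check against that proof and only from the device it was issued for; a sweep invalidates anything older than the maximum age; and single logout is a server-side revocation of every proof the user holds, so it works with no browser in the loop. The class and method names (ProofRegistry, strong_auth, unlock, single_logout) and the 6-hour default are assumptions taken from the slide, not a published interface.

```python
"""Server-side registry of identity proofs with a maximum age (added example).

Hypothetical design: proofs are created only by a full (e.g. 2FA) authentication,
unlocks reuse a fresh proof from the same device, stale proofs are swept, and
logout revokes all of a user's proofs on the server side.
"""
from dataclasses import dataclass

MAX_AGE = 6 * 3600   # seconds; the talk suggests 6 h (8, 12 or 24 only if users push back)


@dataclass
class Proof:
    user: str
    device: str
    issued_at: int
    revoked: bool = False


class ProofRegistry:
    def __init__(self, max_age: int = MAX_AGE):
        self.max_age = max_age
        self._proofs: dict = {}   # proof_id -> Proof
        self._next = 1

    def strong_auth(self, user: str, device: str, now: int) -> str:
        """Called only after a full authentication (password + second factor) succeeded."""
        pid = f"p{self._next}"
        self._next += 1
        self._proofs[pid] = Proof(user, device, now)
        return pid

    def is_valid(self, pid: str, now: int) -> bool:
        p = self._proofs.get(pid)
        if p is None or p.revoked:
            return False
        return now - p.issued_at <= self.max_age

    def unlock(self, pid: str, device: str, now: int) -> bool:
        """Cheap re-entry after a screen lock: accepted only while the strong proof
        is still within max_age and the request comes from the same device."""
        p = self._proofs.get(pid)
        if p is None or p.device != device:
            return False
        return self.is_valid(pid, now)

    def expire(self, now: int) -> list:
        """Periodic sweep: invalidate every proof older than max_age on the server."""
        stale = [pid for pid, p in self._proofs.items()
                 if not p.revoked and now - p.issued_at > self.max_age]
        for pid in stale:
            self._proofs[pid].revoked = True
        return stale

    def single_logout(self, user: str) -> list:
        """Server-side SLO: revoke every live proof of the user, on every device,
        without needing a browser to call back each SP."""
        hit = [pid for pid, p in self._proofs.items()
               if p.user == user and not p.revoked]
        for pid in hit:
            self._proofs[pid].revoked = True
        return hit


def demo():
    reg = ProofRegistry()
    t0 = 1_700_000_000                                  # constructed epoch time
    p1 = reg.strong_auth("alice", "laptop-1", t0)
    coffee = reg.unlock(p1, "laptop-1", t0 + 900)       # 15 min later: cheap unlock
    other_dev = reg.unlock(p1, "phone-1", t0 + 900)     # proof is bound to the device
    after_max = reg.unlock(p1, "laptop-1", t0 + MAX_AGE + 1)   # stale: strong auth again
    p2 = reg.strong_auth("alice", "phone-1", t0 + 7200)
    revoked = reg.single_logout("alice")                # ends both devices server-side
    return coffee, other_dev, after_max, sorted(revoked), reg.is_valid(p2, t0 + 7300)


if __name__ == "__main__":
    print(demo())
```

The device check in unlock is the part that keeps "many easy unlockings" from turning into a bearer token: the proof is cheap to reuse, but only from where it was established, and never beyond the age the server enforces.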

  11. Q/A
