Authentication Design & Management
1 Day Masterclass or
7 Hours Self Paced Video
The Why: To provide a virtual workshop for industry leaders, practitioners and consultants looking to develop authentication systems for B2E, B2C and IoT/Machine ecosystems.
For Who: Your Current Role: Information leader, CISO, identity architect, security architect, CIO, digital consultant
Pre-Reqs: Infrastructure understanding, digital concepts, basic security, basic identity. This is a no-code course.
The What: 6 modules of deep dive learning content – covering standards, design planning, deployment use cases and measurement.
~7 hours of video material.
Authentication Design & Management Part 1
Part 1 focuses on the basics of authentication – something you know, something you are and something you have – and some assumptions and first principles regarding authentication protocol design.
The differences between something you know, something you are and something you have – and how MFA combines two or more of the three.
We also look at authorization and assurance.
We analyse the concept of entity authentication, an authentication protocol (with messages, flows, actions and assumptions) before tackling the problem of freshness and replay prevention.
Static (Passwords and PINs)
The problems with passwords – user and service side. Password vulnerabilities and storage. PIN guessing. Basic countermeasures.
A look at the concept of one time passwords – generated service side and user side – as well as a look at magic links.
Possession (Phones & Cards)
An introduction to possession factors such as CAC/PIV cards, phones as a token and USB security keys.
An introduction to biometrics – characteristics, crossover error rates, template storage considerations and the difference between morphological and behavioural.
Pre Authentication (Proofing and Identity Storage)
What needs to happen before authentication can take place? Registration and proofing are introduced along with identity profile storage considerations.
Post Authentication (Sessions and Tokens)
What happens post authentication? We discuss session management and how tokens can be issued including SAML, OIDC and basic web cookies.
Credential Life Cycle
Credentials – for example private keys – need to be created, issued and revoked throughout their association and binding to an identity.
Authentication Design & Management Part 2
Part 2 focuses on the industry standards that exist with respect to authentication – providing a high level view of their components, usage and vulnerabilities. Part 2 also takes a look at deployment design considerations for B2E, B2C and IoT/Machine based environments.
A look at some of the established, current and emerging standards and projects that pertain to authentication including:
FIDO, FIDO2/WebAuthn/Passkeys, NIST SP 800-63B, PSD2 SCA, OATH (TOTP/HOTP), Kerberos, RADIUS, OIDC, SAML, OWASP and MITRE ATT&CK.
A discussion of IoT based authentication for consumer, SCADA, smart city and home automation. Considerations, security threats, design planning.
A recent rise in API, DevOps and machine-based identity has driven new architecture patterns for possession-based infrastructure authentication.
A top down look at business objectives and how that integrates with authentication strategies and tactics for B2E and B2C ecosystems.
B2E Workforce Use Cases
A review of the main use cases facing an enterprise workforce authentication solution such as MFA consolidation and the integration with zero trust architectures.
B2C Consumer Use Cases
A review of the main use cases facing consumer identity projects including proofing, self service and passwordless authentication.
Metrics and Measurement
How to measure authentication project success, by looking at coverage, performance and effectiveness models.
A look at emerging trends within authentication such as continuous, contextual and adaptive controls and the rise of phishing resistance.