It’s just two weeks out from the mega-event that is the RSA Conference. You, along with over 40,000 other security professionals and technologists, have (hopefully) squared away your travel plans and cleared your calendar. The last thing left to do is sift through the 24 topics and tracks containing dozens of sessions over six days of talks to build your own personalized agenda… Good luck!
To help lighten your analysis paralysis, we’ve put together a “NuID 101” mini-agenda with five RSAC sessions that touch on topics near and dear to us, like password storage, the future of authentication, cryptography, and decentralized identity.
Check out these five sessions to gain a better understanding of some of the challenges and innovations in authentication and digital identity today—and then stop by our booth #20 in the Early Stage Expo to chat about them!
This may seem like a strange session to suggest for a team that gives out t-shirts reading “Stop. Storing. Passwords.” on the back.
While yes, our answer on how to meet the “increased pressure on storing a password securely” is simply not to, in this session Hoyt Kesterson will break down exactly why common password storage practices aren’t enough. And if your organization hasn’t yet made the transition to trustless authentication, Kesterson’s guidance on password storage is sure to be some of the best available (if you’re reading this Hoyt, we would be honored to contribute to that guidance!).
After hearing from Kesterson about the weaknesses of existing password-based authentication methods, this talk by Trusona founder Ori Eisen and Frank Abagnale of real-life “Catch Me If You Can” fame will really hammer home the scale and severity of the password-breach problem.
Eisen and Abagnale’s illumination of the national security implications of password breaches is just one aspect of a broader phenomenon that our CTO wrote about last year. Nolan pointed out that passwords are not just a weak link in any particular organization, but are in fact a systemic vulnerability that transcends and interconnects otherwise unrelated organizations—something he coined “Enterprise Overflow.”
Moving on to a talk that is a bit more optimistic, in Topic 1 of this two-part session cryptographers Nigel Smart and John Kelsey will present Ticket-Mediated Password Strengthening (TMPS), a technique published in a paper last year.
TMPS is a creative approach to addressing the risks of server-side password database compromise. With TMPS, the user’s password is never sent to a server. Instead, it is used to derive a cryptographic key on the user’s own device and, through interaction with an authentication server, a set of one-time-use “tickets”, one of which must be spent on every authentication attempt.
The server never learns anything about the user’s password, so a server-side breach does not lead to the Enterprise Overflow problem of existing password storage. Furthermore, because every authentication attempt (and therefore every password guess by an attacker) must be accompanied by an unused ticket, a would-be attacker is extremely limited in their ability to run the usual dictionary or brute-force guessing strategies: each guess costs a ticket, and the server sees and can refuse every redemption.
TMPS has practical tradeoffs worth weighing, such as how tickets are provisioned and replenished once a user has spent them. Regardless, we think this is a great talk to attend to get thinking about new cryptographic approaches to password-based authentication.
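To make the two properties above concrete (the server stores nothing derived from the password, and every guess, right or wrong, burns one ticket), here is an added toy written for this post. It is not the construction from the TMPS paper and not NuID code; it is a deliberately simplified model built only from the Python standard library. The names (`TicketServer`, `Client`, the “blind” key, the XOR-plus-HMAC key wrap) are our own assumptions: the server derives a per-ticket value from a long-term secret, the client wraps its master key under an HMAC of that value and a blinded commitment to the correct password, then forgets the ticket value. A login guess is checked only by asking the server to apply the same HMAC to a fresh commitment, and the server marks the ticket spent before answering.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Added illustrative example, not the TMPS paper's protocol. Constructed names
# and parameters throughout; PBKDF2 iterations are kept low so the demo is fast.


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()


def password_key(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation on the client. The raw password never leaves it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class TicketServer:
    """Holds one long-term secret and per-user ticket bookkeeping; no password material."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)
        self.issued: dict[str, set[bytes]] = {}
        self.used: dict[str, set[bytes]] = {}

    def _ticket_value(self, user: str, ticket_id: bytes) -> bytes:
        # Recomputed on demand, so the server never has to store it.
        return hmac.new(self.secret, H(user.encode(), ticket_id), hashlib.sha256).digest()

    def issue(self, user: str, n: int) -> list[tuple[bytes, bytes]]:
        # Enrollment over an authenticated channel: hand out n ticket ids and
        # the matching values the client needs to wrap its key once.
        ids = [secrets.token_bytes(16) for _ in range(n)]
        self.issued.setdefault(user, set()).update(ids)
        self.used.setdefault(user, set())
        return [(t, self._ticket_value(user, t)) for t in ids]

    def redeem(self, user: str, ticket_id: bytes, commitment: bytes) -> bytes:
        # One redemption per ticket: the ticket is burned before we answer.
        if ticket_id not in self.issued.get(user, set()):
            raise PermissionError("unknown ticket")
        if ticket_id in self.used[user]:
            raise PermissionError("ticket already spent")
        self.used[user].add(ticket_id)
        return hmac.new(self._ticket_value(user, ticket_id), commitment, hashlib.sha256).digest()


class Client:
    def __init__(self, user: str, password: str, server: TicketServer, n_tickets: int = 3) -> None:
        self.user, self.server = user, server
        self.salt = secrets.token_bytes(16)
        self.blind = secrets.token_bytes(32)        # keeps commitments opaque to the server
        self.master_key = secrets.token_bytes(32)   # the secret we actually protect
        kp = password_key(password, self.salt)
        self.wraps: dict[bytes, tuple[bytes, bytes]] = {}
        self.unspent: list[bytes] = []
        for ticket_id, value in server.issue(user, n_tickets):
            z = hmac.new(value, self._commit(kp), hashlib.sha256).digest()
            self.wraps[ticket_id] = self._wrap(z)
            self.unspent.append(ticket_id)
        # `value` and `z` are dropped here; only the server can recreate them.

    def _commit(self, kp: bytes) -> bytes:
        return hmac.new(self.blind, kp, hashlib.sha256).digest()

    def _wrap(self, z: bytes) -> tuple[bytes, bytes]:
        pad, tag_key = H(b"kek", z), H(b"tag", z)
        ct = bytes(a ^ b for a, b in zip(self.master_key, pad))
        return ct, hmac.new(tag_key, ct, hashlib.sha256).digest()

    def login(self, password_guess: str) -> bytes | None:
        """Spend one ticket on one guess. Returns the master key or None."""
        if not self.unspent:
            raise RuntimeError("out of tickets; re-enroll to obtain more")
        ticket_id = self.unspent.pop(0)
        kp = password_key(password_guess, self.salt)
        z = self.server.redeem(self.user, ticket_id, self._commit(kp))
        ct, tag = self.wraps[ticket_id]
        if not hmac.compare_digest(tag, hmac.new(H(b"tag", z), ct, hashlib.sha256).digest()):
            return None  # wrong guess: the ticket is gone and z is useless for any other guess
        return bytes(a ^ b for a, b in zip(ct, H(b"kek", z)))


if __name__ == "__main__":
    srv = TicketServer()
    alice = Client("alice", "correct horse battery", srv)
    print("wrong guess ->", alice.login("hunter2"))
    print("right guess ->", alice.login("correct horse battery") == alice.master_key)
```

Note what the server is holding after enrollment: its own secret and two sets of ticket ids per user. Dumping that database gives an attacker nothing to run a dictionary through, which is the point of the TMPS talk. The toy leans on the server to enforce single use and uses an online enrollment step; the real scheme is designed with more care than this sketch, so treat it as a mental model, not a reference.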
Self-sovereign identity (SSI)—a term often used interchangeably with decentralized or blockchain-based identity—is the concept of a digital representation of identity which is decoupled from and not controlled by any centralized entity. For a better understanding, check out Christopher Allen’s formative article The Path to Self-Sovereign Identity.
This session with Verizon’s George Fletcher will provide a valuable perspective on the real-world adoption of SSI. Not only is Fletcher a veteran of the identity standards world, he will be able to share learnings from within a large legacy organization—a less common perspective in the cutting-edge space of SSI.
This last session is not actually a session, but we still think you should put it on your agenda! Launch Pad is RSA’s early-stage startup pitch event, where the top new security companies pitch their product to VC judges and the RSA audience.
This event is special to us because last year NuID was selected to participate in the first-ever RSAC Launch Pad! You can see Ethan’s pitch on the Launch Pad event page.
The companies participating in Launch Pad this year may not strictly fit into a NuID 101 curriculum, but there’s no better place to learn about the future of security than from the teams who are out there building it.
Plus, the Launch Pad stage is right next to the Early Stage Expo where our kiosk will be, so you can stop by after the event and graduate to the NuID 200-level course!