Avoiding Credential Chaos: Authenticating With No Secrets


BSides Las Vegas 2025 · Day 1

Chitra Dhar Rajan and Steve Jarvis deliver a paired talk that reframes enterprise authentication and automation around a deliberately provocative **golden rule**: **“Thou shalt not have the burden of any secrets.”** They qualify it immediately: where a secret must exist at all, for **bootstrapping** or a similar root-of-trust step, it belongs in an **HSM** or **KMS** with **automated rotation** treated as routine operations work, not as a panic response after an incident. The session is structured as a journey from a “red bad / blue good” current-state diagram of an imaginary company to a target state in which engineers, **CI/CD** pipelines, services, and cross-cloud workloads rely on **federated identity**, **short-lived tokens**, and **PKI** rather than long-lived passwords and API keys. The motivation is anchored in breach economics (the speakers cite **Thomson Reuters** figures described as a **global average** data-breach cost of about **$4.88 million** in **2024**, with a higher US average of about **$10 million**) and in the observation that many breaches involve **lost, stolen, or harvested credentials**.
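The target state above rests on one exchange: a workload presents a short-lived identity token signed by its identity provider, and the relying party (a cloud, an API) validates that token against a trust policy and hands back a credential that also expires. The following is an added illustration of that exchange, not code from the talk or from the speakers, written in Go with only the standard library. The issuer URL is GitHub Actions' real OIDC issuer and the `repo:OWNER/REPO:ref:refs/heads/BRANCH` subject shape is GitHub's documented format; the audience string, the repository and branch names, the Ed25519/EdDSA signature choice, and every function and type name are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Claims: the OIDC ID-token claims this exchange relies on. For a GitHub
// Actions job, sub looks like "repo:OWNER/REPO:ref:refs/heads/BRANCH".
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// NewIdPKey generates the identity provider's signing key. Only the public
// half reaches relying parties (in practice via the issuer's JWKS endpoint).
func NewIdPKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Issue is the IdP side: it signs the job's claims as a compact JWS
// (header.payload.signature). The job holds no long-lived secret; it is
// handed this token at run time and the token expires.
func Issue(priv ed25519.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	in := b64(hdr) + "." + b64(body)
	return in + "." + b64(ed25519.Sign(priv, []byte(in))), nil
}

// TrustPolicy is the relying party's side: accepted issuer and audience, an
// anchored regexp over sub, and the lifetime of the credential it mints.
type TrustPolicy struct {
	Issuer, Audience, SubjectPattern string
	MaxTTL                           time.Duration
}

type Credential struct {
	Principal string
	ExpiresAt time.Time
}

// Exchange verifies a token against the IdP's public key and the policy, then
// mints a short-lived credential. Checks run in order and every one is fatal.
func Exchange(pub ed25519.PublicKey, token string, pol TrustPolicy, now time.Time) (Credential, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Credential{}, errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrRaw, e1 := dec(parts[0])
	body, e2 := dec(parts[1])
	sig, e3 := dec(parts[2])
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	var c Claims
	switch {
	case e1 != nil || e2 != nil || e3 != nil:
		return Credential{}, errors.New("bad encoding")
	case json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "EdDSA":
		return Credential{}, errors.New("unexpected alg") // the verifier pins the algorithm, not the token
	case !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig):
		return Credential{}, errors.New("bad signature")
	case json.Unmarshal(body, &c) != nil:
		return Credential{}, errors.New("bad payload")
	case c.Iss != pol.Issuer:
		return Credential{}, errors.New("untrusted issuer")
	case c.Aud != pol.Audience:
		return Credential{}, errors.New("token not meant for this relying party")
	case now.Unix() >= c.Exp:
		return Credential{}, errors.New("token expired")
	case !regexp.MustCompile(pol.SubjectPattern).MatchString(c.Sub):
		return Credential{}, errors.New("subject not allowed by trust policy")
	}
	return Credential{Principal: c.Sub, ExpiresAt: now.Add(pol.MaxTTL)}, nil
}

func main() {
	pub, priv, _ := NewIdPKey()
	iss, aud, now := "https://token.actions.githubusercontent.com", "sts.example.cloud", time.Now() // audience is assumed
	pol := TrustPolicy{Issuer: iss, Audience: aud, MaxTTL: time.Hour,
		SubjectPattern: `^repo:example-org/payments:ref:refs/heads/main$`} // assumed repository and branch
	for _, sub := range []string{"repo:example-org/payments:ref:refs/heads/main", "repo:someone-else/payments:ref:refs/heads/main"} {
		tok, _ := Issue(priv, Claims{Iss: iss, Sub: sub, Aud: aud, Exp: now.Add(5 * time.Minute).Unix()})
		fmt.Println(Exchange(pub, tok, pol, now)) // the second is refused; a wildcard such as "^repo:" would accept it
	}
}
```

The point to carry into a real trust policy is the subject check: a valid, correctly signed token from the same issuer is still refused when its `sub` does not match the anchored pattern, whereas a wildcard pattern would hand credentials to any repository that issuer vouches for. A production relying party additionally fetches the signing keys from the issuer's JWKS, pins the key ID, and checks `iat`/`nbf` and replay, none of which this example does.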

AI review

A competent, practitioner-grade tour of modern identity patterns—WebAuthn, GitHub OIDC federation, private-key JWTs, and IRSA/Cognito cross-cloud glue—with a live misconfiguration demo that is worth the price of admission.
