Insecurity protocols: an overview of modern authentication
Eric Chiang
BSidesSF 2024 · Day 1
In this talk, delivered at BSidesSF 2024, Eric Chiang gives a comprehensive and often critical "whirlwind" tour of authentication protocols, from the widely adopted to the notoriously complex. Chiang works at Google, has a background in device identity, and co-leads the OAuth special interest group in Kubernetes. He offers a candid assessment of each protocol's design, common pitfalls, and security implications. The presentation aims to highlight the inherent complexities and often overlooked vulnerabilities in these systems, emphasizing that surface similarities between protocols can mask large differences in security posture and implementation difficulty.
AI review
This talk delivers a no-nonsense, rapid-fire dissection of modern authentication protocols, from the perpetually flawed JWTs and the XML nightmare of SAML to the elegant design of FIDO2 and the practical challenges of Passkeys and TPMs. Chiang pulls no punches, exposing common implementation pitfalls, historical vulnerabilities like 'alg: none,' and the inherent complexities that make these protocols so difficult to secure. It's a refreshing dose of reality for anyone tired of marketing hype.