Hiya folks,
Authcon is in the books! I was the emcee for the one day conference in mid-May, previously mentioned. I had some serious fun introducing speakers, cracking corny auth jokes and opening with a skit about all the responsibilities any CIAM system bears.
I also did a 10 minute intro. I outlined three predictions about customer identity and access management for the next five years:
Passwords are dying. Passkeys, magic links and other forms of login are better in so many ways. More secure with less friction.
But passwords will never die 100%, because they are widely supported. They are also the only form of online authentication where the user has total control and doesn't rely on any hardware or other service, so they meet certain use cases well. We need to keep securing them, and accept the tension.
CIAM is just getting started as an industry; as the internet becomes more widely deployed, we'll need accounts for tasks as varied as scheduling a haircut and proving our identity to government agencies.
I also learned a ton. One of my favorite parts of this conference was a focus on lessons from practitioners. Whether it was a speaker from GitHub rolling out passkeys at scale, an Alteryx director discussing deploying a CIAM system to millions of users, or a GitLab talk showcasing best practices for deprecating tokens, the talks were full of real world lessons.
Of course, nothing teaches you like your own mistakes and experiments, but learning from the mistakes of others is a close second. Here are a few takeaways:
B2B SSO is almost always SAML or OIDC. From the Alteryx talk: "single sign-on with SAML and OpenID Connect has met literally 100% of customer requests. We have not seen any requests for anything else."
Finding a metric that mattered, support tickets opened to reset credentials, helped GitHub succeed in their MFA rollout. They used it to control how the rollout proceeded and to determine its effectiveness.
OAuth 2.1 is a reaction to all the complexity of the RFCs layered on top of OAuth 2.0, including issues with “optional” parameters and PKCE. The CTO of Pandium, Shon Urbas, dove into that when he talked about OAuth 2.0 and OAuth 2.1.
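To make the "optional parameters" point concrete, here is an added example (mine, not from Shon's talk or any project) of the PKCE check an authorization server performs at the token endpoint: the same code, with the switch `require_pkce` assumed to stand for the OAuth 2.0 (optional) versus OAuth 2.1 (mandatory for the authorization code grant) behaviour.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 verifier: 43-128 unreserved chars; base64url of 32 random bytes gives 43.
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(verifier))) with padding stripped.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_request_allowed(stored_challenge, stored_method, presented_verifier, require_pkce):
    """Authorization-server decision at the token endpoint (hypothetical helper).

    stored_challenge / stored_method: what the client sent on the authorize request
    (None if it sent nothing). presented_verifier: code_verifier on the token request.
    With PKCE optional (OAuth 2.0 style), a code issued without a challenge can still be
    redeemed; with require_pkce=True (OAuth 2.1 style) that request is refused.
    """
    if stored_challenge is None:
        return not require_pkce
    if presented_verifier is None:
        return False
    if stored_method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier  # weaker; OAuth 2.1 expects S256 where the client can do it
    else:
        return False
    # Constant-time comparison so the check itself does not leak the challenge.
    return hmac.compare_digest(expected, stored_challenge)
```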
Here are the direct links to videos of the talks. There are a few sessions that were not recorded, including, unfortunately, the GitLab and GitHub sessions.
Talks from practitioners:
Talks about standards:
Authorization talks:
General CIAM talks:
If you'd like to watch them all, here's the playlist.
This conference, with its focus on CIAM, helps propel the CIAM community forward and shares best practices we can all learn from.
Reply to this email if you’d like to know more about future Authcons.
Thanks,
Dan