Jack Poller, founder and principal analyst of Paradigm Technica, discusses the evolution and challenges of authentication methods, focusing on the limitations of traditional passwords. He explains that passwords, which have been used since ancient times, are fundamentally flawed because they are shared secrets: both the user and the site hold the same value, so it can be stolen from either side or phished from the user. Multi-factor authentication (MFA) adds something you have (a device) or something you are (biometrics) to something you know (the password), but the common forms still rely on shared secrets. A one-time code is a secret the user can be talked into typing into an attacker's page, and a push prompt can be approved under social-engineering pressure, so these methods remain vulnerable to the same tactics.
Poller introduces public key cryptography as a more secure alternative for authentication. It has been around since the 1970s but is relatively new in the context of identity and access management. Public key cryptography uses a pair of keys: a private key that is used to sign, and a public key that anyone can use to verify that signature (in the encryption framing, what one key of the pair does only the other can undo). The private key is generated inside and never leaves a Trusted Platform Module (TPM) or similar secure element, so it cannot be extracted and there is nothing for a user to hand over, even under duress. The TPM does not merely store the key; it performs the signing operation itself, so the key is never exposed to the operating system, to malware, or to the user.
He further elaborates on how the FIDO (Fast Identity Online) protocol leverages this technology to provide phishing-resistant authentication. When a user attempts to log in to a website, the site sends a fresh random challenge to the user's device. The device signs the challenge with the private key held in the TPM and returns the signature; the website verifies it with the public key it stored when the user registered. Because the challenge is random and single-use, a captured response cannot be replayed, and because the credential is bound to the site's origin, a lookalike phishing domain cannot obtain a valid response even if it relays the real site's challenge. Nothing secret ever leaves the device, so there is no password to reuse across sites and nothing a phishing page can capture. Poller emphasizes the importance of adopting passkeys, the consumer name for FIDO credentials, wherever websites offer them, to enhance overall internet security.
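To make the exchange above concrete, here is an added Go model of the FIDO challenge-response flow with both sides in one file. It is illustration written for this page, not code from the talk or from the FIDO/WebAuthn specifications: the Authenticator and RelyingParty types, the domains bank.example and bank-login.example, and the user are all made up, and the signed message layout (SHA-256 of the rpID hash, origin and challenge) is a simplification of WebAuthn's authenticatorData || SHA-256(clientDataJSON). It plays out a genuine login, a phishing site relaying the real challenge, and a lookalike site that has its own credential, to show where each attempt fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assertion is the device's reply (simplified: real WebAuthn signs clientDataJSON + authenticatorData).
type Assertion struct {
	Origin    string // origin the browser was on when it asked the authenticator
	Signature []byte
}

// Authenticator models the TPM/secure element: keys are created inside it, scoped to an rpID, and never leave.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

// Register mints a P-256 key pair bound to rpID and returns only the public key.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only if the system RNG is broken
	}
	a.creds[rpID] = priv
	return &priv.PublicKey
}

// signedDigest = SHA-256(SHA-256(rpID) || origin || 32-byte challenge); stands in for authenticatorData || SHA-256(clientDataJSON).
func signedDigest(rpID, origin string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	d := sha256.Sum256(append(append(rpHash[:], origin...), challenge...))
	return d[:]
}

// Sign is called by the browser with the origin the user is really on; with no credential for that rpID it refuses.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte) (*Assertion, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("authenticator: no credential for rpID %q", rpID)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, origin, challenge))
	return &Assertion{Origin: origin, Signature: sig}, err // err only on RNG failure
}

// RelyingParty is the website (one user, for brevity). It stores the public key only, so a breach yields nothing usable.
type RelyingParty struct {
	ID, Origin string
	pub        *ecdsa.PublicKey
	pending    []byte // outstanding challenge; nil when none
}

// NewChallenge issues 32 fresh random bytes, valid for exactly one assertion.
func (rp *RelyingParty) NewChallenge() []byte {
	rp.pending = make([]byte, 32)
	rand.Read(rp.pending) // crypto/rand fills fully and never fails on Go 1.24+
	return rp.pending
}

// Verify checks freshness and origin, then the signature over the challenge the site itself issued.
func (rp *RelyingParty) Verify(as *Assertion) error {
	challenge := rp.pending
	rp.pending = nil // a challenge is good for exactly one assertion
	if as == nil || challenge == nil {
		return fmt.Errorf("no assertion or no outstanding challenge (replay?)")
	}
	if as.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion is for %q, want %q", as.Origin, rp.Origin)
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(rp.ID, as.Origin, challenge), as.Signature) {
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	return nil
}

// RunScenarios plays out one genuine login and two phishing attempts; nil means accepted.
func RunScenarios() (legit, relayed, lookalike error) {
	bank := &RelyingParty{ID: "bank.example", Origin: "https://bank.example"}
	dev := &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	bank.pub = dev.Register(bank.ID) // enrollment: the site keeps the public key only
	// 1. Genuine login from https://bank.example.
	as, err := dev.Sign(bank.ID, bank.Origin, bank.NewChallenge())
	if err != nil {
		return err, nil, nil
	}
	legit = bank.Verify(as)
	// 2. Phishing relay: a lookalike forwards the bank's real challenge, but the browser scopes the request to the lookalike's rpID.
	c := bank.NewChallenge()
	_, relayed = dev.Sign("bank-login.example", "https://bank-login.example", c)
	// 3. Even with a key enrolled at the lookalike, its assertion carries the wrong origin and rpID hash.
	dev.Register("bank-login.example")
	as, _ = dev.Sign("bank-login.example", "https://bank-login.example", c)
	lookalike = bank.Verify(as)
	return legit, relayed, lookalike
}

func main() {
	legit, relayed, lookalike := RunScenarios()
	fmt.Printf("genuine: %v\nrelayed: %v\nlookalike: %v\n", legit, relayed, lookalike)
}
```

Two design points are worth noticing. The private key is only ever touched inside Authenticator.Sign, mirroring the TPM performing the operation rather than releasing the key, and the site verifies the signature over the challenge it issued itself, so a response captured from one login is useless for the next. Both phishing attempts fail for the reason the talk gives: the credential is scoped to the real site's identifier and origin, so the lookalike either gets no response at all or gets one the bank will not accept.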
Personnel: Jack Poller