News

Authlete sponsors Identiverse 2024

Authlete will share the best practices and latest trends in API security and digital identity standards

  • May 13, 2024

Authlete is proud to sponsor Identiverse 2024, which will take place at ARIA Resort & Casino in Las Vegas, Nevada on May 28-31, 2024.

The identity conference attracts over 3,000 attendees from more than 1,000 companies, providing opportunities for learning and collaboration for identity and security professionals and experts.

During the four-day conference, Authlete will exhibit (booth number 1306) and deliver presentations on a wide-range of topics, including verifiable credentials, open banking, and OAuth 2.0. Join us at our presentations as our experts share their thought-provoking insights and best practices.

Authlete members’ presentations are as follows:

  • Wednesday, May 29, 12:50 pm-1:05 pm, Tech Theater 2 (Pinyon)

Striking the Right Balance — Compliance, Security and User Experience

Ali Adnan, Co-founder, and Tatsuo Kudo, Japan Country Manager

Authentication and API authorization mechanisms have traditionally been combined into one system architecture, often through a managed service provided by a vendor. However, increasingly, identity and access management is required to accommodate the multiple facets of delivering new services, meeting the high expectations of customers for a seamless experience.

Authlete’s Ali Adnan and Tatsuo Kudo will explore a new approach to tackle this challenge. Sharing best practices from the financial industry, they will discuss how businesses can implement a fully compliant and secure API authorization mechanism, taking full control to provide a frictionless and on-brand user experience.

  • Wednesday, May 29, 3:10 pm-3:35 pm, Joshua 8

Federation Bubbles

Justin Richer, Principal Architect

Traditional federation agreements are relatively static. It takes some effort to onboard an IdP and RP to each other, but once that trust is established, it’s good until some exceptional event breaks the federation. But what about a more dynamic world, one where trust comes and goes based on context? What if users could be provisioned dynamically into a space based on trust from elsewhere? What if an isolated space could still function in a disconnected state and still have powerful security properties? What if these isolated spaces could reconnect to the network and provide audit capabilities and security signaling to other components throughout the wide ecosystem? And what if all of this could be built on a layer of trusted software that didn’t rely on pre-placing keys or accounts ahead of time?

This isn’t addressed by only using local accounts, or creating and distributing shards of a global truth. We need a world that expects things to move. Come to this talk to learn about Federation Bubbles, the proof of concept being built out on top of a suite of technology including OpenID Connect (OIDC), OAuth, SPIFFE, Verifiable Credentials, and more.

  • Thursday, May 30, 2:00 pm-2:25 pm, Joshua 5

High-security & interoperable OAuth 2: What’s the latest?

Daniel Fett, Security and Standardization Expert, and Joseph Heenan, CTO

OAuth is a widely used authorization framework that enables third-party applications to access resources on behalf of a user. However, it has historically been difficult to meet very high security and interoperability requirements when using OAuth. Daniel and Joseph have spent much of the last six years working to improve the state of the art and will present the latest developments in the field.

There are challenges when trying to achieve high security and interoperability with OAuth 2: There are many potential threats, some not part of the original OAuth threat model. For seamless authorizations, optionality must be minimized in OAuth itself and also in any extensions used. Seven years ago, the IETF OAuth working group began work on the Security Best Current Practice document and more recently on OAuth 2.1. Meanwhile, the OpenID Foundation (OIDF) has created FAPI1 and FAPI2 security profiles.

We will help you understand the focus of each document and when to use which. We show how to achieve on-the-wire interoperability and security using techniques like asymmetric client authentication and sender-constraining via DPoP and MTLS, discussing the benefits and potential disadvantages of each. We highlight the benefits for implementers and the role of conformance testing tools.

  • Thursday, May 30, 4:35 pm-5 pm, Joshua 1

Revolutionizing North American Banking

Joseph Heenan and Jean-Paul LaClair, Sr. Director of Product Financial Data Exchange (FDX)

Joseph and Jean-Paul LaClair, FDX’s Sr. Director of Product, will delve into the heart of revolutionizing North American banking, uncovering the keys to the rapid expansion of secure, privacy-preserving APIs through Open Banking standardization. And yes — without identity (and identity-centric) proposals like FDX or FAPI, delivering against the new regulations isn’t going to be possible.

This session will unveil the transformative power of Open Banking, a cornerstone in reshaping financial interactions to be not only more efficient but shielded with robust privacy measures. It’ll explore the dynamic interplay of innovation and security, revealing how standardized, privacy-preserving APIs are accelerating this revolution.

Dive into the critical role of collaborative efforts (like those occurring at FDX and OIDF) and regulatory frameworks in sculpting a consumer-centric future in banking. Understand how Open Banking isn’t just a fleeting trend but the prologue to a larger narrative of Open Data, poised to redefine our financial ecosystem. Prepare for a discussion that navigates the complex yet thrilling intersection of security and openness in financial services. Don’t just attend — come ready to engage, question, and redefine your understanding of how standards will enable an enhanced financial landscape.

  • Friday, May 31, 10:15 am-10:40 am, Joshua 3

Securing the Foundations of Verifiable Credential Ecosystems

Daniel Fett

As verifiable credentials are adopted at scale in ecosystems around the world, addressing security and privacy challenges is becoming increasingly important. In this talk, Daniel will discuss some of the most pressing issues around protocols and credential formats and how they can — or cannot — be addressed. Using the OpenID and IETF specifications as examples, he will discuss the challenges of establishing trust, mitigating replay and phishing attacks, avoiding linkability and tracking, securing cross-device flows, addressing confidentiality and (non-) repudiation, and more.

While some of these issues are well known in identity protocols, others only arise in the context of verifiable credentials. As an editor of the OAuth Security Best Current Practice draft, the Cross-Device Flow Best Current Practice draft, the SD-JWT and SD-JWT VC specifications, and a contributor to many other specifications in this area, Daniel will share his experiences and insights from moving from the world of OAuth and OpenID to the world of verifiable credentials.

To register for Identiverse 2024, visit the official conference website: www.identiverse.com.

We look forward to meeting you at our booth 1306 and presentations. If you would like to arrange a one-on-one meeting, please reach out to us.