In this article, Moriarty interviews Justin Richer, an internet security expert with over two decades of experience, and author of “OAuth2 In Action,” as well as many OAuth (Open Authorization) extensions. Together they take a deep dive into authentication, authorization, federation, and related technologies.
Moriarty: Strong authentication and dynamic authentication are intrinsic to a zero trust architecture, as these measures reduce the chance of an attacker gaining a foothold on your network, moving laterally, or surviving a reauthentication request. It’s not as simple as just deploying these technologies, as there are many to choose from and there are lots of deployment considerations to ensure the expected security gains are met. Let’s say an organization has selected a multi-factor authentication (MFA) solution that meets their needs. They are considering an authorization framework.
Richer: OAuth is a powerful security framework that allows software to act on behalf of users without exposing their credentials to the software. OAuth is a fairly loose collection of related protocols that are applicable in different environments, and the first choice to be made is which pieces to deploy. The OAuth working group is currently drafting OAuth 2.1, which pulls together many of the best practices from the last decade of experience with this protocol family. In OAuth 2.1, if there is a user involved in the delegation process, the recommendation is to use the Authorization Code Grant with the Proof Key for Code Exchange extension (PKCE). If there is no user involved in the delegation process, the recommendation is to use the Client Credentials Grant. Other grant types and extensions are available for specific applications and use cases, but these two cover the majority of cases.