I’m thrilled to share the virtual stage at Disclosure tomorrow! Disclosure is a security conference that’s shaping up to have a super amazing schedule! The speaker lineup is fantastic—with talks ranging from cyber warfare to disinformation to social engineering (and much more!).
My talk is called “How to Think About OAuth Security”. I’ll be focusing on what makes OAuth secure, and on implementation mistakes that have left gaps for attackers in the past. Here’s a taste of the kinds of things I’ll be talking about tomorrow!
Revealing mobile app API keys
It’s a well-understood part of modern app development that trying to hide API keys in an app is a futile effort. But just a few years ago, Twitter made headlines when their mobile app’s API keys were leaked! We’ll talk about what happened and how OAuth evolved to address the need for mobile apps to securely log users in.
Stop relying on passwords
There are much better solutions than passwords on the modern internet. How has OAuth been adapting to these changes? Spoiler alert: OAuth never encouraged apps to handle passwords in the first place, so we’ll take a look at how OAuth is changing to address this.
What’s coming in OAuth 2.1?
You may have heard some rumblings about OAuth 2.1, an update to the spec that a few others and I are currently working on at the OAuth Working Group in the IETF. We’ll look at the significant changes coming in that version, highlight what isn’t changing, and talk about why now is a good time to publish an update to the spec!