Name: Understanding CIBA - What it is and how it works
Start: 2023-01-11T09:48:00Z
End: 2023-01-11T09:48:46.000Z
Location: BrightTALK

Curity is a leading provider of IAM and API security technology that enables user authentication and authorization for a wide range of digital services. The Curity Identity Server is highly scalable, and handles the complexities of the leading identity standards, making them easier to use, customize and deploy. Today, the Curity Identity Server is the most complete OAuth and OpenID Connect server, and we enjoy the trust of large organizations in most industries, including financial services, telecom, retail, gaming, energy, and government services across many countries.

In the last few years, browser security has been strengthened by the introduction of same site cookies. This improves web application security and helps prevent unwelcome user tracking. Yet this prevents some types of web integration and some older OAuth flows from working.

To be productive, organizations therefore need to understand up-to-date cookie best practices. This knowledge enables early planning of deployments and ensures reliable navigation between application

In this webinar, our identity experts Daniel Lindau and Gary Archer will explain:

What causes third party cookies to be dropped?
Which OAuth flows you should no longer use, and the alternative options
How to make use of the strongest same site cookies, for web application use cases

The Way the Cookie Crumbles - Security after Third Party Cookie Deprecation

Security is becoming increasingly crucial for business success and growth. This puts teams under extra pressure to ensure that chosen solutions and methods are up-to-date and answer the challenges of the modern digital world. Utilizing the OAuth and OpenID Connect security standards allows you to protect applications and APIs with modern, scalable authentication and authorization technologies.

To cater to evolving identity and access management (IAM) needs, OAuth and OpenID Connect are constantly updated to provide state-of-the-art specifications. To leverage these standards to their full potential, organizations need to stay up to date with changes and adapt systems accordingly.

This webinar will give an overview of the most important revisions and enhancements for the OAuth and OpenID Connect protocols:

- OAuth 2.1
- FAPI 2.0 Security Profile
- SIOPv2 and verifiable credentials

Next Generation OAuth and OpenID Connect

A paradigm shift is upon us. It will put users in control of who they share their identity data with. By certifying this identity data as a “credential” which is storable in a user-controlled, digital wallet (e.g., an app on a smartphone), users can present these credentials to systems which require authentication and access. The credentials can contain everything from eID data to privacy-preserving information unrelatable to a particular user (e.g., age or nationality). Credentials can also be such things as coupons, vouchers, boarding passes, physical access passes, etc.

In this webinar, Curity’s CEO, Travis Spencer, and CTO, Jacob Ideskog, will discuss:

- How this paradigm shift can benefit society and organizations
- How to connect decentralized identity and verifiable credentials with API security
- When you should start experimenting with this nascent technology

Decentralized Identity and Verifiable Credentials

Start your identity and access management journey right. 

In this talk, we'll discuss the following: 
- The complexities of identity and access management and how to solve them;
- Some of the business and security challenges that companies face and how to address them by leveraging OAuth and OpenID Connect standards; 
- How the free Community Edition of the Curity Identity Server can be of use.

Getting Started with Identity and Access Management

APIs and microservices are exposed to multiple threats, including unauthorized access and escalation of privilege. Using a Zero Trust approach with its principle “Trust no one” effectively addresses these threats and secures systems.

To implement a Zero Trust approach for APIs, you should apply authentication and authorization to every API request from clients, both inside and outside the network. A secure token design is also needed so that web and mobile clients receive confidential API credentials.

OAuth 2.0 enables you to meet all of these requirements with only simple code. The token-based design is scalable to many microservices and has a high-performance potential.

Join us in this talk to learn how to:

Write secure API code, which validates JWTs, then uses claims-based authorization
Ensure privacy by issuing confidential tokens to internet clients
Keep API code simple by using your API gateway to deliver JWTs to APIs
Enable business authorization by issuing custom claims
Develop and test productively with user-level access tokens

How to Implement Zero Trust and API Security

Open banking continues to be a topic of interest in financial services across the globe. Organizations need to adapt to regulatory and customer demands for access to sensitive data.  This is primarily driven by APIs, and they need to achieve an extremely high-security standard to protect the sensitive data being exchanged. This webinar will dig into the OpenID protocol for creating safe APIs: The Financial-grade API (FAPI) profile. 

During the webinar, we:

- Give an update on the standards
- Do a short overview of CIBA 
- Look at newer specs incorporated into FAPI — PAR, JAR, JARM
- Explore what’s coming next — FAPI 2 and RAR

Financial-Grade APIs Now and in the Future

When it comes to user experience and infrastructure management, Single Page Applications (SPA) are great, but securing them can be difficult. Since SPAs require access tokens to call APIs, it is challenging to store these in the browser securely. The solution to this problem is an advancement of the common Backend for Frontend (BFF) design pattern. In this expanded form, called the Token Handler, the lightweight back-end component simplifies the security of the SPA using a BFF to ease the OAuth integration.

The Token Handler, a BFF for OAuth and SPAs, is an architecture where web applications transfer the handling of OAuth to a utility API. This trusted agent is able to perform more secure interactions with the OAuth authorization server and store access tokens in a safe manner. It exposes these to the SPA using robust browser security techniques. Using the Token Handler pattern maintains the usability and deployment benefits of a SPA architecture without compromising security.

In this webinar, we discuss challenges confronting SPAs developers and operators, how OAuth can be used correctly and incorrectly in SPAs, and how these challenges and errors can be overcome using the Token Handler pattern.

Hardening Single Page Application Security

Using multi-factor authentication (MFA) significantly reduces the risk of user accounts being compromised due to password theft. Today MFA is considered best practice and helps protect both users and organizations from cybercriminals.

But it is not necessarily a one-size-fits-all scenario, and many aspects should be considered. The first question to ask yourself is, who or what are you trying to protect?

In this webinar, we discuss different approaches to multi-factor authentication, including:

- Always-On MFA
- Opt-in MFA
- Step-up Authentication
- Time-sensitive Re-authentication

Viewers will gain a comprehensive understanding of multi-factor authentication including user experience and reliability best practices, different use cases, and other things to consider when choosing a particular approach or authenticator.

The Flavors of Multi-Factor Authentication

PSD2 and the Financial-grade API (FAPI) from the OpenID Foundation have helped popularize mobile app authenticator flows. Common patterns and specifications like App2App authorization and Client-initiated Back Channel Authentication (CIBA) have emerged from the increased demand. The shortcoming with these is that they do not specify how the actual authentication will occur. As a result, implementations often create tightly coupled solutions between a particular client app and the authenticator app. This scenario leads to an ineffective solution that is harder to change over time, and it is more challenging to create rich authentication workflows. Instead, the authentication server on the back end needs to drive the authentication. This should be exposed via a hypermedia API that allows the clients to render native screens, collect input from the users, and authenticate using the mechanism and flows defined by the server.

In this webinar we will:

- Explain how you can use a hypermedia API to drive clients to log in users using any technique stipulated by the OpenID Connect Provider or OAuth Authorization Server;
- Discuss why hypermedia is the ideal architectural pattern for creating such an API;
- Show how you can use hypermedia in a way that conforms to FAPI and local regulations like PSD2 and GDPR to fulfill not only App2App login but other pertinent login scenarios;
- Touch on the security issues raised by such an API; and
- Recommend resources where you can learn more about the API and these workflows.

App2App Login with Authentication Workflows

A Zero-Trust Architecture is a token based architecture. The security of a token based architecture is as strong as its tokens. In the end, the security of a token depends on the signature or, more specifically, the algorithm used to generate the signature. The choice of a signature algorithm and its parameters makes up a significant part of the security of a token-based system. This webinar aims to bring some light to the confusion concerning common signature algorithms.

During the webinar, we will:
- Explain the basics and characteristics of three public key signature algorithms; RSA, Elliptic Curves Digital Signature Algorithm (ECDSA), and Edwards-curve Digital Signature Algorithm (EdDSA)
- Discuss EdDSA in detail and outline why it is the best choice

An Engineer’s Guide to Signature Algorithms and EdDSA

Identity and access management (IAM) aims to give digital entities the right access to the right resources at the right time. One challenge is to identify users based on the digital entity, e.g. when they have several accounts or authentication methods. Another challenge is to meet requirements from business and compliance that may differ depending on various variables. Consequently, simple authentication - if its passwords or passwordless, one or multiple factors - is not enough.

The Curity Identity Server provides authentication actions that allow for a highly customizable flow that covers different aspects of IAM. Authentication actions can operate on and manipulate data created during and after authentication. They are therefore an essential building block for a user-friendly and secure authentication process.

Participants will learn how to:

- Prevent duplication of user accounts by using account linking techniques;
- Return custom claims from authentication to applications after login completes;
- Exclude high privilege claims from access tokens unless strong authentication was used;
- Improve the login user experience using authentication action flows.

Orchestrating Secure User Login with Authentication Actions

Financial-grade security is important not only for the financial sector. This level of security is also necessary for other industries, such as healthcare, insurance, energy, government and others. There are various aspects of OAuth and OpenID Connect that can be used to achieve financial-grade APIs as well as to meet regulatory requirements (like HIPAA, PSD2 & Open Banking).

During the webinar we look at:
- What financial-grade APIs are
- Why this level of security is important
- The dangers of bearer tokens and how tokens can be tied to a client
- How different aspects of OAuth and OpenID Connect can be used to achieve high security and privacy.

Financial Grade APIs Using OAuth & OpenID Connect

Allowing app users to smoothly and securely authenticate has long been a challenge. A standards-based way to address this is to use Client Initiated Backchannel Authentication (CIBA) from the OpenID Foundation. It’s a great addition to the developer toolbox because it can be used in many different scenarios and use cases to provide financial-grade API security.

CIBA is an authentication flow that extends OpenID Connect and defines a decoupled flow where authentication can be initiated on one device and carried out at another. It lets people use their mobile devices to authenticate and approve transactions. This webinar will give you an overview of the standard, show you how it works, and how you can implement it.

Understanding CIBA - What it is and how it works

Identity Management

Authentication

Security

OpenID

APIs

CIBA

Access Management

OAuth

FAPI

Open Banking

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Understanding CIBA - What it is and how it works

Presented by

About this talk

Curity