In June 2017, the National Institute of Standards and Technology revised its SP 800-63 "Digital Identity Guidelines," which includes some juicy details about passwords and authentication for websites and online services. The prior guidelines, written in 2003, were overwhelmingly influential for security practices of major websites around the world during the last decade; you may recognize such popular messaging as "Your password must include a lowercase letter, an uppercase letter, a number and a special character" and "Your password has expired, please choose a new one"—practices which this year's revision has mercifully deprecated, may they never again rubify another password input.
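The two deprecated practices named above, side by side with what SP 800-63B section 5.1.1.2 asks for instead, as an added example that is not part of this session or of Drupal. The guideline's own requirements are a minimum of 8 characters, acceptance of at least 64 characters including spaces and Unicode, no composition rules, screening against known compromised or common values, and no calendar-based expiry; the blocklist contents, the `MAX_LENGTH` cap and the function names are constructed for illustration.

```python
"""Added example (not from the session or Drupal): a legacy composition-rule
password policy next to a check aligned with NIST SP 800-63B section 5.1.1.2."""

import re
import unicodedata

# Constructed, illustrative blocklist. A real verifier screens against a large
# list of breached and common values plus context-specific words (site name,
# username); the session's point is that this replaces composition rules.
COMPROMISED_PASSWORDS = {"password", "password1!", "qwerty123", "letmein", "drupal"}

# Assumed upper bound: 800-63B requires verifiers to allow at least 64
# characters; a cap above that exists only to bound password-hashing cost.
MAX_LENGTH = 128

LEGACY_RULES = [
    (re.compile(r"[a-z]"), "a lowercase letter"),
    (re.compile(r"[A-Z]"), "an uppercase letter"),
    (re.compile(r"[0-9]"), "a number"),
    (re.compile(r"[^A-Za-z0-9]"), "a special character"),
]


def legacy_check(password: str) -> list:
    """The 2003-era policy: a short minimum length plus mandatory character
    classes. Returns the list of unmet rules (empty means accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("at least 8 characters")
    for pattern, label in LEGACY_RULES:
        if not pattern.search(password):
            problems.append(label)
    return problems


def nist_check(password: str, blocklist=COMPROMISED_PASSWORDS,
               context_words=()) -> list:
    """800-63B style check: minimum 8 characters, long passphrases and any
    printable or Unicode characters accepted, no composition rules, and the
    value screened against compromised, common and context-specific words."""
    problems = []
    # NFKC-normalize so visually identical Unicode input is treated alike
    # before measuring length or comparing with the blocklist.
    normalized = unicodedata.normalize("NFKC", password)
    if len(normalized) < 8:
        problems.append("at least 8 characters")
    if len(normalized) > MAX_LENGTH:
        problems.append("at most %d characters" % MAX_LENGTH)
    lowered = normalized.casefold()
    blocked = lowered in blocklist or any(
        w.casefold() in lowered for w in context_words if w)
    if blocked:
        problems.append("appears in a list of compromised or common passwords")
    return problems


def needs_rotation(days_since_change: int, evidence_of_compromise: bool) -> bool:
    """800-63B drops calendar-based expiry: a change is forced only when there
    is evidence the secret was compromised, however old it is."""
    # days_since_change is deliberately ignored; age alone is not a reason.
    return evidence_of_compromise


if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple", "short"):
        print(repr(candidate), "legacy:", legacy_check(candidate),
              "nist:", nist_check(candidate))
```

Note how the two policies disagree on realistic input: a weak, widely breached value such as `Password1!` satisfies every composition rule yet fails the blocklist screen, while a long spaced passphrase fails two composition rules and passes the 800-63B check.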
This session will take a close look at the guidelines in NIST Special Publication 800-63B "Authentication and Lifecycle Management" as they relate to proper authentication and safekeeping of users' digital identities on a Drupal site. A few of the topics the session will cover are:
- How well does Drupal conform to the NIST guidelines?
- What contributed modules help improve your conformity?
- How should you configure your site for best effect?
- What exactly constitutes appropriate two-factor authentication, and at what point does your site need it?
Throughout the presentation we will be examining the actual text of the NIST document, since managers and clients seem more inclined to take me seriously when I reference an abstruse government technical manual in PDF format than when I link to a nice mobile-friendly blog post, no matter how well-written and accurate the latter may be.
This session might interest you if:
- You want to ensure that your websites appropriately safeguard and authenticate your users' identities
- You want to ensure that your websites don't counter-productively annoy your users
- You need to explain to your clients why they cannot get a list of all users' passwords
- You need to explain to your managers why you rage-pushed to prod at 2am to remove the site's antiquated password policies (I'm looking for functional testers of this use case)
- You are a security professional who can jump in to answer difficult audience questions
- You are fascinated by abstruse government technical manuals