Speaking
If you want to get in contact about speaking engagements, please email me at [email protected]. Travel & expenses are requested to offset my employer's loss of a resource.
I usually speak about or run workshops on IdentityServer and OAuth, but I also enjoy talking about ASP.NET Core, authentication, FIDO2, and Engineering Management.
2022
DDD South West
Let’s stop blaming our users for getting hacked when it is our problem to solve
Users cannot secure your web applications through password choice alone. We cannot blame them for this; it is not their problem to solve. It is ours, as security/identity professionals and software developers. FIDO2 offers a realistic solution in the form of frictionless, possession-based authentication, and you will often see it touted as the next big thing, but can we look past the clickbait and sensationalism that surrounds security reporting and figure out a pragmatic choice for protecting our users?
In this talk we’ll look at: why passwords are so pervasive; if SMS OTP really is all that bad; how phishing attacks are now one of the biggest threats to your applications; how you can make phishing trivial using evilginx, even defeating 2FA methods such as TOTP and push notifications; spooky biometrics; and how you can use WebAuthn and FIDO2 authenticators to negate phishing.
Software Design & Development (SDD)
Stop blaming your users for bad passwords
Users cannot secure your web applications through password choice alone. We cannot blame them for this; it is not their problem to solve. It is ours, as security/identity professionals and software developers. FIDO2 offers a realistic solution in the form of frictionless, possession-based authentication, and you will often see it touted as the next big thing, but can we look past the clickbait and sensationalism that surrounds security reporting and figure out a pragmatic choice for protecting our users?
In this talk we’ll look at: why passwords are so pervasive; if SMS OTP really is all that bad; how phishing attacks are now one of the biggest threats to your applications; how you can make phishing trivial using evilginx, even defeating 2FA methods such as TOTP and push notifications; spooky biometrics; and how you can use WebAuthn and FIDO2 authenticators to negate phishing.
Software Design & Development (SDD)
How to build a modern SSO stack with ASP.NET Core
Microsoft’s advice for building your own authentication system is “Don’t. Use a cloud service”. This can be good advice for some projects; however, more and more companies are finding that the pricing, feature set, and vendor lock-in just don’t work for them.
Doing authentication and SSO yourself can be a daunting task, but using the building blocks in ASP.NET Core and popular OSS projects, a small development team can build a secure in-house SSO solution.
In this talk, I’m going to show you the building blocks and patterns necessary for building your own SSO solution using: user storage with ASP.NET Identity, modern password hashing, better MFA with FIDO2, and secure SSO with OpenID Connect best practices and IdentityServer.
2020
NDC Oslo
Let’s stop blaming our users for getting hacked when it is our problem to solve
Users cannot secure your web applications through password choice alone. You cannot blame them for this; it is not their problem to solve. It is ours, as security professionals, identity professionals, and software developers.
Typical 2FA implementations such as TOTP and push notifications have had some success, but they can be frustrating to use and are still vulnerable to basic phishing techniques. OWASP and NIST are now recommending FIDO2, which offers a realistic solution in the form of frictionless, possession-based authentication that has inbuilt anti-phishing techniques. But what does FIDO2 look like to a developer and how does it actually work?
In this talk, I’m going to look at: why common 2FA mechanisms aren’t up to scratch; how to phish your friends using Evilginx; spooky biometrics; and how to use WebAuthn and FIDO2 to protect your users.
Recording
2019
European Identity & Cloud Conference (EIC)
Open Source Identity: Building Your Own Enterprise Identity Platform
“It’s okay; we’ll build it ourselves.” When discussing identity, it sounds insane, but is it? At first glance, sure; however, after four years of implementing OAuth and OpenID Connect providers for customers big and small, I can confidently say that it’s not as crazy as it seems.
Over the past few years, there has been a growing number of software developers entering the identity space, both integrating client applications and even eschewing the major identity platforms and implementing the specifications for themselves. Surely some of them must be doing something right.
In this talk, I'm going to discuss why some companies are doing it themselves, the benefits they are receiving as a result, and clear up some common misconceptions of “doing it yourself”. We’ll even see just how easy it is for developers to create an OAuth and OpenID Connect conforming platform.
Software Design & Development (SDD)
Leaving passwords behind
We all know passwords are bad; just look at the number of security breaches and the need for services such as haveibeenpwned and pwnedpasswords. So what’s the alternative? There are dramatic articles telling us that common 2FA techniques are phishable. Should we therefore disregard them? Is there even an unphishable way to authenticate? Should we all just up sticks and move to the Blockchain? In this talk I’m going to move past the rhetoric and sensationalism surrounding passwords and authentication, taking a pragmatic look at the past, the present, and the future of user authentication. Topics will include: the evolution of passwords, storing passwords and what that really means, MFA, phishing and MFA phishing, secrets and ciphers, spooky biometrics, and FIDO2.
2018
Pluralsight LIVE
SSO for your Fridge - IoT Security with the OAuth Device Flow
OAuth is well established as the go-to protocol for API Security, but there are still a few application types which struggle to securely fit into the OAuth story. This includes devices where input is tricky, such as inputting a 20-character password using your TV remote on an A to Z keyboard. Or devices where there is no browser, where the dreaded Resource Owner Password Credential grant type still reigns king. Finally, there is a solution, with the all-new Device flow for OAuth, specially designed for these pesky browserless platforms or devices with limited input methods. In this talk, we'll see the device flow in action and look at how it is an improvement on existing solutions using real-world scenarios where it should be used.
DevSum
Secure Authorization for your Printer – The OAuth Device Flow
DotNet
"Auth Vader: You are unwise to lower your defences!" - Modern Authentication using IdentityServer 4 and ASP.NET Core
European Identity & Cloud Conference (EIC)
Lessons Learned from Integrating with Blockchain Identity Providers
Distributed ledgers and self-sovereign identity are a match made in heaven, and there are already many products implementing this concept that are readily available to developers and consumers alike.
After integrating with some of these providers, both manually and using client libraries, it’s clear that there’s a high variance in implementation quality, but at the same time some commonality in design decisions.
In this talk, we’re going to take a look at some of the common functionality of these providers, what they’re getting wrong from an integrator's perspective, and what we can learn from them moving forward.
European Identity & Cloud Conference (EIC)
Authorization for the IoT: The OAuth Device Flow
OAuth is well established as the go-to protocol for API security, but there are still a few application types out there that struggle to securely fit into the OAuth story. This includes devices where user input is tricky, where data entry uses a TV remote control and everyone gets to see you slowly type in your password. Or devices where there is no browser, where the dreaded Resource Owner Password Credentials grant type still reigns.
Finally, there is a solution, with the all-new Device flow for OAuth, specially designed for browserless platforms or devices with limited input methods. In this talk we’ll see the device flow in action by extending IdentityServer 4, an open source OpenID Connect and OAuth framework written in .NET, and look at how it is an improvement on existing solutions using real-world scenarios where it should be used.
2017
Progressive .NET Tutorials
Modern Authentication for ASP.NET Core with IdentityServer 4
As software developers, we work in one of the most rapidly changing industries there is, and in recent years this has been doubly true when we talk about security. Nowadays we have to accommodate a variety of client applications, hosted on any device and anywhere in the world, and this means we must take a closer look at how we handle authentication and authorization when dealing with our protected resources.
In this tutorial, we'll be looking at the basics of claims-based identity and access control, OAuth and OpenID Connect, and how IdentityServer can simplify all of this for you. We’ll finish the tutorial with a working installation of IdentityServer, running on .NET Core and Linux, protecting APIs and authenticating users. Whilst we'll primarily use ASP.NET Core throughout this tutorial, the final IdentityServer implementation can work with any application on any stack.
Software Design & Development (SDD)
Introduction to AdminUI & IdentityExpress
AdminUI is the first supporting product for the IdentityServer project, brought to you by Rock Solid Knowledge and the IdentityServer team. AdminUI brings out-of-the-box features such as user and claim management and simplified IdentityServer configuration management, removing specification specifics when handling OAuth and OpenID Connect configurations. In this talk we’ll walk through the major features of the AdminUI product and how it can help both new and existing IdentityServer projects.
At the end of the talk we will also have a sneak peek at the feature set for our next product: IdentityExpress. This is a turnkey solution of IdentityServer, bringing .NET’s favourite OpenID Connect Provider to the mainstream, without the need for intricate knowledge of the framework or authentication protocols.
Software Design & Development (SDD)
Migrating an ASP.NET MVC Application to ASP.NET Core
Some of the most understated improvements in ASP.NET Core are those found in ASP.NET Core MVC. With ASP.NET Core we have new tools available for web development: we now have access to web development standards such as Bower, npm and Gulp, we have simplified resource caching, versioning and failover, and new approaches to partial views previously unavailable to us. In this session we will take an existing ASP.NET MVC application and migrate it to ASP.NET Core, from ‘new project’ in Visual Studio to feature parity.
User Groups
- 2021 - University of West England (UWE): Guest Lecture
- 2018 - Bristol & Bath Cybersecurity Meetup
- 2017 - .NET Bournemouth: SPA Identity & Access Control with OpenID Connect & IdentityServer4
- 2017 - .NET South West: SPA Identity & Access Control with OpenID Connect & IdentityServer4
- 2017 - umBristol: Modern Authentication using OpenID Connect and IdentityServer4
- 2016 - Shropshire Devs: Introduction to OpenID Connect and IdentityServer