1Password at RSA Conference


by Jeffrey Goldberg

We’d never been to an RSA Conference until March 2019. We had a great time meeting and learning from customers and the curious alike, as well as from the formal conference.

I’ve been to plenty of other security conferences, ranging from the fairly commercial to the highly academic. But RSA Conference (RSAC) 2019 is by far the largest. I only saw a small slice of it, but by far my favorite thing was getting to meet so many of you face to face. I’m sure that goes for my fellow Bits, Rob and Jay, who were also in San Francisco last week (March 3–8).

You came and said, “hi”

We hear from 1Password users and those who are curious about it all the time, but there is something special about that happening in person. That made it a very special week, and it really does give us a chance to feel the love. I wish every one of us could have been there to experience that.

And thanks for finding us

We also learned a great deal about exhibiting at such an event. For most of our thirteen-year existence, we grew by word of mouth. Marketing through things like conference booths is new to us (though some people who stopped by did remind me of our old Macworld presence.) A lot of people, when they found us, said “I’ve been looking all over for you” or “so this is where you are”. We’ll need to consider whether we spend the big bucks to be more centrally located or just work harder to get our location out to people next time around.

We also learned some more mundane things about just how slow US customs can be when shipping things from our home in Canada. This prevented us from having more chairs or stools so that we and others could sit and chat. (Ok, maybe that is just me. Jay and Rob seemed fine on their feet all day, but I’ve got more years behind me than they do combined.)

The very latest in information security

Naturally, at a conference focused on security I took the opportunity to learn about and get hands-on experience with some of the very latest technology in cryptography. In particular, I and other conference goers had the opportunity to encrypt and decrypt a message using a three-rotor German Army Enigma machine. [Get details of actual machine]

Playing with an Enigma

The Enigma (in numerous variants) was quite famously broken more than three quarters of a century ago by Polish and British mathematicians along with feats of electro-mechanical engineering in the UK and US.

Perhaps the Enigma doesn’t really count as the latest in cryptographic design, but I was also fortunate enough to be able to spend some time in the cryptology track at RSA to hear about some of the latest research. For 1Password we use well-established and vetted cryptographic tools and algorithms, but it is fascinating to learn about current approaches to various problems even if they won’t have any direct impact on what we do with 1Password.

Spreading the Usable Security message

One of the most exciting things at this RSA was the day-long seminar on Monday on Security, Privacy and Human Behavior. Although I was personally familiar with much of the research presented that day, it was wonderful to see it brought to the wider security community. Thankfully there is growing recognition that usability is part of security and not something that just gets tacked on later. (At 1Password we’ve known this from our founding, and it is central to what we do.)

Why speculate when you can study?

I would particularly encourage anyone developing systems that humans interact with to watch Professor Lorrie Cranor’s opening remarks, even if she did poke fun at business cards like mine. Although the world now recognizes that blaming the user for security and privacy failures is wrong and inappropriate, learning what is right and appropriate takes careful and systematic study. Indeed, it is easy to speculate and theorize about how people will understand and behave when confronted with a system, but even well-founded theorizing isn’t enough. Thorough studies of real people are needed to get it right. This was most clearly illustrated by Dr Sunny Consolvo’s summary of work at Google on the effectiveness of browser warnings, but it was a lesson to be learned from all of the research presented.

I certainly have a history of theorizing about how people may (dangerously) misunderstand the security properties of MFA, and so it was fantastic for me to see the research by Professor L. Jean Camp and her student Sanchari Das on “Why Johnny Can’t Use MFA”. Although our concerns may differ, we all want to better understand people’s understanding so that they can make better security decisions.

Studying secret behavior

Studying people is hard enough in the first place, and when we are trying to study something that people are supposed to keep secret it is even harder. But Professor Lujo Bauer gave a brief rundown of how that has been done, and why we have reason to believe that the research techniques produce meaningful results. By comparing laboratory studies, on-line crowd working tasks, and actual passwords, it is possible to verify that the kinds of experiments that researchers conduct do get the same sorts of results as when they can examine real-world usage. But still, we must assume that actual attackers have an even better understanding of password choice, as they have data that the rest of us don’t.

Rationality and Security

People may be irrational when it comes to their security choices and behaviors, but we are not as irrational as we might first appear. Professor Laura Brandimarte was among those whose research demonstrates that we as humans may be responding more rationally to threats to our security and privacy than it might appear. This is very welcome news, as it suggests that helping people better understand the risks and providing them with less burdensome tools will work. We just need to look at what people do using the approaches and insights that come from Behavioral Economics and research on Judgement and Decision Making.[1] And where we humans do behave irrationally, we tend to do so in systematic ways.

The rest of the week

I see that I haven’t progressed past Monday, the first day of the conference. And so I will try to be briefer for any readers still with me.

Zero Knowledge Proofs and authentication

There was a really nice talk by Karla Clarke and Rajan Behal on Zero-Knowledge (ZK) Proofs – Privacy-Preserving Authentication. The basic idea that they were trying to bring to a wider audience was that it is possible to prove knowledge of a secret without revealing the secret. We have already been doing that for 1Password authentication through our use of the Secure Remote Password (SRP) protocol. Later that same day, and quite independently, someone came to our booth and told us that people shouldn’t be sending secrets to servers and that we should all be using this cool thing called “SRP.” He was pleased (and a bit surprised, I believe) to learn that we have been doing so for years.
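The exchange described above, as an added example that is not code from the original post and not 1Password’s implementation (which uses its own parameters and key derivation): a minimal SRP-6a run in Python, following the structure of RFC 5054 and RFC 2945 with the 1024-bit group from RFC 5054 Appendix A and SHA-256 in place of SHA-1. The identity, password and salt are constructed sample values. At registration the server stores only a salt and the verifier v = g^x; during login the client sends its ephemeral value A and the proof M1, never the password or the value x derived from it, and a wrong password yields a proof the server rejects before it reveals anything. Both sides refuse a zero ephemeral value, the check RFC 5054 section 2.5.4 requires.

```python
"""Minimal SRP-6a exchange (RFC 5054 / RFC 2945 structure, SHA-256 throughout).
Added illustration; not 1Password's implementation."""
import hashlib
import secrets

# 1024-bit group from RFC 5054, Appendix A: N is a safe prime, g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3", 16)
G = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes

def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def pad(n: int) -> bytes:  # RFC 5054's PAD(): left-pad to len(N) bytes
    return n.to_bytes(N_LEN, "big")

def to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")

K_MULT = to_int(sha(pad(N), pad(G)))  # k = H(N | PAD(g))

def private_x(salt: bytes, identity: bytes, password: bytes) -> int:
    """x = H(s | H(I | ':' | P)); derived on the client only, never sent."""
    return to_int(sha(salt, sha(identity, b":", password)))

def register(identity: bytes, password: bytes) -> dict:
    """Enrolment: the server keeps the salt and verifier v = g^x, not the password."""
    salt = secrets.token_bytes(16)
    return {"I": identity, "s": salt,
            "v": pow(G, private_x(salt, identity, password), N)}

def client_proof(identity: bytes, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    """M1 = H(H(N) xor H(g) | H(I) | s | A | B | K), as in RFC 2945."""
    hx = bytes(p ^ q for p, q in zip(sha(pad(N)), sha(pad(G))))
    return sha(hx, sha(identity), salt, pad(A), pad(B), K)

class Client:
    def __init__(self, identity: bytes, password: bytes):
        self.I, self.P = identity, password
        self.a = to_int(secrets.token_bytes(32))
        self.A = pow(G, self.a, N)  # ephemeral public value, sent with I

    def finish(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:  # RFC 5054 section 2.5.4: abort on a degenerate B
            raise ValueError("invalid server ephemeral B")
        u = to_int(sha(pad(self.A), pad(B)))
        x = private_x(salt, self.I, self.P)
        S = pow((B - K_MULT * pow(G, x, N)) % N, self.a + u * x, N)
        self.K = sha(pad(S))
        self.M1 = client_proof(self.I, salt, self.A, B, self.K)
        return self.M1

    def verify_server(self, M2: bytes) -> bool:
        return secrets.compare_digest(sha(pad(self.A), self.M1, self.K), M2)

class Server:
    def __init__(self, record: dict):  # record already looked up by I
        self.rec = record

    def respond(self, A: int) -> tuple:
        if A % N == 0:  # same section: a zero A would force S = 0, so reject it
            raise ValueError("invalid client ephemeral A")
        self.A, self.b = A, to_int(secrets.token_bytes(32))
        self.B = (K_MULT * self.rec["v"] + pow(G, self.b, N)) % N
        return self.rec["s"], self.B

    def verify_client(self, M1: bytes):
        """Return M2 if the client's proof matches, else None."""
        u = to_int(sha(pad(self.A), pad(self.B)))
        S = pow(self.A * pow(self.rec["v"], u, N), self.b, N)
        self.K = sha(pad(S))
        good = client_proof(self.rec["I"], self.rec["s"], self.A, self.B, self.K)
        if not secrets.compare_digest(good, M1):
            return None
        return sha(pad(self.A), M1, self.K)

def run_login(record: dict, identity: bytes, password: bytes) -> dict:
    """One full exchange. Only I, A, s, B, M1 and M2 cross the wire."""
    client, server = Client(identity, password), Server(record)
    salt, B = server.respond(client.A)  # C -> S: I, A    S -> C: s, B
    M1 = client.finish(salt, B)         # C -> S: M1
    M2 = server.verify_client(M1)       # S -> C: M2, or a rejection
    return {"server_accepts": M2 is not None,
            "client_accepts": M2 is not None and client.verify_server(M2),
            "keys_match": client.K == server.K}

if __name__ == "__main__":  # constructed sample credentials
    rec = register(b"alice@example.com", b"correct horse battery staple")
    print(run_login(rec, b"alice@example.com", b"correct horse battery staple"))
    print(run_login(rec, b"alice@example.com", b"wrong password"))
```

Running the module shows the first login accepted on both sides with matching session keys and the second rejected: the server never learns the password, and because the stored record holds only a verifier, a server-side breach yields nothing that can be replayed as the password itself.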

Secure development

[tinfoil talk]

Understanding threats

[STRIDE talk]


  1. The subtle differences between research in Behavioral Economics versus Judgement and Decision Making may be deceptive. (Editors, please leave this in. It is an inside joke, but I like it and want to make it even if nobody other than a small handful of people appreciate it.) [return]

Jeffrey Goldberg - Defender Against the Dark Arts