This curriculum spans the breadth of authentication practices found in multi-workshop technical programs for enterprise IAM teams, and it matches the depth of operational decision-making and cross-system integration challenges seen in large-scale identity governance and migration engagements.
Module 1: Foundations of Authentication in Enterprise Systems
- Selecting between stateful sessions and stateless tokens based on application scalability requirements and infrastructure constraints.
- Designing session expiration policies that balance user convenience with security exposure in high-risk applications.
- Implementing secure cookie attributes (HttpOnly, Secure, SameSite) to mitigate client-side session theft in web applications.
- Evaluating the impact of authentication latency on user experience in distributed systems with geographically dispersed users.
- Integrating fallback authentication mechanisms for critical systems during identity provider outages.
- Documenting authentication flow assumptions for audit readiness and third-party security assessments.
Module 2: Password-Based Authentication and Credential Management
- Configuring password complexity rules that comply with NIST 800-63B guidelines while minimizing helpdesk call volume.
- Implementing secure password reset workflows using time-limited, single-use tokens delivered via verified channels.
- Deploying credential stuffing detection by monitoring and analyzing failed login patterns across user accounts.
- Enforcing password rotation policies only after suspected compromise, in alignment with current security best practices.
- Integrating breached password checks at registration and password change using services like Have I Been Pwned APIs.
- Managing legacy system dependencies that require plaintext or reversibly encrypted passwords in hybrid environments.
Module 3: Multi-Factor Authentication (MFA) Deployment Strategies
- Choosing between TOTP, WebAuthn, SMS, and push-based MFA based on user demographics and device availability.
- Designing MFA exemption rules for service accounts and automated processes without weakening overall security posture.
- Rolling out MFA incrementally using conditional access policies to minimize user disruption in large organizations.
- Handling MFA enrollment for temporary or contract workers with time-bound access requirements.
- Integrating hardware security keys into privileged access workflows for administrators and executives.
- Monitoring MFA adoption rates and failure modes to identify usability issues or potential phishing resistance gaps.
Module 4: Federated Identity and Single Sign-On (SSO) Integration
- Negotiating SAML attribute mappings between identity provider and service provider to ensure accurate user provisioning.
- Configuring IdP-initiated versus SP-initiated login flows based on application usage patterns and user roles.
- Managing certificate rotation for SAML and OIDC integrations without causing authentication outages.
- Implementing just-in-time (JIT) provisioning for cloud applications while maintaining audit compliance.
- Resolving user identity mismatches due to email address changes or duplicate accounts across directories.
- Enforcing step-up authentication within SSO sessions when accessing high-privilege applications.
Module 5: API and Machine-to-Machine Authentication
- Selecting between API keys, OAuth2 client credentials, and workload identity federation for backend services.
- Rotating long-lived API keys using automated tooling and versioned credential endpoints.
- Implementing short-lived access tokens with scoped permissions for microservices communication.
- Securing service account keys in containerized environments using secrets management tools like HashiCorp Vault.
- Logging and monitoring anomalous API call patterns indicative of compromised machine identities.
- Enforcing mutual TLS (mTLS) for inter-service authentication in zero-trust network architectures.
Module 6: Adaptive Authentication and Risk-Based Access Control
- Defining risk signals (IP reputation, device posture, geolocation) used to trigger step-up authentication challenges.
- Calibrating risk scoring thresholds to minimize false positives while maintaining security efficacy.
- Integrating endpoint detection and response (EDR) data into authentication risk decisions for device trust validation.
- Designing fallback mechanisms when risk evaluation services are unavailable during login.
- Auditing adaptive authentication decisions for compliance with regulatory requirements like SOX or HIPAA.
- Managing user feedback loops for legitimate access blocked by risk-based policies.
Module 7: Authentication Governance and Lifecycle Management
- Establishing account deprovisioning workflows synchronized with HR offboarding systems for timely access revocation.
- Conducting regular access certification reviews for privileged authentication methods like break-glass accounts.
- Documenting and versioning authentication architecture decisions for incident response and forensic investigations.
- Enforcing role-based access control (RBAC) at the authentication layer to prevent privilege escalation.
- Managing cryptographic key lifecycles for signing and encryption in identity protocols.
- Coordinating authentication changes across multiple teams during mergers, acquisitions, or system consolidations.
Module 8: Emerging Authentication Technologies and Migration Planning
- Evaluating passwordless authentication adoption using FIDO2 security keys and platform authenticators.
- Planning phased migration from legacy protocols like LDAP bind authentication to modern standards.
- Assessing biometric authentication integration in mobile applications with privacy and liveness detection requirements.
- Testing interoperability of decentralized identity solutions with existing IAM infrastructure.
- Designing backward compatibility layers during transitions from SAML to OIDC in complex application portfolios.
- Measuring user support burden and training needs when introducing new authentication modalities enterprise-wide.