Event info can be found HERE.

There will be no proceedings (academic papers) this time, due to time/organisational constraints. Sorry about that, hopefully we’ll get back on track in 2019 with proceedings.

Things have changed.
Webauthn looks promising, and Google has just revealed that not a single employee account there has been succesfully phished after making U2F auth mandatory with Yubikeys. NIST SP800-63B is slowly making it into people’s minds, policies & maybe even implementations. Camp biometrics has been fairly quiet after people complained about Face ID with iPhone X. Everyone should run HTTPS only now, which will without doubt also increase security for passwords. And PGP finally seems dead to most humans. Still love the Facebook support for PGP though. Some genius work related to password security in there that nobody can match today imho.

Things haven’t changed.
We keep on blaming the users for “bad passwords”. Media articles, not to mention product vendors, are promoting magic black boxes filled with magic unicorns that solves all your problems, and of course: PASSWORDS WILL GO AWAY ANYTIME SOON NOW.

WHAT do we want?
We want talks focusing especially on improving usability of passwords and digital authentication, while also preserving or increasing security & privacy for the users. We want talks on how we can convince the world into adopting the best practice recommendations – requirements – as given by NIST SP800-63B.

Turning the web into HTTPS only? Easy-peasy, compared to convincing the majority of the earth’s population into using passphrases or convince vendors not to ship products with default or hardcoded passwords, leaving it to the customer to fix their own security. But hey, we’re open to your suggestions!

We want talks that will suggest how we can provide usable password reset & account recovery options to users when email is considered insecure and SMS shouldn’t be used anymore for the same reason.

We want talks that focus on the economy of adding 2-factor authentication to any organisation or service, knowledge from deployment and maintenance, and measured against known or estimated losses without 2FA. Or should every single IoT device in your home require passphrases and Webauthn to work?

We want talks on how to do breach notifications properly (Yay #GDPR!), as most of what we’ve seen isn’t exactly top-notch. Unless of course you fully trust anyone saying “trust us”, with no explanation or proof given. After all, we want to know how our passwords are stored, right?

For those into psychology, or perhaps sales & marketing (…), we’d like a talk on making lasting changes to people’s behavior, and if you think we can ever turn people voluntarily from passwords to passphrases. You know: if you’ve convinced a country to stop smoking, we’d like to hear your story.

Last but not least: a friend of mine challenged me with this question:
“Do you have any suggestions on how to teach easy and usable password security to illeterate immigrants & asylum seekers? Because today they are given iPads or laptops in order to learn how to read and write our language, but first they need to learn to spell their username and their password. And they have the same, or an even higher need of privacy & protection than most of us in some cases, coming from countries where ‘democracy’ isn’t a well-known word.”

Oh, and as usual we’re interested in all the other topics as well. Just don’t send us a proposal on using Blockchain crypto for improving 2-factor authentication over email with SMS as alternate response channel. It will be rejected.

WHO do we want?
More than ever before, we want more women to talk. In fact we are aiming for 50/50 male/female speakers on stage. Some of the best talks we’ve had through the years since our start in december 2010 has been women, while the vast majority of speakers were male. We need, and we want to see more women in the security industry, and I personally know great talent out there.

We have no requirement for original talks, 0-days, or juicy security revelations, as we know very well that a good message needs to be repeated many times if we want to change the world.

What we do not want is product pitches, marketing/sales representatives, brochures or magic unicorns. We discuss problems and possible solutions.The audience is the toughest available anywhere in the world, so whatever brilliant idea you’ve got, you are pretty much guaranteed very valuable feedback.

WHEN do we want it?
We want your idea for a talk ASAP. Talks will be 20-25-30 minutes at most, so your introduction will be short, with Q&A in the many breaks for coffee, snacks and the occasional track changes.

WHERE do we want it?
Send your talk idea/proposal/slides/paper/submission to [email protected]

WHAT do we need from you?
In addition to a suggested talk title and a short abstract, we need your name, email and phone number. If you have presented at other conferences, at work or at school we’d like to hear about it of course. Don’t worry, there is room for changing the details as long as the overall concept of the talk doesn’t change.

If you can add additional information like Twitter handle, personal blog, mother’s maiden name, name of your first pet and favorite artist we’ll take that too. Oh, and a short bio is always appreciated. People will usually Google you anyway.

More importantly though is your consent for us to make a recording of your talk. This conference is about sharing knowledge, and the Internet has proven itself as a pretty good place for doing just that.

Please feel free to contact us on Twitter (open DMs), by email ([email protected]) or through other channels where you can find me. There’s only one Per Thorsheim in the world, so I can’t really hide that well online.