Collaborate Disseminate
Assume I have a password manager that stores the credentials for a login to a 3rd party service. In this credentials the username, password and a TOTP-seed is stored and the current TOTP-token is displayed at all times and refreshed accord… Continue reading Using Password Managers to store multiple factors, would this reduce security?
When using Google SSO, does this count as only one factor of authentication or as many factors as I use for my google account?
If it counts as a single factor, would this be "something I have" in the sense that I have access to t… Continue reading Using SSO, does this count as only one authentication factor?
Assuming I use AWS to host a service with quite sensitive personal data, is it possible to hide traffic and stored data from amazon?
I would assume the answer is no. I think I need to provide all the keys, especially the private SSL-key, t… Continue reading Using AWS: Is it possible to hide the traffic from amazon?
I am currently trying to get an understanding of multi factor authentication. The biggest issue so far: When does "something you have" NOT get reduced to "something you know"? I want to have a "posession"-fact… Continue reading When does ‘something you have’ NOT become ‘something you know’?
Assuming I am using a cloud storage provider like Google Drive, how do I know that data hasn’t been lost, deleted, modified or created by the service provider? I think the answer is that it is not possible unless you know exactly what the … Continue reading Cloud storage data integrity without trusting the server
I noticed that the module cookie-parser in NodeJs sends back cookies that have the "secure" attribute set, even in an unsecured http response. They have specified this behavior in their readme, or at least in the readme of a depe… Continue reading Should the server send ‘secure’ cookies on unsecured http response?
When using 2-factor-authentication using plain TOTP, the secret is stored on both the client and the server. This in turn means, that anyone with access to the database (and a key for it) knows the 2fa-secret of all the users. Why is this … Continue reading Using Public Key Cryptography for improving 2FA?
In the case of a password hashing function like Argon2, I know that when a weakness is found, you use another password hashing function, wrap it around the existing hashes and calculate the hash of the password directly when the user logs … Continue reading PAKE – What to do when a weakness is found?
In a talk from Moxie Marlinspike he mentioned that Signal does not intend to release a web application because they are impossible to audit. The javascript code is retrieved on each page load, so it would be trivial to send malicious code … Continue reading Does End-To-End-Encryption in Web Applications require trust?
I understand that, when storing data on the cloud or something else that might get leaked to the public, the security margin should be at least 128 bit, 256 bit should be used for data that should stay secure over 20-30 years.
If I use a s… Continue reading How much entropy is needed for encrypting data locally?