Collaborate Disseminate
Whatsapp is rolling out passkeys. I don’t think backing up passkeys in a password manager is a good idea. I’d like to have device bound passkeys but they only allow me to create one. How should I be able to have it in different devices for… Continue reading Why whatsapp only let you create 1 passkey?
Disclaimer: question orignally posted here but i was encouraged to ask it in this stack instead.
Introduction part
I’m writing an application that requires authentication to be used, specifically the database and config file can only be re… Continue reading Login with roles without internet
I wrote a login backend with express.js to provide authentication (through LDAP) and authorization (through a database of authorized users for each app on mysql). This backend generates jwt and sends them back in the form of an http only c… Continue reading Should I validate json web tokens on my app backend or login backend?
Setting up MFA can seem daunting for consumers just beginning to clean up their security postures. In this Help Net Security video, Larry Kinkaid, Manager, Cybersecurity Consulting at BARR Advisory, shares tips for consumers who need simple, accessible… Continue reading What is multi-factor authentication (MFA), and why is it important?
My site’s users currently do not have any MFA options, but we’re planning to release this feature in the near future. We’ve already built support for TOTP and have it working internally, but some on my team think that it won’t be very user… Continue reading If I’m rolling out MFA to users, should I provide TOTP, SMS or both? [duplicate]
Say there is a frontend mobile app and a backend server (let’s call this service MyApp) which hosts an API for the mobile app to connect to. The backend server makes any needed requests to third party APIs and only send what’s needed to th… Continue reading Is it impossible to protect an API from data redistribution?
Cybersecurity layperson here.
I recently got an email from Facebook giving me an account recovery code that I didn’t request. I assume this means that someone else did request it, either because they have a similar Facebook login to me and… Continue reading How should I respond to an unrequested Facbook recovery code followed by an unexpected logout from the associated email account? [closed]
I have a reported finding saying that hostname verification is disabled.
This can be deduced from this line of code:
final HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
httpClientBuilder.setSSLContext(sslContext).se… Continue reading How to verify hostname of certificate? and Is it mandatory if client knows the certificate?
When I’m talking with prospective clients, I like to ask: which department owns customer identity? Everyone immediately looks towards a different team. While every team touches customer identity at some point, the teams that own it differ from organiza… Continue reading Who owns customer identity?
EJBCA is open-source PKI and CA software. It can handle almost anything, and someone once called it the kitchen sink of PKI. With its extensive history as one of the longest-standing CA software projects, EJBCA offers proven robustness, reliability, an… Continue reading EJBCA: Open-source public key infrastructure (PKI), certificate authority (CA)