Collaborate Disseminate
If a user configures 2FA, and then he logs in from a new location, should we send an email to inform him that he just signed in from a new location?
Even if it’s not common, unnecessary notifications can be annoying, and add fatigue.
If we… Continue reading 2FA and «Sign in from new location» email
I have a niche website programmed by a volunteer. Like pretty much every website it’s secured via TLS, and the main page doesn’t let you do much except login via username & password or request an account. Some users recently requested … Continue reading How to allow a user to login via client X.509 certificate or username/password?
I am exploring Self-Sovereign Identity (SSI) as a decentralized approach to identity management, similar to how Bitcoin addresses financial systems through blockchain (as verifiable data registry (VDR)). However, I am trying to understand … Continue reading Specific Security Risks in Decentralized Identity and Self-Sovereign Identity (SSI)
My requirement is to implement auto-login URLs for one-click authentication. We will generate an URL with a login token (e.g. https://my-company.com/autologin?token=${autoLoginToken}), which will act as a credential in our authentication.
… Continue reading Usage of OTPs in combination with long-lived auto login URLs
Suppose I have a domain whose name is example.com. example.com is maintained by other developers. Now suppose my job is to create a website named subdomain.example.com. Both websites are publicly accessible through public net.
After some t… Continue reading How can I keep a subdomain secure when its parent domain is not secure?
In this Help Net Security video, Tina Srivastava, MIT Lecturer and CEO of Badge, discusses a 20-year cryptography problem – using biometrics for authentication without storing a face/finger/voice print. This has massive implications for corporate… Continue reading Preventing credential theft in the age of AI
Circom is a circuit language capable of generating zero-knowledge proofs, which involves some input signals and output signals. If all the input and output signals during the generation of the zero-knowledge proof are public, meaning that … Continue reading The issue of public/private signals when generating zero-knowledge proofs with Circom [migrated]
Security Noob here. I am trying to build a secure passwordless login mechanism for my webservice.
The authentication mechanisms
My idea is to encourage the users to use the following two login methods:
WebAuthn with a FIDO2 token (ideally… Continue reading Best Practices for WebAuthn FIDO2 reset
In this Help Net Security interview, Carla Roncato, VP of Identity at WatchGuard Technologies, discusses how companies can balance privacy, security, and usability in digital identity systems. She emphasizes modern techniques like biometrics and passke… Continue reading Simplifying decentralized identity systems for everyday use
I am using graphql and my login function is resolved using a promise. The username is an email address.
The steps in the logic are the following: –
Validate CRSF token else return generic response ("Invalid username or password"… Continue reading Preventing authentication (login) timing attacks in a nodejs application