How to securely change email address in a Mobile App with Email OTP Based Login

I’m working on a mobile app where users can only log in using their email address and receive an OTP to verify their identity. I’m trying to figure out the best approach for allowing users to change their email address.
Here are the option…

Is there an attack vector for SMS verification code using a bunch of parallel requests

I’m trying to elaborate a login scenario with an SMS verification code. Not sure whether it’s an attack vector or not.
Assume we have an N = 3 digit code sent to a user's mobile phone (a 3-digit code just for the sake of simplicity in calculation…

What's the safest way to store 2FA/MFA secret key in database?

I'm trying to implement a secure user login in my .NET application. The first password is hashed with Argon2id. The salt and the hashed password are stored in a database. SSL encryption and an HttpOnly cookie are used.
Now I want to add a multifacto…

Should OTP be resent during the sign-up process if the user is already verified?

I’m building an authentication backend API that includes a resend OTP endpoint. The question is whether the API should check if the user is already verified before sending a new OTP. Specifically, if a user has already completed verificati…

How to avoid non-in-person "handshakes" and spoofing due to compromised URL data on NFC card

I am designing a system that allows users to purchase my NFC cards and sign up for an account on my online SaaS website.
The System
For the sake of explanation, assume the website is hosted at domain test.com.
Think of this system as a &qu…