Collaborate Disseminate
Security Noob here. I am trying to build a secure passwordless login mechanism for my webservice.
The authentication mechanisms
My idea is to encourage the users to use the following two login methods:
WebAuthn with a FIDO2 token (ideally… Continue reading Best Practices for WebAuthn FIDO2 reset
From family tree to jail cell? A hacker is alleged to have exploited information on genealogy websites to steal millions from public companies. Meanwhile, Kaspersky’s US customers are wondering – what on earth is UltraAV?
All this and more is disc… Continue reading Smashing Security podcast #387: Breaches in your genes, and Kaspersky switcheroo raises a red flag
A London-based man is facing extradition to the United States after allegedly masterminding a scheme to hack public companies prior to their earnings announcements and use the secrets he uncovered to make millions of dollars on the stock market.
I was about to signup for ebanking solution, but then noticed their instructions for forgotten password are: Create a new account.
So there’s no option to reset your password, just a suggestion to create a new account. No mention of what h… Continue reading Strange way of handling forgotten password
I’m developing a multi-platform application using Flutter, which involves sensitive user data and requires both online and offline accessibility. To enhance security and usability, I am considering implementing a local password recovery me… Continue reading Is local password recovery for each device a viable security approach?
It is a security problem to allow that two different user accounts have the same email address?
If the answer is “no problem”, when the user goes to “forgot username” service, should I send an email with list of the usernames of all associ… Continue reading Is there a problem allowing two accounts to have the same recovery email?
It is a security problem to allow that two different user accounts have the same email address?
If the answer is “no problem”, when the user goes to “forgot username” service, should I send an email with list of the usernames of all associ… Continue reading Is there a problem allowing two accounts to have the same recovery email?
My organisation uses Google workspace.
2FA is enforced organisation wide
Enforce password rotation every 90 days [can always discuss if wanted but not current focus]
We encourage that people use for example Google Authenticator for their … Continue reading Google Workspace – Password rotation and Logged in Google Authenticator [closed]
In the past few weeks I’ve seen periodic attempts of someone logging in to my linkedin accounts. They appear to use some sort of one time login link feature that linkedin has, which allows passwordless sign in if you know (and can access) … Continue reading Repeated passwordless login links from linkedin
In the past few weeks I’ve seen periodic attempts of someone logging in to my linkedin accounts. They appear to use some sort of one time login link feature that linkedin has, which allows passwordless sign in if you know (and can access) … Continue reading Repeated passwordless login links from linkedin