Collaborate Disseminate
Through reading the WebAuthn spec and related MDN docs, I understand that unlike "certificate signing requests", FIDO/Passkey can have various different attestation formats and verification methods/algorithms during public-key cr… Continue reading Will sky fall if I don’t verify `AuthenticatorAttestationResponse`?
Is + in email addresses a security vulnerability for authentication algorithms? How can it be used in a malicious way? Should we forbid emails with + signs during registration?
For example we have 2 accounts that correspond to 2 different … Continue reading Is a + on an email address a security vulnerability for a registration process?
Many websites and/or web apps require you to validate the e-mail address after registration.
Why don’t we first validate the email address and then continue with the registration? Is there something wrong with a person first providing thei… Continue reading Is there a reason we don’t first validate the email address before continuing with the registration?
For a number of years now, it’s been impossible for me to register an account anywhere.
Even if my cookies and other browser data is cleared. Even if I switch user-agents. Even if I try countless different non-Tor, paid proxies. No matter … Continue reading What has happened that makes it impossible to register an account anywhere? [closed]
One of the raised issues for a Web API is that for an e-mail based authentication (e-mail and password) the Register user method returns something like "the registration e-mail has been sent" regardless of the e-mail being used o… Continue reading Is it possible to avoid exposing the fact that an e-mail address is used by a web application (API) while still ensuring a decent UX?
MFA recovery codes last forever until used. The TOTP codes expire as per the clock (e.g. 30 seconds).
Does the initial QR code to register a MFA device last forever until disabled by a MFA reset?
I’m imagining (expecting) that the key, lik… Continue reading Do MFA QR registration codes/keys expire?
In my HTTPS client-server application, the registration sequence must begin with the server receiving personal information but end without a way to connect it to the newly registered client. This is necessary for legal reasons. Specific re… Continue reading How to replace an identifier with a pseudonym? [closed]
I am working on a user registration link and I think that after the user registers, I would send an email with the link for adding more info. What’s the best way of generating the unique link for a user like somesite.com/<hash>?
Can … Continue reading What’s the best way to get a registration hash for a user? [migrated]
I’ve been asked to write an app with registration and login systems. In essence, I’ve already wrote the first version of their app using PHP, some javascript/jquery and storing data in MySQL. It worked for a time but now they are growing a… Continue reading What are the best practices to create a safe and performant user registration and validation with Nodejs and Postgres?
Recently, we’ve had users complain that they forget that they have an account, try registering, and get error message that the user with such email already exists. There is a proposal to just log them in such cases. So, if the user inputs … Continue reading Should I log users in if they enter valid login info in registration form?