Collaborate Disseminate
I am exploring Self-Sovereign Identity (SSI) as a decentralized approach to identity management, similar to how Bitcoin addresses financial systems through blockchain (as verifiable data registry (VDR)). However, I am trying to understand … Continue reading Specific Security Risks in Decentralized Identity and Self-Sovereign Identity (SSI)
I want to implement passkey support as a full replacement for passwords but I have some server-side state that still needs to be encrypted to a specific user in a way that can not be decrypted or reproduced on the server side without a use… Continue reading Storing a server secret in a user passkey rawId
I want to implement passkey support as a full replacement for passwords but I have some server-side state that still needs to be encrypted to a specific user in a way that can not be decrypted or reproduced on the server side without a use… Continue reading Storing a server secret in a user passkey user id
I have a server exposing a REST service. I am thinking about a way to prevent unauthorized access to the service.
Setup
My current setup is as follows:
The server uses SSL.
There are exactly three clients that are allowed to access the RE… Continue reading Can I sufficiently protect my REST Service using shared Tokens?
I have my iPhone connected to my MacBook and receive SMS codes on my computer, which is very convenient. I also recently learned you can have an authentication app on your MacBook too. I just wonder if this doesn’t defeat the purpose?
I al… Continue reading Do 2FA Codes on the same device defeat their purpose? [duplicate]
Now I know this website is not for asking for specific software recommendations, but for my website for work purposes (as mentioned in another question,) I feel I need a more secure login protocol than just password- even though the passwo… Continue reading What 2FA should I use for my website login and what are the risks of 2FA?
My website is using session cookies (w/ SameSite=Lax, secure, httpOnly attributes) and a CSRF Token stored in localStorage. Recently I developed a teams app, which essentially loads the website through an iframe (there is no other option t… Continue reading httpOnly Session Cookies in an iframe context in the future w/o SameSite=None
I am building a pure client-side app.
My users have a .kdbx vault stored in localStorage, and they can open it with a password.
In order to add a biometric\quick open feature into the app I thought about creating a Webauthn entry and stori… Continue reading storing user hashed password into webauthn id
I’m working on a web application where a user gains access by clicking on a magic link sent to them by an internal co-worker. Upon clicking this link, the user is automatically authenticated and a session cookie is established to maintain… Continue reading Are JWT’s needed when implementing passwordless magic link authentication?
I would like to analyze the authentication function of a given GWT web application. When authenticating with my credentials, I could identify that my credentials are sent via websocket in form of a binary blob. This most certainly is a ser… Continue reading GWT: Deserialize objects sent/received via websocket