Collaborate Disseminate
I want to implement passkey support as a full replacement for passwords but I have some server-side state that still needs to be encrypted to a specific user in a way that can not be decrypted or reproduced on the server side without a use… Continue reading Storing a server secret in a user passkey rawId
I want to implement passkey support as a full replacement for passwords but I have some server-side state that still needs to be encrypted to a specific user in a way that can not be decrypted or reproduced on the server side without a use… Continue reading Storing a server secret in a user passkey user id
I have a server exposing a REST service. I am thinking about a way to prevent unauthorized access to the service.
Setup
My current setup is as follows:
The server uses SSL.
There are exactly three clients that are allowed to access the RE… Continue reading Can I sufficiently protect my REST Service using shared Tokens?
I have my iPhone connected to my MacBook and receive SMS codes on my computer, which is very convenient. I also recently learned you can have an authentication app on your MacBook too. I just wonder if this doesn’t defeat the purpose?
I al… Continue reading Do 2FA Codes on the same device defeat their purpose? [duplicate]
Now I know this website is not for asking for specific software recommendations, but for my website for work purposes (as mentioned in another question,) I feel I need a more secure login protocol than just password- even though the passwo… Continue reading What 2FA should I use for my website login and what are the risks of 2FA?
My website is using session cookies (w/ SameSite=Lax, secure, httpOnly attributes) and a CSRF Token stored in localStorage. Recently I developed a teams app, which essentially loads the website through an iframe (there is no other option t… Continue reading httpOnly Session Cookies in an iframe context in the future w/o SameSite=None
I am building a pure client-side app.
My users have a .kdbx vault stored in localStorage, and they can open it with a password.
In order to add a biometric\quick open feature into the app I thought about creating a Webauthn entry and stori… Continue reading storing user hashed password into webauthn id
I’m working on a web application where a user gains access by clicking on a magic link sent to them by an internal co-worker. Upon clicking this link, the user is automatically authenticated and a session cookie is established to maintain… Continue reading Are JWT’s needed when implementing passwordless magic link authentication?
I would like to analyze the authentication function of a given GWT web application. When authenticating with my credentials, I could identify that my credentials are sent via websocket in form of a binary blob. This most certainly is a ser… Continue reading GWT: Deserialize objects sent/received via websocket
I’m implementing a refresh-token rotation mechanism. For the sake of simplicity in implementing the frontend I would like to remove the need for requesting a new access token when an old one expires.
The idea I have goes:
User logs in via… Continue reading Refresh-token rotation without additional frontend requests