Collaborate Disseminate
For quite some time WebKit and others support WebAuthn. This allows for a pretty seamless 2FA experience with a key, like Yubico. On Apple devices TouchID/FaceID can also be used as a hardware key.
This creates an interesting workflow:
Us… Continue reading Does using TouchID and WebAuthn with a password manager defeat the 2FA?
Similar Question: Securing a multi-tenant API with SSO and different roles per tenant
I’ll provide an example
This is the top level domain:
umantis.com
This is the syntax for a tenant/subdomain:
recruitingapp-xxx.umantis.com
Why don’t th… Continue reading Is there any advantage of per-tenant password storing to cross-tenant SSO if at all? [closed]
OWASP’s Authentication Cheat Sheet states unequivocally:
Do NOT allow login with sensitive accounts (i.e. accounts that can be used internally within the solution such as to a back-end / middle-ware / DB) to any front-end user-interface.
… Continue reading Interpreting OWASP prohibition: no sensitive-account login to any frontend interface
This question relates to this post I made on StackOverflow recently, which I’ll recap here briefly.
I have a desktop app that I would like to authenticate through a website, using the process outlined below:
I click a "Login" b… Continue reading Creating secure website-based login for a desktop app
During an engagement, i have been asked by a client to explain (with the use of one
or more examples) why they must update their website authentication mechanism,
as they are currently using HTTP Basic-Authentication and how it can be dang… Continue reading What security concerns can arise from using HTTP Basic-Authentication?
As the topic is a bit vague I have decided to ask you guys here what do you think and what is the best practice in given scenario.
Disclaimer: I am programmer, and although I know a bit about security I don’t posses an in-depth knowledg… Continue reading Authenticating (getting token) by making Http request
I’m designing a web service meant for storing data for users, but these users don’t have proper server-side accounts, just a random master key the user generated and stores on their device (a bip39 mnemonic) so they can derive some public-… Continue reading HTTP authentication with client-side private key
I’m implementing custom authentication & session management system in Node.js & PostgreSQL. My goal is to implement sessions that expire after 2 weeks (if not refreshed/renewed).
OWASP and other resources suggest to store unhashed … Continue reading Hashing sessions and retrieving them using cookie(s) with session "id" and "token"
Let’s say Alice created a new account on a service and this service saved her fingerprint as a way of logging in later. Then Alice creates a new account on a new service, but unfortunately this second service is not properly secured and th… Continue reading How will biometrics be a safe way to authenticate users across the internet?
I am currently trying to get an understanding of multi factor authentication. The biggest issue so far: When does "something you have" NOT get reduced to "something you know"? I want to have a "posession"-fact… Continue reading When does ‘something you have’ NOT become ‘something you know’?