Collaborate Disseminate
As the topic is a bit vague I have decided to ask you guys here what do you think and what is the best practice in given scenario.
Disclaimer: I am programmer, and although I know a bit about security I don’t posses an in-depth knowledg… Continue reading Authenticating (getting token) by making Http request
I’m designing a web service meant for storing data for users, but these users don’t have proper server-side accounts, just a random master key the user generated and stores on their device (a bip39 mnemonic) so they can derive some public-… Continue reading HTTP authentication with client-side private key
I’m implementing custom authentication & session management system in Node.js & PostgreSQL. My goal is to implement sessions that expire after 2 weeks (if not refreshed/renewed).
OWASP and other resources suggest to store unhashed … Continue reading Hashing sessions and retrieving them using cookie(s) with session "id" and "token"
Let’s say Alice created a new account on a service and this service saved her fingerprint as a way of logging in later. Then Alice creates a new account on a new service, but unfortunately this second service is not properly secured and th… Continue reading How will biometrics be a safe way to authenticate users across the internet?
I am currently trying to get an understanding of multi factor authentication. The biggest issue so far: When does "something you have" NOT get reduced to "something you know"? I want to have a "posession"-fact… Continue reading When does ‘something you have’ NOT become ‘something you know’?
Is there a way to list which websites authenticate by requiring that my browser sign into Gmail? It would probably be a Gmail or Google Account feature if it exists. I am not asking to list which websites support third-party (Gmail) authen… Continue reading list websites requiring that my browser is signed into Gmail [migrated]
Please note: although I mention Spring Boot (and by proxy, Java) I believe this is a pure HTTP/web development question at heart, and as such, can be answered by anyone with CORS-configuration experience and zero Java experience!
I am con… Continue reading CORS configuration for service with single browser client
I am designing the authentication and authorization flow of my mobile and web applications. I plan to use the AWS Cognito identity provider.
Use AWS Amplify and signup the user from the front-end.
Question: The signup will happen totally … Continue reading Rest Services Aunthentication and Authorization with AWS Cognito
The W3C working group is working on the standardization of Decentralized Identifiers (DIDs). I watched a video presentation about DIDs and the presenter mentioned several times the possibility of generating unique pseudonymous identities f… Continue reading Use-case for decentralized identifiers (DIDs) with unique identities for each relationship
I have implemented an authentication system which works like this:
Upon successful login, the server takes the username of client and encrypts it with AES-256.
This ciphertext is stored in the client’s browser and when the client wants t… Continue reading Is it possible to calculate an encryption key when both the plain text and ciphertext are known?