#Auth

2025-04-30

It’s 2025. If you’re a company of ten employees or more with a web site that requires login and you force me to, or nag about enabling two-factor authentication but you don’t properly* support #passkeys, I’m either going to leave, or I’m going to lash out at your customer service until you do or they resign. You have no excuse.

* The passkey replaces both the password and the second factor, ideally also the username, maximum two clicks, including the one where I select the passkey. #2FA #Auth

2025-04-28

The New MCP Authorization Specification | Den Delimarsky. buff.ly/bGxBd0Q #ai #mcp #auth #modelcontextprotocol #aimodels #apis

Alvin Ashcraft 🐿️ alvinashcraft@hachyderm.io
2025-04-28
洪 民憙 (Hong Minhee) hongminhee@hollo.social
2025-04-26

For those skeptical of DMs in #ActivityPub: I'm also considering an alternative verification approach using ActivityPub's Question feature. Instead of sending numeric codes, the system could send a poll with several emoji options, and the user would select the one that matches what's displayed on their login screen. This visual authentication method might offer better security against certain automated attacks while still leveraging federation rather than platform-specific APIs. Would this approach address some of the privacy concerns around DM-based verification?

#fediverse #OTP #fedidev #auth

洪 民憙 (Hong Minhee) hongminhee@hollo.social
2025-04-26

I'm exploring a new idea called FediOTP (codename): an authentication system that uses #ActivityPub DMs to deliver one-time passwords, allowing any #fediverse account to authenticate with web services. Unlike current solutions that rely on specific APIs (#Mastodon, #Misskey), this would work with any ActivityPub-compatible server, increasing interoperability across the fediverse. Would love to hear your thoughts on potential challenges or use cases for this approach.

#OTP #fedidev #auth

2025-04-23

Better Logic for Showing Auth Windows with Your Local MCP Server | by Den Delimarsky. buff.ly/stFaonD #ai #mcp #modelcontextprotocol #auth #aimodels #windev #windowsdev #win32

Alvin Ashcraft 🐿️ alvinashcraft@hachyderm.io
2025-04-23

Better Logic for Showing Auth Windows with Your Local MCP Server | by Den Delimarsky.

den.dev/blog/better-window-han

#ai #mcp #modelcontextprotocol #auth #aimodels #windev #windowsdev #win32

2025-03-19

When you set up authoritative DNS servers for domains, do you try to have NSes in the same TLD zone to take advantage of Glue records in the zone (e.g.: .net domain would use name servers under .net too), or intentionally use NSes in separate TLD zones (like major cloud vendors do) ignoring Glue records, but using separate TLDs (.com, .info, ccTLD, etc.) for supposed redundancy in case one TLD registry goes offline?

Or you do not care at all? :blobcatnerd:

#poll #fediadmin #dns #dnsserver #domains #bind #auth #tld #cctld #ns #dnsadmin #itsalwaysdns

Den Delimarsky localden
2025-03-15

I improved my earlier prototype on MCP server auth with Entra ID - it now can use "session tokens" instead of pretending to be a public client 😀

All open-source, on GitHub, and written with TypeScript.

den.dev/blog/mcp-server-auth-e

2025-03-04

The open-source security / authentication stacks are great at the core of what they do.

... I still want to grab some of the devs who maintain them and shake 'em by the lapels for having really bad DevEx opinions.

Burned two hours this week failing to get basic auth working on a Docker registry instance because I wasn't properly binding the htpasswd file I set up. Time would have been cut in half if the log entry was "user not in the password file" instead of a generic "authentication failed." I'm sure someone was like "hurr durr you can't put that much detail in the logs, attackers could steal the logs and have so much info." Look... Fuck you, my (imaginary) guy, no attackers are gonna steal the logs because the service won't exist because I don't have enough debug info to stand it up in the first place.

#docker #auth #htpasswd #openssl

2025-02-18

Authenticating HTTP requests with cookies from an embedded WebView2 browser in WPF by Anthony Simmon. https://anthonysimmon.com/authenticating-http-requests-cookies-webview2-wpf/ #auth #wpf #webview #webdev #windowsdev

Alvin Ashcraft 🐿️ alvinashcraft@hachyderm.io
2025-02-18

Authenticating HTTP requests with cookies from an embedded WebView2 browser in WPF by Anthony Simmon.

anthonysimmon.com/authenticati

#auth #wpf #webview #webdev #windowsdev

2025-02-15

#30MinsLearning Day 8: Today, I read the code of UserManager.CreateAsync(), it relies on the PasswordStore to set the password hash, then calls the UserStore to create the user in real - like in db. The responsibilities are quite clear. >>>🧵 #dotnet #csharp #aspnetcore #identity #auth #authZ

2025-02-14

#30MinsLearning Day 7: Today, I sit down and read the `/register` endpoint code. Most of it is easy, validate the email, and create the user. This part, though, I don't understand why: 🧵 #dotnet #csharp #aspnetcore #identity #auth #authZ

2025-02-12

#30MinsLearning Day 6: Try to understand the relations of asp.net core identity tables. Some are simple, a user could have multiple roles, a role has multiple users, forming a m:n by 3 tables. 🧵 #dotnet #csharp #auth #identity #sql #relational #aspnetcore

2025-02-06

Your app shouldn't need full Google access to check calendar availability.

WorkOS AuthKit now supports custom OAuth scopes for Google & Microsoft integrations 🔑

#auth #security #oauth #scopes
