#passkeys #authentication #passwordless #security #infosec #cybersecurity #microsoft
login/sudo via fido2 touch? #authentication #twofactorauthentication
Microsoft Makes New Consumer Accounts Passwordless by Default
#Microsoft #Passkeys #Passwordless #Cybersecurity #Authentication #Security #WorldPasskeyDay #WindowsHello #MicrosoftAccount #TechNews
#ITByte: Do you know what the full form of #Captcha is?
Today is #WorldPasswordDay. Know more about some common #Terminologies related to #Password and user #Authentication.
In other news, I'm speaking at #Authcon, a new CIAM-focused event happening inside APIDays NYC from May 14 to 15.
I'll be talking about how browsers have become gatekeepers for login and what that means for authentication, identity, and even payments.
It’s not all FUD, either! There are real opportunities here, if you’re paying attention.
Reg link + special code in the thread. It doesn’t unlock a discount, but it does prove I'm a helpful human.
Biometric authentication has become a go-to security measure, replacing passwords with fingerprints, facial recognition, and retina scans. While biometrics offer convenience and enhanced security, cybercriminals are finding ways to hack and bypass these once-trusted authentication...
Two existing @w3c specifications are published under a new level. #FPWD #timetogiveinput
- "Web Cryptography Level 2" defines a #JavaScript #API for cryptographic operations like hashing, signing, and #encryption, #authentication
▶️ https://www.w3.org/TR/webcrypto-2/
- "Subresource Integrity" specifies a way for user agents to verify that fetched resources haven’t been tampered with
▶️ https://www.w3.org/TR/sri-2/
Feedback welcome in the respective repositories: https://github.com/w3c/webcrypto/ and
https://github.com/w3c/webappsec-subresource-integrity/
#CyberHygiene is an important topic, now more than ever, and even more so as time goes on, especially in the new world of #AI. So, let's have a quick chat!
I talk about this in my #AwarenessTrainings that I put together for my company. People sometimes have the mistaken notion that they aren't targets for bad actors because they aren't famous and don't have a high net worth, or don't have a high-profile job. But that's simply not the case today. Anyone with any online presence is a potential target to attackers. That means everyone needs to know their cyber hygiene. So what does that look like?
Basic cyber hygiene is essential and easy. Steps include (extra details below):
➡️ Be more stringent about the info you share online 📅
➡️ Review and adjust #privacy settings 🔒
➡️ Use strong and unique #passwords 🗝️
➡️ Enable two-factor #authentication 🗝️
➡️ #Monitor online presence 👀
➡️ Learn about data brokers ⬅️
➡️ Secure all devices 🔐
➡️ Be skeptical of unsolicited requests 😯
➡️ Regularly audit third-party apps with access to your accounts ❗
➡️ Monitor credit reports 💰
➡️ Separate personal and professional identities 👬
I go into A LOT more detail about each point in my recent blog post (TL;DR for :mastodon: lol). Check it out here, and let me know your thoughts or questions!
https://geekofthehouse.blogspot.com/2025/04/a-chat-about-cyberhygiene.html
Plans, Policies, and Procedures: Identification and Authentication
Defines how an organization establishes and verifies a user's identity for access to systems and resources.
https://blackcatwhitehatsecurity.com
#Plans #Policies #Procedures #Identification #Authentication #technology
Just released: #swad v0.3!
https://github.com/Zirias/swad/releases/tag/v0.3
swad is the "Simple Web Authentication Daemon", your tiny, efficient and (almost) dependency-free solution to add #cookie + login #form #authentication to whatever your #reverse #proxy offers. It's written in pure #C, portable across #POSIX platforms. It's designed with #nginx' 'auth_request' in mind; example configurations are included.
This release brings a file-based credential checker in addition to the already existing one using #PAM. There are also lots of improvements; see the release notes for details.
I finally added complete build instructions to the README.md:
https://github.com/Zirias/swad
And there's more documentation available: manpages as well as a fully commented example configuration file.
Could blockchain kill the password? While its decentralized nature offers robust security via crypto keys & self-sovereign IDs, challenges like cost & adoption remain. For now, passwords combined with MFA are likely here to stay. #Blockchain #CyberSecurity #Authentication
Mother's maiden name: 5472615884
First car owned: 3656654851
Favorite color: 2580548933
They get generated and stored in the password manager, for each account as needed.
The advantage of ten digit numbers is that they are easy to communicate to a customer service agent over the phone.
IME, no agent has ever batted an eye. It's not even lying. It's just being clear on the purpose.
Secure a Vue App With OpenID Connect and the BFF Pattern, by @duendesoftware.com:
https://blog.duendesoftware.com/posts/20250409-secure-vue-app-with-openid-connect-bff-pattern/
How to Set Up SSH Login with Public Key #Authentication (4 Step Quick-Start Guide)
This article describes how to set up SSH login with public key authentication across your servers and clients for secure access.
If you're using SSH to connect to remote servers, public key authentication is a security best practice. Unlike password-based logins, key-based authentication is not vulnerable to brute-force attacks.
Using a key to ...
Continued 👉 https://blog.radwebhosting.com/how-to-setup-ssh-login-with-public-key-authentication/?utm_source=mastodon&utm_medium=social&utm_campaign=ReviveOldPost #publickey #sshcommands
Attacks through a new OAuth flow, authorization code injection, and whether HttpOnly, PKCE and BFF help
In this article we take a detailed look at an interesting attack vector against applications that use OAuth/OIDC, examine what preconditions it requires, and see that they are not as unattainable as they may seem at first glance. We touch on the use of the Backend-for-Frontend pattern and ways of implementing PKCE for confidential clients, checking along the way whether they help defend against the attack in question. We also look at other existing recommendations and proposed best practices, and think about further protective measures that can genuinely help. All of this comes with examples, diagrams and even video. The material will be of interest both to those who develop applications and to those on the attacking side.
https://habr.com/ru/articles/880544/
#аутентификация #authentication #pkce #backendforfrontend #bff #authorization_code_injection #confidential_clients #токен #session_id #httponly
Just released: #swad v0.2
SWAD is the "Simple Web Authentication Daemon", meant to add #cookie #authentication with a simple #login form and configurable credential checker modules to a reverse #proxy that supports delegating authentication to a backend service, like e.g. #nginx' "auth_request". It's a very small piece of software written in pure #C with as few external dependencies as possible. It requires some #POSIX (or "almost POSIX", like #Linux, #FreeBSD, ...) environment, OpenSSL (or LibreSSL) for TLS and zlib for response compression.
Currently, the only credential checker module available offers #PAM authentication; more modules will come in later releases.
swad 0.2 brings a few bugfixes and improvements, especially helping with security by rate-limiting the creation of new sessions as well as failed login attempts. Read details and grab it here:
New Open-Source Tool Spotlight 🚨🚨🚨
TinyAuth is a lightweight authentication backend that integrates seamlessly into your project with minimal setup. It supports password hashing (bcrypt, argon2) and JSON Web Tokens (JWT). Perfect for those prioritizing simplicity without sacrificing security. #Authentication #OpenSource
🔗 Project link on #GitHub 👉 https://github.com/steveiliop56/tinyauth
#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity
🔐 P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 💻🏴☠️
Password auth in Rust, from scratch - Attacks and best practices
https://lpalmieri.com/posts/password-authentication-in-rust/
How to simplify access control in FastAPI applications with the Oso framework
In modern web application development, access control is one of the critical components. Although FastAPI provides basic tools for implementing authentication and authorization, they may turn out to be insufficient for complex scenarios. The Oso framework offers an elegant solution to this problem, significantly simplifying the process and improving the security of your application. Let's look at how this can be implemented.