maybe i'm getting old, but i feel the recent trend towards #passwordless with #passkeys / #authn might be a bad idea.
passwords (with all their problems) are a low-tech thing. depending on the people having access to a high-end device with their keys seems highly rich-tech-bro-in-the-western-world
#passwordless #passkeys #authn
#TIL that you don’t need an #auth library like #Laravel’s fortify. Just host an AuthN provider and implement #oidc or #ldap.
If you ship a desktop app, you don’t need #AuthN because the user is authenticated through their login into their computer.
If you ship to a business, they will have an LDAP or OIDC server or will host one when needed.
If you ship an app with online account, you can just host #Keycloak or #Authentic or pay #auth0.
More below:
#TIL #auth #laravel #oidc #ldap #authn #keycloak #authentic #auth0
As we recap our fantastic #EverythingOpen talks, next up is William Brown @firstyear from @SUSE who walks us through #passkeys for #web #authn, showing us their ambiguities, how they work, what their limitations are, and what we need to be thinking about when we implement them.
Another fabulous talk from William.
#everythingopen #passkeys #web #authn
Working on a project with non-InfoSec folks I was reminded that not everyone's gotten the message. All the contributors were accessing the collaboration platform with the admin's credentials ('cause it was easier than creating separate accounts). #sigh
#sigh #infosec #authn #authz #fail #meme
Next in our #EverythingOpen Speaker Spotlight series, because we know you're all #nightowls - is @firstyear William Brown, who's presenting:
"Web #authn, #passkeys and you - the future of #authentication"
#everythingopen #nightowls #authn #passkeys #authentication
Does anyone know where to find more info on the "double anonymity" protocol the government wants to roll out in March to restrict access to certain sites, including porn sites?
I saw a diagram and, roughly speaking, it looks like a "sub-Privacy Pass", but I'd like to study the spec or the code.
#cryptography #france #pornography #privacypass #sécurité #security #authz #authn
Here’s my first video chat with ChatGPT about authentication, authorization, and building Android and iOS apps that use Auth0/Okta for login. Does ChatGPT get the answers right? Yes for some, categorically NO for others.
ChatGPT did me a solid, though — it wrote the YouTube description of the video for me. Thanks, ChatGPT! 🤖
#ChatGPT #AI #security #cyber #cybersecurity #OAuth #OIDC #authN #authentication #authorization #login
@VidmoOreda @nf3xn The scraper would just be grabbing and parsing the html off the page. API interaction isn't scraping and can require authN/authZ or be wide open. If the API doesn't require authN/authZ, then I don't see how any AUP is enforceable. (I still have a way to go on API security. I'm familiar with the use of OAuth tokens for authZ. I think OIDC can be used instead, which I think uses an OAuth token with a "wrapper" to add authN. Reckon JWT is in play for authN/authZ, as well.) #api #authn #authz
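The post above, and the earlier TIL about just hosting Keycloak/Authentik and speaking OIDC, both touch the same point: OIDC bolts authentication onto OAuth by adding an ID token, which is a signed JWT the relying party must actually validate. The following is an added example, not code from any of the posters or from any IdP project. It implements the relying-party checks from OIDC Core section 3.1.3.7 (signature, iss, aud/azp, exp/iat, nonce) for the HS256 case, where the client secret is the HMAC key, using only the Python standard library. The issuer URL, client ID, secret, clock value and claims are all constructed for the example; a real Keycloak or Auth0 tenant will normally hand you RS256 tokens, so you would fetch the JWKS and swap the HMAC check for an RSA one, but the claim checks stay the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only (no real deployment behind them).
ISSUER = "https://idp.example/realms/demo"      # what the IdP's discovery document would advertise
CLIENT_ID = "my-app"                            # the relying party's client_id
SECRET = b"client-secret-from-the-idp-console"  # HS256 key is the client_secret (OIDC Core 10.1)
NOW = 1_700_000_000                             # fixed clock so the run is reproducible


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT the way an IdP would; used here only to create test input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class IdTokenError(Exception):
    """Raised when the ID token must not be accepted as proof of who logged in."""


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                    nonce: Optional[str], now: Optional[float] = None, leeway: int = 60) -> dict:
    """Relying-party validation of an OIDC ID token (HS256 confidential client). Returns the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    h64, p64, s64 = parts

    # Pin the algorithm: the RP decides what it accepts, never the token's own header.
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")

    # Check the signature before trusting any claim; constant-time compare.
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise IdTokenError("signature mismatch")

    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise IdTokenError("token not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("multiple audiences without a matching azp")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise IdTokenError("token expired or missing exp")
    if claims.get("iat", now) > now + leeway:
        raise IdTokenError("token issued in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise IdTokenError("missing sub")
    return claims


def demo() -> dict:
    """Mint one good token and several bad ones; report how each is treated."""
    expected_nonce = "n-0S6_WzA2Mj"  # the RP generated this when it started the login
    good = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
            "iat": NOW, "exp": NOW + 300, "nonce": expected_nonce}
    results = {}
    token = mint_id_token(good, SECRET)
    results["valid"] = verify_id_token(token, SECRET, ISSUER, CLIENT_ID, expected_nonce, now=NOW)["sub"]

    bad = {
        "wrong_audience": (dict(good, aud="someone-elses-app"), SECRET),
        "expired": (dict(good, exp=NOW - 3600), SECRET),
        "replayed_nonce": (dict(good, nonce="stale"), SECRET),
        "wrong_issuer": (dict(good, iss="https://evil.example"), SECRET),
        "wrong_key": (good, b"not-the-client-secret"),  # re-signed under another key
    }
    for name, (claims, key) in bad.items():
        try:
            verify_id_token(mint_id_token(claims, key), SECRET, ISSUER, CLIENT_ID, expected_nonce, now=NOW)
            results[name] = "accepted"
        except IdTokenError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The access token that arrives alongside the ID token is what the post calls the OAuth authorization piece: it is meant for the API and may well be opaque to the client. The ID token is the authentication piece, and the checks above are why simply decoding its JSON and reading `sub` is not enough.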
By way of
🍪 https://en.wikipedia.org/wiki/HTTP_cookie
🍪 https://en.wikipedia.org/wiki/Macaroons_(computer_science)
🍪 jwt https://jwt.io/
Introducing Public Key Cryptography and Web Authentication (WebAuthn)