kidehen, 8 months ago to HowTo

Here's a screencast demonstration of Single Sign-On facilitated by loosely-coupling #Identity and #Authentication, courtesy of the #IndieAuth protocol.

https://youtu.be/DyRlar9PCvM

#SSI #CreatorEconomy #YouID #VirtuosoRDBMS #SPARQL #Screencast #HowTo

stshank, 8 months ago to security

A huge tech player with a bajillion customers just enabled passkey support: Amazon. Here's how to enable them for login that in my experience is fast and easy and, according to a ton of experts I've spoken to, vastly more secure than passwords.

https://www.amazon.com/gp/help/customer/display.html?nodeId=TPphmhSWBgcI9Ak87p

#Security #Authentication #Amazon

denzilferreira, 9 months ago to linux

Been thinking to get a USB fingerprint reader for a mini desktop PC I have running Fedora 38. Any recommendations?

#linux #lfvs #biometric #authentication

laravista, 9 months ago to github

@melroy What is the best #TOTP app for #GitHub ?

https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication

#authentication #2FA 🔒

thakshiladamsak, 9 months ago (edited 9 months ago) to illustration

Website login screen illustration.
Made using Inkscape.

Download SVG - https://bit.ly/loginsvg (watermark becomes nearly invisible after download. You can also remove it using Inkscape or something.)

Original Upload - 11/12/2022

#illustration #website #graphic #graphicdesign #login #signin #username #password #lock #authentication #svg #man #phone #app #green #unlock #key #signup #thakshiladamsak #free #download #internet #art #assests #stock #leaf #leaves #fluent

Edent, 9 months ago to random

The classic multi-authentication security is based around the trifecta of:

• Something you know (e.g. a password).
• Something you have (e.g. a smart card)
• Something you are (e.g. a fingerprint)

What if we add a fourth?

• Something someone else can verify

https://shkspr.mobi/blog/2013/08/two-factor-authentication-and-the-police-state/

Would you be happy if you had to call a trusted contact to get your temporary 2FA code?

publicvoit, 9 months ago to security

#FIDO2 - the superior Multi Factor #Authentication Framework
https://media.ccc.de/v/camp2023-57174-fido2
(50min) by @cy

Great overview/intro talk about #2FA using #WebAuthN, hardware security tokens, #TOTP and #passkeys.

Furthermore: why FIDO2 does have some advantages compared to passkeys when #security is more important than convenience. Passkeys leaks your private key to the #cloud provider.

#MFA #YubiKey #Solokeys #NitroKey

/cc @frank @keno3003

linuxmagazine, 9 months ago to linux

ICYMI: Jesse Hagewood shows you how to integrate Google Authenticator with SSH logins https://www.linux-magazine.com/Issues/2023/269/Multifactor-Authentication-with-SSH #authentication #SSH #Linux #password #MFA #TOTP

cdarwin, 9 months ago to Cybersecurity

US cyber safety board to analyze Microsoft Exchange hack of govt emails

The Department of Homeland Security's Cyber Safety Review Board (#CSRB) has announced plans to conduct an in-depth review of cloud security practices following recent Chinese hacks of Microsoft Exchange accounts used by US government agencies.

The CSRB is a collaboration of public and private sectors, created to conduct in-depth investigations that offer a better understanding of critical events, discern root causes, and issue informed recommendations on cybersecurity.

In this case, CSRB will explore how the government, industry, and cloud service providers (CSPs) can bolster #identity #management and #authentication in the cloud and develop actionable #cybersecurity recommendations for all stakeholders.

https://www.bleepingcomputer.com/news/security/us-cyber-safety-board-to-analyze-microsoft-exchange-hack-of-govt-emails/

nosherwan, 9 months ago to security

🌩️
Cloud Authentication Services

There is a sea of Cloud Auth / Identity management providers.

There was a time I used to roll my own, but as security is getting complicated, it seems for startups & small to medium businesses it is better to use a cloud auth provider.

Please share your thoughts on your experience with this as I look into this area.

So far I have come across:

#Cognito
#Auth0 (by Okta)
#Okta
#Firebase
#Supabase
#KeyCloak

#security
#authentication
#cloud

arstechnica, 10 months ago to random

Google’s “Web Integrity API” sounds like DRM for the web

It's just a "proposal," but it's also being prototyped inside Chrome right now.

https://arstechnica.com/gadgets/2023/07/googles-web-integrity-api-sounds-like-drm-for-the-web/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

stephaniewalter, 10 months ago to random

Passwordless Accounts: One-Time Passwords (OTPs) and Passkeys: https://www.nngroup.com/articles/passwordless-accounts/?ref=uxdesignweekly
Two very interesting technologies to make registration and login easier. It boils down to “give the user choices”
#PasswordUX #Authentication

stshank, 10 months ago to security

I predict that passkeys will be a big deal. In my tests using them for Google login, then with CVS just prompting me to migrate to them from password authentication, they were indeed pretty simple to use. 1Password is testing the ability to store passkeys and now the ability to unlock your passkey vault with passkeys. My latest story: https://www.cnet.com/tech/services-and-software/1password-tests-passkeys-for-unlocking-your-password-vault/
#passkeys #authentication #Security #1Password

publicvoit, 10 months ago to security

How Hype Will Turn Your #Security Key Into Junk
https://fy.blackhats.net.au/blog/2023-02-02-how-hype-will-turn-your-security-key-into-junk/

#passkeys #FIDO #FIDO2 #Authentication #2FA #Apple #yubikey #nitrokey #solokeys

Dozer, 10 months ago to security

#security #infosec #authentication

schizanon, 10 months ago to mastodon

When I try to login to http://schizo.social using my mas.to account it doesn't work if I have the #mastodon #PWA installed 😩

It's probably because the PWA handles mas.to urls but doesn't redirect with the query params correctly...

#webDev #auth #authentication #oauth #progressiveWebApps

stephaniewalter, 10 months ago to accessibility

Some of the WCAG 2.2 guidelines around authentication are interesting when it comes to user experience for logging in, reinforcing the need to allow users to copy and paste passwords and use their password manager extension, among other things.
You can check Accessible Authentication (Minimum) (Level AA) for more details: https://www.w3.org/WAI/WCAG22/Understanding/accessible-authentication-minimum.html#examples
I wonder if there will be conflicts with security teams, though, what do you think?
#Authentication #Accessibility

swiefling, 10 months ago to UX

My PhD thesis on the usability, security, and privacy of Risk-Based Authentication (RBA) is now published. For free, for everyone, as I believe that publicly funded research should be open to the public.

On 239 pages, you will learn how to strengthen password-based authentication with RBA while being privacy-enhanced and accepted by users.

Thesis PDF: https://doi.org/10.13154/294-9901

Defense Slides: https://www.stephanwiefling.de/slides/rba-thesis-defense23.pdf

#password #ux #hci #authentication #cybersecurity #privacy #openaccess #phd

Three softcover books of the dissertation "Usability, Security, and Privacy of Risk-Based Authentication" in front of a building showing the logo of Ruhr University Bochum on a sunny day.

raptor, 10 months ago to windows

Pulling SYSTEM out of #Windows GINA — #Authentication #Bypass to SYSTEM shell in #ManageEngine #ADSelfService Plus Windows GINA Client

// by @pedrib1337

https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/adselfpwnplus/adselfpwnplus.md

hertg, 10 months ago to random

Question about implementation of #Passkeys. As I understand it, having a user login with passkey but without UV (User Verification) is not necessarily MFA as it could just be a stolen security key (Something you have).

How is (or should) #MFA with Passkeys implemented in practice? By setting UV as "required"? Or by setting UV as "preferred" and then based on the user response prompt for another factor (eg. #TOTP) in case there was no UV? I am a bit confused about how to fit Passkeys into the current #authentication logic.

#passwords #fido #fido2 #webauthn #identitymanagement #iam #oauth #openid

kpwn, 11 months ago to infosec

🚧 Brute-Forcing One-Time Passwords 🚧

My last two threads discussed the probability of brute-forcing OTPs, how to do it effectively and how to defend against attacks.

Here is an overview of the topics covered:

1. Bernoulli Processes 🧮
   https://infosec.exchange/@kpwn/110520985360492457

2. Increasing and Decreasing Probabilities 🤞
   https://infosec.exchange/@kpwn/110561329301840527

Here's everything compiled into a blog post 📰
https://kpwn.de/2023/06/brute-forcing-one-time-passwords/

Do you find my content valuable?

🔔 Follow me for more web security content.

🔁 Also, boost this toot to spread the word!

#Infosec #CyberSecurity #BugBounty #Pentesting #Hacking #Passwords #OTP #Authentication

stshank, 11 months ago to random

Just logged into CVS and they prompted me to enroll a passkey. Super easy. 3 steps and I'm done. (For this browser, on this laptop — sync is the next hurdle.)
#passwordless #authentication #passkey

Screenshot of CVS passkey authentication enrollment. Step 2 of 3
Screenshot of CVS passkey authentication enrollment. Step 3 of 3

Is there any notion of unique identification in the fediverse?

I mean between tools, no instances....

fifonetworks, 11 months ago to Cybersecurity

ZTNA? Don't get me started. Third party cloud-based IAM is inherently less secure than private network architecture.
You're trusting someone you don't know.
And all of their employees.
And all of their vendors.
And all of their support providers.
Open your eyes and look at all the cloud breaches.
If you want real zero trust, bring your data home.
#zerotrust #cybersecurity #cloudarchitecture