Here's a screencast demonstration of Single Sign-On facilitated by loosely-coupling #Identity and #Authentication, courtesy of the #IndieAuth protocol.
A huge tech player with a bajillion customers just enabled passkey support: Amazon. Here's how to enable them for login that in my experience is fast and easy and, according to a ton of experts I've spoken to, vastly more secure than passwords.
Furthermore: why FIDO2 does have some advantages compared to passkeys when #security is more important than convenience. Passkeys leak your private key to the #cloud provider.
US cyber safety board to analyze Microsoft Exchange hack of govt emails
The Department of Homeland Security's Cyber Safety Review Board (#CSRB) has announced plans to conduct an in-depth review of cloud security practices following recent Chinese hacks of Microsoft Exchange accounts used by US government agencies.
The CSRB is a collaboration of public and private sectors, created to conduct in-depth investigations that offer a better understanding of critical events, discern root causes, and issue informed recommendations on cybersecurity.
In this case, CSRB will explore how the government, industry, and cloud service providers (CSPs) can bolster #identity #management and #authentication in the cloud and develop actionable #cybersecurity recommendations for all stakeholders.
There is a sea of Cloud Auth / Identity management providers.
There was a time I used to roll my own, but as security is getting complicated, it seems for startups & small to medium businesses it is better to use a cloud auth provider.
Please share your thoughts on your experience with this as I look into this area.
@arstechnica Letting big tech make all these decisions on their own is pretty risky.
Due to the probably coming assault of intelligent bot-fueled personalised propaganda (probably by Dec this year), it will become necessary to prove humanness very soon.
But that doesn’t have to be where privacy ends if nation-states step in as the legal providers of #human #authentication and guarantee #anonymity at least for interactions with corporations.
Some of the WCAG 2.2 guidelines around authentication are interesting when it comes to user experience for logging in, reinforcing the need to allow users to copy and paste passwords and use their password manager extension, among other things.
You can check Accessible Authentication (Minimum) (Level AA) for more details: https://www.w3.org/WAI/WCAG22/Understanding/accessible-authentication-minimum.html#examples
I wonder if there will be conflicts with security teams, though, what do you think? #Authentication #Accessibility
My PhD thesis on the usability, security, and privacy of Risk-Based Authentication (RBA) is now published. For free, for everyone, as I believe that publicly funded research should be open to the public.
On 239 pages, you will learn how to strengthen password-based authentication with RBA while being privacy-enhanced and accepted by users.
Question about implementation of #Passkeys. As I understand it, having a user login with passkey but without UV (User Verification) is not necessarily MFA as it could just be a stolen security key (Something you have).
How is (or should) #MFA with Passkeys implemented in practice? By setting UV as "required"? Or by setting UV as "preferred" and then based on the user response prompt for another factor (eg. #TOTP) in case there was no UV? I am a bit confused about how to fit Passkeys into the current #authentication logic.
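One way to answer the question above on the relying-party side, as an added example that is not part of any post on this page: the WebAuthn `authenticatorData` returned with an assertion carries a flags byte whose UV bit says whether the authenticator verified the user (PIN or biometric). A server can parse that byte and, for a "preferred" policy, step up to a second factor only when UV is absent, while a "required" policy rejects outright. The sample `authenticatorData` bytes below are constructed for the example (the rpIdHash is a placeholder, not a real hash), and the `decideAuthentication` function and its policy strings are the example's own design, not an API of any library.

```javascript
// Added example: evaluating WebAuthn authenticatorData flags on the server
// to decide whether a passkey assertion counts as MFA on its own.

// Flag bits from the WebAuthn authenticatorData layout.
const FLAG_UP = 0x01; // user present (touch / gesture)
const FLAG_UV = 0x04; // user verified (PIN or biometric on the authenticator)
const FLAG_BE = 0x08; // backup eligible (credential may be synced to a cloud account)
const FLAG_BS = 0x10; // backup state (credential is currently synced)

// authenticatorData: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticatorData too short");
  }
  const flags = authData[32];
  const signCount =
    ((authData[33] << 24) | (authData[34] << 16) | (authData[35] << 8) | authData[36]) >>> 0;
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    signCount,
  };
}

// uvPolicy mirrors the userVerification value the RP put in the request:
// "required", "preferred" or "discouraged". storedSignCount is the last
// counter value the RP saved for this credential (undefined if none).
function decideAuthentication(parsed, uvPolicy, storedSignCount) {
  if (!parsed.userPresent) {
    return { decision: "reject", reason: "user presence flag not set" };
  }
  // A non-zero counter that did not increase suggests a cloned authenticator.
  // Synced passkeys commonly report 0, which is why 0 is exempted.
  if (parsed.signCount !== 0 && storedSignCount !== undefined && parsed.signCount <= storedSignCount) {
    return { decision: "reject", reason: "signature counter did not increase" };
  }
  if (parsed.userVerified) {
    // Possession of the authenticator plus PIN/biometric in one ceremony.
    return { decision: "accept", reason: "UV performed: two factors in one assertion" };
  }
  if (uvPolicy === "required") {
    return { decision: "reject", reason: "UV required but not performed" };
  }
  // UV absent: the assertion only proves possession, so ask for another factor.
  return { decision: "step-up", reason: "UV absent: require a second factor such as TOTP" };
}

// Constructed sample authenticatorData for the example (placeholder rpIdHash).
function sampleAuthData(flags, signCount = 1) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32); // placeholder rpIdHash, not a real SHA-256
  buf[32] = flags;
  buf[33] = (signCount >>> 24) & 0xff;
  buf[34] = (signCount >>> 16) & 0xff;
  buf[35] = (signCount >>> 8) & 0xff;
  buf[36] = signCount & 0xff;
  return buf;
}

// Convenience wrapper: parse then decide.
function evaluateAssertion(authData, uvPolicy, storedSignCount) {
  return decideAuthentication(parseAuthenticatorData(authData), uvPolicy, storedSignCount);
}
```

With "preferred", a device-bound key used without PIN yields a step-up decision, which is the place to prompt for TOTP; with "required", the same assertion is rejected. The BE/BS flags are parsed too, so a relying party can also record whether a credential is a synced passkey or a device-bound one.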
Just logged into CVS and they prompted me to enroll a passkey. Super easy. 3 steps and I'm done. (For this browser, on this laptop — sync is the next hurdle.) #passwordless #authentication #passkey
ZTNA? Don't get me started. Third party cloud-based IAM is inherently less secure than private network architecture.
You're trusting someone you don't know.
And all of their employees.
And all of their vendors.
And all of their support providers.
Open your eyes and look at all the cloud breaches.
If you want real zero trust, bring your data home. #zerotrust #cybersecurity #cloudarchitecture
@fifonetworks It’s sort of crazy to even think about. Some identity providers, like Okta, pride themselves on the idea that their users, every day, use a “My Apps” dashboard which acts as a springboard for logging into every single application in their organization. This acts as a visual representation of every single app that the cloud-based IdP can spoof a security token for, all based on a single, basic, RSA signature.
It gets even worse when you consider that most organizations also use the same provider for the 2nd auth factor. 🤯🤯🤯 #iam #idp #cloud #authentication #oauth #saml #sso
Is there any notion of unique identification in the fediverse?
I mean between tools, not instances....