Hacker News with Generative AI: Authentication

Show HN: Torii – a framework agnostic authentication library for Rust (github.com/cmackenzie1)
Torii is a powerful authentication framework for Rust applications that gives you complete control over your users' data.
Rust, Authentication, Frameworks, Software
80 points by cmackenzie1 6 days ago | 38 comments
A Comprehensive Formal Security Analysis of OAuth 2.0 (arxiv.org)
The OAuth 2.0 protocol is one of the most widely deployed authorization/single sign-on (SSO) protocols and also serves as the foundation for the new SSO standard OpenID Connect.
Security, OAuth 2.0, SSO, Authentication
49 points by colonCapitalDee 8 days ago | 12 comments
Google to Ditch SMS Code Authentication for Billions of Users (forbes.com)
It is certainly no secret that using SMS text messages for security codes used to authenticate your identity is far from ideal.
Google, Security, Authentication, Technology
5 points by CPLX 8 days ago | 0 comments
OwnCloud Infinite Scale with OpenID Connect Authentication (helgeklein.com)
This article explains how to set up ownCloud Infinity Scale with OpenID Connect authentication to Authelia or authentik.
Cloud Computing, Security, Authentication, Open Source
9 points by indigodaddy 10 days ago | 0 comments
The least secure TOTP code possible (shkspr.mobi)
If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP0).
Security, Authentication, Multi-Factor Authentication
11 points by edent 11 days ago | 1 comments
Untangling AI Agent authn/authz (venturebeat.com)
AI agents are set to change ID authorization: As they integrate behind the scenes, they will need to move seamlessly between different apps on our behalf, and not get continually halted by login screens, lest they become cumbersome.
Artificial Intelligence, Authentication, Authorization
12 points by sdomino 13 days ago | 2 comments
How you should respond to authentication failures isn't universal (utoronto.ca)
A discussion broke out in the comments on my entry on how everything should be able to ratelimit authentication failures, and one thing that came up was the standard advice that when authentication fails, the service shouldn't give you any indication of why.
Authentication, Security, Web Development, Software Development, Programming
3 points by zdw 21 days ago | 0 comments
Pairwise TOTP Authentication of Humans (schneier.com)
Here’s an easy system for two humans to remotely authenticate to each other, so they can be sure that neither are digital impersonations.
Security, Authentication, Privacy
32 points by transpute 24 days ago | 10 comments
Show HN: Hanko – Open-Source Auth and User Management for the Passkey Era (hanko.io)
Quickly integrate Hanko’s embeddable components and APIs to get a secure and modern login for your app. From passwords all the way to passkeys, 2FA, and SSO. Finally an auth solution that scales – without breaking the bank. And it’s open source.
Open Source, Security, Authentication, User Management, Passkeys
11 points by FlxMgdnz 25 days ago | 2 comments
Bad Smart Watch Authentication (sprocketfox.io)
When I originally paired the device I scanned a QR code on the watch. Turns out this probably just had the mac address on it or something because after several hours of getting device info and pulling activity data I realised that I had never performed any authentication step. Resetting the app and repairing also revealed that there's no pairing code. Nothing. The device isn't locked or secured once connected.
Security, Wearables, Authentication, Smartwatches
106 points by _Microft 25 days ago | 33 comments
How (not) to sign a JSON object (2019) (latacora.com)
Last year we did a blog post on interservice auth. This post is mostly about authenticating consumers to an API. That’s a related but subtly different problem: you can probably impose more requirements on your internal users than your customers. The idea is the same though: you’re trying to differentiate between a legitimate user and an attacker, usually by getting the legitimate user to prove that they know a credential that the attacker doesn’t.
Security, Authentication, API, JSON
54 points by maple3142 26 days ago | 43 comments
PeerAuth, TOTP-based peer authentication in the post-truth world (ksze.github.io)
Machine learning has become more and more powerful, to the point where a bad actor can take a photo and a voice recording of someone you know, and forge a complete video recording.
Security, Authentication, Machine Learning
19 points by k_sze 30 days ago | 22 comments
What's OAuth2 Anyway? (romaglushko.com)
Have you ever logged into a website using your Google or Facebook account? Or connected an app to access your GitHub data? If so, you’ve already used OAuth2, whether you knew it or not.
Authentication, Security, Web Development, Programming
3 points by thunderbong 40 days ago | 1 comments
Keycloak, Angular, and the BFF Pattern (brakmic.com)
In this article, we’ll use the BFF (Backend for Frontend) pattern to build a secure system comprising a web app, a Keycloak server, and a dedicated backend service that brokers authentication flows between them.
Keycloak, Angular, Authentication
57 points by brakmic 40 days ago | 23 comments
Ask HN: How to automate collecting HAR file while user is browsing (ycombinator.com)
We are facing an intermittent issue in our web application where for some users for some reasons http requests are ending in error ( 400s ) esp. during token refresh with authentication server.
Web Development, Debugging, Automation, HTTP, Authentication
25 points by royalghost 41 days ago | 19 comments
New Bambu Lab Firmware Update Adds Mandatory Authorization Control System (hackaday.com)
As per a recent Bambu Lab blog post, its FDM printers in the X1 series will soon receive a firmware update that adds mandatory authentication for certain operations, starting with the firmware update on January 23rd for the aforementioned FDM printers.
3D Printing, Firmware Updates, Security, Authentication
3 points by razerbeans 46 days ago | 1 comments
Avoiding Authentication System Lock-In (fusionauth.io)
Years ago your team decided to use a third-party authentication system to avoid the time and cost of building one in-house. But now a better option has hit the market and you’re wanting to make the switch. Except, hold on, your old system is so deeply ingrained into your organization that you’re practically locked-in to your current vendor.
Authentication, Security, Software, Business, Vendor Lock-in
14 points by mooreds 46 days ago | 0 comments
Major authentication providers still doesn't support TLS 1.3 (okta.com)
Security, TLS, Authentication
4 points by Alcatros552 49 days ago | 1 comments
Magic/tragic email links: don't make them the only option (recyclebin.zip)
The term “Magic Links” once meant a futuristic PDA. Nowdays, companies like Auth0 use it to refer to the slightly-magical feat of including a login link in an email.
Security, Email, User Experience, Authentication
706 points by gepeto42 58 days ago | 504 comments
Magic Links Have Rough Edges, but Passkeys Can Smooth Them Over (rmondello.com)
Independent media venture 404 Media recently published a post titled, “We Don’t Want Your Password”. The piece is a cogent explanation of the problems with password-based accounts online followed by a defense of the website’s login strategy, magic links, in the face of feedback about them being inconvenient and difficult to use.
Web Security, User Experience, Passwords, Authentication, Magic Links
50 points by mooreds 60 days ago | 57 comments
Ask HN: Google login has circular dependency (ycombinator.com)
I just changed to a new iPhone. After setup, the gmail app requires me to confirm using two factor authentication using one of the following methods: <p>1. Tap Yes on a notification on my iPhone, which I don't receive because I am not logged in into any google accounts <p>2.
Google, Authentication, Mobile Devices, iPhones, User Experience
11 points by darth_avocado 63 days ago | 10 comments
A Tour of WebAuthn (imperialviolet.org)
Passwords are rubbish.
Security, Web Development, Authentication
299 points by caust1c 70 days ago | 150 comments
CISA: Do not use SMS as a second factor for authentication [pdf] (cisa.gov)
Cybersecurity, Authentication, Two-Factor Authentication
42 points by zdw 76 days ago | 22 comments
OpenAUTH: Universal, standards-based auth provider (openauth.js.org)
Authentication, Open Source, JavaScript
194 points by jacobrussell 81 days ago | 72 comments
Show HN: Replace CAPTCHAs with WebAuthn passkeys for bot prevention (github.com/singlr-ai)
Replace CAPTCHA with single-use, disposable passkeys. Human-friendly bot prevention without the frustration.
Security, Web Development, Authentication, AI
71 points by uday_singlr 88 days ago | 42 comments
Better Auth – Authentication library for TypeScript (better-auth.com)
The most comprehensive authentication framework for TypeScript.
TypeScript, Authentication, Libraries, Software
73 points by namukang 98 days ago | 32 comments
Improve your app authentication workflow with new Amazon Cognito features (amazon.com)
Introduced 10 years ago, Amazon Cognito is a service that helps you implement customer identity and access management (CIAM) in your web and mobile applications.
Amazon Cognito, Authentication, Security, Web Development, Mobile Development
7 points by mooreds 103 days ago | 1 comments
Show HN: Better Auth v1.0 is here (better-auth.com)
We are excited to announce the Better Auth V1.0 release.
New Releases, Authentication, Software
10 points by khanmitdoit 104 days ago | 0 comments
Refresh vs. Long-lived Access Tokens (2023) (grayduck.mn)
Authentication, Security, Web Development
12 points by mooreds 105 days ago | 1 comments
Will passkeys ever replace passwords? Can they? Here's why they should (theregister.com)
Will passkeys ever replace passwords? Can they?
Security, Passwords, Authentication, Technology
37 points by rntn 109 days ago | 79 comments