Hacker News with Generative AI: Authentication

How you should respond to authentication failures isn't universal (utoronto.ca)
A discussion broke out in the comments on my entry on how everything should be able to ratelimit authentication failures, and one thing that came up was the standard advice that when authentication fails, the service shouldn't give you any indication of why.
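An added example (not code from the linked entry or its comment thread) of the two pieces of standard advice that discussion starts from: the client sees one generic failure message whatever went wrong, and failures are rate limited per identifier. The PBKDF2 work factor, the five-failures-per-five-minutes policy, the user store and the passwords are all constructed for the example; the precise failure reason is returned only so the caller can log it server-side.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Constructed user store for this example: username -> (salt, PBKDF2-SHA256 hash).
# A real deployment keeps this in a database and tunes the work factor.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_ALICE_SALT = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT)),
}

# A dummy credential that is hashed whenever the username is unknown, so that
# "no such user" costs the same wall-clock time as "wrong password".
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("not-the-password", _DUMMY_SALT)

# Per-username failure counter: username -> (failures, start of current window).
_FAILURES: Dict[str, Tuple[int, float]] = {}
MAX_FAILURES = 5          # lock the identifier after this many failures ...
WINDOW_SECONDS = 300.0    # ... within this window (hypothetical policy values)

# The only failure message a client ever sees.
GENERIC_ERROR = "invalid username or password"


def authenticate(username: str, password: str,
                 now: Optional[float] = None) -> Tuple[bool, str, str]:
    """Return (ok, client_message, log_reason).

    The client message is identical for every failure (unknown user, wrong
    password, rate limited); the precise reason is returned only so the
    caller can write it to the server-side log.
    """
    now = time.time() if now is None else now
    failures, window_start = _FAILURES.get(username, (0, now))
    if now - window_start > WINDOW_SECONDS:
        failures, window_start = 0, now   # window expired, start a new one

    if failures >= MAX_FAILURES:
        # Still burn a hash so a locked identifier is not distinguishable by timing.
        _hash_password(password, _DUMMY_SALT)
        _FAILURES[username] = (failures + 1, window_start)
        return False, GENERIC_ERROR, "rate_limited"

    record = USERS.get(username)
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = _hash_password(password, salt)
    matched = hmac.compare_digest(candidate, expected)

    if record is not None and matched:
        _FAILURES.pop(username, None)     # success clears the counter
        return True, "ok", "success"

    _FAILURES[username] = (failures + 1, window_start)
    reason = "unknown_user" if record is None else "bad_password"
    return False, GENERIC_ERROR, reason


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", "nope"), ("mallory", "x")]:
        print(user, authenticate(user, pw))
```

Whether the generic message is the right call is exactly what the linked discussion is about; the code above only shows what implementing that advice, plus the rate limit, looks like when the unknown-user and wrong-password paths are kept indistinguishable in both response and timing.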
Pairwise TOTP Authentication of Humans (schneier.com)
Here’s an easy system for two humans to remotely authenticate to each other, so they can be sure that neither are digital impersonations.
Show HN: Hanko – Open-Source Auth and User Management for the Passkey Era (hanko.io)
Quickly integrate Hanko’s embeddable components and APIs to get a secure and modern login for your app. From passwords all the way to passkeys, 2FA, and SSO. Finally an auth solution that scales – without breaking the bank. And it’s open source.
Bad Smart Watch Authentication (sprocketfox.io)
When I originally paired the device I scanned a QR code on the watch. Turns out this probably just had the MAC address on it or something because after several hours of getting device info and pulling activity data I realised that I had never performed any authentication step. Resetting the app and re-pairing also revealed that there's no pairing code. Nothing. The device isn't locked or secured once connected.
How (not) to sign a JSON object (2019) (latacora.com)
Last year we did a blog post on interservice auth. This post is mostly about authenticating consumers to an API. That’s a related but subtly different problem: you can probably impose more requirements on your internal users than your customers. The idea is the same though: you’re trying to differentiate between a legitimate user and an attacker, usually by getting the legitimate user to prove that they know a credential that the attacker doesn’t.
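A common pitfall and one robust alternative, as an added example (this is not code from the Latacora post). The flawed `naive_tag` MACs the field values joined together, so two payloads with different meanings can share a tag; `sign`/`verify` instead MAC the exact serialized bytes that are transmitted and check the tag before anything is parsed. The key and the payloads are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict

KEY = b"constructed-demo-key-do-not-reuse"   # hypothetical; a real key comes from a KMS or env


def naive_tag(payload: Dict[str, Any], key: bytes = KEY) -> str:
    """The flawed scheme: MAC over the field values joined together.
    Different payloads can produce the same joined string, so the MAC
    cannot tell them apart (characters can move between fields)."""
    joined = "".join(str(payload[k]) for k in sorted(payload))
    return hmac.new(key, joined.encode("utf-8"), hashlib.sha256).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: Dict[str, Any], key: bytes = KEY) -> str:
    """Serialise once, MAC the exact bytes, and ship those bytes with the tag.
    The verifier never re-serialises, so canonicalisation never enters the picture."""
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def verify(token: str, key: bytes = KEY) -> Dict[str, Any]:
    """Check the MAC over the received bytes *before* parsing them as JSON."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, tag = _unb64(parts[0]), _unb64(parts[1])
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    return json.loads(body)


def tamper(token: str, new_body: Dict[str, Any]) -> str:
    """Attacker helper: swap in a different body but keep the original tag."""
    new_bytes = json.dumps(new_body, separators=(",", ":")).encode("utf-8")
    return f"{_b64(new_bytes)}.{token.split('.')[1]}"


if __name__ == "__main__":
    honest = {"amount": "10", "to": "0alice"}
    shifted = {"amount": "100", "to": "alice"}
    print("naive tags collide:", naive_tag(honest) == naive_tag(shifted))
    token = sign(honest)
    print("verified:", verify(token))
    try:
        verify(tamper(token, shifted))
    except ValueError as exc:
        print("tampered token rejected:", exc)
```

The two constructed payloads differ in meaning (pay 10 to "0alice" versus pay 100 to "alice") but join to the same string "100alice", which is why a MAC over joined values proves nothing about field boundaries. Signing the transmitted bytes sidesteps that and every JSON canonicalization question at once.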
PeerAuth, TOTP-based peer authentication in the post-truth world (ksze.github.io)
Machine learning has become more and more powerful, to the point where a bad actor can take a photo and a voice recording of someone you know, and forge a complete video recording.
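Both the Schneier item above and PeerAuth rest on the same primitive: two people who once shared a secret in person can later prove to each other, over any channel, that they still hold it, by reading out a time-based one-time code that a deepfake cannot produce. The following is an added example of that exchange (RFC 6238 TOTP with the RFC 4226 truncation), not code from either post. Deriving a separate key per direction so that Alice's code and Bob's code differ is a design choice of this example, as are the names and the 30-second step.

```python
import base64
import hashlib
import hmac
import os
import struct

TIME_STEP = 30   # seconds per code, the usual RFC 6238 default
DIGITS = 6


def new_shared_secret() -> str:
    """Fresh 160-bit secret, base32 encoded so it can be typed into an authenticator app."""
    return base64.b32encode(os.urandom(20)).decode("ascii")


def directional_secret(shared_b32: str, sender: str, receiver: str) -> bytes:
    """Derive a per-direction key (design choice of this example, not from the
    linked posts) so Alice's code and Bob's code differ even though they share
    one secret; replaying Alice's code back to Alice then fails."""
    shared = base64.b32decode(shared_b32)
    return hmac.new(shared, f"{sender}->{receiver}".encode(), hashlib.sha256).digest()


def totp(secret: bytes, unix_time: float, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation from RFC 4226)."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(secret: bytes, code: str, unix_time: float, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps of clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * TIME_STEP), code):
            return True
    return False


def mutual_check(shared_b32: str, a_to_b_code: str, b_to_a_code: str, now: float) -> bool:
    """Both directions must verify: Alice reads her code to Bob, Bob reads his to Alice."""
    return (verify(directional_secret(shared_b32, "alice", "bob"), a_to_b_code, now)
            and verify(directional_secret(shared_b32, "bob", "alice"), b_to_a_code, now))


if __name__ == "__main__":
    import time
    secret = new_shared_secret()            # exchanged once, in person
    now = time.time()
    alice_says = totp(directional_secret(secret, "alice", "bob"), now)
    bob_says = totp(directional_secret(secret, "bob", "alice"), now)
    print("Alice:", alice_says, "Bob:", bob_says, "authenticated:",
          mutual_check(secret, alice_says, bob_says, now))
```

The one-step drift window covers slightly unsynchronised phones; anything wider lengthens the replay window for a code an impersonator overheard, which is the trade-off any deployment of this idea has to pick.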
What's OAuth2 Anyway? (romaglushko.com)
Have you ever logged into a website using your Google or Facebook account? Or connected an app to access your GitHub data? If so, you’ve already used OAuth2, whether you knew it or not.
Keycloak, Angular, and the BFF Pattern (brakmic.com)
In this article, we’ll use the BFF (Backend for Frontend) pattern to build a secure system comprising a web app, a Keycloak server, and a dedicated backend service that brokers authentication flows between them.
Ask HN: How to automate collecting HAR file while user is browsing (ycombinator.com)
We are facing an intermittent issue in our web application where for some users, for some reason, HTTP requests are ending in error (400s), esp. during token refresh with the authentication server.
New Bambu Lab Firmware Update Adds Mandatory Authorization Control System (hackaday.com)
As per a recent Bambu Lab blog post, its FDM printers in the X1 series will soon receive a firmware update that adds mandatory authentication for certain operations, starting with the firmware update on January 23rd for the aforementioned FDM printers.
Avoiding Authentication System Lock-In (fusionauth.io)
Years ago your team decided to use a third-party authentication system to avoid the time and cost of building one in-house. But now a better option has hit the market and you’re wanting to make the switch. Except, hold on, your old system is so deeply ingrained into your organization that you’re practically locked-in to your current vendor.
Major authentication providers still don't support TLS 1.3 (okta.com)
Magic/tragic email links: don't make them the only option (recyclebin.zip)
The term “Magic Links” once meant a futuristic PDA. Nowadays, companies like Auth0 use it to refer to the slightly-magical feat of including a login link in an email.
Magic Links Have Rough Edges, but Passkeys Can Smooth Them Over (rmondello.com)
Independent media venture 404 Media recently published a post titled, “We Don’t Want Your Password”. The piece is a cogent explanation of the problems with password-based accounts online followed by a defense of the website’s login strategy, magic links, in the face of feedback about them being inconvenient and difficult to use.
Ask HN: Google login has circular dependency (ycombinator.com)
I just changed to a new iPhone. After setup, the gmail app requires me to confirm using two factor authentication using one of the following methods:
1. Tap Yes on a notification on my iPhone, which I don't receive because I am not logged in to any google accounts
2.
A Tour of WebAuthn (imperialviolet.org)
Passwords are rubbish.
CISA: Do not use SMS as a second factor for authentication [pdf] (cisa.gov)
OpenAUTH: Universal, standards-based auth provider (openauth.js.org)
Show HN: Replace CAPTCHAs with WebAuthn passkeys for bot prevention (github.com/singlr-ai)
Replace CAPTCHA with single-use, disposable passkeys. Human-friendly bot prevention without the frustration.
Better Auth – Authentication library for TypeScript (better-auth.com)
The most comprehensive authentication framework for TypeScript.
Improve your app authentication workflow with new Amazon Cognito features (amazon.com)
Introduced 10 years ago, Amazon Cognito is a service that helps you implement customer identity and access management (CIAM) in your web and mobile applications.
Show HN: Better Auth v1.0 is here (better-auth.com)
We are excited to announce the Better Auth V1.0 release.
Refresh vs. Long-lived Access Tokens (2023) (grayduck.mn)
Will passkeys ever replace passwords? Can they? Here's why they should (theregister.com)
Will passkeys ever replace passwords? Can they?
An analysis of the Keycloak authentication system (humanativaspa.it)
Earlier this year, I was working with my colleague Ema on a source-assisted application and architecture assessment for a client who was using Keycloak to implement single sign-on on their applications.
Requesting Spotify access_tokens to use their API in seconds (spoken.host)
OpenID Connect specifications published as ISO standards (self-issued.info)
I’m thrilled to report that the OpenID Connect specifications have now been published as ISO/IEC standards.
A simple to use Java 8 JWT Library (github.com/FusionAuth)
FusionAuth JWT is intended to be fast and easy to use. FusionAuth JWT has a single external dependency on Jackson, no Bouncy Castle, Apache Commons or Guava.
Pushed Authorization Requests (PAR) in ASP.NET Core 9 (nestenius.se)
ASP.NET Core 9 introduces support for Pushed Authorization Requests (PAR) in its OpenIdConnect authentication handler. But what exactly is PAR, and why does it matter? In this post, I’ll explain what PAR is, how it works, how to use it with Duende IdentityServer, and when you should consider using it in your applications.
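The mechanism PAR adds, as an added example in Python rather than the post's ASP.NET Core code: the client first POSTs the whole authorization request to a back-channel endpoint it authenticates to, receives an opaque, short-lived, single-use request_uri, and only then sends the browser to /authorize carrying nothing but client_id and that request_uri. The in-memory server, the client secret, the 60-second lifetime and the issuer URL are constructed for the example; the request_uri prefix follows the form used in RFC 9126's examples.

```python
import hmac
import secrets
from typing import Any, Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # form used in RFC 9126's examples
PAR_LIFETIME_SECONDS = 60                                   # hypothetical server policy


class AuthorizationServer:
    """Minimal in-memory model of the two endpoints PAR involves (constructed)."""

    def __init__(self, clients: Dict[str, str], issuer: str) -> None:
        self._clients = clients          # client_id -> client_secret (constructed)
        self._issuer = issuer
        # request_uri -> (owning client_id, pushed parameters, expiry time)
        self._pushed: Dict[str, Tuple[str, Dict[str, str], float]] = {}

    def par_endpoint(self, client_id: str, client_secret: str,
                     params: Dict[str, str], now: float) -> Dict[str, Any]:
        """Back-channel POST to the PAR endpoint: authenticated client, full request body."""
        expected = self._clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("invalid_client")
        if params.get("client_id") != client_id:
            raise ValueError("invalid_request: client_id mismatch")
        if "request_uri" in params:
            raise ValueError("invalid_request: request_uri not allowed in a PAR request")
        for required in ("response_type", "redirect_uri", "code_challenge"):
            if required not in params:
                raise ValueError(f"invalid_request: missing {required}")
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._pushed[request_uri] = (client_id, dict(params), now + PAR_LIFETIME_SECONDS)
        return {"request_uri": request_uri, "expires_in": PAR_LIFETIME_SECONDS}

    def authorize_endpoint(self, url: str, now: float) -> Dict[str, str]:
        """Front-channel GET /authorize: only client_id and request_uri arrive via the browser."""
        query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        entry = self._pushed.pop(query.get("request_uri", ""), None)   # single use
        if entry is None:
            raise ValueError("invalid_request_uri: unknown or already used")
        owner, params, expires_at = entry
        if owner != query.get("client_id"):
            raise ValueError("invalid_request_uri: pushed by a different client")
        if now > expires_at:
            raise ValueError("invalid_request_uri: expired")
        return params   # the server now proceeds with the pushed, untampered request


def build_authorize_url(issuer: str, client_id: str, request_uri: str) -> str:
    """What the browser is redirected to: no scope, redirect_uri or PKCE values in the URL."""
    return f"{issuer}/authorize?" + urlencode({"client_id": client_id, "request_uri": request_uri})


def start_login(server: AuthorizationServer, client_id: str, client_secret: str,
                params: Dict[str, str], now: float) -> str:
    """Client side: push the request, then build the short front-channel URL."""
    response = server.par_endpoint(client_id, client_secret, params, now)
    return build_authorize_url(server._issuer, client_id, response["request_uri"])


if __name__ == "__main__":
    srv = AuthorizationServer({"app": "s3cret"}, "https://as.example")
    request = {"client_id": "app", "response_type": "code",
               "redirect_uri": "https://app.example/cb", "scope": "openid",
               "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
               "code_challenge_method": "S256", "state": "xyz"}
    url = start_login(srv, "app", "s3cret", request, now=0.0)
    print(url)
    print(srv.authorize_endpoint(url, now=10.0))
```

Because the authorization request parameters never travel through the browser, the server can reject a tampered redirect_uri or scope at the PAR endpoint before any user interaction, and an attacker who later captures the front-channel URL holds only an already-consumed or expired reference.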
Okta discloses auth bypass bug affecting 52-character usernames (theregister.com)
In potentially bad news for those with long names and/or employers with verbose domain names, Okta spotted a security hole that could have allowed crims to pass Okta AD/LDAP Delegated Authentication (DelAuth) using only a username.