Hacker News with Generative AI: Authentication

Critical Samlify SSO flaw lets attackers log in as admin (bleepingcomputer.com)
A critical Samlify authentication bypass vulnerability has been discovered that allows attackers to impersonate admin users by injecting unsigned malicious assertions into legitimately signed SAML responses.
Launch HN: Better Auth (YC X25) – Authentication Framework for TypeScript (ycombinator.com)
Hi HN! We’re Bereket and KinfeMichael of Better Auth (https://www.better-auth.com/), a comprehensive authentication framework for TypeScript that lets you implement everything from simple auth flows to enterprise-grade systems directly on your own database, embedded in your backend.
The cryptography behind passkeys (trailofbits.com)
When most people think of cryptography, the first thing they typically think of is encryption: keeping information confidential. But just as important (if not more) is authenticity: ensuring that information is really coming from an authentic source.
Ask HN: Should You Include a Certificate in a SAML AuthnRequest? (ycombinator.com)
When implementing SAML authentication, one question often arises: Should the Service Provider (SP) include its certificate directly in the <AuthnRequest>?
The OAuth 2.1 Authorization Framework (ietf.org)
The OAuth 2.1 authorization framework enables an application to obtain limited access to a protected resource, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and an authorization service, or by allowing the application to obtain access on its own behalf.
Email and password authentication should be a last resort (rant) (smudge.ai)
Best Practices for User Authentication and Authorization in Web Applications (securityboulevard.com)
Your authentication system isn't just a door—it's the fortress protecting everything you value. This research paper presents a comprehensive framework for implementing secure authentication and authorization mechanisms in modern web applications. The increasing sophistication of cyber threats necessitates robust security practices for managing user identity and access privileges.
OAuth Explained (github.com/LukasNiessen)
Let’s say LinkedIn wants to let users import their Google contacts.
Ask HN: Magic links are bad UX and make people's lives worse. Change my mind (ycombinator.com)
Click login, get sent an email link that you have to first wait to be delivered (sometimes takes a full minute, sometimes you have to resend the link). Sometimes the link goes to spam, sometimes you have to search for it like a needle in a haystack of other notifications. Sometimes you are not logged into your email on that device, or it's a small screen that makes it a pain. Maybe it's my mother, and she now has to go find where
A Guide to Bearer Tokens: JWT vs. Opaque Tokens (permit.io)
Bearer tokens play an important role in securing APIs and managing user sessions. Whether you're building a single-page app, a backend-for-frontend API, or a network of microservices, bearer tokens act as the key that grants access to protected resources—without needing to re-authenticate the user on every request.
Behind the 6-digit code: Building HOTP and TOTP from scratch (dogac.dev)
A while ago, I started working on authorization and authentication at work. This taught me a lot about how modern authentication systems work. However, I have always thought One-Time Password logins are the most mystical ones. A six-digit code that changes every time and can be used to verify your identity. How does the server know the newly generated one, and how is it really secure?
Let's Fix OAuth in MCP (aaronparecki.com)
Let's not overthink auth in MCP.
Why Login Failures Matter (fusionauth.io)
When you care about providing great authentication experiences, like us (the few, the proud), there is nothing better than this chart - undeniable proof that our users are successfully logging in.
Show HN: An open source OAuth/auth system (github.com/ValueMelody)
Melody Auth is a user-friendly, robust solution for implementing and hosting your own OAuth and authentication system.
OpenAI uses open source Ory to authenticate over 400M weekly active users (ory.sh)
Configure Azure Entra ID as IdP on Keycloak (ght1pc9kc.fr)
For a new project, I needed to use Keycloak as an Authentication Provider in a Spring Boot WebFlux application. Since the company I work for has a Microsoft Entra ID (formerly Azure Active Directory), the ideal solution was to connect Entra ID as an Identity Provider in Keycloak using OpenID Connect.
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials (github.blog)
Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user.
SAMLStorm: Critical Authentication Bypass in XML-crypto and Node.js libraries (workos.com)
On Tuesday, March 4, 2025, WorkOS received a critical security report from researcher Alexander Tan (ahacker1) detailing a zero-day vulnerability in the widely used xml-crypto and SAML libraries in the Node.js ecosystem. This flaw allows attackers to forge SAML authentication responses, potentially granting unauthorized access to any user account in affected applications—including admin accounts—without any user interaction. If exploited, this vulnerability could enable full account takeovers across organizations relying on SAML-based single sign-on (SSO).
Show HN: Torii – a framework agnostic authentication library for Rust (github.com/cmackenzie1)
Torii is a powerful authentication framework for Rust applications that gives you complete control over your users' data.
A Comprehensive Formal Security Analysis of OAuth 2.0 (arxiv.org)
The OAuth 2.0 protocol is one of the most widely deployed authorization/single sign-on (SSO) protocols and also serves as the foundation for the new SSO standard OpenID Connect.
Google to Ditch SMS Code Authentication for Billions of Users (forbes.com)
It is certainly no secret that using SMS text messages for security codes used to authenticate your identity is far from ideal.
OwnCloud Infinite Scale with OpenID Connect Authentication (helgeklein.com)
This article explains how to set up ownCloud Infinite Scale with OpenID Connect authentication to Authelia or authentik.
The least secure TOTP code possible (shkspr.mobi)
If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP).
Untangling AI Agent authn/authz (venturebeat.com)
AI agents are set to change ID authorization: As they integrate behind the scenes, they will need to move seamlessly between different apps on our behalf, and not get continually halted by login screens, lest they become cumbersome.
How you should respond to authentication failures isn't universal (utoronto.ca)
A discussion broke out in the comments on my entry on how everything should be able to rate-limit authentication failures, and one thing that came up was the standard advice that when authentication fails, the service shouldn't give you any indication of why.
Pairwise TOTP Authentication of Humans (schneier.com)
Here’s an easy system for two humans to remotely authenticate to each other, so they can be sure that neither are digital impersonations.
Show HN: Hanko – Open-Source Auth and User Management for the Passkey Era (hanko.io)
Quickly integrate Hanko’s embeddable components and APIs to get a secure and modern login for your app. From passwords all the way to passkeys, 2FA, and SSO. Finally an auth solution that scales – without breaking the bank. And it’s open source.
Bad Smart Watch Authentication (sprocketfox.io)
When I originally paired the device I scanned a QR code on the watch. Turns out this probably just had the MAC address on it or something, because after several hours of getting device info and pulling activity data I realised that I had never performed any authentication step. Resetting the app and re-pairing also revealed that there's no pairing code. Nothing. The device isn't locked or secured once connected.
How (not) to sign a JSON object (2019) (latacora.com)
Last year we did a blog post on interservice auth. This post is mostly about authenticating consumers to an API. That’s a related but subtly different problem: you can probably impose more requirements on your internal users than your customers. The idea is the same though: you’re trying to differentiate between a legitimate user and an attacker, usually by getting the legitimate user to prove that they know a credential that the attacker doesn’t.