Ask HN: Magic links are bad UX and make people's lives worse. Change my mind(ycombinator.com) Click login, get sent an email link that you have to first wait to be delivered (sometimes takes a full minute, sometimes you have to resend the link). Sometimes the link goes to spam, sometimes you have to search for it like a needle in a haystack of other notifications. Sometimes you are not logged into your email on that device, or it's a small screen that makes it a pain. Maybe it's my mother, and she now has to go find where
A Guide to Bearer Tokens: JWT vs. Opaque Tokens(permit.io) Bearer tokens play an important role in securing APIs and managing user sessions. Whether you're building a single-page app, a backend-for-frontend API, or a network of microservices, bearer tokens act as the key that grants access to protected resources—without needing to re-authenticate the user on every request.
19 points by bubblehack3r 14 days ago | 9 comments
Behind the 6-digit code: Building HOTP and TOTP from scratch(dogac.dev) A while ago, I started working on authorization and authentication at work. This taught me a lot about how modern authentication systems work. However, I have always thought One-Time Password logins are the most mystical ones. A six-digit code that changes every time and can be used to verify your identity. How does the server know the newly generated one, and how is it really secure?
Why Login Failures Matter(fusionauth.io) When you care about providing great authentication experiences, like us (the few, the proud), there is nothing better than this chart - undeniable proof that our users are successfully logging in.
Configure Azure Entra ID as IdP on Keycloak(ght1pc9kc.fr) For a new project, I needed to use Keycloak as an Authentication Provider in a Spring Boot WebFlux application. Since the company I work for has a Microsoft Entra ID (formerly Azure Active Directory), the ideal solution was to connect Entra ID as an Identity Provider in Keycloak using OpenID Connect.
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials(github.blog) Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user.
312 points by campuscodi 41 days ago | 123 comments
SAMLStorm: Critical Authentication Bypass in XML-crypto and Node.js libraries(workos.com) On Tuesday, March 4, 2025, WorkOS received a critical security report from researcher Alexander Tan (ahacker1) detailing a zero-day vulnerability in the widely used xml-crypto and SAML libraries in the Node.js ecosystem. This flaw allows attackers to forge SAML authentication responses, potentially granting unauthorized access to any user account in affected applications—including admin accounts—without any user interaction. If exploited, this vulnerability could enable full account takeovers across organizations relying on SAML-based single sign-on (SSO).
The least secure TOTP code possible(shkspr.mobi) If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP).
Untangling AI Agent authn/authz(venturebeat.com) AI agents are set to change ID authorization: As they integrate behind the scenes, they will need to move seamlessly between different apps on our behalf, and not get continually halted by login screens, lest they become cumbersome.
How you should respond to authentication failures isn't universal(utoronto.ca) A discussion broke out in the comments on my entry on how everything should be able to ratelimit authentication failures, and one thing that came up was the standard advice that when authentication fails, the service shouldn't give you any indication of why.
Bad Smart Watch Authentication(sprocketfox.io) When I originally paired the device I scanned a QR code on the watch. Turns out this probably just had the MAC address on it or something, because after several hours of getting device info and pulling activity data I realised that I had never performed any authentication step. Resetting the app and re-pairing also revealed that there's no pairing code. Nothing. The device isn't locked or secured once connected.
How (not) to sign a JSON object (2019)(latacora.com) Last year we did a blog post on interservice auth. This post is mostly about authenticating consumers to an API. That’s a related but subtly different problem: you can probably impose more requirements on your internal users than your customers. The idea is the same though: you’re trying to differentiate between a legitimate user and an attacker, usually by getting the legitimate user to prove that they know a credential that the attacker doesn’t.
What's OAuth2 Anyway?(romaglushko.com) Have you ever logged into a website using your Google or Facebook account? Or connected an app to access your GitHub data? If so, you’ve already used OAuth2, whether you knew it or not.
Keycloak, Angular, and the BFF Pattern(brakmic.com) In this article, we’ll use the BFF (Backend for Frontend) pattern to build a secure system comprising a web app, a Keycloak server, and a dedicated backend service that brokers authentication flows between them.
Avoiding Authentication System Lock-In(fusionauth.io) Years ago your team decided to use a third-party authentication system to avoid the time and cost of building one in-house. But now a better option has hit the market and you’re wanting to make the switch. Except, hold on, your old system is so deeply ingrained into your organization that you’re practically locked-in to your current vendor.