Hacker News with Generative AI: Authentication

Will passkeys ever replace passwords? Can they? Here's why they should (theregister.com)
An analysis of the Keycloak authentication system (humanativaspa.it)
Earlier this year, I was working with my colleague Ema on a source-assisted application and architecture assessment for a client who was using Keycloak to implement single sign-on on their applications.
Requesting Spotify access_tokens to use their API in seconds (spoken.host)
OpenID Connect specifications published as ISO standards (self-issued.info)
I’m thrilled to report that the OpenID Connect specifications have now been published as ISO/IEC standards.
A simple to use Java 8 JWT Library (github.com/FusionAuth)
FusionAuth JWT is intended to be fast and easy to use. FusionAuth JWT has a single external dependency on Jackson, no Bouncy Castle, Apache Commons or Guava.
Pushed Authorization Requests (PAR) in ASP.NET Core 9 (nestenius.se)
ASP.NET Core 9 introduces support for Pushed Authorization Requests (PAR) in its OpenIdConnect authentication handler. But what exactly is PAR, and why does it matter? In this post, I’ll explain what PAR is, how it works, how to use it with Duende IdentityServer, and when you should consider using it in your applications.
Okta discloses auth bypass bug affecting 52-character usernames (theregister.com)
In potentially bad news for those with long names and/or employers with verbose domain names, Okta spotted a security hole that could have allowed crims to pass Okta AD/LDAP Delegated Authentication (DelAuth) using only a username.
Auth Wiki (auth.wiki)
Explore and find clear definitions of key glossaries related to authentication, authorization, and identity management. Work with open standards like OpenID Connect, OAuth 2.0, and SAML.
Eartho: Open-Source, Privacy-Focused Alternative to Google Sign-In (github.com/eartho-group)
Eartho is an open-source authentication alternative that prioritizes user privacy.
Comparing Auth from Supabase, Firebase, Auth.js, Ory, Clerk and Others (hyperknot.com)
I’m Zsolt Ero. After reading blog posts all my life, but never writing one, I decided to start writing my thoughts while building. This is my first blog post.
Understanding PAM and Creating a Custom Module in Python – Inside Out Insights (tchncs.de)
In today's interconnected world, user authentication plays a critical role in ensuring the security and integrity of computer systems.
The War on Passwords Is One Step Closer to Being Over (wired.com)
“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.
New passkey specifications will let users import and export them (9to5mac.com)
Passkeys were introduced two years ago, and they replace traditional passwords with more secure authentication using a security key or biometrics. To make the technology even better, the FIDO Alliance published on Monday new specifications for passkeys, which ensure a way to let users import and export them.
Coming soon: Securely import and export passkeys (1password.com)
Passkeys are superior to passwords in almost every way. They’re simpler to use because there’s nothing to memorize, type out, or paste in. They’re also always strong and come with multi-factor authentication built right in. In short, passkeys are awesome.
FortiLock: The Future of Unhackable Authentication (ycombinator.com)
Hey there, tech enthusiasts and security pros! Ready to explore the future of secure logins? We’re proud to introduce FortiLock, an innovative, next-level authentication system designed to keep your credentials safe even in a world full of threats.
Show HN: An open-source reverse proxy that authenticates users (github.com/stack-auth)
auth-proxy is a simple one-command proxy that authenticates your HTTP requests and redirects to a pre-built sign-in page if a user is not authenticated.
The Copenhagen Book: general guideline on implementing auth in web applications (thecopenhagenbook.com)
The Copenhagen Book provides a general guideline on implementing auth in web applications. It is free, open-source, and community-maintained. It may be opinionated or incomplete at times but we hope this fills a certain void in online resources. We recommend using this alongside the OWASP Cheat Sheet Series.
Ask HN: What type of Auth are you using on your side projects? (ycombinator.com)
I was looking at the Supabase docs and it was nice to see a long list of Auth workflows supported/documented. So my question is, here in October 2024, what are y'all using for Auth on your side projects? Password based, social, email, something else?
Show HN: Comprehensive authentication library for TypeScript (github.com/better-auth)
Better Auth is a framework-agnostic authentication (and authorization) library for TypeScript.
SAML: A Technical Primer (ssoready.com)
SAML is a source of a lot of confusion for developers. This article is a technical primer on some of the most common questions engineers and other technical folks have about SAML:
Show HN: Open Source Auth0 alternative Ory Identifier First Auth and OTP MFA (github.com/ory)
We are thrilled to announce the release of Ory Kratos v1.3.0! This release includes significant updates, enhancements, and fixes to improve your experience with Ory Kratos.
Passwords have problems, but passkeys have more (world.hey.com)
We had originally planned to go all-in on passkeys for ONCE/Campfire, and we built the early authentication system entirely around that. It was not a simple setup!
The "email is authentication" pattern (rubenerd.com)
I’m the first to admit that I don’t live in the real (electronic) world. As the late Jim Kloss pointed out during one of his broadcasts, we (and probably you) live in a part of the Web with ad blockers (as the [FBI recommends](https://www.ic3.gov/Media/Y2022/PSA221221)), limited JavaScript, password managers, and a (mostly) finely-tuned sense of what is a scam and what is legitimate (that was a lot of brackets).
OAuth from First Principles (stack-auth.com)
Ask HN: How do you keep track of “Log in with” accounts (ycombinator.com)
An admittedly wandering defense of the SSO tax (ssoready.com)
Flaw has Microsoft Authenticator overwriting MFA accounts, locking users out (csoonline.com)
FusionAuth 1.52.0 – Passkeys for Everyone (fusionauth.io)
Welcome to the Login.gov Developer Guide (login.gov)
Launch HN: Stack Auth (YC S24) – An Open-Source Auth0/Clerk Alternative (github.com/stack-auth)