Hacker News with Generative AI: Authentication

Why Login Failures Matter (fusionauth.io)
When you care about providing great authentication experiences, like us (the few, the proud), there is nothing better than this chart - undeniable proof that our users are successfully logging in.

Security, Authentication, User Experience

17 points by mooreds 3 days ago | 5 comments

Show HN: An open source OAuth/auth system (github.com/ValueMelody)
Melody Auth is a user-friendly, robust solution for implementing and hosting your own OAuth and authentication system.

Open Source, Authentication, Security, OAuth

8 points by radomizing1234 6 days ago | 0 comments

OpenAI uses open source Ory to authenticate over 400M weekly active users (ory.sh)

Open Source, Security, Authentication, User Management

68 points by aeneas_ory 13 days ago | 34 comments

Configure Azure Entra ID as IdP on Keycloak (ght1pc9kc.fr)
For a new project, I needed to use Keycloak as an Authentication Provider in a Spring Boot WebFlux application. Since the company I work for has a Microsoft Entra ID (formerly Azure Active Directory), the ideal solution was to connect Entra ID as an Identity Provider in Keycloak using OpenID Connect.

Authentication, OpenID Connect, Keycloak, Spring Boot

19 points by marthym 17 days ago | 7 comments

Sign in as anyone: Bypassing SAML SSO authentication with parser differentials (github.blog)
Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user.

Security, Authentication, SAML, Ruby, Vulnerabilities

312 points by campuscodi 18 days ago | 123 comments

SAMLStorm: Critical Authentication Bypass in XML-crypto and Node.js libraries (workos.com)
On Tuesday, March 4, 2025, WorkOS received a critical security report from researcher Alexander Tan (ahacker1) detailing a zero-day vulnerability in the widely used xml-crypto and SAML libraries in the Node.js ecosystem. This flaw allows attackers to forge SAML authentication responses, potentially granting unauthorized access to any user account in affected applications—including admin accounts—without any user interaction. If exploited, this vulnerability could enable full account takeovers across organizations relying on SAML-based single sign-on (SSO).

Security, Node.js, Authentication, SAML, Zero-Day Vulnerability

10 points by grinich 19 days ago | 0 comments

Sign in as anyone: Bypassing SAML SSO authentication with parser differentials (github.blog)
Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user.

Security, Authentication, SAML, Open Source, Ruby

10 points by mark 21 days ago | 0 comments

Show HN: Torii – a framework agnostic authentication library for Rust (github.com/cmackenzie1)
Torii is a powerful authentication framework for Rust applications that gives you complete control over your users' data.

Rust, Authentication, Frameworks, Software

80 points by cmackenzie1 33 days ago | 38 comments

A Comprehensive Formal Security Analysis of OAuth 2.0 (arxiv.org)
The OAuth 2.0 protocol is one of the most widely deployed authorization/single sign-on (SSO) protocols and also serves as the foundation for the new SSO standard OpenID Connect.

Security, OAuth 2.0, SSO, Authentication

49 points by colonCapitalDee 35 days ago | 12 comments

Google to Ditch SMS Code Authentication for Billions of Users (forbes.com)
It is certainly no secret that using SMS text messages for security codes used to authenticate your identity is far from ideal.

Google, Security, Authentication, Technology

5 points by CPLX 35 days ago | 0 comments

OwnCloud Infinite Scale with OpenID Connect Authentication (helgeklein.com)
This article explains how to set up ownCloud Infinity Scale with OpenID Connect authentication to Authelia or authentik.

Cloud Computing, Security, Authentication, Open Source

9 points by indigodaddy 37 days ago | 0 comments

The least secure TOTP code possible (shkspr.mobi)
If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP0).

Security, Authentication, Multi-Factor Authentication

11 points by edent 38 days ago | 1 comments

Untangling AI Agent authn/authz (venturebeat.com)
AI agents are set to change ID authorization: As they integrate behind the scenes, they will need to move seamlessly between different apps on our behalf, and not get continually halted by login screens, lest they become cumbersome.

Artificial Intelligence, Authentication, Authorization

12 points by sdomino 40 days ago | 2 comments

How you should respond to authentication failures isn't universal (utoronto.ca)
A discussion broke out in the comments on my entry on how everything should be able to ratelimit authentication failures, and one thing that came up was the standard advice that when authentication fails, the service shouldn't give you any indication of why.

Authentication, Security, Web Development, Software Development, Programming

3 points by zdw 48 days ago | 0 comments

Pairwise TOTP Authentication of Humans (schneier.com)
Here’s an easy system for two humans to remotely authenticate to each other, so they can be sure that neither are digital impersonations.

Security, Authentication, Privacy

32 points by transpute 51 days ago | 10 comments

Show HN: Hanko – Open-Source Auth and User Management for the Passkey Era (hanko.io)
Quickly integrate Hanko’s embeddable components and APIs to get a secure and modern login for your app. From passwords all the way to passkeys, 2FA, and SSO. Finally an auth solution that scales – without breaking the bank. And it’s open source.

Open Source, Security, Authentication, User Management, Passkeys

11 points by FlxMgdnz 52 days ago | 2 comments

Bad Smart Watch Authentication (sprocketfox.io)
When I originally paired the device I scanned a QR code on the watch. Turns out this probably just had the mac address on it or something because after several hours of getting device info and pulling activity data I realised that I had never performed any authentication step. Resetting the app and repairing also revealed that there's no pairing code. Nothing. The device isn't locked or secured once connected.

Security, Wearables, Authentication, Smartwatches

106 points by _Microft 52 days ago | 33 comments

How (not) to sign a JSON object (2019) (latacora.com)
Last year we did a blog post on interservice auth. This post is mostly about authenticating consumers to an API. That’s a related but subtly different problem: you can probably impose more requirements on your internal users than your customers. The idea is the same though: you’re trying to differentiate between a legitimate user and an attacker, usually by getting the legitimate user to prove that they know a credential that the attacker doesn’t.

Security, Authentication, API, JSON

54 points by maple3142 53 days ago | 43 comments

PeerAuth, TOTP-based peer authentication in the post-truth world (ksze.github.io)
Machine learning has become more and more powerful, to the point where a bad actor can take a photo and a voice recording of someone you know, and forge a complete video recording.

Security, Authentication, Machine Learning

19 points by k_sze 57 days ago | 22 comments

What's OAuth2 Anyway? (romaglushko.com)
Have you ever logged into a website using your Google or Facebook account? Or connected an app to access your GitHub data? If so, you’ve already used OAuth2, whether you knew it or not.

Authentication, Security, Web Development, Programming

3 points by thunderbong 67 days ago | 1 comments

Keycloak, Angular, and the BFF Pattern (brakmic.com)
In this article, we’ll use the BFF (Backend for Frontend) pattern to build a secure system comprising a web app, a Keycloak server, and a dedicated backend service that brokers authentication flows between them.

Keycloak, Angular, Authentication

57 points by brakmic 67 days ago | 23 comments

Ask HN: How to automate collecting HAR file while user is browsing (ycombinator.com)
We are facing an intermittent issue in our web application where for some users for some reasons http requests are ending in error ( 400s ) esp. during token refresh with authentication server.

Web Development, Debugging, Automation, HTTP, Authentication

25 points by royalghost 68 days ago | 19 comments

New Bambu Lab Firmware Update Adds Mandatory Authorization Control System (hackaday.com)
As per a recent Bambu Lab blog post, its FDM printers in the X1 series will soon receive a firmware update that adds mandatory authentication for certain operations, starting with the firmware update on January 23rd for the aforementioned FDM printers.

3D Printing, Firmware Updates, Security, Authentication

3 points by razerbeans 72 days ago | 1 comments

Avoiding Authentication System Lock-In (fusionauth.io)
Years ago your team decided to use a third-party authentication system to avoid the time and cost of building one in-house. But now a better option has hit the market and you’re wanting to make the switch. Except, hold on, your old system is so deeply ingrained into your organization that you’re practically locked-in to your current vendor.

Authentication, Security, Software, Business, Vendor Lock-in

14 points by mooreds 73 days ago | 0 comments

Major authentication providers still doesn't support TLS 1.3 (okta.com)

Security, TLS, Authentication

4 points by Alcatros552 76 days ago | 1 comments

Magic/tragic email links: don't make them the only option (recyclebin.zip)
The term “Magic Links” once meant a futuristic PDA. Nowdays, companies like Auth0 use it to refer to the slightly-magical feat of including a login link in an email.

Security, Email, User Experience, Authentication

706 points by gepeto42 85 days ago | 504 comments

Magic Links Have Rough Edges, but Passkeys Can Smooth Them Over (rmondello.com)
Independent media venture 404 Media recently published a post titled, “We Don’t Want Your Password”. The piece is a cogent explanation of the problems with password-based accounts online followed by a defense of the website’s login strategy, magic links, in the face of feedback about them being inconvenient and difficult to use.

Web Security, User Experience, Passwords, Authentication, Magic Links

50 points by mooreds 87 days ago | 57 comments

Ask HN: Google login has circular dependency (ycombinator.com)
I just changed to a new iPhone. After setup, the gmail app requires me to confirm using two factor authentication using one of the following methods: <p>1. Tap Yes on a notification on my iPhone, which I don't receive because I am not logged in into any google accounts <p>2.

Google, Authentication, Mobile Devices, iPhones, User Experience

11 points by darth_avocado 90 days ago | 10 comments

A Tour of WebAuthn (imperialviolet.org)
Passwords are rubbish.

Security, Web Development, Authentication

299 points by caust1c 97 days ago | 150 comments

CISA: Do not use SMS as a second factor for authentication [pdf] (cisa.gov)

Cybersecurity, Authentication, Two-Factor Authentication

42 points by zdw 103 days ago | 22 comments