Launch HN: Better Auth (YC X25) – Authentication Framework for TypeScript(ycombinator.com) Hi HN! We’re Bereket and KinfeMichael of Better Auth (https://www.better-auth.com/), a comprehensive authentication framework for TypeScript that lets you implement everything from simple auth flows to enterprise-grade systems directly on your own database, embedded in your backend.
The cryptography behind passkeys(trailofbits.com) When most people think of cryptography, the first thing they typically think of is encryption: keeping information confidential. But just as important (if not more) is authenticity: ensuring that information is really coming from an authentic source.
The OAuth 2.1 Authorization Framework(ietf.org) The OAuth 2.1 authorization framework enables an application to obtain limited access to a protected resource, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and an authorization service, or by allowing the application to obtain access on its own behalf.
Best Practices for User Authentication and Authorization in Web Applications(securityboulevard.com) Your authentication system isn't just a door—it's the fortress protecting everything you value. This research paper presents a comprehensive framework for implementing secure authentication and authorization mechanisms in modern web applications. The increasing sophistication of cyber threats necessitates robust security practices for managing user identity and access privileges.
Ask HN: Magic links are bad UX and make people's lives worse. Change my mind(ycombinator.com) Click login, get sent an email link that you have to first wait to be delivered (sometimes takes a full minute, sometimes you have to resend the link). Sometimes the link goes to spam, sometimes you have to search for it like a needle in a haystack of other notifications. Sometimes you are not logged into your email on that device, or it's a small screen that makes it a pain. Maybe it's my mother, and she now has to go find where
A Guide to Bearer Tokens: JWT vs. Opaque Tokens(permit.io) Bearer tokens play an important role in securing APIs and managing user sessions. Whether you're building a single-page app, a backend-for-frontend API, or a network of microservices, bearer tokens act as the key that grants access to protected resources—without needing to re-authenticate the user on every request.
Behind the 6-digit code: Building HOTP and TOTP from scratch(dogac.dev) A while ago, I started working on authorization and authentication at work. This taught me a lot about how modern authentication systems work. However, I have always thought One-Time Password logins are the most mystical ones. A six-digit code that changes every time and can be used to verify your identity. How does the server know the newly generated one, and how is it really secure?
Why Login Failures Matter(fusionauth.io) When you care about providing great authentication experiences, like us (the few, the proud), there is nothing better than this chart - undeniable proof that our users are successfully logging in.
Configure Azure Entra ID as IdP on Keycloak(ght1pc9kc.fr) For a new project, I needed to use Keycloak as an Authentication Provider in a Spring Boot WebFlux application. Since the company I work for has a Microsoft Entra ID (formerly Azure Active Directory), the ideal solution was to connect Entra ID as an Identity Provider in Keycloak using OpenID Connect.
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials(github.blog) Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. Attackers who are in possession of a single valid signature that was created with the key used to validate SAML responses or assertions of the targeted organization can use it to construct SAML assertions themselves and are in turn able to log in as any user.
SAMLStorm: Critical Authentication Bypass in XML-crypto and Node.js libraries(workos.com) On Tuesday, March 4, 2025, WorkOS received a critical security report from researcher Alexander Tan (ahacker1) detailing a zero-day vulnerability in the widely used xml-crypto and SAML libraries in the Node.js ecosystem. This flaw allows attackers to forge SAML authentication responses, potentially granting unauthorized access to any user account in affected applications—including admin accounts—without any user interaction. If exploited, this vulnerability could enable full account takeovers across organizations relying on SAML-based single sign-on (SSO).
The least secure TOTP code possible(shkspr.mobi) If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP).
Untangling AI Agent authn/authz(venturebeat.com) AI agents are set to change ID authorization: As they integrate behind the scenes, they will need to move seamlessly between different apps on our behalf, and not get continually halted by login screens, lest they become cumbersome.
How you should respond to authentication failures isn't universal(utoronto.ca) A discussion broke out in the comments on my entry on how everything should be able to ratelimit authentication failures, and one thing that came up was the standard advice that when authentication fails, the service shouldn't give you any indication of why.
Bad Smart Watch Authentication(sprocketfox.io) When I originally paired the device I scanned a QR code on the watch. Turns out this probably just had the MAC address on it or something because after several hours of getting device info and pulling activity data I realised that I had never performed any authentication step. Resetting the app and re-pairing also revealed that there's no pairing code. Nothing. The device isn't locked or secured once connected.