Questions tagged [authentication]
The process of establishing the authenticity of a person or other entity. Not to be confused with authorization, which defines access rights to resources.
4,595 questions
0 votes, 0 answers, 12 views
LinkedIn website automatically gets my email address in Edge without consent, can all websites I browse silently get my email? [closed]
I'm using the Edge 135 browser on Windows 10. I am currently logged in to my Gmail account, but not logged in to LinkedIn.
When browsing to https://www.linkedin.com (I never logged in on this website since I ...
0 votes, 0 answers, 17 views
For AES-GCM, why do protocols not use the nonce to prevent replay attacks? [migrated]
For protocols using AES-GCM, it appears to be common practice to store the sequence number in the additional authenticated data (AES_GCM and TLS sequence number). I have not found any instances of ...
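The mechanism the post describes, as an added example that is not part of the question or of any protocol's code: each side keeps its own 64-bit counter and feeds it to AES-GCM as additional authenticated data, so the counter is never transmitted but is still covered by the tag. The key, messages and the explicit random nonce are constructed for the demo; the only assumption is that both sides start their counters at zero and advance them in lockstep.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed example (not from the question, not any protocol's code). Each
// side keeps its own counter and feeds it to GCM as additional authenticated
// data; the counter itself is never sent. A replayed, dropped or reordered
// record was sealed under a different counter value, so its tag no longer
// verifies at the receiver.

type record struct {
	nonce []byte // explicit, random per record; uniqueness is all GCM needs from it
	ct    []byte // ciphertext || 16-byte tag
}

type direction struct {
	aead cipher.AEAD
	seq  uint64 // next sequence number to seal (sender) or expect (receiver)
}

func newDirection(key []byte) (*direction, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &direction{aead: aead}, nil
}

func seqAAD(seq uint64) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], seq)
	return b[:]
}

// seal encrypts under the sender's current sequence number, then advances it.
func (d *direction) seal(plaintext []byte) (record, error) {
	nonce := make([]byte, d.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return record{}, err
	}
	ct := d.aead.Seal(nil, nonce, plaintext, seqAAD(d.seq))
	d.seq++
	return record{nonce: nonce, ct: ct}, nil
}

// open authenticates against the receiver's own expected sequence number; the
// counter only advances on success, so one bad record does not desynchronise.
func (d *direction) open(r record) ([]byte, error) {
	pt, err := d.aead.Open(nil, r.nonce, r.ct, seqAAD(d.seq))
	if err != nil {
		return nil, errors.New("record rejected: replay, reorder or tampering")
	}
	d.seq++
	return pt, nil
}

// demo returns whether in-order delivery works, whether a replayed record is
// rejected and whether a bit-flipped record is rejected.
func demo() (inOrderOK, replayRejected, tamperRejected bool, err error) {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed fixed key; AES-256-GCM
	sender, err := newDirection(key)
	if err != nil {
		return
	}
	receiver, err := newDirection(key)
	if err != nil {
		return
	}
	r1, _ := sender.seal([]byte("first message"))
	r2, _ := sender.seal([]byte("second message"))
	pt1, e1 := receiver.open(r1)
	pt2, e2 := receiver.open(r2)
	inOrderOK = e1 == nil && e2 == nil && string(pt1) == "first message" && string(pt2) == "second message"

	_, eReplay := receiver.open(r1) // attacker resends r1; receiver now expects seq 2
	replayRejected = eReplay != nil

	r3, _ := sender.seal([]byte("third message"))
	r3.ct[0] ^= 0x01 // flip one ciphertext bit in transit
	_, eTamper := receiver.open(r3)
	tamperRejected = eTamper != nil
	return
}

func main() {
	fmt.Println(demo())
}
```

The receiver deliberately uses its own counter, not anything carried in the record, as the AAD. If it instead trusted a sequence number sent alongside the ciphertext, a replayed record would still verify and replay protection would have to come from a separate window check.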
-3 votes, 0 answers, 95 views
How to know whether a plate number is being faked or not? [closed]
I’m not sure whether this question fits better under AI, Cryptography, or Security. I’ll place it under Security for now, since AI Security has become a new and growing domain.
I have developed an ...
0 votes, 0 answers, 32 views
Alternatives for device code flow for headless sign-in in Azure CLI?
With the ongoing phishing campaign Storm-2372, targeting the device code flow for authentication, we would like to disable this flow for our users.
However, the device code flow is essential for many ...
1 vote, 1 answer, 43 views
Using OPAQUE without envelope checksums
I've been considering switching from SRP to OPAQUE, because I like the idea that verifiers (which can be subject to dictionary attacks) are never communicated over the protocol, even during ...
0 votes, 0 answers, 34 views
Most secure method for a git workflow to reach another private GitHub repo
I am working on multiple GitHub workflows and these workflows need to reach other private repos within my organizations (these workflows might need to read and clone these repos or activate other ...
3 votes, 1 answer, 3k views
Are there any security concerns with this authentication flow?
I’m in the process of developing a native app and am currently trying to come up with a workflow to secure the communication between my app and the server.
I’ve done a lot of research and have not ...
0 votes, 1 answer, 41 views
Why hide the access token from the User Agent? (OAuth Authorization Code Grant)
My understanding is that the OAuth Authorization Code Flow is used to avoid exposing the access token from the User Agent. But why?
I was reading this article (Common OAuth Vulnerabilities) by ...
0 votes, 1 answer, 52 views
When not to use Authorization Code Grant?
Why would an OAuth implementation choose to use the Authorization Code Grant -- when it means that the access tokens are leaked to a third party?
I've been using API keys for a package on my server to ...
0 votes, 0 answers, 71 views
How to assess poor OAuth security implementations?
What questions should I ask to determine if a given OAuth implementation is secure?
I've been using a WordPress plugin for payments that authenticates with the payment gateway with an API key. I like ...
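The three posts above all turn on the same point: in the authorization code grant the user agent only ever carries a short-lived code, and the access token is minted on a back channel after checks the user agent cannot influence. The following is an added example, not any poster's code and not a real library: an in-memory model of an authorization server whose client registration ("demo-client", its secret and its redirect URI) and verifier string are made up. It shows the checks that a reviewer assessing an implementation would look for: exact redirect_uri matching, client authentication, single-use and expiring codes, binding of the code to the client and redirect_uri it was issued for, and PKCE.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Constructed in-memory model of an authorization server (not any real library
// and not the posters' code). The front channel (authorize) hands the user
// agent nothing but a short-lived code; every check that protects the access
// token happens in token(), on the back channel the user agent never sees.

type codeGrant struct {
	clientID      string
	redirectURI   string
	codeChallenge string // PKCE S256 challenge supplied at authorize time
	expires       time.Time
	used          bool
}

type authServer struct {
	clientSecrets map[string]string
	redirects     map[string]string // exact registered redirect URI per client
	codes         map[string]*codeGrant
	now           func() time.Time // injectable clock for tests
}

func newAuthServer() *authServer {
	return &authServer{
		clientSecrets: map[string]string{"demo-client": "demo-secret"}, // constructed registration
		redirects:     map[string]string{"demo-client": "https://app.example/cb"},
		codes:         map[string]*codeGrant{},
		now:           time.Now,
	}
}

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// s256 is the PKCE code_challenge derivation: BASE64URL(SHA256(verifier)).
func s256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// authorize is the front-channel step. Only the code goes back to the user agent.
func (s *authServer) authorize(clientID, redirectURI, codeChallenge string) (string, error) {
	if s.redirects[clientID] != redirectURI {
		return "", errors.New("redirect_uri is not the one registered for this client")
	}
	code := randomToken()
	s.codes[code] = &codeGrant{
		clientID: clientID, redirectURI: redirectURI, codeChallenge: codeChallenge,
		expires: s.now().Add(time.Minute),
	}
	return code, nil
}

// token is the back-channel step. The access token is minted only after client
// authentication, single-use and expiry checks, redirect_uri binding and PKCE.
func (s *authServer) token(clientID, clientSecret, code, redirectURI, verifier string) (string, error) {
	secret, ok := s.clientSecrets[clientID]
	if !ok || subtle.ConstantTimeCompare([]byte(secret), []byte(clientSecret)) != 1 {
		return "", errors.New("client authentication failed")
	}
	g, ok := s.codes[code]
	switch {
	case !ok:
		return "", errors.New("unknown code")
	case g.used:
		return "", errors.New("code already redeemed")
	case s.now().After(g.expires):
		return "", errors.New("code expired")
	case g.clientID != clientID || g.redirectURI != redirectURI:
		return "", errors.New("code was issued to a different client or redirect_uri")
	case s256(verifier) != g.codeChallenge:
		return "", errors.New("PKCE verifier does not match the challenge")
	}
	g.used = true
	return "at_" + randomToken(), nil
}

func main() {
	s := newAuthServer()
	verifier := "constructed-verifier-0123456789abcdefghijklmnopqrstuvwxyz"
	code, _ := s.authorize("demo-client", "https://app.example/cb", s256(verifier))
	tok, err := s.token("demo-client", "demo-secret", code, "https://app.example/cb", verifier)
	fmt.Println(tok != "", err)
	_, err = s.token("demo-client", "demo-secret", code, "https://app.example/cb", verifier)
	fmt.Println("second redemption:", err)
}
```

Each case in token() corresponds to a question to ask of a real implementation: does it authenticate the client, reject a redeemed or stale code, refuse a code presented by a different client or redirect_uri, and verify PKCE? An implementation that skips any of these is the kind the third post asks how to recognise.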
4 votes, 2 answers, 451 views
Is IP/location generally used as a strong signal that an account was stolen? [closed]
I recently started using a VPN.
I was surprised to discover that, on a couple sites that I use regularly as an authenticated user, my account was blocked. The reason given was something like "...
0 votes, 1 answer, 72 views
How is RabbitMQ's certificate authentication secure if it uses PKI?
According to the RabbitMQ documentation, any certificate issued by a CA that is in RabbitMQ's certification bundle will be trusted. Therefore, how can this type of authentication be secure if a CA — e....
1 vote, 1 answer, 97 views
Passwordless authentication with email OTP
I want to implement a passwordless authentication flow with a code sent by email but I can't find a clear best practice on how to securely implement it on the server side.
On the client side, the flow ...
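One way to structure the server side the post asks about, as an added example that is not the poster's code: the server keeps only an HMAC of the emailed code, bound to an opaque challenge ID and the email address, with an expiry, an attempt counter and single use enforced on verification. The secret key, the ten-minute lifetime, the five-attempt limit and the email addresses are constructed for the demo; actually sending the email is out of scope, so begin() just returns the code that would be sent.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Constructed example of the server side of an email one-time code, not the
// poster's code. Assumptions: a per-deployment secret (key), an opaque
// challenge ID handed to the client instead of the email address, and an
// email sender that is out of scope (begin just returns the code to send).

type challenge struct {
	email    string
	codeMAC  []byte // HMAC of the code; the code itself is never stored
	expires  time.Time
	attempts int
}

type otpService struct {
	mu         sync.Mutex
	key        []byte
	challenges map[string]*challenge
	now        func() time.Time // injectable clock
	ttl        time.Duration
	maxTries   int
}

func newOTPService(key []byte) *otpService {
	return &otpService{key: key, challenges: map[string]*challenge{}, now: time.Now, ttl: 10 * time.Minute, maxTries: 5}
}

// mac binds the code to this challenge ID and email, so a code intercepted for
// one challenge is useless against any other.
func (s *otpService) mac(id, email, code string) []byte {
	h := hmac.New(sha256.New, s.key)
	h.Write([]byte(id + "\x00" + email + "\x00" + code))
	return h.Sum(nil)
}

func randomID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// begin creates a challenge and returns its ID (for the client) and the
// six-digit code (to be emailed). The code comes from crypto/rand, uniform over 0..999999.
func (s *otpService) begin(email string) (id, code string) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		panic(err)
	}
	code = fmt.Sprintf("%06d", n.Int64())
	id = randomID()
	s.mu.Lock()
	defer s.mu.Unlock()
	s.challenges[id] = &challenge{email: email, codeMAC: s.mac(id, email, code), expires: s.now().Add(s.ttl)}
	return id, code
}

// verify burns one attempt per call. Guesses are counted before the comparison,
// the comparison is constant time, and a successful challenge is deleted so the
// code cannot be used twice.
func (s *otpService) verify(id, code string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.challenges[id]
	if !ok {
		return "", errors.New("unknown or already used challenge")
	}
	if s.now().After(c.expires) {
		delete(s.challenges, id)
		return "", errors.New("challenge expired")
	}
	c.attempts++
	if c.attempts > s.maxTries {
		delete(s.challenges, id)
		return "", errors.New("too many attempts; request a new code")
	}
	if !hmac.Equal(c.codeMAC, s.mac(id, c.email, code)) {
		return "", errors.New("wrong code")
	}
	delete(s.challenges, id)
	return c.email, nil
}

func main() {
	s := newOTPService([]byte("constructed-demo-key"))
	id, code := s.begin("alice@example.com")
	fmt.Println(s.verify(id, code)) // alice@example.com <nil>
	fmt.Println(s.verify(id, code)) // second use is rejected
}
```

Returning a challenge ID rather than keying the store on the email address keeps the verify endpoint from doubling as an account-enumeration oracle, and the attempt cap is what makes a six-digit code defensible against online guessing.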
0 votes, 0 answers, 28 views
client-initiated single logout
I have implemented a Single-Sign-On infrastructure where I own both the OIDC provider and the clients (RPs).
My question is about the single-logout mechanism. At the moment, when a user requests a ...
0 votes, 2 answers, 94 views
Hashed email addresses in database and plain text emails in JWT
I was just wondering what the downsides of the following approach would be:
The email address I store is hashed (with a pepper that is db wide). This should (in my theory) better protect users in case ...