“Technologists have historically failed to evaluate the effectiveness of authentication requirements against all reasonable attacks, to disclose the shortcomings of these requirements, and to account for and acknowledge their negative impact on users.” Excellent article about #2FA but the lessons about #cybersecurity are more general.
And making open source alternatives — #DevStories
This is a transcript of a talk I gave at the Hacker Noon #devstories @Github event, with minor modifications to improve readability. I wanted to call out the irony that security calls for openness, but security is also the reason for obscurity and proprietary implementations, especially in the hardware world. Making security more open is what motivated us to found SoloKeys and make open source hardware security keys.
What I think is really fascinating about security is the duality that I tried to capture in the title between openness and obscurity. Borrowing a definition from cryptography:
A (crypto)system should be secure even if everything about the system, except the key, is (...)
Authorized requests to #s3 bucket
Protected S3 buckets, protected files
This notebook shows the finished product of adding basic permissioning to an S3 bucket. We use basic auth, which is an HTTP protocol for simple auth on web-accessible files. https://en.wikipedia.org/wiki/Basic_access_authentication
Basic auth isn't very secure — however, we pair this with HTTPS and restrict access to the s3 bucket.
Set up some python stuff
In: import requests; import json
Access secure endpoint without auth
First we're gonna try to access this file without any credentials.
In: url = 'https://d17nii79zr8aom.cloudfront.net/success.json'
    resp = requests.get(url)
    resp.content
Out: 'Unauthorized'
Next we add basic auth params.
Access secure endpoint with auth!
In: user, password = 'user', 'pass'
    resp = requests.get(url, (...)
Building RESTful APIs (Authentication & Error Handling)
Show Notes
Jon Christensen and Chris Hickman of Kelsus and Rich Staats of Secret Stache continue their conversation on building RESTful APIs, specifically focusing on #authentication and error handling. REST stands for Representational State Transfer.
Some of the highlights of the show include:
Importance of authentication with APIs to identify callers and their authorized permissions
Stateless vs. stateful communication channels between entities
Simplest authentication technique is to use basic HTTP metadata in headers; you must send it over an encrypted connection
Exchanging short-lived tokens negotiated based upon the user's credentials is another (...)
Stop printing your personal photos via online websites
Security Vulnerability in Inkmonk
There are plenty of online shops which offer to print your photos, visiting cards and t-shirts. But do they protect the photos or personal information you share with them? We will find out.
We discovered a #security vulnerability in Inkmonk.com (India's first print marketplace) which leaks all the photos you have uploaded, via a simple API:
Vulnerable API
The ids used in the above #api are serially iterable and the response looks like this:
API response
And if you click on one of the URLs in the above response, you will see the pictures uploaded by the users of the website. They do not require any kind of #authentication at all. Some examples below:
This security bug was reported to InkMonk on 19th November, 2017. They acknowledged the existence of the issue and (...)
PassportJS — The Confusing Parts Explained
PassportJS is awesome. It provides an abstraction layer over logging in with various providers such as Facebook, Google, Github, Twitter and more.
When first getting started, though, it can be a little challenging to understand what's going on and why. Their documentation is pretty good but leaves out some specifics that I initially found difficult to understand. Hopefully this helps answer some of your questions and clears up some confusion. I assume you've read the docs a little and have maybe tried implementing it. Even if you haven't, you should still be able to follow along. Even if you have, this should still prove useful in understanding PassportJS a little better.
Here's what's covered:
The Callback Function in Strategy Setup
Why #passport.authenticate() is needed in the (...)
Step-up authentication and #2fa make users feel secure. Being asked to get your phone out and swipe an app feels satisfyingly secure, but it also gets tiresome awful quick.
Iris scanning, facial recognition, Yubikeys, FIDO, SMS one-time codes, Google Authenticator, PING swipe, TokenOne and on and on. Asking our customers to take "just one more step", to thumb scan, to swipe an app, to type a one-time SMS code, to look up an email all feels like a reasonable ask until it isn't.
The reality is that consumers and business users resent being asked to jump through more hoops or to learn another authentication procedure. So while the top end of the #security spectrum supports more varied and complex authentication flavours, the average user is fighting even the most basic efforts to secure their (...)
Auth Headers vs #jwt vs Sessions — How to Choose the Right Auth Technique for APIs
Authenticating REST APIs calls for selecting the technique that suits your application. There are several ways.
There are two choices for Single Page Applications:
Session Based authentication
Token Based authentication
The set of questions that need to be asked are:
Should the sessions be invalidated before they expire? If yes, sessions must be preferred.
Should the session end based on inactivity rather than after a fixed time? If yes, sessions must be preferred.
Will mobile applications use the same APIs? If yes, prefer token-based #authentication (but ensure a separate #api is built for these use cases).
Is your web framework protected against CSRF? Prefer token-based authentication if it is a "No" or if you don't know what CSRF is.
If token based authentication is (...)
#aws Cognito User Pools or Identity Pools: what do I use to secure my #api?
As a developer, you don't like reinventing the wheel. You need to add #authentication and authorization to your API and you've decided to use a third-party service, instead of rolling your own user management system. You are familiar with AWS, so Cognito is the way to go. You check the docs and try to understand what User Pools are, what Identity Pools are and what the difference between them is.
That's your face when going through Cognito docs
No worries, we've all been there. It's really confusing, especially if you're not an expert on authentication and authorization protocols (I include myself there). Both services seem to be built for the same purpose, so choosing one or another can become a tough task.
Long story short
If you'd like to access AWS resources directly from the client side (be it a (...)
Integrating #firebase #authentication with #react Router in React 16.3
After many months of React Native development, I've become acquainted with building an authentication workflow between Firebase and React Navigation. Lately I was looking to do the same but in ReactJS. The only difference between the web and the native use case is that, on a web app, the user can try to access a navigation state directly via the URL, so you need to protect your components. Luckily, React 16.3 now provides a fantastic new Context API that will help us with that.
We first create a Firebase auth context that contains two values:
authStatusReported indicates if Firebase has reported the auth status. If the auth status hasn't been reported yet, you might want to display a loading indicator for your app.
isUserSignedIn (...)
Divide and Govern: How We Implemented Session Separation at the Mail.Ru portal
In the beginning…
Mail.Ru is a gigantic portal created more than 15 years ago. Since then we have evolved from a minor web project to the most visited Runet site online. The portal comprises an enormous number of services, each with its own story and separate team of developers, who had to do their utmost to make sure all projects (new, old and those joining the portal as it evolved) shared a single user #authentication system. Then, after many years, we were eventually faced with a task that was almost the opposite: separating user sessions. Why this was necessary, what obstacles tripped us up and how we got around them will be covered in this post. If we take a trip back in time when all our services were part of a single second-level domain and separated into third-level domains, (...)
A blog post (in English) on XMPP authentication for Django. For the record, this allows logging in without a password from any XMPP client (whether on desktop, web, phone, or otherwise).
Police asked 3D printing lab Arora to recreate a dead man’s fingers to unlock phone
A 3D printed finger alone often can’t unlock a phone these days. Most fingerprint readers used on phones are capacitive, which means they rely on the closing of tiny electrical circuits to work. The ridges of your fingers cause some of these circuits to come in contact with each other, generating an image of the fingerprint. Skin is conductive enough to close these circuits, but the normal 3D printing plastic isn’t, so Arora coated the 3D printed fingers in a thin layer of metallic particles so that the fingerprint scanner can read them.
“We don’t know which finger the suspect used,” he told me by phone. “We think it’s going to be the thumb or index finger—that’s what most people use—but we have all ten.”
a password that you have memorized may be protected by the Fifth Amendment. Your fingerprints aren’t.
But a judge argues that phones should be considered extensions of our minds and should be protected under the Fifth Amendment (protection against self-incrimination) and not just the Fourth Amendment (protection against illegal search and seizure). He argues that cell phones are unlike almost anything else we own.
Selfies to replace passwords in Mastercard online payments trial
Participants in Mastercard’s trial will be prompted to snap a photograph of their face using the Mastercard app on their smartphone at the online checkout point, rather than entering a password.
This app then converts the photo into 1s and 0s using facial recognition technology, and transmits it over the internet to MasterCard, which compares it with a stored code representing the cardholder’s face. If the two codes match up, then the purchase will be approved.
#Authentication management in #Composer - Jordi Boggiano
Until then, there was a solution in the form of a plugin:
HybridAuth, Open Source Social-Single-Sign-On Solution for authentication through Facebook, Twitter, Google, Yahoo, MySpace, LinkedIn, AOL, Vimeo, FourSquare, OpenID and other Identity providers
HybridAuth is an open source web-based #authentication and authorisation solution that combines the strengths of several major social networks and Identity Providers services into one simple PHP Library.
spotted by @b_b