Questions tagged [authentication]
The process of establishing the authenticity of a person or other entity. Not to be confused with authorization - defining access rights to resources.
4,574 questions
1 vote, 0 answers, 27 views
Is a Nebula overlay network essentially a peer-to-peer mesh network with mutual TLS?
I'm looking into Nebula overlay networks, as also offered by its founders on defined.net.
To my understanding this type of network is some kind of mesh overlay network, which offers a form of ...
0 votes, 0 answers, 14 views
Implement continuous authentication of users within an internal network using FreeRADIUS in pfsense
I am building a small network virtualization using VirtualBox, with the goal of testing and implementing various security concepts. The network includes a pfSense VM acting as the router, three Ubuntu ...
21 votes, 4 answers, 7k views
A website asks you to enter a Microsoft/Google/Facebook password. How do you know it is safe?
A website prompts me to log in to my Microsoft Account. In order to perform my task, it requires me to enter that password.
How does the "average user" avoid giving all their login details ...
1 vote, 0 answers, 38 views
Microsoft Identity vs ASP.NET Core Identity
I’ve been using the Microsoft ASP.NET Identity Library. It’s a basic authentication and authorization system that is a DLL that stores everything in my app’s DB. It has screens for forgotten password, ...
16 votes, 4 answers, 3k views
Why might an operating system require a restart after N failed login attempts?
I continually entered my password incorrectly whilst trying to log in to Windows 11. I expected that after N failed attempts I would then start to see an increasing time delay after each subsequent ...
0 votes, 0 answers, 72 views
2FA and «Sign in from new location» email
If a user configures 2FA, and then he logs in from a new location, should we send an email to inform him that he just signed in from a new location?
Even if it's not common, unnecessary notifications ...
5 votes, 2 answers, 1k views
How to allow a user to login via client X.509 certificate or username/password?
I have a niche website programmed by a volunteer. Like pretty much every website it's secured via TLS, and the main page doesn't let you do much except login via username & password or request an ...
0 votes, 1 answer, 83 views
Specific Security Risks in Decentralized Identity and Self-Sovereign Identity (SSI)
I am exploring Self-Sovereign Identity (SSI) as a decentralized approach to identity management, similar to how Bitcoin addresses financial systems through blockchain (as verifiable data registry (VDR)...
2 votes, 0 answers, 60 views
Usage of OTPs in combination with long-lived auto login URLs
My requirement is to implement auto-login URLs for one-click authentication. We will generate a URL with a login token (e.g. https://my-company.com/autologin?token=${autoLoginToken}), which will act ...
1 vote, 0 answers, 62 views
How can I keep a subdomain secure when its parent domain is not secure?
Suppose I have a domain whose name is example.com. example.com is maintained by other developers. Now suppose my job is to create a website named subdomain.example.com. Both websites are publicly ...
2 votes, 0 answers, 51 views
How do I know if our OTP solution is secure enough? [closed]
At work we are using a one-time PIN code (6 digits, TTL 5 min) for signing in to devices that we hand out to our customers. We have earlier deemed that this is secure enough for that use case.
Now we’...
1 vote, 0 answers, 21 views
Enabling Windows Policy Breaks Halo PIN [migrated]
In the Windows Local Security Policy (secpol.msc) I enabled the following policy:
Interactive logon: Do not require CTRL + ALT + DEL --> DISABLED
So my computer requires the users to hit CTRL + ...
0 votes, 1 answer, 66 views
Best Practices for WebAuthn FIDO2 reset
Security Noob here. I am trying to build a secure passwordless login mechanism for my webservice.
The authentication mechanisms
My idea is to encourage the users to use the following two login methods:...
2 votes, 2 answers, 870 views
Preventing authentication (login) timing attacks in a nodejs application
I am using graphql and my login function is resolved using a promise. The username is an email address.
The steps in the logic are the following: -
Validate CSRF token else return generic response (&...
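The usual way to make the steps above timing-neutral is to do the same amount of work whether or not the email exists, and to compare digests in constant time. The following is an added example (not the asker's code); it assumes PBKDF2-HMAC-SHA256 as the password KDF and an in-memory user table, and it leaves out the CSRF check that the question performs first:

```python
import hashlib
import hmac
import os

# KDF settings; an assumption for this example, not taken from the question.
ITERATIONS = 100_000


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 over the password with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed user store (email -> (salt, hash)); a real app reads it from its DB.
USERS = {
    "alice@example.com": make_record("correct horse battery staple"),
}

# A throwaway record computed once at start-up. When the email is unknown we
# still run the KDF against it, so the "no such user" path costs the same as
# the "wrong password" path and the response time does not reveal which one
# happened.
_DUMMY_SALT, _DUMMY_HASH = make_record(os.urandom(16).hex())


def login(email, password):
    """Return True only for a known user presenting the right password.

    Every call performs exactly one KDF run and one constant-time digest
    comparison, whatever the input; the caller maps False to one generic
    error message.
    """
    record = USERS.get(email)
    user_exists = record is not None
    salt, stored = record if user_exists else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = hash_password(password, salt)
    # compare_digest does not stop at the first differing byte.
    digest_ok = hmac.compare_digest(candidate, stored)
    # Bitwise & rather than `and`, so neither operand is short-circuited away.
    return bool(digest_ok & user_exists)
```

The dummy record is what keeps the two failure paths equal in cost; without it the unknown-email branch skips the KDF and returns measurably faster, which is the leak the question is worried about.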
4 votes, 2 answers, 138 views
How is biometric login protected against security leaks?
If a database full of passwords is leaked, a user can just make another password. Today biometric security checks like fingerprint scanners and face recognition are often promoted as good security ...
1 vote, 1 answer, 97 views
Is an API vulnerable to BREACH if HTTP compression is only enabled for endpoints that are authenticated using bearer tokens?
Let's assume an API returns sensitive information (e.g. medical or financial) to authenticated users only.
In some circumstances responses may include information the user supplied in the request (e.g....
3 votes, 1 answer, 89 views
How to securely change email address in a Mobile App with Email OTP Based Login
I'm working on a mobile app where users can only log in using their email address and receive an OTP to verify their identity. I'm trying to figure out the best approach for allowing users to change ...
4 votes, 1 answer, 159 views
What are the downsides of matching by email in SSO logins (e.g. Google, Facebook, Apple, Microsoft)?
Context
I've read somewhere that one should not match by email (e.g. the email given by the Google JWT token) when using SSO (e.g. OpenID Connect) but it's not clear to me why.
The recommended ...
1 vote, 2 answers, 141 views
Keycloak - SSO security best practices
I am using Keycloak as OIDC provider for several web applications. I have approximately 50 users and 5 applications. Some applications contain sensitive data and are used only by the company managers. ...
0 votes, 0 answers, 84 views
BLE Challenge-Response Authentication Using Pre-Shared Key and SHA-256
I’m working on a Bluetooth Low Energy lock system and have implemented a challenge-response authentication flow for secure communication between the lock (an ESP32 device) and the user's phone. I'm ...
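For reference, here is what a pre-shared-key challenge-response between a lock and a phone looks like when written out with both sides' messages. This is an added example, not the asker's ESP32 code: it assumes HMAC-SHA256 (rather than a bare SHA-256 over key and challenge) and a 16-byte random nonce that the lock consumes on first use, so a captured response cannot be replayed. The `LABEL` constant is an arbitrary domain-separation string chosen for this example.

```python
import hashlib
import hmac
import os

# Domain separation so the same PSK cannot be made to answer a challenge from
# some other protocol that also uses HMAC-SHA256 (assumption for this example).
LABEL = b"ble-lock-unlock-v1"


class Lock:
    """The lock side: issues fresh nonces and checks the phone's HMAC."""

    def __init__(self, psk):
        self._psk = psk
        self._outstanding = set()   # nonces issued but not yet answered

    def challenge(self):
        nonce = os.urandom(16)      # unpredictable and never reused
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        # Reject nonces the lock never issued, and consume each nonce on first
        # use, so replaying a sniffed (nonce, response) pair fails.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._psk, LABEL + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Phone:
    """The phone side: proves PSK possession without ever sending the PSK."""

    def __init__(self, psk):
        self._psk = psk

    def respond(self, nonce):
        return hmac.new(self._psk, LABEL + nonce, hashlib.sha256).digest()


def unlock_attempt(lock, phone):
    """One round trip: lock -> nonce -> phone -> HMAC(nonce) -> lock."""
    nonce = lock.challenge()
    return lock.verify(nonce, phone.respond(nonce))
```

Note what this does and does not give you: the lock learns that the phone holds the PSK, but the phone learns nothing about the lock; if the phone also needs assurance that it is talking to the real lock, run the same exchange in the other direction with a distinct label.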
1 vote, 1 answer, 67 views
Is it currently considered strong security to store the encrypted data and encryption key in the same database? [duplicate]
In 2024, is it considered safe to encrypt user data, store the encryption keys in the database, and protect them with user credentials? Deriving keys from user password is not ideal in my design. My ...
0 votes, 0 answers, 34 views
Does requiring log in every n hours actually increase security for a web app, if login info is stored in browser? [duplicate]
A web application I use forces log in again every 12 hours.
I'm struggling to see exactly how this increases security, considering the browser has user and pass pre-filled, and I simply have to click &...
0 votes, 1 answer, 96 views
Is there an attack vector for SMS verification code using a bunch of parallel requests
I'm trying to elaborate a login scenario with SMS verification code. Not sure whether it's an attack vector or not.
Assume, we have a N = 3 digit code sent to a user mobile phone (3-digit code just ...
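The arithmetic behind both this question and the earlier one about a 6-digit, 5-minute OTP is the same: an attacker's chance of success is the number of guesses the server lets through divided by the size of the code space, so what actually matters is the per-code attempt budget and whether parallel requests can exceed it. The following is an added example, not code from either question: it computes that probability and shows a verifier whose attempt counter is incremented under a lock before the comparison, so a burst of concurrent requests cannot all observe "attempts < max" and each get a free guess. The code values, TTLs and thread count are constructed inputs.

```python
import hmac
import threading
import time


def guess_success_probability(digits, attempts):
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    space = 10 ** digits
    return min(attempts, space) / space


class OtpVerifier:
    """One code with a TTL and a per-code attempt budget.

    The counter is advanced under a lock before the comparison, so N parallel
    requests cannot all see attempts < max and each be allowed through.
    """

    def __init__(self, code, ttl_seconds, max_attempts, now=time.time):
        self._code = code
        self._expires = now() + ttl_seconds
        self._max = max_attempts
        self._now = now
        self._lock = threading.Lock()
        self.attempts = 0
        self.used = False

    def verify(self, guess):
        with self._lock:
            if self.used or self._now() > self._expires:
                return False
            if self.attempts >= self._max:
                return False
            self.attempts += 1          # charged before we look at the guess
            ok = hmac.compare_digest(self._code, guess)
            if ok:
                self.used = True        # single use: a replayed correct code fails
            return ok


def parallel_bruteforce(verifier, digits, threads=16):
    """Fire every possible code at the verifier from many threads at once.

    Returns how many guesses were accepted. With the lock in place this is at
    most 1 and the counter never exceeds the budget; the check-then-increment
    race the question asks about would let several threads through.
    """
    accepted = []   # list.append is atomic in CPython, so no extra lock needed
    codes = [f"{i:0{digits}d}" for i in range(10 ** digits)]

    def worker(chunk):
        for c in chunk:
            if verifier.verify(c):
                accepted.append(c)

    workers = [threading.Thread(target=worker, args=(codes[i::threads],))
               for i in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return len(accepted)
```

With a 3-digit code and a budget of 5 attempts the attacker's best case is 0.5 percent per code; with 6 digits and the same budget it is 0.0005 percent. The budget must be enforced per code (or per phone number), not per client IP, since the parallel requests in the question can trivially come from many addresses.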
1 vote, 1 answer, 45 views
Can I sufficiently protect my REST Service using shared Tokens?
I have a server exposing a REST service. I am thinking about a way to prevent unauthorized access to the service.
Setup
My current setup is as follows:
The server uses SSL.
There are exactly three ...
1 vote, 2 answers, 2k views
What's the best format or way to generate a short-lived access token?
I'm creating a fairly basic authentication mechanism with username and password. The auth flow is essentially:
User inputs their username and password
On the client side the password is hashed
The ...
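This question and the earlier one about auto-login URLs both come down to the same building block: an opaque token with enough entropy that it cannot be guessed, stored server-side only as a hash so a copy of the table is useless, with an expiry and, for a one-click link, single use. The following is an added example, not code from either question; it assumes `secrets.token_urlsafe` as the generator, SHA-256 as the stored form, and an injectable clock so expiry can be exercised.

```python
import hashlib
import secrets
import time


class TokenStore:
    """Opaque random tokens, kept only as SHA-256 digests with an expiry.

    The client holds the preimage; the server sees it again only on redemption,
    so a leaked table yields nothing an attacker can present.
    """

    def __init__(self, now=time.time):
        self._rows = {}
        self._now = now

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user, ttl_seconds, single_use=False):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._rows[self._key(token)] = {
            "user": user,
            "expires": self._now() + ttl_seconds,
            "single_use": single_use,
        }
        return token

    def redeem(self, token):
        """Return the user the token belongs to, or None if it is unusable."""
        key = self._key(token)
        row = self._rows.get(key)
        if row is None:
            return None
        if self._now() > row["expires"]:
            del self._rows[key]
            return None
        if row["single_use"]:
            del self._rows[key]             # auto-login link: one click, then dead
        return row["user"]

    def revoke(self, token):
        """Drop a token early, e.g. on logout or password change."""
        self._rows.pop(self._key(token), None)


def issue_access_token(store, user):
    """Short-lived bearer token for API calls (15 minutes assumed)."""
    return store.issue(user, ttl_seconds=15 * 60)


def issue_autologin_token(store, user):
    """Single-use link token; the TTL here is an assumption, not the question's."""
    return store.issue(user, ttl_seconds=24 * 60 * 60, single_use=True)
```

A random opaque token plus a server-side row is the simplest format that is both unforgeable and revocable; a signed self-contained token (a JWT) avoids the lookup but cannot be revoked before it expires without adding a denylist, which brings the lookup back.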
1 vote, 1 answer, 123 views
Is there a private, secure and easy login system?
I am trying to figure out the implications of authentication technologies. Answers to a previous question indicate my real question is more "meta" than that.
The primary requirements for an ...
23 votes, 4 answers, 10k views
What's the safest way to store a password in database?
I read that a password and a salt needs to be combined and then hashed. You save the result and the salt in plaintext. Is it a good practice to use the username as a salt? Why and why not?
I also read ...
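The salt question has a concrete answer that is easiest to see in code. The following is an added example, not the asker's code; it assumes scrypt from the standard library as the password hash and a self-describing record format so the cost parameters can be raised later. The last function is the anti-pattern the question asks about, included so its weakness can be checked directly.

```python
import hashlib
import hmac
import os

# scrypt cost parameters; an assumption for this example, tune for your hardware.
N, R, P = 2 ** 14, 8, 1
SALT_BYTES = 16


def _kdf(password, salt, n=N, r=R, p=P):
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)


def create_record(password):
    """Hash with a fresh random salt; salt and parameters are stored in the clear."""
    salt = os.urandom(SALT_BYTES)
    digest = _kdf(password, salt)
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the parameters stored in the record; constant-time compare."""
    algo, n, r, p, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unknown password hash format")
    digest = _kdf(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def username_salted_hash(username, password):
    """The scheme asked about: username as salt. Deterministic per (user, password)."""
    return _kdf(password, username.encode()).hex()
```

Two properties fall out of the test below. With a random salt, two users (or the same user twice) with the same password get different records, so nothing can be precomputed before the breach and equal passwords are not visible in the dump. With the username as salt, the value is fixed as soon as the username is known: an attacker can build a table for `admin` or for a known target in advance, and the same user with the same password at a second site that uses the same scheme produces an identical hash, so one breach cracks both.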
0 votes, 2 answers, 103 views
How do macOS Touch ID and Windows Hello work securely with fingerprints in place of passwords?
How do macOS Touch ID and Windows Hello work securely with fingerprints in place of passwords?
As an example, macOS has been successfully using fingerprint authentication as a secure method for ...
0 votes, 1 answer, 73 views
Save password pop-up appears with encrypted password [closed]
I have a requirement for a web application that during login, while submitting the login form, the password should be transmitted as encrypted but also the password manager's save password pop-up should show ...
0 votes, 1 answer, 53 views
How to setup a new SCRAM user without sending password to the server
I'm looking at using SCRAM for authentication of clients of the server I'm writing, as SCRAM does not send password over the wire in a way that it is useful if intercepted, and does not store ...
4 votes, 4 answers, 3k views
What's wrong with my app authentication scheme?
I'm writing my own networking layer for my video games startup and am using TCP for connection/authentication. I wanted to know how safe my authentication scheme was and what I could do to improve it.
...
1 vote, 1 answer, 56 views
Who generates the TACACS+ challenge in challenge-response authentication protocols?
Reading the TACACS+ RFC common authentication flows, the CHAP/MSCHAPv1/MSCHAPv2 sections state the following:
The entire exchange MUST consist of a single START packet and a single REPLY.
Which ...
0 votes, 0 answers, 55 views
Should OTP be resent during the sign-up process if the user is already verified?
I'm building an authentication backend API that includes a resend OTP endpoint. The question is whether the API should check if the user is already verified before sending a new OTP. Specifically, if ...
0 votes, 0 answers, 33 views
End user authN / authZ in a B2B2C setup
I am hosting a SaaS application that exposes an API and does authN using an API Key (M2M).
An organization can subscribe to this SaaS and consume the API. The end user (customer) of the organization ...
1 vote, 1 answer, 68 views
Authenticate web application generated data
I am currently developing a web application where I need to ensure that retrieved data (stored in database) have been generated by one or multiple (in the case of clustered applications) application. ...
2 votes, 1 answer, 89 views
Is local password recovery for each device a viable security approach?
I'm developing a multi-platform application using Flutter, which involves sensitive user data and requires both online and offline accessibility. To enhance security and usability, I am considering ...
3 votes, 1 answer, 224 views
CORS credentials option set to true
To allow cookies to be sent to my ExpressJS server, credentials: true has to be set in my CORS config.
What potential security risks/ vulnerabilities could arise from this configuration?
If possible, ...
9 votes, 4 answers, 3k views
How to receive large files guaranteeing authenticity, integrity and sending time
I need to receive some important documents from another person. It may be important to be able to prove (in justice) which files exactly I received from that person at a specific moment.
My first ...
2 votes, 2 answers, 83 views
Is Kerberos Constrained Delegation (KCD) deprecated?
Referred to the official Microsoft documentation on KCD, where they are using the terms KCD & Resource Based Constrained Delegation (RBCD) almost interchangeably, which got me confused. They have ...
1 vote, 0 answers, 128 views
Where to store Refresh Token in custom Authentication
I am currently trying to build an authentication flow where the front end lives on one domain, say X.com and the backend lives on Y.com. I have implemented a refresh/access token system where when a ...
1 vote, 1 answer, 91 views
Is an electronic signature a proper/sufficient means for identification/authentication?
We have received an electronically signed GDPR data request from a person who has only provided his name and surname. We wanted to be sure that this person is who he claims he is, so we have asked to ...
1 vote, 0 answers, 41 views
Leveraging MS SSO for teams tab secure?
I have an app I want to embed as a tab in MS Teams. Users may already have an account outside of Teams, and I typically use a magic login link to log users in. I want to know if I can leverage Teams ...
0 votes, 0 answers, 43 views
Is MS number-matching MFA still amenable to bypass in this scenario?
On August 2, 2023, the Microsoft security blog presented this scenario, in which the protection normally afforded by number-matching MFA on MS Authenticator can be thwarted:
In this activity, ...
2 votes, 1 answer, 1k views
Offline, multi-machine, 2-factor authentication information vault?
I think this should be the right SE, apologies otherwise
I have been researching ways to be more careful with how I handle important documents and credentials, but everything I found sounded ...
1 vote, 0 answers, 77 views
How to apply authentication/authorization on CLI tools
I am doing a security audit on a command line tool. The tool is Java based and it runs on the server side; it collects some info and generates a report at the end of the run.
This tool can run ...
1 vote, 0 answers, 68 views
How to verify the authentication tag during chunked AES-GCM-128 decryption
Because we are dealing with large encrypted files, we can't afford to keep the entire file in memory during the decryption process.
I've implemented the algorithm of chunked decryption of AES-GCM ...
2 votes, 0 answers, 96 views
Authenticating via device
I want to authenticate users based on their devices. Basically, when a user deletes my app, I want to make sure that their local storage is independent of who they are, so that they do not evade a ban ...
1 vote, 1 answer, 137 views
How effective is re-entering your password to enable high-risk functions on your account when autofill is always available?
Websites ask for passwords to ensure you are the account owner before you make changes to high-risk settings, but autofill works all the time, even when the browser is in Incognito mode.
If someone ...
1 vote, 0 answers, 87 views
Mutual Authentication after ECDH Exchange with pre-shared secrets
I'm currently building a protocol in which two parties establish a connection via ECDH key establishment. The shared secret after ECDH is used to derive keys (with HKDF) for symmetric encryption.
...
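The standard way to turn "we both ran ECDH" into "we both hold the pre-shared secret" is key confirmation: mix the PSK into the HKDF input along with the ECDH output, bind the transcript (both public keys) into the derivation, and have each side send an HMAC under a dedicated confirmation key that the other side checks before any data is encrypted. The following is an added example, not the asker's protocol; it implements HKDF-SHA256 per RFC 5869 and stands in a random byte string for the raw ECDH output, since the EC arithmetic is not the point here.

```python
import hashlib
import hmac
import os


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869: HKDF-Extract(salt, ikm) followed by HKDF-Expand(prk, info)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Party:
    """One endpoint after ECDH: derives keys and produces/checks confirmation tags.

    `ecdh_secret` stands in for the raw ECDH output (assumption; both honest
    parties hold the same value). `transcript` is what both saw on the wire,
    i.e. both ephemeral public keys; binding it into the derivation means an
    attacker who substitutes public keys ends up with different keys and
    fails confirmation.
    """

    def __init__(self, name, psk, ecdh_secret, transcript):
        # Concatenating the PSK into the IKM means a peer who completed ECDH
        # but lacks the PSK derives different keys (same idea as TLS 1.3's
        # PSK + (EC)DHE schedule).
        ikm = ecdh_secret + psk
        self.name = name
        self.enc_key = hkdf_sha256(ikm, transcript, b"encryption")
        self._confirm_key = hkdf_sha256(ikm, transcript, b"confirmation")

    def confirmation_tag(self):
        # The sender's name in the MAC input stops a reflected tag from passing.
        return hmac.new(self._confirm_key, b"confirm:" + self.name, hashlib.sha256).digest()

    def check_peer(self, peer_name, tag):
        expected = hmac.new(self._confirm_key, b"confirm:" + peer_name, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def mutual_authentication(a, b):
    """Both sides exchange tags; True only if both derived identical keys."""
    return (a.check_peer(b.name, b.confirmation_tag())
            and b.check_peer(a.name, a.confirmation_tag()))
```

Keeping the confirmation key separate from the encryption key matters: the tags are sent in the clear, and deriving them from the same key that later encrypts traffic would hand an observer a known MAC under that key.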
0 votes, 1 answer, 205 views
Using mTLS for API access control and authentication
My question is about using mTLS for API access control and authentication.
I understand in mTLS, both the server and client (making the API request) will verify each other's identity. This allows the ...