Questions tagged [authentication]
the process of establishing the authenticity of a person or other entity. Not to be confused with authorization - defining access rights to resources.
4,595 questions
0 votes, 0 answers, 9 views
LinkedIn website automatically gets my email address in Edge without consent, can all websites I browse silently get my email? [migrated]
I'm using the Edge 135 browser on Windows 10. I am currently logged in to my Gmail account, but not logged in to LinkedIn. When browsing to https://www.linkedin.com (I never logged in on this website since I ...
0 votes, 0 answers, 17 views
For AES-GCM, why do protocols not use the nonce to prevent replay attacks? [migrated]
For protocols using AES-GCM, it appears to be common practice to store the sequence number in the additional authenticated data (AES_GCM and TLS sequence number). I have not found any instances of ...
-3 votes, 0 answers, 91 views
How to know whether a plate number is being faked or not? [closed]
I’m not sure whether this question fits better under AI, Cryptography, or Security. I’ll place it under Security for now, since AI Security has become a new and growing domain. I have developed an ...
0 votes, 0 answers, 27 views
Alternatives to the device code flow for headless sign-in in Azure CLI?
With the ongoing phishing campaign Storm-2372 targeting the device code flow for authentication, we would like to disable this flow for our users. However, the device code flow is essential for many ...
1 vote, 1 answer, 43 views
Using OPAQUE without envelope checksums
I've been considering switching from SRP to OPAQUE, because I like the idea that verifiers (which can be subject to dictionary attacks) are never communicated over the protocol, even during ...
0 votes, 0 answers, 34 views
Most secure method for a Git workflow to reach another private GitHub repo
I am working on multiple GitHub workflows and these workflows need to reach other private repos within my organizations (these workflows might need to read and clone these repos or activate other ...
3 votes, 1 answer, 3k views
Are there any security concerns with this authentication flow?
I’m in the process of developing a native app and am currently trying to come up with a workflow to secure the communication between my app and the server. I’ve done a lot of research and have not ...
0 votes, 1 answer, 41 views
Why hide the access token from the User Agent? (OAuth Authorization Code Grant)
My understanding is that the OAuth Authorization Code Flow is used to avoid exposing the access token from the User Agent. But why? I was reading this article (Common OAuth Vulnerabilities) by ...
0 votes, 1 answer, 51 views
When not to use Authorization Code Grant?
Why would an OAuth implementation choose to use the Authorization Code Grant -- when it means that the access tokens are leaked to a third party? I've been using API keys for a package on my server to ...
0 votes, 0 answers, 71 views
How to assess poor OAuth security implementations?
What questions should I ask to determine if a given OAuth implementation is secure? I've been using a WordPress plugin for payments that authenticates with the payment gateway with an API key. I like ...
4 votes, 2 answers, 451 views
Is IP/location generally used as a strong signal that an account was stolen? [closed]
I recently started using a VPN. I was surprised to discover that, on a couple of sites that I use regularly as an authenticated user, my account was blocked. The reason given was something like "...
0 votes, 1 answer, 72 views
How is RabbitMQ's certificate authentication secure if it uses PKI?
According to the RabbitMQ documentation, any certificate issued by a CA that is in RabbitMQ's certification bundle will be trusted. Therefore, how can this type of authentication be secure if a CA — e....
1 vote, 1 answer, 96 views
Passwordless authentication with email OTP
I want to implement a passwordless authentication flow with a code sent by email but I can't find a clear best practice on how to securely implement it on the server side. On the client side, the flow ...
0 votes, 0 answers, 28 views
Client-initiated single logout
I have implemented a Single-Sign-On infrastructure where I own both the OIDC provider and the clients (RPs). My question is about the single-logout mechanism. At the moment, when a user requests a ...
0 votes, 2 answers, 94 views
Hashed email addresses in database and plain text emails in JWT
I was just wondering what the downsides of the following approach would be: The email address I store is hashed (with a pepper that is db wide). This should (in my theory) better protect users in case ...