OpenID Connect
OpenID Connect (OIDC) is an authentication protocol built on top of the OAuth 2.0 framework. It allows clients to verify the identity of end-users based on the authentication perfo(...)
> #Google informed me that I already had a #passkey on my device. If that's the case, why didn't it work when I attempted to log into my Google account on the tablet? When I was logging into the tablet, Google should have been aware I had #passkeys on my Pixel 9 Pro and request #authentication with either a fingerprint or face scan. It didn't. No passkey was recognized… even though it's there.
> It's a recursive nightmare from which I can't seem to escape.
How to Setup SSH Login with Public Key #Authentication (4 Step Quick-Start Guide)
This article describes how to setup SSH login with public key authentication across your servers and clients for secure access.
If you're using SSH to connect to remote servers, public key authentication is a security best practice. Unlike password-based logins, key-based authentication is not vulnerable to brute-force attacks.
Using a key to ...
Continued https://blog.radwebhosting.com/how-to-setup-ssh-login-with-public-key-authentication/?utm_source=mastodon&utm_medium=social&utm_campaign=mastodon.social #sshcommands #publickey
Implementing JWT authentication in ASP.NET Core: a step-by-step guide. Build a secure API with JWT, covering token generation, validation and endpoint protection. #JWT #ASPNetCore #authentication #xacthuc #laptrinh
This dialog always confuses me. I have to read the small print to really understand what it wants.
The NHNN (State Bank of Vietnam) affirms that there is NO policy to "wipe out" bank accounts that have not completed biometric authentication. Banks are reviewing and cleaning up customer data to ensure the information is accurate and to prevent risk.
#nganhang #nhnn #xacthuc #taikhoannganhang #banking #sbv #authentication #bankaccount
Plans, Policies, and Procedures: Identification and Authentication
Defines how an organization establishes and verifies a user's identity for access to systems and resources.
https://blackcatwhitehatsecurity.com
#Plans #Policies #Procedures #Identification #Authentication #technology
#linux #debian #package #authentication
HOW CAN I AUTHENTICATE THESE PACKAGES?
I downloaded two packages through the browser.
I looked for the packages' maintainer in this database but got 0 results: https://db.debian.org/
I understand his name is Gao Xiang: https://qa.debian.org/developer.php?login=xiang%40kernel.org
I associated him with the packages because I found erofs-utils on this page: https://tracker.debian.org/pkg/erofs-utils
I expect packages to be signed, and a public signature to be available through this authoritative source.
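Debian's archive does not carry a signature on each .deb; apt verifies an OpenPGP-signed Release/InRelease file for the suite, that file lists the SHA256 sums of the Packages indexes, and each index lists the SHA256 sum and size of every .deb. A file fetched with a browser can be checked against that chain by hand. The script below is an added example, not code from the poster or from Debian: it checks the two hash links over constructed stand-in data (the package bytes, version string and index contents are all invented), and leaves the signature link to gpgv.

```python
"""Added example: verify a downloaded .deb through the Debian archive hash chain.

The first link, the OpenPGP signature on InRelease, is checked out of band:
    gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg InRelease
This script checks the remaining two links: Release -> Packages -> .deb.
"""
import hashlib

# Constructed stand-in for the downloaded package (assumption: not real .deb bytes).
DEB_BYTES = b"!<arch>\ndebian-binary/ constructed stand-in for erofs-utils\n"
DEB_PATH = "pool/main/e/erofs-utils/erofs-utils_0.0-0~demo_amd64.deb"

# Constructed Packages index in Debian's control-file layout (blank-line-separated stanzas).
PACKAGES_BYTES = (
    "Package: erofs-utils\n"
    "Version: 0.0-0~demo\n"
    "Architecture: amd64\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
    "\n"
    "Package: other-tool\n"
    "Version: 0.0-0~demo\n"
    "Architecture: amd64\n"
    "Filename: pool/main/o/other-tool/other-tool_0.0-0~demo_amd64.deb\n"
    "Size: 1\n"
    f"SHA256: {'0' * 64}\n"
).encode()
PACKAGES_PATH = "main/binary-amd64/Packages"

# Constructed Release file; in the real archive this text is what the archive key signs.
RELEASE_TEXT = (
    "Origin: Demo\n"
    "Suite: demo\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} {PACKAGES_PATH}\n"
)


def parse_release_sha256(release_text):
    """Return {path: (sha256, size)} from the 'SHA256:' section of a Release file."""
    sums, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith(" ") and in_section:
            digest, size, path = line.split()
            sums[path] = (digest, int(size))
        else:
            in_section = line.rstrip() == "SHA256:"
    return sums


def parse_packages(packages_bytes):
    """Return {Filename: fields} for every stanza of a Packages index."""
    entries = {}
    for stanza in packages_bytes.decode().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Filename" in fields:
            entries[fields["Filename"]] = fields
    return entries


def verify_chain(release_text, packages_bytes, packages_path, deb_bytes, deb_path):
    """Return (ok, reason). Size and SHA256 must match at both links of the chain."""
    sums = parse_release_sha256(release_text)
    if packages_path not in sums:
        return False, "Packages index not listed in Release"
    want_digest, want_size = sums[packages_path]
    if len(packages_bytes) != want_size or hashlib.sha256(packages_bytes).hexdigest() != want_digest:
        return False, "Packages index does not match Release"
    entry = parse_packages(packages_bytes).get(deb_path)
    if entry is None:
        return False, "package not in index"
    if len(deb_bytes) != int(entry["Size"]) or hashlib.sha256(deb_bytes).hexdigest() != entry["SHA256"]:
        return False, ".deb does not match index"
    return True, f"{entry['Package']} {entry['Version']} verified"


if __name__ == "__main__":
    print(verify_chain(RELEASE_TEXT, PACKAGES_BYTES, PACKAGES_PATH, DEB_BYTES, DEB_PATH))
    print(verify_chain(RELEASE_TEXT, PACKAGES_BYTES, PACKAGES_PATH, DEB_BYTES + b"x", DEB_PATH))
```

In practice the same chain is walked for you when the file comes through apt: `apt-get download erofs-utils` fetches the .deb named in the already-verified index, so a browser download is only worth keeping if its SHA256 matches the `Packages` entry for that exact Filename.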
JWTs Are Not Session Tokens, Stop Using Them Like One, by (not on Mastodon or Bluesky):
Another approach would be if Alice could generate multiple Passkeys and hand them out to individuals she trusts, and then retain the ability to revoke them. Sadly many sites don't yet support Passkeys, and this model still lets someone like Mal revoke Alice's access, so that's not great.
Bitwarden has a feature whereby Alice can share a password with Eve but not let her see it or export it. This could work pretty well, except if the site requires 2FA from an SMS text message (vs TOTP or a token) or if Eve has the know-how to intercept the password.
I still think that what we ultimately want is attenuated scopes because then we can track all actions by the delegated party.
I do wonder if this need is niche or if the current solution of "good faith password sharing" works well enough often enough that it's not risen to the level of concern for developers.
2/2
I've been thinking about delegated authority on websites lately.
It would be convenient if I could delegate certain functions to people, for example allowing someone like my accountant to have access to some of my financial records.
Some organizations make this easy, allowing me to have multiple accounts.
Other services don't offer this, nor do they offer any kind of OAuth type of delegated authorization or capabilities model.
I've been thinking about ways around this.
One very wacky way would be if Alice could have a "special browser" that would tie into some service she runs. Bob would log in with his credentials and then behind the scenes the application logs in as Alice.
This would be very complicated to implement though.
1/
The UX of 2FA could be improved considerably, and security along with it, by using a circles-of-trust model.
Take the example of a code forge, hosting the canonical version of some crucial piece of kit like the Linux kernel, OpenSSL, or GnuPG. You would want a maintainer to be 100% authenticated before they can commit changes to these repositories. Basic security culture.
But ...
(1/2)
Critical #CitrixBleed 2 #vulnerability has been under active #exploit for weeks
A critical vulnerability allowing #hackers to bypass #multifactor #authentication in network management devices made by #Citrix has been actively #exploited for more than a month, researchers said. The finding is at odds with advisories from the vendor saying there is no evidence of in-the-wild #exploitation.
#security #privacy
#email #authentication #spf #specimen #spoof
As I try to find a job, I got email from apparent recruiter and I feel something is odd. So I want to authenticate the email.
The address is like no-reply@example.com
Headers show it was received from
smtp.email.us-phoenix.ocs.oraclecloud.com
With IP address: 192.184.11.189
From what I read in the RFC, I think the A, MX, and SPF records are not a match, but I'm no pro or expert. I value input. The records are in the PNG below.
I'M TROUBLED BY THE FOLLOWING:
The email was sent using oraclecloud servers, and when I checked the SPF records using the MXTOOLBOX.COM
I see what I think would be other authorized domains
v=spf1 exists:%{i}._i.%{d}._d.espf.agari-dns.net include:%{d}.ff.spf-protect.agari-dns.net include:_spf.salesforce.com include:spf.somedomain.com include:spf-d.somedomain.com include:spf-c.somedomain.com include:spf.protection.outlook.com -all
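SPF is evaluated against the envelope sender (the Return-Path / MAIL FROM domain, or the HELO name), not against the From: header, and the verdict is a walk over the record's mechanisms in order: ip4/ip6, a and mx compare addresses, include recurses into another domain's record, exists resolves a macro-expanded name (in the record above, %{i} becomes the connecting IP and %{d} the domain), and the trailing -all fails anything that did not match earlier. The following is an added example, not code from the poster: a small evaluator for exactly those mechanism types, run against a constructed DNS table (every name and address in it is invented, and nothing here resolves the real record or the real IP above).

```python
"""Added example: a minimal SPF (RFC 7208) evaluator over a constructed DNS table.

Handles ip4/ip6, a, mx, include, exists, all, and the %{s} %{l} %{o} %{d} %{i}
macros (with digit and 'r' transformers). Not handled: redirect=, exp=, ptr,
CIDR suffixes on a/mx, the 10-lookup limit, and temperror.
"""
import ipaddress
import re

# Constructed DNS data (assumption: none of these names or addresses are real).
DNS = {
    "TXT": {
        "example.com": (
            "v=spf1 exists:%{i}._i.%{d}._d.espf.dns-verifier.example "
            "include:_spf.mailprovider.example ip4:192.0.2.0/24 -all"
        ),
        "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
        "mx.example": "v=spf1 mx -all",
    },
    "A": {
        # exists: matches when the macro-expanded name has *any* A record.
        "203.0.113.9._i.example.com._d.espf.dns-verifier.example": ["127.0.0.2"],
        "mail.example.com": ["192.0.2.25"],
    },
    "MX": {"mx.example": ["mail.example.com"]},
}

MACRO = re.compile(r"%(?:\{([slodiphv])(\d*)(r?)\}|(%)|(_)|(-))")


def expand_macros(text, ip, domain, sender):
    """Expand SPF macros (RFC 7208 section 7) into a DNS name to look up."""
    local, _, sender_domain = sender.partition("@")
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain,
              "i": ip, "h": domain, "v": "in-addr"}

    def sub(m):
        letter, digits, rev, pct, underscore, dash = m.groups()
        if pct:
            return "%"
        if underscore:
            return " "
        if dash:
            return "%20"
        labels = values[letter].split(".")
        if rev:
            labels = labels[::-1]
        if digits:
            labels = labels[-int(digits):]
        return ".".join(labels)

    return MACRO.sub(sub, text)


QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, sender, dns=DNS, depth=0):
    """SPF result ('pass', 'fail', 'softfail', 'neutral', 'none', 'permerror')."""
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = dns["TXT"].get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in dns["A"].get(arg or domain, [])
        elif mech == "mx":
            hosts = dns["MX"].get(arg or domain, [])
            matched = any(ip in dns["A"].get(h, []) for h in hosts)
        elif mech == "include":
            inner = check_host(ip, expand_macros(arg, ip, domain, sender), sender, dns, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"      # RFC 7208: include of a missing record is a permerror
            matched = inner == "pass"
        elif mech == "exists":
            matched = bool(dns["A"].get(expand_macros(arg, ip, domain, sender)))
        else:
            return "permerror"          # unknown mechanism or unsupported modifier
        if matched:
            return QUALIFIER[qual]
    return "neutral"                    # record ended without an 'all' term


if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.7", "192.0.2.25", "203.0.113.77"):
        print(ip, check_host(ip, "example.com", "no-reply@example.com"))
```

The practical check for a suspicious message is the Authentication-Results header that your own receiving mail server added (spf=pass/fail, plus dkim and dmarc), because it was computed against the envelope sender at delivery time; a pass for a mass-mail provider's shared servers only says the provider was authorised, not that the sender is who they claim to be.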
Spike in credential theft. Probably comes as no surprise to anyone. Use MFA!
https://www.infosecurity-magazine.com/news/hackers-target-employee-credentials/
@maaikees : the way we look is an important part of how we are (and want to be) recognized by others.
Over the years I became amazed about how the looks of peoples heads differ, and how enormously good people are at recognizing each other.
Changing how you look changes your identity - as others see it.
@relishthecracker : that's make-believe.
"Wow, asymmetric encryption, even quantum-computer-proof", "military-grade", etcetera.
Right after logging in using a passkey with an unbreakably protected private key, the website sends a session cookie (or similar) to the browser - which is NOT protected like private keys. If a website (like most of them) does not log you out if your IP address changes, such a cookie is nearly as bad as a password. And fully so if the cookie never expires.
Therefore:
Even if attackers cannot copy private keys: if the user device is sufficiently compromised (e.g. on Android, running an accessibility service), they can take over all of the user's accounts;
If the user's browser is compromised, attackers can copy session cookies and use them to obtain access to accounts the user logs in to;
An AitM (Attacker in the Middle) using a malicious website can copy/steal authentication cookies. Such AitM attacks are possible in at least the following cases:
• A malicious third party website manages to obtain a fraudulently issued certificate (examples: https://infosec.exchange/@ErikvanStraten/112914050216821746);
• An attacker obtains unauthorised write access to the website's DNS record;
• An attacker manages to obtain access to a server where a "dangling" (forgotten) subdomain name points to, *AND* the real authenticating server (RP) does not carefully check for allowed subdomains (see https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580);
The server is compromised or has a rogue admin: the attacker can add their passkey's public key to your account, or replace your public key with theirs (note that passkey pubkeys are not encapsulated by certificates issued by trusted issuers, stating who owns the public key).
Phishing using fake websites is probably the number one problem on the internet. *THE* major advantage of passkeys is that they make phishing attacks VERY HARD.
Indeed, if your device is sufficiently compromised, the risk of all of your passwords being stolen if you use a password manager is BIG.
However, as I wrote, if your device is sufficiently compromised, an attacker does not need access to your private keys in order to obtain access to your accounts.
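The post's point is that the session cookie, not the passkey, is what a stolen-cookie attacker holds, so its value is bounded by what the server does with it: how long it lives, whether it is tied to the client that obtained it, and whether the user can revoke it. The following is an added example, not the poster's code: a server-side session store that enforces an absolute lifetime, an idle timeout and a binding to the source IP (the check the post mentions), and the Set-Cookie attributes that keep the token off script and off plain HTTP. The lifetimes and the `__Host-session` cookie name are assumptions; the clock is injectable so expiry can be exercised without sleeping.

```python
"""Added example: a server-side session store that limits what a stolen cookie is worth.

The cookie carries only an opaque random token; the server keeps the state and
decides when the token stops working. Lifetimes below are assumptions.
"""
import hashlib
import secrets
import time

ABSOLUTE_TTL = 8 * 3600   # assumption: a session dies 8h after login no matter what
IDLE_TTL = 15 * 60        # assumption: and after 15 min without a request


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # sha256(token) -> record

    @staticmethod
    def _key(token):
        # Store only a hash of the token: a leaked store does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user, client_ip):
        """Issue a fresh token at login (never reuse a pre-login session id)."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = {
            "user": user, "ip": client_ip, "created": now, "last_seen": now,
        }
        return token

    def resolve(self, token, client_ip):
        """Return the user for a presented cookie, or None (and revoke) on any failed check."""
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["created"] > ABSOLUTE_TTL or now - rec["last_seen"] > IDLE_TTL:
            del self._sessions[key]      # expired: a stale stolen cookie is useless
            return None
        if rec["ip"] != client_ip:
            del self._sessions[key]      # replay from another network: log the user out
            return None
        rec["last_seen"] = now
        return rec["user"]

    def revoke_all(self, user):
        """Kill every session of a user, e.g. after a device compromise. Returns the count."""
        doomed = [k for k, r in self._sessions.items() if r["user"] == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def set_cookie_header(token):
    """Set-Cookie value: __Host- prefix forces Secure + Path=/ + no Domain, HttpOnly keeps
    it away from page scripts, SameSite=Lax blocks most cross-site sends, Max-Age bounds it."""
    return (f"__Host-session={token}; Path=/; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={ABSOLUTE_TTL}")


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", "198.51.100.7")
    print(set_cookie_header(tok))
    print(store.resolve(tok, "198.51.100.7"))   # alice
    print(store.resolve(tok, "203.0.113.9"))    # None, and the session is now gone
```

IP binding is a blunt instrument: mobile clients change address legitimately, and an attacker on the same NAT or the same corporate egress shares the victim's IP, so it reduces rather than removes the replay window. The expiry and revocation parts hold regardless, and are what make a cookie less than "fully as bad as a password".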