Questions tagged [account-security]
Security controls and features related to an end user's account with a web/mobile based application or an operating system.
773 questions
1 vote, 0 answers, 43 views
Where to store Refresh Token in custom Authentication
I am currently trying to build an authentication flow where the front end lives on one domain, say X.com and the backend lives on Y.com. I have implemented a refresh/access token system where when a ...
1 vote, 0 answers, 111 views
Bypass Microsoft Account 2FA
The Microsoft account can have multiple ways to prove who you are for 2FA (two-factor authentication).
When you forget your 2FA security info you can initiate the account recovery process by clicking &...
1 vote, 0 answers, 51 views
how to apply authentication/authorization on CLI tools
I am doing a security audit on a command line tool. The tool is Java based and it runs on the server side; it collects some info and generates a report at the end of the run.
This tool can run ...
1 vote, 0 answers, 21 views
In WHM/cPanel > Exim Config, how to prevent SendGrid API key from being breached?
Running a WHM/cPanel system on CentOS v7.9.2009 (STANDARD kvm) and cPanel Version 110.0.34.
We use WHM Exim Config with SendGrid for email forwarding.
In the last 3 months, our SendGrid account has ...
1 vote, 1 answer, 115 views
How effective is re-entering your password to enable high-risk functions on your account when autofill is always available?
Websites ask for passwords to ensure you are the account owner before you make changes to high-risk settings, but autofill works all the time, even when the browser is in Incognito mode.
If someone ...
1 vote, 1 answer, 65 views
Specific rate limit for changing security information
A few months ago, a popular YouTuber had his account hacked by a virus on his computer. Then, all of his security information was changed in under a minute. I remembered Google sent over 30 emails ...
1 vote, 1 answer, 113 views
Refresh tokens for impersonating user credentials: how to implement them?
The web app I'm developing makes use of the concepts of "access token" and "refresh token", even though it uses its own auth scheme.
In certain situations, the web app needs to get ...
7 votes, 4 answers, 4k views
Should order numbers be guessable?
We wrote an e-commerce system where we were asked to generate orders based on a format provided to us.
The format was extremely simple: today's date with the total number of orders in the database +...
22 votes, 3 answers, 5k views
Is there a problem with having a combined login/register screen?
I am designing a new login/register process for a system and want to combine the 2 initial pages for register and login.
This would be one page where the user would enter their email and press '...
0 votes, 1 answer, 68 views
Best Practices for how to implement in-app user account switching
I am a developer responsible for a mobile app and a couple of SPA web apps. Our customers are organizations ("tenants") with multiple users. Our authentication is built on OAuth2 (OpenID ...
4 votes, 2 answers, 3k views
If my old device is infected, can my new device get viruses from my social media accounts?
Is it okay to log in to my social media accounts (Facebook, Instagram, etc.) from my old phone, which I believe is infected with viruses, on my new phone? Can a virus transfer because of that?
2 votes, 0 answers, 247 views
I linked an account with Plaid. If I change my username and password, will that mostly protect me in the event of a breach?
This is very similar to this question from 5 years ago, but I didn't see a clear answer: Is Plaid safe if I change the password after deposit?
I've linked an account with Plaid. That account is 2FA ...
0 votes, 0 answers, 48 views
How to add accounts management to a legacy blackbox application?
I have a legacy non-commercial (in-house) application that is distributed over several workstations on a private VLAN. I have to make it conform to some cybersecurity standards, but can barely modify ...
3 votes, 1 answer, 96 views
Account recovery protocol when email is breached, or inaccessible?
I am creating a web application for individual accounts. The email address is also used as the user name. 2FA is set up for the user to optionally use. I've been trying to wrap my head around preparing ...
0 votes, 1 answer, 108 views
Is it possible to hide the recognized devices in “WHERE YOU’RE LOGGED IN” section on facebook? [closed]
I am logged in to my husband’s facebook account. Is it possible that I can hide my device on his phone so that he won’t notice that I am logged in there? In the “Where you’re logged in” section, there ...