Questions tagged [authentication]
the process of establishing the authenticity of a person or other entity. Not to be confused with authorization - defining access rights to resources.
4,546 questions
1 vote · 1 answer · 39 views
Is local password recovery for each device a viable security approach?
I'm developing a multi-platform application using Flutter, which involves sensitive user data and requires both online and offline accessibility. To enhance security and usability, I am considering ...
2 votes · 1 answer · 178 views
CORS credentials option set to true
To allow cookies to be sent to my ExpressJS server, credentials: true has to be set in my CORS config.
What potential security risks/ vulnerabilities could arise from this configuration?
If possible, ...
8 votes · 4 answers · 3k views
How to receive large files guaranteeing authenticity, integrity and sending time
I need to receive some important documents from another person. It may be important to be able to prove (in justice) which files exactly I received from that person at a specific moment.
My first ...
2 votes · 2 answers · 37 views
Is Kerberos Constrained Delegation (KCD) deprecated?
I referred to the official Microsoft documentation on KCD, where they use the terms KCD & Resource Based Constrained Delegation (RBCD) almost interchangeably, which got me confused. They have ...
1 vote · 0 answers · 43 views
Where to store Refresh Token in custom Authentication
I am currently trying to build an authentication flow where the front end lives on one domain, say X.com and the backend lives on Y.com. I have implemented a refresh/access token system where when a ...
1 vote · 1 answer · 67 views
Is an electronic signature a proper/sufficient means for identification/authentication?
We have received an electronically signed GDPR data request from a person who has only provided his name and surname. We wanted to be sure that this person is who he claims he is, so we have asked to ...
1 vote · 0 answers · 28 views
Leveraging MS SSO for teams tab secure?
I have an app I want to embed as a tab in MS Teams. Users may already have an account outside of Teams, and I typically use a magic login link to log users in. I want to know if I can leverage Teams ...
0 votes · 0 answers · 30 views
Is MS number-matching MFA still amenable to bypass in this scenario?
On August 2, 2023, the Microsoft security blog presented this scenario, in which the protection normally afforded by number-matching MFA on MS Authenticator can be thwarted:
In this activity, ...
2 votes · 1 answer · 1k views
Offline, multi-machine, 2-factor authentication information vault?
I think this should be the right SE, apologies otherwise
I have been researching ways to be more careful with how I handle important documents and credentials, but everything I found sounded ...
1 vote · 0 answers · 51 views
How to apply authentication/authorization on CLI tools
I am doing a security audit on a command line tool. The tool is Java based and runs on the server side; it collects some info and generates a report at the end of the run.
This tool can run ...
1 vote · 0 answers · 54 views
How to verify the authentication tag during chunked AES-GCM-128 decryption
Because we are dealing with large encrypted files, we can't afford to keep the entire file in memory during the decryption process.
I've implemented the algorithm for chunked decryption of AES GCM ...
1 vote · 0 answers · 39 views
Authenticating via device
I want to authenticate users based on their devices. Basically, when a user deletes my app, I want to make sure that their local storage is independent of who they are, so that they do not evade a ban ...
1 vote · 1 answer · 115 views
How effective is re-entering your password to enable high-risk functions on your account when autofill is always available?
Websites ask for passwords to ensure you are the account owner before you make changes to high-risk settings, but autofill works all the time, even when the browser is in Incognito mode.
If someone ...
1 vote · 0 answers · 40 views
Mutual Authentication after ECDH Exchange with pre-shared secrets
I'm currently building a protocol in which two parties establish a connection via ECDH key establishment. The shared secret after ECDH is used to derive keys (with HKDF) for symmetric encryption.
...
0 votes · 1 answer · 49 views
Using mTLS for API access control and authentication
My question is about using mTLS for API access control and authentication.
I understand in mTLS, both the server and client (making the API request) will verify each other's identity. This allows the ...