Med-Mastodon

BillSome research on how password recovery has to mature in the face of passwordless authentication. Hmm, wonder if the OWASP team on that gas plans.<a href="https://www.darkreading.com/endpoint-security/researchers-warn-hidden-risks-passwordless-account-recovery" rel="nofollow noopener" translate="no" target="_blank">https://www.darkreading.com/endpoint-security/researchers-warn-hidden-risks-passwordless-account-recovery</a><a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#authentication</a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#vulnerability</a>

Paralhax 👾‘David logged in using a facial scan, then, with a couple of lines of code, Osswald was able to insert a Hello facial scan he made on another machine into the database and unlock David's machine instantly.’ :blobcat_thisisfine: <a href="https://www.theregister.com/2025/08/07/windows_hello_hell_no/" rel="nofollow noopener" translate="no" target="_blank">https://www.theregister.com/2025/08/07/windows_hello_hell_no/</a><a href="https://infosec.exchange/tags/BlackHat" class="mention hashtag" rel="nofollow noopener" target="_blank">#BlackHat</a> <a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#authentication</a> <a href="https://infosec.exchange/tags/biometrics" class="mention hashtag" rel="nofollow noopener" target="_blank">#biometrics</a> <a href="https://infosec.exchange/tags/microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#microsoft</a> <a href="https://infosec.exchange/tags/ITSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#ITSec</a> <a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSecurity</a> <a href="https://infosec.exchange/tags/BlackHat2025" class="mention hashtag" rel="nofollow noopener" target="_blank">#BlackHat2025</a>

knoppixProton launches Proton Authenticator, a new open-source, end-to-end encrypted 2FA app 🛡️ Available on iOS, Android, Windows, macOS & Linux 📱💻🔐 Securely store and sync your 2FA codes—no tracking, no ads, offline-friendly 🔁 Easy import from Google & Microsoft Authenticator 🔓 No Proton account required<a href="https://mastodon.social/@protonprivacy" class="u-url mention" rel="nofollow noopener" target="_blank">@protonprivacy</a> <a href="https://mastodon.social/@itsfoss" class="u-url mention" rel="nofollow noopener" target="_blank">@itsfoss</a> <a href="https://news.itsfoss.com/proton-authenticator-launch/" rel="nofollow noopener" translate="no" target="_blank">https://news.itsfoss.com/proton-authenticator-launch/</a><a href="https://mastodon.social/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSecurity</a> <a href="https://mastodon.social/tags/Privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#Privacy</a> <a href="https://mastodon.social/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> <a href="https://mastodon.social/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#OpenSource</a> <a href="https://mastodon.social/tags/Proton" class="mention hashtag" rel="nofollow noopener" target="_blank">#Proton</a> <a href="https://mastodon.social/tags/Infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#Infosec</a> <a href="https://mastodon.social/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authentication</a> <a href="https://mastodon.social/tags/DataProtection" class="mention hashtag" rel="nofollow noopener" target="_blank">#DataProtection</a> <a href="https://mastodon.social/tags/FOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#FOSS</a> <a href="https://mastodon.social/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#Security</a> <a href="https://mastodon.social/tags/TechNews" class="mention hashtag" rel="nofollow noopener" target="_blank">#TechNews</a> <a href="https://mastodon.social/tags/Freedom" class="mention hashtag" rel="nofollow noopener" target="_blank">#Freedom</a> <a href="https://mastodon.social/tags/Tech" class="mention hashtag" rel="nofollow noopener" target="_blank">#Tech</a> <a href="https://mastodon.social/tags/Technology" class="mention hashtag" rel="nofollow noopener" target="_blank">#Technology</a>

Erik van Straten<a href="https://kolektiva.social/@LukefromDC" class="u-url mention" rel="nofollow noopener" target="_blank">@LukefromDC</a> wrote: > "Some people (myself included) will never reveal a real birthday online and will respond to a request for a birthday with a fake, will check an "I am over 18" box or button, but will close the tab for anything more."Sure, but the European Commission wants civillians to start using EUDIW (EUropean Digital Identity Wallet, aka EDIW) soon. If a website demands authentication using such an app, cheating will not be easy. You'll have two choices: abort or do what's being asked.Website owners mostly, if not always, demand more PII than strictly necessary. Lying will become a lot harder when using EDIW than filling in forms.> "I have NoScript (on the desktop) and Privacy Browser(on phones) set up to block 3ed party code unless explicitly enabled every time."I too use NoScript as much as possible. However, IMO it does not solve any risks associated with mandatory authentication.> "Any unique age verification token is a tracker by definition BTW."That is not necessarily true, at least according to the app's specification. There are all kinds of (possibly unexpected) tricks using (asymmetric) cryptography that can be played.All of which does not mean that I'm a fan, on the contrary. Reliable authentication (including partial, such as proving being e.g. 18+), online in particular, is HARD.It gets even harder if neither the verifier, nor the person being (partially) authenticated, benefits.And the more privacy-friendly the less reliable it becomes - and the harder it gets to detect fraud.<a href="https://sigmoid.social/@drgroftehauge" class="u-url mention" rel="nofollow noopener" target="_blank">@drgroftehauge</a> <a href="https://manganiello.social/users/fabio" class="u-url mention" rel="nofollow noopener" target="_blank">@fabio</a> <a href="https://chaos.social/@SylvieLorxu" class="u-url mention" rel="nofollow noopener" target="_blank">@SylvieLorxu</a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authentication</a> <a href="https://infosec.exchange/tags/AgeVerification" class="mention hashtag" rel="nofollow noopener" target="_blank">#AgeVerification</a> <a href="https://infosec.exchange/tags/Fraud" class="mention hashtag" rel="nofollow noopener" target="_blank">#Fraud</a> <a href="https://infosec.exchange/tags/IdentityFraud" class="mention hashtag" rel="nofollow noopener" target="_blank">#IdentityFraud</a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#Impersonation</a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener" target="_blank">#eID</a> <a href="https://infosec.exchange/tags/OnlineAuthentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#OnlineAuthentication</a> <a href="https://infosec.exchange/tags/RemoteAuthentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#RemoteAuthentication</a>

Pyrzout :vm:Fighting AI with AI: How Darwinium is reshaping fraud defense <a href="https://www.helpnetsecurity.com/2025/07/29/alisdair-faulkner-darwinium-ai-powered-fraud-defense-tools/" rel="nofollow noopener" translate="no" target="_blank">https://www.helpnetsecurity.com/2025/07/29/alisdair-faulkner-darwinium-ai-powered-fraud-defense-tools/</a> <a href="https://social.skynetcloud.site/tags/Artificialintelligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#Artificialintelligence</a> <a href="https://social.skynetcloud.site/tags/BlackHatUSA2025" class="mention hashtag" rel="nofollow noopener" target="_blank">#BlackHatUSA2025</a> <a href="https://social.skynetcloud.site/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#authentication</a> <a href="https://social.skynetcloud.site/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://social.skynetcloud.site/tags/automation" class="mention hashtag" rel="nofollow noopener" target="_blank">#automation</a> <a href="https://social.skynetcloud.site/tags/enterprise" class="mention hashtag" rel="nofollow noopener" target="_blank">#enterprise</a> <a href="https://social.skynetcloud.site/tags/Don" class="mention hashtag" rel="nofollow noopener" target="_blank">#Don</a>'tmiss <a href="https://social.skynetcloud.site/tags/Darwinium" class="mention hashtag" rel="nofollow noopener" target="_blank">#Darwinium</a> <a href="https://social.skynetcloud.site/tags/Features" class="mention hashtag" rel="nofollow noopener" target="_blank">#Features</a> <a href="https://social.skynetcloud.site/tags/Hotstuff" class="mention hashtag" rel="nofollow noopener" target="_blank">#Hotstuff</a> <a href="https://social.skynetcloud.site/tags/strategy" class="mention hashtag" rel="nofollow noopener" target="_blank">#strategy</a> <a href="https://social.skynetcloud.site/tags/opinion" class="mention hashtag" rel="nofollow noopener" target="_blank">#opinion</a> <a href="https://social.skynetcloud.site/tags/fraud" class="mention hashtag" rel="nofollow noopener" target="_blank">#fraud</a> <a href="https://social.skynetcloud.site/tags/News" class="mention hashtag" rel="nofollow noopener" target="_blank">#News</a> <a href="https://social.skynetcloud.site/tags/CISO" class="mention hashtag" rel="nofollow noopener" target="_blank">#CISO</a> <a href="https://social.skynetcloud.site/tags/LLMs" class="mention hashtag" rel="nofollow noopener" target="_blank">#LLMs</a> <a href="https://social.skynetcloud.site/tags/tips" class="mention hashtag" rel="nofollow noopener" target="_blank">#tips</a>

Erik van Straten<a href="https://kolektiva.social/@LukefromDC" class="u-url mention" rel="nofollow noopener" target="_blank">@LukefromDC</a> : it won't be that bad (it will be bad, but in a different way).ANY website may ask a user to confirm they are 18+ (or whatever age).There will be a huge amount of AitM (Attacker in the Middle) websites where naive people will be lured to (using fake emails, SMS, chat app messages or falsified QR-codes) and asked to confirm their age.That AitM website will subsequently obtain a "ticket" (session cookie) from a real "relying party" website (with a potentially very different type of content than the victim is told).Those "tickets" will be sold (or traded for watching ads and/or paying with privacy).Reliable authentication requires a trustworthy identity verifier (even if identification is restricted to age+).<a href="https://sigmoid.social/@drgroftehauge" class="u-url mention" rel="nofollow noopener" target="_blank">@drgroftehauge</a> <a href="https://manganiello.social/users/fabio" class="u-url mention" rel="nofollow noopener" target="_blank">@fabio</a> <a href="https://chaos.social/@SylvieLorxu" class="u-url mention" rel="nofollow noopener" target="_blank">@SylvieLorxu</a> <a href="https://infosec.exchange/tags/AgeVerification" class="mention hashtag" rel="nofollow noopener" target="_blank">#AgeVerification</a> <a href="https://infosec.exchange/tags/ByPass" class="mention hashtag" rel="nofollow noopener" target="_blank">#ByPass</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener" target="_blank">#Identification</a> <a href="https://infosec.exchange/tags/IdentityVerification" class="mention hashtag" rel="nofollow noopener" target="_blank">#IdentityVerification</a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authentication</a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#Impersonation</a> <a href="https://infosec.exchange/tags/ForSale" class="mention hashtag" rel="nofollow noopener" target="_blank">#ForSale</a>

Erik van Straten<a href="https://social.wildeboer.net/@jwildeboer" class="u-url mention" rel="nofollow noopener" target="_blank">@jwildeboer</a> : modern certificates are used for authentication only, not for secure connections.OTOH, if you have no certainty that your software is communicating with the server you intended, a secure connection to it is pointless - but the connection remains secure.Using TLS v1.3, the connection is even secured before the server is authenticated (if, after encrypting the connection, the authentication of the server fails, then the client should at least warn the user - if not immediately disconnect).Yes, I know, these are boring details, but they are misunderstood way too often by people who SHOULD know how this works (I know you do, but please don't simplify things too much). <a href="https://infosec.exchange/tags/TLS" class="mention hashtag" rel="nofollow noopener" target="_blank">#TLS</a> <a href="https://infosec.exchange/tags/https" class="mention hashtag" rel="nofollow noopener" target="_blank">#https</a> <a href="https://infosec.exchange/tags/X509" class="mention hashtag" rel="nofollow noopener" target="_blank">#X509</a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#Certificates</a> <a href="https://infosec.exchange/tags/Certs" class="mention hashtag" rel="nofollow noopener" target="_blank">#Certs</a> <a href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener" target="_blank">#Identification</a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authentication</a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#Impersonation</a> <a href="https://infosec.exchange/tags/TLSv1_3" class="mention hashtag" rel="nofollow noopener" target="_blank">#TLSv1_3</a> <a href="https://infosec.exchange/tags/ForwardSecrecy" class="mention hashtag" rel="nofollow noopener" target="_blank">#ForwardSecrecy</a> <a href="https://infosec.exchange/tags/DH" class="mention hashtag" rel="nofollow noopener" target="_blank">#DH</a> <a href="https://infosec.exchange/tags/DHE" class="mention hashtag" rel="nofollow noopener" target="_blank">#DHE</a> <a href="https://infosec.exchange/tags/DiffieHellman" class="mention hashtag" rel="nofollow noopener" target="_blank">#DiffieHellman</a>

Erik van Straten<a href="https://infosec.exchange/@adfichter" class="u-url mention" rel="nofollow noopener" target="_blank">@adfichter</a> : I'm trying to warn people for such holes.Published earlier this month: <a href="https://www.heise.de/en/news/BSI-and-ANSSI-warn-against-VideoIdent-for-the-EU-digital-wallet-10476045.html" rel="nofollow noopener" translate="no" target="_blank">https://www.heise.de/en/news/BSI-and-ANSSI-warn-against-VideoIdent-for-the-EU-digital-wallet-10476045.html</a> (there of course is a German version as well).It refers to a recent joint publication (in English) by the German BSI and the French ANSSI titled:"Remote ldentity Proofing for EUDI Wallet Onboarding: Strengthening Assurance Against Evolving Threats"(EUDI Wallet = European Digital Identity Wallet aka EDIW aka EUDIW).It's about the risks of VideoIdent (getting bigger every day, see e.g. <a href="https://www.theverge.com/report/714402/uk-age-verification-bypass-death-stranding-reddit-discord" rel="nofollow noopener" translate="no" target="_blank">https://www.theverge.com/report/714402/uk-age-verification-bypass-death-stranding-reddit-discord</a> - not to mention AI).However, like in their previous publication (PDF: <a href="https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/ANSSI-BSI-joint-releases/ANSSI-BSI_joint-release_2023.pdf?__blob=publicationFile&v=3" rel="nofollow noopener" translate="no" target="_blank">https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/ANSSI-BSI-joint-releases/ANSSI-BSI_joint-release_2023.pdf?__blob=publicationFile&v=3</a>) they ignore one HUGE risk: AitM's (Attacker in the Middle).The unmentioned gaping security hole here are fake websites, where people are being directed to via falsified emails, SMS, chat app messages and possibly QR-codes.Step 1️⃣: ———— Victim (contacts AitM site as instructed) | | "Please give me my EDIW" v AitM site: contacts site below and forwards | | "Please give me my EDIW" v True EDIW identity verification siteStep 2️⃣: ———— Victim ^ | "Please perform VideoIdent" | AitM site: forwards ^ | "Please perform VideoIdent" | True EDIW identity verification siteStep 3️⃣: ———— Victim | | VideoIdent showing victim v AitM site: forwards | | VideoIdent showing victim v True EDIW identity verification siteStep 4️⃣: ———— Victim ^ | "Something went wrong" | AitM site: stores victim's EDIW on their device ^ | EDIW | True EDIW identity verification siteThe same may happen to people who are tricked into *authenticating* using EDIW on AitM websites.<a href="https://mastodon.nl/@ellent" class="u-url mention" rel="nofollow noopener" target="_blank">@ellent</a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener" target="_blank">#EDIW</a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener" target="_blank">#EUDIW</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/VideoIdent" class="mention hashtag" rel="nofollow noopener" target="_blank">#VideoIdent</a> <a href="https://infosec.exchange/tags/OnlineAuthentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#OnlineAuthentication</a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authentication</a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#Impersonation</a> <a href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener" target="_blank">#Identification</a> <a href="https://infosec.exchange/tags/IdentityFraud" class="mention hashtag" rel="nofollow noopener" target="_blank">#IdentityFraud</a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#InfoSec</a>

🧿🪬🍄🌈🎮💻🚲🥓🎃💀🏴🛻🇺🇸> <a href="https://mastodon.social/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#Google</a> informed me that I already had a <a href="https://mastodon.social/tags/passkey" class="mention hashtag" rel="nofollow noopener" target="_blank">#passkey</a> on my device. If that's the case, why didn't it work when I attempted to log into my Google account on the tablet? When I was logging into the tablet, Google should have been aware I had <a href="https://mastodon.social/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#passkeys</a> on my Pixel 9 Pro and request <a href="https://mastodon.social/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#authentication</a> with either a fingerprint or face scan. It didn't. No passkey was recognized… even though it's there.> It's a recursive nightmare from which I can't seem to escape.<a href="https://www.zdnet.com/article/passkeys-wont-be-ready-for-primetime-until-google-and-other-companies-fix-this/" rel="nofollow noopener" translate="no" target="_blank">https://www.zdnet.com/article/passkeys-wont-be-ready-for-primetime-until-google-and-other-companies-fix-this/</a><a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a>

Erik van Straten<a href="https://infosec.exchange/@tbortels" class="u-url mention" rel="nofollow noopener" target="_blank">@tbortels</a> : even if we disagree, thank you for a fair discussion.You wrote: ❝Asking any third party to ensure "trust" is doomed from the start. In the history of humanity no govermnment or organization whatsoever has managed to eliminate fraud, and none ever will.❞You are right, not for 100%. That will never be achieved; what I think is seriously needed is risk *reduction*.By typing the toot you sent to me, you had to trust the manufacturers of hardware and software you used. You'll have to trust your bank for prudently guarding your savings. Trust is a very basic requirement in our lives, even if we are to be very disappointed now and then.We have chambers of commerce for a reason (in my country: <a href="https://www.kvk.nl/en/" rel="nofollow noopener" translate="no" target="_blank">https://www.kvk.nl/en/</a>).Among other things, I wrote a section {1} WHAT IS A DECENT WEBPKI in my (long) proposal <a href="https://infosec.exchange/@ErikvanStraten/113079966331873386" rel="nofollow noopener" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/113079966331873386</a> (the current CA/B forum is pointless: it's big tech for big tech, zero consumer orgs are involved).To decrease the (enormous) impact of cybercrime, IMO we can and should provide users with as much information about a website as possible, in particular when it is the first time they visit it (or if ownership may have changed).❝The reality is this: people need to learn basic defensive cynicism.❞That is simpy impossible. Even I sometimes find it hard to determine whether a website is authentic (and like you, I have a lot of infosec experience - that dates back to around the time that "internet" became accessible to universities).The web is being FLOODED with criminal websites (example: see the image below) while no big tech org cares - on the contrary, they're making money by condoning it. Guess why Google introduced zillions of stupid TLD's. There are way too many people who will not and cannot become forensic researchers.❝The internet is just another place where doing dumb things gets you hurt, and it can't be made safe without destroying it.❞I disagree. Like I wrote in <a href="https://infosec.exchange/@ErikvanStraten/114241359684890759" rel="nofollow noopener" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/114241359684890759</a>: "I am not against (free) Domain Validated certificates. They're fine if visitors do exactly know the domain name in advance, such as of your home NAS (and are not easily fooled by IDN's)."❝Security and Trust are two different unrelated things. And people need to understand it.❞Agreed, but we can still help them *a lot* making better decisions whom to trust. Again, I mean trust based on reputation and the ability to "see them in court" if you know who you're dealing with - in cases where that matters.<a href="https://mastodon.scot/@UndisScot" class="u-url mention" rel="nofollow noopener" target="_blank">@UndisScot</a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener" target="_blank">#FakeWebsites</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#BigTechIsEvil</a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#GoogleIsEvil</a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#CloudflareIsEvil</a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener" target="_blank">#DV</a> <a href="https://infosec.exchange/tags/EV" class="mention hashtag" rel="nofollow noopener" target="_blank">#EV</a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#Certificates</a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authentication</a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#Impersonation</a>

Grumpy WebsiteThis dialog always confuses me. I have to read small print to really understand what does it want<a href="https://mastodon.online/tags/Apple" class="mention hashtag" rel="nofollow noopener" target="_blank">#Apple</a> <a href="https://mastodon.online/tags/macOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#macOS</a> <a href="https://mastodon.online/tags/Dialog" class="mention hashtag" rel="nofollow noopener" target="_blank">#Dialog</a> <a href="https://mastodon.online/tags/VisualHierarchy" class="mention hashtag" rel="nofollow noopener" target="_blank">#VisualHierarchy</a> <a href="https://mastodon.online/tags/Fingerprint" class="mention hashtag" rel="nofollow noopener" target="_blank">#Fingerprint</a> <a href="https://mastodon.online/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authentication</a>

Serge from BabkaAnother approach would be if Alice could generate multiple Passkeys and hand them out to individuals she trusts, and then retaining the ability to revoke them. Sadly many sites don't yet support Passkeys, and this model still lets someone like Mal revoke Alice's access, so that's not great.Bitwarden has a feature whereby Alice can share a password with Eve but not let her see it or export it. This could work pretty well, except that if the site requires 2FA from a SMS text message (vs TOTP or a token) or if Eve has the knowhow to intercept the password.I still think that what we ultimately want is attenuated scopes because then we can track all actions by the delegated party.I do wonder if this need is niche or if the current solution of "good faith password sharing" works well enough often enough that it's not risen to the level of concern for developers.2/2<a href="https://babka.social/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authentication</a> <a href="https://babka.social/tags/Authorization" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authorization</a> <a href="https://babka.social/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#InfoSec</a> <a href="https://babka.social/tags/Passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passwords</a> <a href="https://babka.social/tags/Passwordless" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passwordless</a> <a href="https://babka.social/tags/Programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#Programming</a>

Serge from BabkaI've been thinking about delegated authority on websites lately.It would be convenient if I could delegate certain functions to people, for example allowing someone like my accountant to have access to some of my financial records.Some organizations make this easy, allowing me to have multiple accounts.Other services don't offer this, nor do they offer any kind of OAuth type of delegated authorization or capabilities model.I've been thinking about ways around this.One very wacky way would be if Alice could have a a "special browser" that would tie into some service she runs. Bob would log in with his credentials and then behind the scenes the application logs in as Alice.This would be very complicated to implement though.1/<a href="https://babka.social/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authentication</a> <a href="https://babka.social/tags/Authorization" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authorization</a> <a href="https://babka.social/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#InfoSec</a> <a href="https://babka.social/tags/Passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passwords</a> <a href="https://babka.social/tags/Passwordless" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passwordless</a> <a href="https://babka.social/tags/Programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#Programming</a>

StrypeyThe UX of 2FA could be improved considerably, and security along with it, by using a circles of trust model.Take the example of a code forge, hosting the canonical version of some crucial piece of kit like the Linux kernel, OpenSSL, or GnuPG. You would want a maintainer to be 100% authenticated before they can commit changes to these repositories. Basic security culture.But ...(1/2)<a href="https://mastodon.nzoss.nz/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> <a href="https://mastodon.nzoss.nz/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#authentication</a>

PrivacyDigestCritical <a href="https://mas.to/tags/CitrixBleed" class="mention hashtag" rel="nofollow noopener" target="_blank">#CitrixBleed</a> 2 <a href="https://mas.to/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#vulnerability</a> has been under active <a href="https://mas.to/tags/exploit" class="mention hashtag" rel="nofollow noopener" target="_blank">#exploit</a> for weeksA critical vulnerability allowing <a href="https://mas.to/tags/hackers" class="mention hashtag" rel="nofollow noopener" target="_blank">#hackers</a> to bypass <a href="https://mas.to/tags/multifactor" class="mention hashtag" rel="nofollow noopener" target="_blank">#multifactor</a> <a href="https://mas.to/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#authentication</a> in network management devices made by <a href="https://mas.to/tags/Citrix" class="mention hashtag" rel="nofollow noopener" target="_blank">#Citrix</a> has been actively <a href="https://mas.to/tags/exploited" class="mention hashtag" rel="nofollow noopener" target="_blank">#exploited</a> for more than a month, researchers said. The finding is at odds with advisories from the vendor saying there is no evidence of in-the-wild <a href="https://mas.to/tags/exploitation" class="mention hashtag" rel="nofollow noopener" target="_blank">#exploitation</a>. <a href="https://mas.to/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://mas.to/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#privacy</a><a href="https://arstechnica.com/security/2025/07/critical-citrixbleed-2-vulnerability-has-been-under-active-exploit-for-weeks/" rel="nofollow noopener" translate="no" target="_blank">https://arstechnica.com/security/2025/07/critical-citrixbleed-2-vulnerability-has-been-under-active-exploit-for-weeks/</a>

BillSpike in credential theft. Probably comes as no surprise to anyone. Use MFA!<a href="https://www.infosecurity-magazine.com/news/hackers-target-employee-credentials/" rel="nofollow noopener" translate="no" target="_blank">https://www.infosecurity-magazine.com/news/hackers-target-employee-credentials/</a><a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#authentication</a> <a href="https://infosec.exchange/tags/mfa" class="mention hashtag" rel="nofollow noopener" target="_blank">#mfa</a>

Erik van Straten<a href="https://sw-development-is.social/@maaikees" class="u-url mention" rel="nofollow noopener" target="_blank">@maaikees</a> : the way we look is an important part of how we are (and want to be) recognized by others.Over the years I became amazed about how the looks of peoples heads differ, and how enormously good people are at recognizing each other.Changing how you look changes your identity - as others see it.<a href="https://infosec.exchange/tags/Identity" class="mention hashtag" rel="nofollow noopener" target="_blank">#Identity</a> <a href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener" target="_blank">#Identification</a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#Impersonation</a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authentication</a> <a href="https://infosec.exchange/tags/Authenticity" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authenticity</a>

Erik van Straten<a href="https://infosec.exchange/@relishthecracker" class="u-url mention" rel="nofollow noopener" target="_blank">@relishthecracker</a> : that's make belief."Wow, asymmetric encryption, even quantum-computer-proof", "military-grade", etcetera.Right after logging in using a passkey with an unbreakably protected private key, the website sends a session cookie (or similar) to the browser - which is NOT protected like private keys. If a website (like most of them) does not log you out if your IP-address changes, such a cookie is nearly as bad as a password. And fully if the cookie never expires.Therefore:1️⃣ Even if attackers cannot copy private keys: if the user device is sufficiently compromised (i.e. on Android, running an accessibility service), they can take over all of the user's accounts;2️⃣ If the user's browser is compromised, attackers can copy session cookies and use them to obtain access to accounts the user logs in to;3️⃣ An AitM (Attacker in the Middle) using a malicious website can copy/steal authentication cookies. Such AitM-attacks are possible in at least the following cases if either:• A malicious third party website manages to obtain a fraudulently issued certificate (examples: <a href="https://infosec.exchange/@ErikvanStraten/112914050216821746" rel="nofollow noopener" translate="no" target="_blank">https://infosec.exchange/@ErikvanStraten/112914050216821746</a>);• An attacker obtains unauthorised write access to the website's DNS record;• An attacker manages to obtain access to a server where a "dangling" (forgotten) subdomain name points to, *AND* the real authenticating server (RP) does not carefully check for allowed subdomains (see <a href="https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580" rel="nofollow noopener" translate="no" target="_blank">https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580</a>);4️⃣ The server is compromised or has a rogue admin: the attacker can add their passkey's public key to your account, or replace your public key with theirs (note that passkey pubkeys are not encapsulated by certificates issued by trusted issuers, stating who owns the public key).Phishing using fake websites is probably the number one problem on the internet. *THE* major advantage of passkeys is that they make phishing attacks VERY HARD.Indeed, if your device is sufficiently compromised, the risk of all of your passwords being stolen if you use a password manager is BIG.However, as I wrote, if your device is sufficiently compromised, an attacker does not need access to your private keys in order to obtain access to your accounts.<a href="https://sigmoid.social/@oliversampson" class="u-url mention" rel="nofollow noopener" target="_blank">@oliversampson</a> <a href="https://cathode.church/@kaye" class="u-url mention" rel="nofollow noopener" target="_blank">@kaye</a> <a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passkeys</a> <a href="https://infosec.exchange/tags/PasswordManagers" class="mention hashtag" rel="nofollow noopener" target="_blank">#PasswordManagers</a> <a href="https://infosec.exchange/tags/DomainNames" class="mention hashtag" rel="nofollow noopener" target="_blank">#DomainNames</a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#AitM</a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#MitM</a> <a href="https://infosec.exchange/tags/Cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cryptography</a> <a href="https://infosec.exchange/tags/MilitaryGrade" class="mention hashtag" rel="nofollow noopener" target="_blank">#MilitaryGrade</a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#Authentication</a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#Impersonation</a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener" target="_blank">#FakeWebsites</a> <a href="https://infosec.exchange/tags/ATO" class="mention hashtag" rel="nofollow noopener" target="_blank">#ATO</a> <a href="https://infosec.exchange/tags/AccountTakeOver" class="mention hashtag" rel="nofollow noopener" target="_blank">#AccountTakeOver</a> <a href="https://infosec.exchange/tags/Passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#Passwords</a> <a href="https://infosec.exchange/tags/SharedSecrets" class="mention hashtag" rel="nofollow noopener" target="_blank">#SharedSecrets</a> <a href="https://infosec.exchange/tags/AsymmetricCryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#AsymmetricCryptography</a> <a href="https://infosec.exchange/tags/SubDomains" class="mention hashtag" rel="nofollow noopener" target="_blank">#SubDomains</a> <a href="https://infosec.exchange/tags/DanglingSubDomains" class="mention hashtag" rel="nofollow noopener" target="_blank">#DanglingSubDomains</a>

Mad A. Argon :qurio:Thought it is high time to finally set <a href="https://is-a.cat/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#2FA</a> on my <a href="https://is-a.cat/tags/DeviantArt" class="mention hashtag" rel="nofollow noopener" target="_blank">#DeviantArt</a> account... Turned out it's premium feature for paid accounts :neocatBlushHide:<a href="https://is-a.cat/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://is-a.cat/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#authentication</a>

Teodor Sandu<a href="https://mastodon.online/tags/funny" class="mention hashtag" rel="nofollow noopener" target="_blank">#funny</a> <a href="https://mastodon.online/tags/meme" class="mention hashtag" rel="nofollow noopener" target="_blank">#meme</a> <a href="https://mastodon.online/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#authentication</a> <a href="https://mastodon.online/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://mastodon.online/tags/it" class="mention hashtag" rel="nofollow noopener" target="_blank">#it</a> <a href="https://mastodon.online/tags/programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#programming</a> <a href="https://mastodon.online/tags/development" class="mention hashtag" rel="nofollow noopener" target="_blank">#development</a> <a href="https://mastodon.online/tags/fun" class="mention hashtag" rel="nofollow noopener" target="_blank">#fun</a> <a href="https://mastodon.online/tags/memes" class="mention hashtag" rel="nofollow noopener" target="_blank">#memes</a> <a href="https://mastodon.online/tags/joke" class="mention hashtag" rel="nofollow noopener" target="_blank">#joke</a> <a href="https://mastodon.online/tags/jokes" class="mention hashtag" rel="nofollow noopener" target="_blank">#jokes</a> <a href="https://mastodon.online/tags/dev" class="mention hashtag" rel="nofollow noopener" target="_blank">#dev</a> <a href="https://mastodon.online/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://mastodon.online/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#hacking</a>

Recent searches

Search options

Administered by:

Server stats:

#authentication