Questions tagged [web-authentication]
28 questions
29 votes · 9 answers
When does 'something you have' NOT become 'something you know'?
I am currently trying to get an understanding of multi-factor authentication. The biggest issue so far: When does "something you have" NOT get reduced to "something you know"? I want to have a "possession" factor that does not get reduced to a…
Gamer2015 · 707 · 4 · 12
21 votes · 4 answers
How will biometrics be a safe way to authenticate users across the internet?
Let's say Alice created a new account on a service and this service saved her fingerprint as a way of logging in later. Then Alice creates a new account on a new service, but unfortunately this second service is not properly secured and the…
Mohamed Waleed · 1,169 · 1 · 5 · 13
18 votes · 4 answers
Is it possible to calculate an encryption key when both the plain text and ciphertext are known?
I have implemented an authentication system which works like this:
Upon successful login, the server takes the username of the client and encrypts it with AES-256.
This ciphertext is stored in the client's browser and when the client wants to do…
Mr. Engineer · 684 · 1 · 4 · 10
7 votes · 2 answers
How good are Angular Route Guards from a security standpoint?
For an enterprise setting, how secure are Route Guards against script kiddies, hackers, and advanced threats?
If I understand correctly, the route guards are all available in .js files to the attacker and since all of the data is on the client-side,…
Sir Muffington · 1,447 · 2 · 9 · 22
3 votes · 1 answer
Browser not generating Kerberos ticket
Firstly, please forgive me if I'm still confused about stuff here; Kerberos auth is quite the complex issue for a Java dev.
So, I have the following scenario:
A suite of webapps which use kerberos pre-authentication for access and LDAP profiles…
Steven · 83 · 7
3 votes · 0 answers
Comprehensive list of mechanisms that automatically send authentication information in browsers
I'm trying to come up with a list of built-in mechanisms that either automatically send authentication information or automatically prompt the user to provide them in browsers.
So far I have
Cookies - sends cookies based on domain / expiration…
Eran Medan · 811 · 1 · 10 · 19
3 votes · 3 answers
Why are ASP.NET form authentication cookies deleted only on client side if client side can't be trusted?
ASP.NET documentation says:
FormsAuthentication.SignOut()
Removes the forms-authentication ticket from the browser
Why is the cookie not invalidated at the server as well? It would be easy to implement. After all this code runs at the server. …
user3280964 · 1,130 · 2 · 7 · 13
2 votes · 1 answer
Hashing sessions and retrieving them using cookie(s) with session "id" and "token"
I'm implementing a custom authentication & session management system in Node.js & PostgreSQL. My goal is to implement sessions that expire after 2 weeks (if not refreshed/renewed).
OWASP and other resources suggest storing unhashed session IDs both…
Dominik Serafin · 71 · 5
2 votes · 1 answer
CORS configuration for service with single browser client
Please note: although I mention Spring Boot (and by proxy, Java) I believe this is a pure HTTP/web development question at heart, and as such, can be answered by anyone with CORS-configuration experience and zero Java experience!
I am configuring…
hotmeatballsoup · 307 · 2 · 7
2 votes · 1 answer
Web Authentication Offline
I've been working on a project and one of the requirements that came up is offline authentication. On the web, what we would like to do is ask the user to log in using their device authentication, for example Touch ID and Face ID on iOS devices. I know…
Nxte · 23 · 2
2 votes · 2 answers
Is it necessary to force a newly registered user to login?
In a web application, is there a security advantage to forcing a newly registered user to manually log into their account, or is it safe to automatically log in a new registration? Assume that the user is registering using a local registration/login…
the8thbit · 121 · 2
2 votes · 1 answer
Authenticate limited client devices from server without login process
I have limited client devices and one server.
I want to create a secure client-server connection during app installation, but I don't want human interaction between the devices and the server, such as registration or login.
After installing the app, this client…
Necromancer · 121 · 3
2 votes · 1 answer
How does the browser know the Windows logged-in user ID or Kerberos TGT?
My organization uses SSO for its applications, i.e., once a user logs into his Windows 10 workstation, he accesses his web applications without logging in. I was informed that the web applications use NetIQ Identity Manager (IdP) and Kerberos in the…
ZEE · 157 · 3
1 vote · 3 answers
Use-case for decentralized identifiers (DIDs) with unique identities for each relationship
The W3C working group is working on the standardization of Decentralized Identifiers (DIDs). I watched a video presentation about DIDs and the presenter mentioned several times the possibility of generating unique pseudonymous identities for each…
DurandA · 107 · 1 · 10
1 vote · 2 answers
Is access token confidentiality also ensured in the Authorization Code grant type in OAuth 2.0?
One of the really nice articles I came across while trying to understand the various grant types in OAuth 2.0 was this. The author really has done a good job at explaining quite clearly what the various grant types in an OAuth 2.0 flow look like. I also…
qre0ct · 1,492 · 3 · 19 · 30