Here's a highlight from the stream. Full recording dropping on YouTube next week!
#Keycloak provides many advanced features for implementing #authentication. Configuring a custom #LDAP user filter for User Federation to select a subset of user entries in Active Directory is just one of them. It might be quite useful in big organizations. The following post describes my experience: https://akrisanov.com/custom-user-ldap-filter-in-keycloak/
I'm finally writing an #introduction toot LOL.
I'm "JJGadgets" online, you can call me JJ, everyone does.
My life is #tech, nothing brings me more joy and zen than sitting in front of my screens. Maybe except for Japanese food.
I study #infosec but textbooks and lessons don't even come close to doing justice to what #infosec is all about. I like to think that I live and strive to live the infosec life, including my mindset. (After all, that's why @truxnell started calling me the "tinfoil hat sensei" LOL)
I do #Kubernetes @ Home, and maintain my cluster state in #git then apply it with tools like #FluxCD. My #homelab repo can be found at https://biohazard.jjgadgets.tech (will always 301 redirect to my latest Git remote of choice, in the event it changes). I think using #GitOps/IaC to declare desired security-related state (policies, rules etc) makes managing security a lot easier.
I try to follow "Principle of Least Privilege" for my homelab, and especially for Kubernetes security, using tools such as network policies (#netpols), policy engines, secrets management, identity management, strong #authentication, and access control. For example, my homelab Kubernetes cluster heavily uses netpols everywhere to default-deny and only allow the necessary network traffic for any given app to work.
I am also very interested in strong authentication methods such as #passwordless #fido2 / #webauthn (#yubikey and #passkeys) and where possible, I only enroll FIDO2 MFA, and choose the passwordless variant if available.
I try my best to use privacy-respecting software where possible, as I believe in maintaining transparency and control over the #privacy of people, regardless of online or offline.
I also believe in #opensource, too many times we've been shown the consequences of relying on closed source software, so where possible I always prefer open source.
Outside of the screen, admittedly I'm terrible at life stuff, and it's very hard for me to be interested in much of anything other than stuff on or related to a screen/device (I basically only talk tech stuff LOL). I'm working on changing that in the event I burnout hard again (though I still haven't found a non-tech interest yet, as of writing). I've burnt out multiple times despite still being a student, and thus I now (try to) take as much necessary measures as I can to avoid over-working, over-stressing or over-exerting myself.
That's about it, let's chat (or toot?)!
Passkeys are generally available
hey p.s. #macOS users if you have two #yubikeys (I use many but the #5c or #5cNFC are good options) you can add security keys to your Apple ID for a much better #MFA option. Apple makes you have redundant tokens, and I have to wait until I get back to Iowa to set it up for myself but I don't know how I missed this.
I seem to have locked myself out of my #Yubikey 😩
Maybe I'll just set up the second one now..
@hertg my personal opinion is that for an #IdP it should work without JS because you have everything needed server-side AND you have a server.
For client-side-only apps though, that's where JS is allowed (and a must actually)
Please comment if you want to add nuance, and thanks for sharing :)
Statement from Stefan Killer-Haug, #Tresorit
#itsa #HomeofITSecurity #ITSecurity #Cybersecurity #Law #Databreach #Infosec #Compliance #Authentication #Encryption #Cyberresilience #Security #Sicherheitsmesse #Cybersicherheit #ITSicherheit
I'm about to move a few parts of my network off-site. Anyone have any input for getting LDAP-based authentication to work across locations?
Like, LDAP+TLS with mutual certificate authentication is just fine, but I don't like the idea of exposing an LDAP port. Though a firewall rule to only allow the other side's IP to access it would probably be okay.
Given that this side still needs to access some internal services, it also makes sense just to #WireGuard it or something, that gives me everything in a manner that I believe is secure, I've yet to hear of any breaks on its encryption... just that if the remote host is compromised I have quite a wide open attack surface.
#Cloudflare’s Dashboard enables users to configure 2-Factor #Authentication using a #Security Key. An issue in the authentication system allowed for the retrieval of #recovery codes (used to regain account access if the security key is lost) after verifying the username and password but before completing the authentication process by touching the Security Key.
And to wrap up the session before lunch, Brian Bockelman gives us a Token Taxonomy, with respect to #HTCondor. I appreciate it because #authentication & #authorization still confuse 😖 the heck out of me.
Come chill with us this Wednesday, September 20th at 5 pm UTC!
#Authorizer is an #open-source #authentication and #authorization solution for your applications. Bring your database and have complete control over the user information. You can self-host authorizer instances and connect to any database (Currently supports 11+ databases including Postgres, MySQL, SQLite, SQLServer, YugaByte, MariaDB, PlanetScale, CassandraDB, ScyllaDB, MongoDB, ArangoDB).
#Linux #macOS #windows
Build vs. Buy in 2023: Top Considerations for Choosing an Identity Management Solution
Choosing between building or buying an identity management solution is not a straightforward decision. In this article, we'll dive into the key considerations that can guide this decision.
I'm almost afraid of asking this question, but I'll do it anyway.
Why are we still using cookies to store state about for example authentication and session?
I mean, as a user I go through hoops to securely authenticate myself, tokens here and there, hardware fingerprint readers... only to have all of this, reduced to a text file, stored in the clear, in my browser.
It just seems... odd. Oh, BTW, asking for a friend ;-)
I'm a fan of passkeys for easier, safer authentication. So is password manager Dashlane: "With the rollout of iOS 17, Dashlane will be available as a passkey manager on both mobile and desktop, supporting passkeys across web and on Android and iOS." https://www.dashlane.com/blog/passkeys-progress-innovation
#Authentication #passkeys #PasswordManager #Dashlane #iOS17 #iOS
4 Okta customers hit by campaign that gave attackers super admin control:
Attackers already had credentials. Now, they just needed to bypass 2FA protections.
Getting rid of 3rd party cookies to avoid tracking: noble idea, but with some really bad side effects (for #authentication).
Replacing it with an API that mines your browser history to create an interests profile for you that any website can query (and put more money into Google's pockets), while using the terms "enhanced" and "#privacy" in the name: sketchy af.
.@jik This is another one of those situations where the best answer is likely that the industry needs to create a better #authentication mechanism. Memorizing a code is terrible #UX from the jump. The fact that it also isn't long enough to foster confidence is just extra.
But it does cause problems. It's the reason why the big platforms need to offer this kind of thing in a way which harms #user #privacy. Since these short codes can't actually be trusted, they want to lock-in #2FA to a user's #phone, situating them with location services, and reducing the likelihood of an impersonation attempt.
Attention people building #authentication mechanisms for web sites and apps! Numeric verification codes sent via text or email are not actually a context in which bigger is better! 6 digits is enough. More than 6 is bad #UX, because the average person can remember 6 for long enough to get them from the message to the app, but more than that is hard for many. There's a lot of research on this. Go look it up and stop using codes longer than 6 digits. #infosec #AppDev #WebDev #SecurityEngineering
🎓 #InAcademia, the real-time online student validation service, has continued to grow in 2022!
The service is now operational in 🇳🇱 🇩🇪 🇩🇰 🇪🇸 🇫🇷 🇮🇹 🇸🇪 🇹🇷 🇦🇹 🇮🇸 🇫🇮
Read about #NRENs activities in Trust & Identity (and much more) in the 2022 GÉANT #Compendium of NRENs 👉
More about InAcademia at https://inacademia.org
A huge tech player with a bajillion customers just enabled passkey support: Amazon. Here's how to enable them for login that in my experience is fast and easy and, according to a ton of experts I've spoken to, vastly more secure than passwords.
I just got #T2 authenticated today.
I've had my share of being impersonated online, so if there is an "official" authentication system available, I take the opportunity (but not Twitter and Meta, they rejected me multiple times).
So, I guess before this week ended, there's something good that happened. It at least lifted my soul.
Here's my profile: https://t2.social/YourOnlyOne
If you want invites, ping me up, I still have a few left.
Storm-0558 hacks of Microsoft Exchange
In mid-July 2023, Microsoft reported that a Chinese hacking group tracked as '#Storm0558' breached the email accounts of 25 organizations, including US and Western European government agencies, using #forged #authentication #tokens from a stolen Microsoft consumer #signing #key.
Using this stolen key, the Chinese threat actors exploited a zero-day vulnerability in the #GetAccessTokenForResource API function for Outlook Web Access in Exchange Online (#OWA) to forge authorization tokens.
These tokens allowed the threat actors to impersonate Azure accounts and access email accounts for numerous government agencies and organizations to monitor and steal email.
After these attacks, Microsoft faced a lot of criticism for not providing adequate #logging to Microsoft customers for free. Instead, Microsoft required customers to purchase additional licenses to obtain logging data that could have helped detect these attacks.
US cyber safety board to analyze Microsoft Exchange hack of govt emails
The Department of Homeland Security's Cyber Safety Review Board (#CSRB) has announced plans to conduct an in-depth review of #cloud #security practices following recent Chinese #hacks of #Microsoft #Exchange accounts used by US government agencies.
The CSRB is a collaboration of public and private sectors, created to conduct in-depth investigations that offer a better understanding of critical events, discern root causes, and issue informed recommendations on cybersecurity.
In this case, CSRB will explore how the government, industry, and cloud service providers (CSPs) can bolster #identity #management and #authentication in the cloud and develop actionable #cybersecurity recommendations for all stakeholders.
Microsoft Signing Key Stolen by Chinese - Schneier on Security
A bunch of networks, including US Government networks, have been hacked by the Chinese. The hackers used #forged #authentication #tokens to access user email, using a stolen Microsoft Azure account consumer signing key. Congress wants answers.
The phrase “negligent security practices” is being tossed about—and with good reason. Master signing keys are not supposed to be left around, waiting to be stolen.
The fact that #Microsoft has not been forthcoming about the details of what happened tells me that the details are really bad.
Cloud Authentication Services
There is a sea of Cloud Auth / Identity management providers.
There was a time I used to roll my own, but as security is getting complicated, it seems for startups & small to medium businesses it is better to use a cloud auth provider.
Please share your thoughts on your experience with this as I look into this area.
So far I have come across:
4/ #Phishing is a numbers game & the difficulty + cost of faking a voice have limited the use of certain presumably effective themes (e.g. a call from your lawyer or mom).
Those same factors have led to some companies going hard on "my voice is my password" #authentication.
Or handling their #insurance .
Because the next few years are going to be a bloodbath.
Microsoft Signing Key Stolen by Chinese
A bunch of networks, including US Government networks, have been hacked by the Chinese. The hackers used forged authentication tokens to access user ema... https://www.schneier.com/blog/archives/2023/08/microsoft-signing-key-stolen-by-chinese.html
When exposing an application, consider an #APIGateway to protect it from attacks. Rate Limiting comes to mind first, but it shouldn’t stop there. We can factor many features into the API Gateway and should be bold in moving them out of our apps. In this post, I’ll show how to implement authentication at the API Gateway stage.
@arstechnica Letting big tech make all these decisions on their own is pretty risky.
Due to the probably coming assault of intelligent bot-fueled personalised propaganda (probably by December this year), it will become necessary to prove one’s humanness very soon.
But they payrolled the politicians.
For Oppenheimer weekend, I broke out a couple of mementos from the two summers that I worked at Los Alamos in a support role for their high performance computing group. (ASCI Blue Mountain was just coming online around that time.)
These are two-factor authentication devices that were required to log in anywhere and are very similar to today's time-based one-time passwords (TOTP) that are in growing use today.
I predict that passkeys will be a big deal. In my tests using them for Google login, then with CVS just prompting me to migrate to them from password authentication, they were indeed pretty simple to use. 1Password is testing the ability to store passkeys and now the ability to unlock your passkey vault with passkeys. My latest story: https://www.cnet.com/tech/services-and-software/1password-tests-passkeys-for-unlocking-your-password-vault/
#passkeys #authentication #Security #1Password
70% of Google account users have 2-factor authentication protection now. My predictions: passkey technology will help with this, making MFA easier to accomplish and less vulnerable than login codes via SMS. https://blog.google/technology/safety-security/the-past-present-and-future-of-authentication/
#authentication #passkeys #security #Google #MFA
My PhD thesis on the usability, security, and privacy of Risk-Based Authentication (RBA) is now published. For free, for everyone, as I believe that publicly funded research should be open to the public.
On 239 pages, you will learn how to strengthen password-based authentication with RBA while being privacy-enhanced and accepted by users.
Thesis PDF: https://doi.org/10.13154/294-9901
Defense Slides: https://www.stephanwiefling.de/slides/rba-thesis-defense23.pdf
Question about implementation of #Passkeys. As I understand it, having a user log in with a passkey but without UV (User Verification) is not necessarily MFA, as it could just be a stolen security key (something you have).
How is (or should) #MFA with Passkeys implemented in practice? By setting UV as "required"? Or by setting UV as "preferred" and then based on the user response prompt for another factor (eg. #TOTP) in case there was no UV? I am a bit confused about how to fit Passkeys into the current #authentication logic.
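One way a relying party can answer the question above in code, as an added example that is not part of the original post: the WebAuthn authenticator data returned with every assertion carries a flags byte, and the UV bit in it tells the server whether the authenticator actually verified the user (PIN, biometric) in addition to proving possession. The example below parses the fixed 37-byte prefix of authenticator data, checks the RP ID hash and the UP bit, and then applies a `uv_policy` of either `"required"` (reject a possession-only assertion) or `"preferred"` (accept it as a first factor and ask for a step-up such as TOTP). The `make_auth_data` helper builds constructed sample input; the policy names and return values are this example's own, and it assumes the signature, challenge and origin checks of the assertion have already been done elsewhere.

```python
import hashlib
import struct

# Flag bits of the WebAuthn authenticator data "flags" byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN / biometric)
FLAG_BE = 0x08  # backup eligible (synced / multi-device passkey)
FLAG_BS = 0x10  # backup state (currently backed up)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticator data into named fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])  # big-endian uint32
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def decide_mfa(auth_data: bytes, rp_id: str, uv_policy: str) -> str:
    """Return "accept", "step_up" or "reject" for an already signature-verified assertion.

    uv_policy mirrors the userVerification value the RP requested (hypothetical names):
      "required"  -> an assertion without UV is rejected outright
      "preferred" -> an assertion without UV counts as one factor; ask for another
    """
    if uv_policy not in ("required", "preferred"):
        raise ValueError(f"unknown uv_policy {uv_policy!r}")
    parsed = parse_authenticator_data(auth_data)
    # The RP ID hash must match our own domain; otherwise the assertion is for someone else.
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return "reject"
    if not parsed["user_present"]:
        return "reject"
    if parsed["user_verified"]:
        # Possession of the key plus PIN/biometric: two factors in one ceremony.
        return "accept"
    if uv_policy == "required":
        # The authenticator should not have answered without UV; never trust the client here.
        return "reject"
    # "preferred": possession only, so treat it as a single factor and step up.
    return "step_up"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticator data (no attested credential data / extensions)."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    with_uv = make_auth_data("example.com", FLAG_UP | FLAG_UV, 7)
    without_uv = make_auth_data("example.com", FLAG_UP, 8)
    print("UV set, required   ->", decide_mfa(with_uv, "example.com", "required"))
    print("no UV,  required   ->", decide_mfa(without_uv, "example.com", "required"))
    print("no UV,  preferred  ->", decide_mfa(without_uv, "example.com", "preferred"))
```

The important design point is that the server decides from the flags byte it received, not from what it requested: asking for `userVerification: "required"` is a hint to the client, and the UV bit is the only evidence that verification happened. The `backup_eligible` and `backed_up` fields are parsed as well because some deployments treat a synced passkey differently from a hardware-bound one when deciding whether a step-up is needed.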
🚧 Brute-Forcing One-Time Passwords 🚧
My last two threads discussed the probability of brute-forcing OTPs, how to do it effectively and how to defend against attacks.
Here is an overview of the topics covered:
1. Bernoulli Processes 🧮
2. Increasing and Decreasing Probabilities 🤞
Here's everything compiled into a blog post 📰
Do you find my content valuable?
🔔 Follow me for more web security content.
🔁 Also, boost this toot to spread the word!
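The Bernoulli-process view from the thread summary above, worked through as an added example that is not part of the original posts, from the defender's side: a code of `d` digits has `10**d` possible values, so each guess is a trial with success probability `p = 10**-d`. If the code stays fixed for the whole window and guesses are never repeated, the chance that `n` guesses hit it is simply `n / 10**d`; if the code rotates between attempts (or the guesser cannot avoid repeats) the trials are independent and the chance is `1 - (1 - p)**n`. The third function turns a target probability into the largest lockout threshold that keeps the fixed-code case at or below it, which is how a rate-limit budget for OTP verification is sized. The function names and the `target` parameter are this example's own.

```python
import math


def guess_probability_fixed_code(digits: int, attempts: int) -> float:
    """Code is fixed during the window and each guess is distinct: hits / code space."""
    space = 10 ** digits
    return min(attempts, space) / space


def guess_probability_rotating_code(digits: int, attempts: int) -> float:
    """Code changes between attempts (independent Bernoulli trials): 1 - (1 - p)^n."""
    p = 1.0 / 10 ** digits
    return 1.0 - (1.0 - p) ** attempts


def attempts_for_target(digits: int, target: float) -> int:
    """Largest lockout threshold keeping the fixed-code success probability <= target."""
    # Small epsilon so that e.g. 1e-4 * 10**6 floors to 100 rather than 99.
    return math.floor(target * 10 ** digits + 1e-9)


if __name__ == "__main__":
    # Constructed comparison: same attempt budget, different code lengths.
    for digits in (4, 6, 8):
        for attempts in (5, 100):
            print(
                f"{digits} digits, {attempts:>3} attempts: "
                f"fixed={guess_probability_fixed_code(digits, attempts):.2e} "
                f"rotating={guess_probability_rotating_code(digits, attempts):.2e}"
            )
    # Budget needed to keep a 6-digit code below a 1-in-10,000 success probability.
    print("6-digit budget for target 1e-4:", attempts_for_target(6, 1e-4), "attempts")
```

Two things the numbers make visible: the fixed-code probability is always at least as large as the rotating-code one (`1 - (1 - p)**n <= n*p`), so it is the conservative figure to design against, and the lockout threshold, not the code length, is the lever that actually bounds risk, which is consistent with the point made elsewhere on this page that going beyond 6 digits buys little while hurting usability.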
OAuth Authentication with Enhance?
Read @ryanbethel latest post on how to set it up.
🔒 Verify email and phone for new accounts
Verify a phone number or email address as a method for account recovery.
Usually I polish my work a bit more before releasing it publicly, but I really wanted to give people interested in making fediverse apps for everyone a bit of a head start.
Here's a very work-in-progress authentication server I use for my fediverse connections data visualization project:
Would you feel at all suspicious of a site that asked to do so? Knowing that it would allow said site to post to your mastodon account?
🔒 Authentication for a Username and Password flow
Continuing our series on authentication. Build a username password authentication flow for an Enhance app.
Newbie question: what is the best #mfa #authentication method for #offline networks? I am playing around with a lab environment where I want good mfa inside but don’t want it to connect to the internet. My current point of view is: I can not place #Fido there since it "needs" internet in many ways.. right? My current way of thinking is I build a PKI into this network and use it with #yubikey acting as a Smartcard but not #u2f or #fido2. Am I wrong? Are there better options?
If passkeys are easy enough to use, will people be less inclined to stay logged in via cookies? (Password managers have shifted me this direction.) Will websites cut down on the "stay logged in" option? Because there's a market for cookie credentials to break into accounts.
#Security #PasswordManager #passkey #login #authentication