Masthash

#authentication

AskUbuntu
14 hours ago
TechHelpKB.com 📚
1 day ago

The latest update to Windows 11 introduces support for passkeys, which provide phishing-resistant passwordless authentication. #windows11 #passkeys #phishing #passwordless #authentication

https://tchlp.com/3EXrPmy

Kolide
3 days ago

Anyone heading to #Oktane next week in San Francisco?

We'd love to connect with more of our Okta and infosec community there!

#okta #conference #cybersecurity #security #authentication

Brian Rinaldi
3 days ago

We're live in 15 minutes with Dev Agrawal who will be showing how sessions can be a powerful tool in authentication and enable security and UX features. #authentication #development #webdev https://crowdcast.io/c/sign-in-sessions

Nick Taylor
6 days ago

It was tonnes of fun hanging with @devagrawal09 from @clerkdev this week on my Twitch stream! We discussed all things Clerk, authentication, web dev, all the things!

Here's a highlight from the stream. Full recording dropping on YouTube next week!

#authentication #usermanagement #webdevelopment https://www.twitch.tv/videos/1933567799?filter=highlights&sort=time

AskUbuntu
6 days ago

Which CA Certificate to use when installing Ubuntu 22.04 from a USB? #networking #2204 #liveusb #authentication #certificates

https://askubuntu.com/q/1486815/612

Andrey Krisanov
6 days ago

#Keycloak provides many advanced features for implementing #authentication. Configuring a custom #LDAP user filter for User Federation to select a subset of user entries in Active Directory is just one of them. It might be quite useful in big organizations. The following post describes my experience: https://akrisanov.com/custom-user-ldap-filter-in-keycloak/

I'm finally writing an #introduction toot LOL.

I'm "JJGadgets" online, you can call me JJ, everyone does.

My life is #tech, nothing brings me more joy and zen than sitting in front of my screens. Maybe except for Japanese food.

I use and prefer #linux for both server and desktop use, despite its flaws. I live in the #commandline. Been that way since I first jailbroke on iOS 5 and installed MobileTerminal.

I study #infosec but textbooks and lessons don't even come close to doing justice to what #infosec is all about. I like to think that I live and strive to live the infosec life, including my mindset. (After all, that's why @truxnell started calling me the "tinfoil hat sensei" LOL)

I do #Kubernetes @ Home, and maintain my cluster state in #git then apply it with tools like #FluxCD. My #homelab repo can be found at https://biohazard.jjgadgets.tech (will always 301 redirect to my latest Git remote of choice, in the event it changes). I think using #GitOps/IaC to declare desired security-related state (policies, rules etc) makes managing security a lot easier.

I try to follow "Principle of Least Privilege" for my homelab, and especially for Kubernetes security, using tools such as network policies (#netpols), policy engines, secrets management, identity management, strong #authentication, and access control. For example, my homelab Kubernetes cluster heavily uses netpols everywhere to default-deny and only allow the necessary network traffic for any given app to work.

I am also very interested in strong authentication methods such as #passwordless #fido2 / #webauthn (#yubikey and #passkeys) and where possible, I only enroll FIDO2 MFA, and choose the passwordless variant if available.

I try my best to use privacy-respecting software where possible, as I believe in maintaining transparency and control over the #privacy of people, regardless of online or offline.

I also believe in #opensource, too many times we've been shown the consequences of relying on closed source software, so where possible I always prefer open source.

Outside of the screen, admittedly I'm terrible at life stuff, and it's very hard for me to be interested in much of anything other than stuff on or related to a screen/device (I basically only talk tech stuff LOL). I'm working on changing that in the event I burn out hard again (though I still haven't found a non-tech interest yet, as of writing). I've burnt out multiple times despite still being a student, and thus I now (try to) take as many necessary measures as I can to avoid over-working, over-stressing or over-exerting myself.

That's about it, let's chat (or toot?)!

Emory L.
1 week ago

hey p.s. #macOS users if you have two #yubikeys (I use many but the #5c or #5cNFC are good options) you can add security keys to your Apple ID for a much better #MFA option. Apple makes you have redundant tokens, and I have to wait until I get back to Iowa to set it up for myself but I don't know how I missed this.

https://support.apple.com/en-us/HT213154

#infosec #authentication #appleID #iCloud #security

I seem to have locked myself out of my #Yubikey 😩

So now if I want to use it as a #passkey I have to reset all my #2fa seeds.

Back when I first got it I thought I'd use it for #WebAuthN so I bought two but only Google, Amazon, and Microsoft supported that so I only use it for #TOTP really.

Maybe I'll just set up the second one now..

#authentication #tech #security

@hertg my personal opinion is that for an #IdP it should work without JS because you have everything needed server-side AND you have a server.
For client-side-only apps though, that's where JS is allowed (and a must actually)
#javascript #identity #securitykeys #Passkeys #webauthn #iam #idp #openid #authentication #webdev

Michael :donor:
1 week ago

Requiring JavaScript for Login Flows

The modern web and all its client-side code makes #javascript pretty much a requirement to surf the internet. Should #identity providers still go the extra step to make login flows work without JavaScript or is it reasonable to make JS a requirement?

Please comment if you want to add nuance, and thanks for sharing :)

btw. Google and Microsoft require JS for logins while Facebook, Amazon, and Github apparently don't. But JS obviously becomes a requirement once you use #securitykeys / #passkeys / #webauthn.

#iam #idp #openid #authentication #webdev

Teknikal_Domain
1 week ago

Okay nerds, it's #selfhosted #authentication #askFedi time.

I'm about to move a few parts of my network off-site. Anyone have any input for getting LDAP-based authentication to work across locations?

Like, LDAP+TLS with mutual certificate authentication is just fine, but I don't like the idea of exposing an LDAP port. Though a firewall rule to only allow the other side's IP to access it would probably be okay.

Given that this side still needs to access some internal services, it also makes sense just to #WireGuard it or something, that gives me everything in a manner that I believe is secure, I've yet to hear of any breaks on its encryption... just that if the remote host is compromised I have quite a wide open attack surface.

Any ideas?

#askFediverse #networking #networkSecurity

Marcin Lis
1 week ago

#Cloudflare’s Dashboard enables users to configure 2-Factor #Authentication using a #Security Key. An issue in the authentication system allowed for the retrieval of #recovery codes (used to regain account access if the security key is lost) after verifying the username and password but before completing the authentication process by touching the Security Key.
#bugbounty
https://hackerone.com/reports/1805779
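
The ordering bug described in the report above, as an added example that is not the page's or Cloudflare's code: a session that records which factors have actually been verified, and a recovery-code endpoint in its vulnerable and hardened forms. The user store, the salted hashing, the factor names and the pass-through of the security-key result are constructed assumptions for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Factors a fully authenticated session must have completed (assumption).
REQUIRED_FACTORS = ("password", "security_key")

# Constructed sample user store (not real credentials): salted SHA-256 of the
# password, plus the recovery codes that the endpoint under test hands out.
USERS = {
    "alice": {
        "salt": b"c0ffee",
        "pw_hash": hashlib.sha256(b"c0ffee" + b"correct horse battery").hexdigest(),
        "recovery_codes": ["ABCD-1234", "EFGH-5678"],
    }
}


class AuthError(Exception):
    pass


@dataclass
class Session:
    user: str
    completed: list = field(default_factory=list)  # factors verified so far

    def fully_authenticated(self) -> bool:
        return all(f in self.completed for f in REQUIRED_FACTORS)


def verify_password(session: Session, password: str) -> bool:
    """First factor: compare the salted hash in constant time."""
    rec = USERS[session.user]
    digest = hashlib.sha256(rec["salt"] + password.encode()).hexdigest()
    if hmac.compare_digest(digest, rec["pw_hash"]):
        session.completed.append("password")
        return True
    return False


def verify_security_key(session: Session, assertion_valid: bool) -> bool:
    """Second factor. The WebAuthn assertion check itself is out of scope here,
    so its outcome is passed in as a boolean (assumption for the example)."""
    if "password" not in session.completed:
        raise AuthError("second factor attempted before first")
    if assertion_valid:
        session.completed.append("security_key")
    return assertion_valid


def recovery_codes_vulnerable(session: Session) -> list:
    # Bug pattern: the endpoint only checks that the password step succeeded,
    # so a caller who stops after the password prompt can fetch the codes that
    # let them skip the security key entirely.
    if "password" not in session.completed:
        raise AuthError("not logged in")
    return USERS[session.user]["recovery_codes"]


def recovery_codes_fixed(session: Session) -> list:
    # Hardened: every factor in REQUIRED_FACTORS must have been verified.
    # Any sensitive endpoint (recovery codes, MFA settings, API tokens) gates
    # on the full set, not on the first factor.
    if not session.fully_authenticated():
        missing = [f for f in REQUIRED_FACTORS if f not in session.completed]
        raise AuthError("authentication incomplete, missing: " + ", ".join(missing))
    return USERS[session.user]["recovery_codes"]


def codes_served(endpoint, session: Session) -> bool:
    """True if the endpoint returns codes for this session, False if it refuses."""
    try:
        endpoint(session)
        return True
    except AuthError:
        return False
```

The useful habit is the explicit list of completed factors on the session: a half-finished login then has a distinct state that every sensitive handler can refuse, instead of each handler guessing from "is there a user id" whether authentication is done.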

Generic white guy SysAdmin
2 weeks ago

And to wrap up the session before lunch, Brian Bockelman gives us a Token Taxonomy, with respect to #HTCondor. I appreciate it because #authentication & #authorization still confuse 😖 the heck out of me.
https://indico.cern.ch/event/1274213/contributions/5571155/

Infrogmation
2 weeks ago

So, is there a way to enable "two factor authentication" on a Linux laptop for facebook, not using a smartphone?

#Question #Facebook #Laptop #Linux #Authentication

AskUbuntu
2 weeks ago

VPN connection in Ubuntu 22.04 throws "MS-CHAP authentication failed" #server #networkmanager #vpn #authentication #l2tp

https://askubuntu.com/q/1486200/612

Nick Taylor
2 weeks ago

Looking forward to hanging with @devagrawal09 this week on https://nickyt.live! We're going to discuss Clerk, auth, web dev, all the things!

Come chill with us this Wednesday, September 20th at 5 pm UTC!

Reminder: https://www.nickyt.co/pages/stream-schedule/#dev-agrawal-clerk-authn-authz-web-dev-all-the-things- #authentication #authorization #webdevelopment

D2I 🕊
2 weeks ago

#Authorizer is an #open-source #authentication and #authorization solution for your applications. Bring your database and have complete control over the user information. You can self-host authorizer instances and connect to any database (Currently supports 11+ databases including Postgres, MySQL, SQLite, SQLServer, YugaByte, MariaDB, PlanetScale, CassandraDB, ScyllaDB, MongoDB, ArangoDB).

https://github.com/authorizerdev/authorizer

#Linux #macOS #windows

Authgear
2 weeks ago

Build vs. Buy in 2023: Top Considerations for Choosing Identity Management Solution

Choosing between building or buying an identity management solution is not a straightforward decision. In this article, we'll dive into the key considerations that can guide this decision.

https://www.authgear.com/post/build-vs-buy-in-2023-top-considerations-for-choosing-identity-management-solution

#identityandaccessmanagement #authentication #security #buildorbuy

FOSSlife
2 weeks ago

Learn what passkeys are all about and their advantages and disadvantages https://www.fosslife.org/why-and-how-use-passkeys #security #passwords #passkey #authentication #cryptography

AskUbuntu
3 weeks ago

Random print before login after restarting in Ubuntu from Windows on a dual-boot #2204 #printing #authentication

https://askubuntu.com/q/1485160/612

STRÖMBLAD
3 weeks ago

I'm almost afraid of asking this question, but I'll do it anyway.

Why are we still using cookies to store state about for example authentication and session?

I mean, as a user I go through hoops to securely authenticate myself, tokens here and there, hardware fingerprint readers... only to have all of this, reduced to a text file, stored in the clear, in my browser.

It just seems... odd. Oh, BTW, asking for a friend ;-)

#Security #Web #Development #Session #Authentication #Cookies

Stephen Shankland
3 weeks ago

I'm a fan of passkeys for easier, safer authentication. So is password manager Dashlane: "With the rollout of iOS 17, Dashlane will be available as a passkey manager on both mobile and desktop, supporting passkeys across web and on Android and iOS." https://www.dashlane.com/blog/passkeys-progress-innovation
#Authentication #passkeys #PasswordManager #Dashlane #iOS17 #iOS

‼️ #AUTHENTICATION
‼️ IS
‼️ A
‼️ NON-FUNCTIONAL
‼️ #REQUIREMENT
‼️ FROM
‼️ DAY
‼️ 0
‼️ !!!
👏👏👏👏👏👏👏👏

AskUbuntu
3 weeks ago

802.1x wired authentication: How to make NetworkManager ask for identity every time? #networkmanager #security #authentication

https://askubuntu.com/q/1484993/612

Martin Tilo Schmitz
3 weeks ago

Dear Tech world,
Seamless SSO (Single Sign-On)
#rant #seamless #sso #IT #authentication

Image macro depicting Inigo Montoya from The Princess Bride with the caption "You keep using that word, I do not think that it means what you think it means"

KubikPixel™
3 weeks ago

4 Okta customers hit by campaign that gave attackers super admin control:

Attackers already had credentials. Now, they just needed to bypass 2FA protections.

🔐 https://arstechnica.com/security/2023/09/4-okta-customers-hit-by-campaign-that-gave-attackers-super-admin-control/

--
#security #2fa #2factorauthentication #authentication #bypass #admintools

Nishant Kaushik
3 weeks ago

Getting rid of 3rd party cookies to avoid tracking: noble idea, but with some really bad side effects (for #authentication).
Replacing it with an API that mines your browser history to create an interests profile for you that any website can query (and put more money into Google's pockets), while using the terms "enhanced" and "#privacy" in the name: sketchy af.
https://www.theregister.com/2023/09/06/google_privacy_popup_chrome/

ricchi
1 month ago

.@jik This is another one of those situations where the best answer is likely that the industry needs to create a better #authentication mechanism. Memorizing a code is terrible #UX from the jump. The fact that it also isn't long enough to foster confidence is just extra.

But it does cause problems. It's the reason why the big platforms need to offer this kind of thing in a way which harms #user #privacy. Since these short codes can't actually be trusted, they want to lock-in #2FA to a user's #phone, situating them with location services, and reducing the likelihood of an impersonation attempt.

As an industry, we can do much better. But of course, #PII is money. This tends to incentivize businesses to only propose #security solutions which don't interfere with consuming user #data.

#cryptography #appsec #infosec

Jonathan Kamens
1 month ago

Attention people building #authentication mechanisms for web sites and apps! Numeric verification codes sent via text or email are not actually a context in which bigger is better! 6 digits is enough. More than 6 is bad #UX, because the average person can remember 6 for long enough to get them from the message to the app, but more than that is hard for many. There's a lot of research on this. Go look it up and stop using codes longer than 6 digits. #infosec #AppDev #WebDev #SecurityEngineering

AskUbuntu
1 month ago

Fail2ban sshd rule is active but not working! #ssh #authentication #fail2ban

https://askubuntu.com/q/1484322/612

Kingsley Uyi Idehen
1 month ago

What's going on here?

I authenticate using @apple, @linkedin, etc.,
via their respective auth services, but retain control of the post-login identifier.

My Link In Bio style profile doc determines my canonical identity😀

#SSI #SSO #Identity #Authentication #CreatorEconomy #IndieAuth

GÉANT
1 month ago

🎓 #InAcademia, the real-time online student validation service, has continued to grow in 2022!

The service is now operational in 🇳🇱 🇩🇪 🇩🇰 🇪🇸 🇫🇷 🇮🇹 🇸🇪 🇹🇷 🇦🇹 🇮🇸 🇫🇮

Read about #NRENs activities in Trust & Identity (and much more) in the 2022 GÉANT #Compendium of NRENs 👉
https://resources.geant.org/wp-content/uploads/2023/07/Compendium-2022-2023-IX.pdf

More about InAcademia at https://inacademia.org

@SURF @DFN @nordunet @renater

#TrustAndIdentity #IAM #IdentityAndAccessManagement #eduGAIN #authentication #validation #privacy #students #academia

GÉANT Compendium 2022 of National Research and Education Networks in Europe.

Figure 7.6: Federations Participating in InAcademia.

In orange: Countries where InAcademia is now operational. 
In blue: Countries where NRENs indicated an interest in starting InAcademia operations and are supportive of new use cases

Kingsley Uyi Idehen
1 month ago

Here's a screencast demonstration of Single Sign-On facilitated by loosely-coupling #Identity and #Authentication, courtesy of the #IndieAuth protocol.

https://youtu.be/DyRlar9PCvM

#SSI #CreatorEconomy #YouID #VirtuosoRDBMS #SPARQL #Screencast #HowTo

Stephen Shankland
1 month ago

A huge tech player with a bajillion customers just enabled passkey support: Amazon. Here's how to enable them for login that in my experience is fast and easy and, according to a ton of experts I've spoken to, vastly more secure than passwords.

https://www.amazon.com/gp/help/customer/display.html?nodeId=TPphmhSWBgcI9Ak87p

#Security #Authentication #Amazon

PapaErnie69
1 month ago

Exploring authentik today... I think I'm liking this...

https://goauthentik.io/

#authentik #authentication #security

Denzil Ferreira 🌳🍄
1 month ago

Been thinking to get a USB fingerprint reader for a mini desktop PC I have running Fedora 38. Any recommendations?

#linux #lfvs #biometric #authentication

I just got #T2 authenticated today.

I've had my share of being impersonated online, so if there is an "official" authentication system available, I take the opportunity (but not Twitter and Meta, they rejected me multiple times).

So, I guess before this week ended, there's something good that happened. It at least lifted my soul.

Here's my profile: https://t2.social/YourOnlyOne

If you want invites, ping me up, I still have a few left.

#T2social #SNS #verified #verification #authentication #authenticated #YourOnlyOne

#FIDO2 - the superior Multi Factor #Authentication Framework
https://media.ccc.de/v/camp2023-57174-fido2
(50min) by @cy

Great overview/intro talk about #2FA using #WebAuthN, hardware security tokens, #TOTP and #passkeys.

Furthermore: why FIDO2 does have some advantages compared to passkeys when #security is more important than convenience. Passkeys leak your private key to the #cloud provider.

#MFA #YubiKey #Solokeys #NitroKey

/cc @frank @keno3003

Linux Magazine
1 month ago

ICYMI: Jesse Hagewood shows you how to integrate Google Authenticator with SSH logins https://www.linux-magazine.com/Issues/2023/269/Multifactor-Authentication-with-SSH #authentication #SSH #Linux #password #MFA #TOTP


Storm-0558 hacks of Microsoft Exchange

In mid-July 2023, Microsoft reported that a Chinese hacking group tracked as '#Storm0558' breached the email accounts of 25 organizations, including US and Western European government agencies, using #forged #authentication #tokens from a stolen Microsoft consumer #signing #key.

Using this stolen key, the Chinese threat actors exploited a zero-day vulnerability in the #GetAccessTokenForResource API function for Outlook Web Access in Exchange Online (#OWA) to forge authorization tokens.

These tokens allowed the threat actors to impersonate Azure accounts and access email accounts for numerous government agencies and organizations to monitor and steal email.

After these attacks, Microsoft faced a lot of criticism for not providing adequate #logging to Microsoft customers for free. Instead, Microsoft required customers to purchase additional licenses to obtain logging data that could have helped detect these attacks.

After working with CISA to identify crucial logging data needed to #detect #attacks, Microsoft announced that they now offer it for free to all Microsoft customers.

https://c.im/@cdarwin/110868252863491282

US cyber safety board to analyze Microsoft Exchange hack of govt emails

The Department of Homeland Security's Cyber Safety Review Board (#CSRB) has announced plans to conduct an in-depth review of #cloud #security practices following recent Chinese #hacks of #Microsoft #Exchange accounts used by US government agencies.

The CSRB is a collaboration of public and private sectors, created to conduct in-depth investigations that offer a better understanding of critical events, discern root causes, and issue informed recommendations on cybersecurity.

In this case, CSRB will explore how the government, industry, and cloud service providers (CSPs) can bolster #identity #management and #authentication in the cloud and develop actionable #cybersecurity recommendations for all stakeholders.

https://www.bleepingcomputer.com/news/security/us-cyber-safety-board-to-analyze-microsoft-exchange-hack-of-govt-emails/

Microsoft Signing Key Stolen by Chinese - Schneier on Security

A bunch of networks, including US Government networks, have been hacked by the Chinese. The hackers used #forged #authentication #tokens to access user email, using a stolen Microsoft Azure account consumer signing key. Congress wants answers.

The phrase “negligent security practices” is being tossed about—and with good reason. Master signing keys are not supposed to be left around, waiting to be stolen.

Actually, two things went badly wrong here. The first is that Azure accepted an #expired #signing #key, implying a vulnerability in whatever is supposed to check key validity.

The second is that this key was supposed to remain in the system’s #Hardware #Security #Module—and not be in software. This implies a really serious breach of good security practice.

The fact that #Microsoft has not been forthcoming about the details of what happened tells me that the details are really bad.

https://www.schneier.com/blog/archives/2023/08/microsoft-signing-key-stolen-by-chinese.html
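
The two failures called out in the Storm-0558 posts above (a forged token validated with a stolen consumer signing key, and a verifier that accepted an expired key) as an added example that is not Microsoft's code or the page's own: a small token minter and two verifiers, one that checks only the signature and one that also checks the key's validity window and the class of tokens the key is allowed to sign. The key store, the HMAC signing (the real tokens were RSA-signed) and the "consumer"/"enterprise" scope labels are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed key store (assumption). Each signing key carries an identifier, a
# secret, a validity window in Unix seconds and the class of tokens it may sign.
# HMAC-SHA256 keeps the example self-contained; the real keys were RSA.
KEYS = {
    "consumer-2016": {"secret": b"old-consumer-secret", "not_before": 1_451_606_400,
                      "not_after": 1_500_000_000, "scope": "consumer"},
    "consumer-2023": {"secret": b"new-consumer-secret", "not_before": 1_672_531_200,
                      "not_after": 1_735_689_600, "scope": "consumer"},
    "enterprise-2023": {"secret": b"enterprise-secret", "not_before": 1_672_531_200,
                        "not_after": 1_735_689_600, "scope": "enterprise"},
}


class TokenError(Exception):
    pass


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(kid: str, signing_input: bytes) -> bytes:
    return hmac.new(KEYS[kid]["secret"], signing_input, hashlib.sha256).digest()


def mint(kid: str, claims: dict) -> str:
    """header.payload.signature in JWT layout. mint() deliberately does not
    check the key's validity window: whoever holds a stolen key can sign
    whatever they like, which is exactly the attacker's position."""
    header = _b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64u(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    return f"{header}.{payload}.{_b64u(_sign(kid, signing_input))}"


def _split(token: str):
    header, payload, sig = token.split(".")
    return (json.loads(_b64u_decode(header)), json.loads(_b64u_decode(payload)),
            _b64u_decode(sig), f"{header}.{payload}".encode())


def verify_signature_only(token: str) -> dict:
    """The weak check: any key in the store, whatever its age or purpose,
    validates the token as long as the signature matches."""
    header, claims, sig, signing_input = _split(token)
    kid = header.get("kid")
    if kid not in KEYS or not hmac.compare_digest(sig, _sign(kid, signing_input)):
        raise TokenError("bad signature")
    return claims


def verify_strict(token: str, now: int, expected_scope: str) -> dict:
    """What a resource should check: key known, key inside its validity window
    at verification time, key scoped for this resource class, signature
    correct, and the token itself not expired."""
    header, claims, sig, signing_input = _split(token)
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise TokenError("unknown kid")
    if not key["not_before"] <= now < key["not_after"]:
        raise TokenError("signing key outside its validity window")
    if key["scope"] != expected_scope:
        raise TokenError(f"{key['scope']} key may not sign {expected_scope} tokens")
    if not hmac.compare_digest(sig, _sign(header["kid"], signing_input)):
        raise TokenError("bad signature")
    if int(claims.get("exp", 0)) <= now:
        raise TokenError("token expired")
    return claims


def accepted(token: str, now: int, expected_scope: str) -> bool:
    try:
        verify_strict(token, now, expected_scope)
        return True
    except TokenError:
        return False
```

Note that the key's window is evaluated at verification time, not at the token's issue time: a key that expired years ago must not validate a token that claims to be fresh, and a key issued for one account population must not validate tokens for another, regardless of how good the signature is.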

🌩️
Cloud Authentication Services

There is a sea of Cloud Auth / Identity management providers.

There was a time I used to roll my own, but as security is getting complicated, it seems for startups & small to medium businesses it is better to use a cloud auth provider.

Please share your thoughts on your experience with this as I look into this area.

So far I have come across:

#Cognito
#Auth0 (by Okta)
#Okta
#Firebase
#Supabase
#KeyCloak

#security
#authentication
#cloud

John Scott-Railton ☕
2 months ago

4/ #Phishing is a numbers game & the difficulty + cost of faking a voice have limited the use of certain presumably effective themes (e.g. call from your lawyer or mom).

Those same factors have led to some companies going hard on "my voice is my password" #authentication.

I'm glad my job doesn't include protecting financial institutions #fintech & consumers from #deepfake speech.

Or handling their #insurance .

Because the next few years are going to be a bloodbath.

#cybersecurity #fraud

Schneier on Security RSS
2 months ago

Microsoft Signing Key Stolen by Chinese

A bunch of networks, including US Government networks, have been hacked by the Chinese. The hackers used forged authentication tokens to access user ema... https://www.schneier.com/blog/archives/2023/08/microsoft-signing-key-stolen-by-chinese.html

#authentication #Uncategorized #cybersecurity #backdoors #Microsoft #hacking #China #keys

Nicolas Fränkel
2 months ago

When exposing an application, consider an #APIGateway to protect it from attacks. Rate Limiting comes to mind first, but it shouldn’t stop there. We can factor many features in the API Gateway and should be bold in moving them from our apps. In this post, I’ll show how to implement authentication at the Gateway API stage.

https://blog.frankel.ch/authentication-api-gateway/

#authentication #keycloak #SpringSecurity #SystemArchitecture

Toni Aittoniemi
2 months ago

@arstechnica Letting big tech make all these decisions on their own is pretty risky.

Due to the probably coming assault of intelligent bot-fueled personalised propaganda (probably by December this year), it will become necessary to prove one’s humanness very soon.

But that doesn’t have to be where privacy ends if nation-states step in as the legal providers of #human #authentication and guarantee #anonymity, at least from the corporate world.

But they payrolled the politicians.

Chris J. Karr
2 months ago

For Oppenheimer weekend, I broke out a couple of mementos from the two summers that I worked at Los Alamos in a support role for their high performance computing group. (ASCI Blue Mountain was just coming online around that time.)

These are two-factor authentication devices that were required to log in anywhere and are very similar to today's time-based one-time passwords (TOTP) that are in growing use today.

#LANL #LosAlamos #Security #Authentication #TOTP #BlueMountain

CRYPTOcard and SecurID devices from my time at LANL (summers 1998 & 1999).

Stephen Shankland
2 months ago

I predict that passkeys will be a big deal. In my tests using them for Google login, then with CVS just prompting me to migrate to them from password authentication, they were indeed pretty simple to use. 1Password is testing the ability to store passkeys and now the ability to unlock your passkey vault with passkeys. My latest story: https://www.cnet.com/tech/services-and-software/1password-tests-passkeys-for-unlocking-your-password-vault/
#passkeys #authentication #Security #1Password

Stephen Shankland
2 months ago

70% of Google account users have 2-factor authentication protection now. My predictions: passkey technology will help with this, making MFA easier to accomplish and less vulnerable than login codes via SMS. https://blog.google/technology/safety-security/the-past-present-and-future-of-authentication/
#authentication #passkeys #security #Google #MFA

Inautilo
3 months ago

#Development #Launches
Introducing passwordless authentication on GitHub.com · GitHub users can now start securing their accounts with passkeys https://ilo.im/142na7

_____
#GitHub #PasswordLess #Authentication #Security #WebDevelopment #WebDev #Frontend #Backend #Device #SecurityKeys #PassKeys

When I try to login to http://schizo.social using my mas.to account it doesn't work if I have the #mastodon #PWA installed 😩

It's probably because the PWA handles mas.to urls but doesn't redirect with the query params correctly...

#webDev #auth #authentication #oauth #progressiveWebApps

Stephan Wiefling
3 months ago

My PhD thesis on the usability, security, and privacy of Risk-Based Authentication (RBA) is now published. For free, for everyone, as I believe that publicly funded research should be open to the public.

On 239 pages, you will learn how to strengthen password-based authentication with RBA while being privacy-enhanced and accepted by users.

Thesis PDF: https://doi.org/10.13154/294-9901

Defense Slides: https://www.stephanwiefling.de/slides/rba-thesis-defense23.pdf

#password #ux #hci #authentication #cybersecurity #privacy #openaccess #phd

Stephan Wiefling

Usability, Security, and Privacy of Risk-Based Authentication

Weaknesses in password-based authentication have always shaken password security, especially with the rise of data breaches. Credential stuffing and password spraying attacks automatically enter leaked login credentials (username and password) on literally all websites worldwide, in the hope that users re-used them. Other attacks involving machine learning can use the login credentials to guess passwords more efficiently. To protect their users against such attacks, and to increase the cost for attackers, popular online services started using risk-based authentication (RBA). This decision was made as more than 90% of their users still refuse to opt for two-factor (2FA) or multi-factor authentication (MFA) schemes. RBA can increase the protection of these users, until more secure authentication methods are in place. RBA is an adaptive approach to strengthen password-based authentication. It monitors a set of features related to the login behavior during the password entry, e.g., IP address and user agent string. When the observed feature values significantly differ from those of previous legitimate logins, RBA requests additional information from the user to prove the claimed identity, e.g., verifying the user account’s email address. Government agencies like NIST (USA), NCSC (UK), and ACSC (AU) recommend RBA to protect users against attacks involving stolen passwords. Also a US presidential...
Three softcover books of the dissertation "Usability, Security, and Privacy of Risk-Based Authentication" in front of a building showing the logo of Ruhr University Bochum on a sunny day.

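
The RBA mechanism the abstract describes (compare the features observed at password entry with those of earlier legitimate logins, and ask for extra proof of identity when they differ) as an added example that is not from the thesis or its author: a feature-frequency risk score over a constructed login history. The feature set (country, /24 subnet, user-agent string), the weights, the threshold and the sample history are assumptions chosen for illustration; the thesis itself evaluates different feature sets and scoring models.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class LoginEvent:
    ip: str
    user_agent: str
    country: str


# Feature weights (constructed for the example). Country carries the most
# weight, then the /24 the address sits in, then the browser string, which
# changes on every browser upgrade and so should not be decisive on its own.
WEIGHTS = {"country": 0.5, "subnet": 0.3, "user_agent": 0.2}
CHALLENGE_THRESHOLD = 0.5


def _features(event: LoginEvent) -> dict:
    subnet = str(ip_network(f"{event.ip}/24", strict=False))
    return {"country": event.country, "subnet": subnet, "user_agent": event.user_agent}


def risk_score(history: list, event: LoginEvent) -> float:
    """Sum over features of weight * (1 - share of previous legitimate logins
    that had the same value). An empty history scores 1.0 (nothing seen yet).
    Only the feature values of successful logins are stored, no raw requests."""
    if not history:
        return 1.0
    current = _features(event)
    past = [_features(h) for h in history]
    score = 0.0
    for name, weight in WEIGHTS.items():
        seen = sum(1 for p in past if p[name] == current[name]) / len(past)
        score += weight * (1.0 - seen)
    return round(score, 6)


def decide(history: list, event: LoginEvent) -> str:
    """'allow': the correct password suffices. 'verify': request additional
    proof, e.g. a code sent to the account's registered email address."""
    return "verify" if risk_score(history, event) >= CHALLENGE_THRESHOLD else "allow"


# Constructed history of four earlier successful logins for one account.
HISTORY = [
    LoginEvent("203.0.113.10", "Firefox/117", "DE"),
    LoginEvent("203.0.113.11", "Firefox/117", "DE"),
    LoginEvent("203.0.113.10", "Firefox/117", "DE"),
    LoginEvent("198.51.100.7", "Firefox/117", "DE"),
]
```

With this history a browser upgrade from the usual network scores 0.275 and passes, a credential-stuffing attempt from a new country with an automation user agent scores 1.0 and is challenged, and the user travelling abroad with their usual browser scores 0.8 and is challenged too, which is the usability cost the thesis measures.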
Marco Ivaldi
3 months ago

Pulling SYSTEM out of #Windows GINA — #Authentication #Bypass to SYSTEM shell in #ManageEngine #ADSelfService Plus Windows GINA Client

// by @pedrib1337@twitter.com

https://github.com/pedrib/PoC/blob/master/advisories/ManageEngine/adselfpwnplus/adselfpwnplus.md

Pre-auth SYSTEM shell

Michael :donor:
3 months ago

Question about implementation of #Passkeys. As I understand it, having a user login with passkey but without UV (User Verification) is not necessarily MFA as it could just be a stolen security key (Something you have).

How is (or should) #MFA with Passkeys implemented in practice? By setting UV as "required"? Or by setting UV as "preferred" and then based on the user response prompt for another factor (eg. #TOTP) in case there was no UV? I am a bit confused about how to fit Passkeys into the current #authentication logic.

#passwords #fido #fido2 #webauthn #identitymanagement #iam #oauth #openid
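
One way a relying party can answer the question above, as an added example that is not the poster's code or any library's API: decode the flags byte of the WebAuthn authenticatorData and map the UV bit plus the RP's userVerification setting to allow / step-up / reject. The rpIdHash, flags and signature counter layout is the one WebAuthn defines; the decision policy, the RP ID "example.com" and the constructed authenticator data (no real authenticator involved) are assumptions for the example.

```python
import hashlib

# Bits of the WebAuthn authenticator data flags byte (byte 32 of authenticatorData).
FLAG_UP = 0x01  # user present (a touch)
FLAG_UV = 0x04  # user verified (PIN or biometric checked by the authenticator)
FLAG_BE = 0x08  # backup eligible: credential may be synced (WebAuthn Level 3)
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data present (registration only)
FLAG_ED = 0x80  # extension data present


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode the fixed-size prefix: 32-byte rpIdHash, 1-byte flags,
    4-byte big-endian signature counter."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": int.from_bytes(auth_data[33:37], "big"),
    }


def mfa_decision(auth_data: bytes, rp_id: str, uv_policy: str) -> str:
    """Return 'allow', 'step_up' or 'reject' for an assertion.

    uv_policy mirrors the userVerification option the RP requested:
      'required'  -> an assertion without UV violates the request; reject it.
      'preferred' -> without UV the credential proves possession only, so ask
                     for a second factor (e.g. TOTP) before treating it as MFA.
    With UV set the authenticator has already checked a second factor locally.
    """
    data = parse_authenticator_data(auth_data)
    if data["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "reject"
    if not data["user_present"]:
        return "reject"
    if data["user_verified"]:
        return "allow"
    if uv_policy == "required":
        return "reject"
    if uv_policy == "preferred":
        return "step_up"
    raise ValueError(f"unknown uv_policy {uv_policy!r}")


def sample_auth_data(rp_id: str, flags: int, sign_count: int = 7) -> bytes:
    """Constructed authenticator data with the given flags byte, for exercising
    the decision logic without an authenticator."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))
```

The rule that matters is that the RP decides from the flags the authenticator actually returned, never from what it asked for: with userVerification "preferred" a security key without a PIN will happily return UP only, and that assertion is one factor until something else is added.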

Konstantin :C_H:
3 months ago

🚧 Brute-Forcing One-Time Passwords 🚧

My last two threads discussed the probability of brute-forcing OTPs, how to do it effectively and how to defend against attacks.

Here is an overview of the topics covered:

1. Bernoulli Processes 🧮
https://infosec.exchange/@kpwn/110520985360492457

2. Increasing and Decreasing Probabilities 🤞
https://infosec.exchange/@kpwn/110561329301840527

Here's everything compiled into a blog post 📰
https://kpwn.de/2023/06/brute-forcing-one-time-passwords/

Do you find my content valuable?

🔔 Follow me for more web security content.

🔁 Also, boost this toot to spread the word!

#Infosec #CyberSecurity #BugBounty #Pentesting #Hacking #Passwords #OTP #Authentication

Stephen Shankland
3 months ago

Just logged into CVS and they prompted me to enroll a passkey. Super easy. 3 steps and I'm done. (For this browser, on this laptop — sync is the next hurdle.)
#passwordless #authentication #passkey

Screenshot of CVS prompt to enroll in passkey authentication — no password required. Step 1 of 3
Screenshot of CVS passkey authentication enrollment. Step 2 of 3
Screenshot of CVS passkey authentication enrollment. Step 3 of 3

enhance
3 months ago

OAuth Authentication with Enhance?

Yes, please.

Read @ryanbethel latest post on how to set it up.

#enhance #authentication

https://begin.com/blog/posts/2023-06-15-oauth-authentication

Konstantin :C_H:
4 months ago

One-time passwords are often used for authentication.

This thread will show you how likely they are to be guessed.

Part 1: Bernoulli Processes 🧮

#Infosec #CyberSecurity #BugBounty #Pentesting #Passwords #OTP #Authentication
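
The Bernoulli-process view of OTP guessing from Konstantin's two threads above (and the "6 digits is enough" point in Jonathan Kamens' post earlier on this page) as an added example that is not from either author: the success probability of guessing a fixed code with and without repeated guesses, the same calculation when the code rotates every window and attempts per window are capped, and the digit count a rate-limited scheme needs to keep an attacker below a target probability. The formulas are the standard ones for a single code of N = 10^digits values; the budgets in the usage note are constructed.

```python
import math


def fixed_code_success(digits: int, attempts: int, unique_guesses: bool = True) -> float:
    """Probability of hitting one fixed code of `digits` decimal digits.

    unique_guesses=True: the attacker never repeats a guess, so after k tries
    exactly k of the N = 10**digits codes are covered: probability k/N, which
    reaches 1 once k == N.
    unique_guesses=False: guesses are drawn with replacement, a Bernoulli
    process with p = 1/N per trial and success probability 1 - (1-p)**k.
    """
    space = 10 ** digits
    if unique_guesses:
        return min(attempts, space) / space
    return 1.0 - (1.0 - 1.0 / space) ** attempts


def rotating_code_success(digits: int, attempts_per_window: int, windows: int) -> float:
    """The code changes every window (TOTP style) and the attacker gets at most
    `attempts_per_window` tries per window. Each window is an independent trial
    with success probability attempts/N, so coverage does not accumulate the
    way it does against a fixed code: overall 1 - (1 - attempts/N)**windows."""
    space = 10 ** digits
    per_window = min(attempts_per_window, space) / space
    return 1.0 - (1.0 - per_window) ** windows


def attempts_for_confidence(digits: int, target: float, unique_guesses: bool = True) -> int:
    """Smallest number of guesses giving at least `target` success probability
    against a fixed code."""
    space = 10 ** digits
    if unique_guesses:
        return math.ceil(target * space)
    # solve 1 - (1-p)**k >= target for k, p = 1/N
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - 1.0 / space))


def digits_needed(attempts_total: int, max_success: float) -> int:
    """Defender's view: given the total guesses a lockout policy permits for
    one code, the fewest digits that keep the attacker's best-case (unique
    guesses) success probability at or below max_success."""
    digits = 1
    while attempts_total / 10 ** digits > max_success:
        digits += 1
    return digits
```

Against a fixed 6-digit code, 1000 distinct guesses succeed with probability exactly 0.001, slightly less if guesses repeat; a 4-digit code is certain to fall within 10,000 distinct guesses. If the code rotates every 30 seconds and the server allows 5 attempts per window, 100 windows (50 minutes) give under 0.0005, less than the 500 cumulative guesses would against a fixed code. With a lockout after 100 total guesses, 6 digits hold the attacker to 10^-4; more digits buy nothing the lockout does not already provide, which is the usability argument for stopping at 6.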

enhance
4 months ago

🔒 Verify email and phone for new accounts

Verify a phone number or email address as a method for account recovery.

by @ryanbethel

#enhance #authentication

https://begin.com/blog/posts/2023-06-01-email-phone-verify

Stephen Shankland
4 months ago

Bet you a nickel Apple at WWDC will announce some passkey support for accessing its own services, e.g. iCloud
#Passkey #authentication #WWDC #Apple

Stefan Bohacek
4 months ago

Usually I polish my work a bit more before releasing it publicly, but I really wanted to give people interested in making fediverse apps for everyone a bit of a head start.

Here's a very work-in-progress authentication server I use for my fediverse connections data visualization project:

https://github.com/stefanbohacek/auth-server

#fediverse #mastodon #calckey #oauth #authentication #nodejs #development

#Mastodon is an #OAuth provider, just like Facebook, Twitter, Google etc. That means a third party site could allow you to "login with mastodon"

Would you feel at all suspicious of a site that asked to do so? Knowing that it would allow said site to post to your mastodon account?

#ActivityPub #WebDev #authentication #auth #fediverse

enhance
4 months ago

🔒 Authentication for a Username and Password flow

Continuing our series on authentication. Build a username password authentication flow for an Enhance app.

by @ryanbethel

#enhance #authentication

https://begin.com/blog/posts/2023-05-26-password-username-auth-flow

EINGFOAN :donor:
4 months ago

Newbie question: what is the best #mfa #authentication method for #offline networks? I am playing around with a lab environment where I want good mfa inside but don’t want it to connect to the internet. My current point of view is: I cannot place #Fido there since it "needs" internet in many ways.. right? My current way of thinking is I build a PKI into this network and use it with #yubikey acting as a Smartcard but not #u2f or #fido2. Am I wrong? Are there better options?

Stephen Shankland
5 months ago

If passkeys are easy enough to use, will people be less inclined to stay logged in via cookies? (Password managers have shifted me this direction.) Will websites cut down on the "stay logged in" option? Because there's a market for cookie credentials to break into accounts.
#Security #PasswordManager #passkey #login #authentication

Inautilo
5 months ago

#Development #Reviews
Why is OAuth still hard in 2023? · “We implemented OAuth for the 50 most popular APIs. It is still a mess.” https://ilo.im/12kb1l

_____
#WebDevelopment #WebDev #Frontend #Backend #API #OAuth #OpenStandard #Authentication #AccessControl

Daniel Fisher (lennybacon)
6 months ago

@Migueldeicaza Here is a new Issue requesting #hardware #SecurityKeys (e.g. #yubikey) for #SSH #authentication in the #LaTerminal #ios #app by #Xibbon.

Give it a vote if you think this is useful!

https://github.com/xibbon/LaTerminal/issues/73

I decided to implement #WebAuthN to #authenticate on my site.

This is my first time using the navigator.credentials #API. Anyone got any good articles or tips for me?

#webDevelopment #webDev #frontend #credentials #web #browser #auth #authentication #login