eupolicy.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
#authentication
Inautilo<p><a href="https://mastodon.social/tags/Development" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Development</span></a> <a href="https://mastodon.social/tags/Analyses" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Analyses</span></a><br>Passkeys and modern authentication · Let’s consider whether this is really what we want <a href="https://ilo.im/166klm" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">ilo.im/166klm</span><span class="invisible"></span></a></p><p>_____<br><a href="https://mastodon.social/tags/Business" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Business</span></a> <a href="https://mastodon.social/tags/BigWeb" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BigWeb</span></a> <a href="https://mastodon.social/tags/Gatekeepers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Gatekeepers</span></a> <a href="https://mastodon.social/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://mastodon.social/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passkeys</span></a> <a href="https://mastodon.social/tags/PasswordManagers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordManagers</span></a> <a href="https://mastodon.social/tags/WebDev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebDev</span></a> <a href="https://mastodon.social/tags/Frontend" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Frontend</span></a> <a href="https://mastodon.social/tags/Backend" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Backend</span></a> <a href="https://mastodon.social/tags/Pitfalls" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>Pitfalls</span></a></p>
Paco Hope #resist<p>A small rant on passkeys and authN.</p><p>I get how <a href="https://infosec.exchange/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkeys</span></a> are meant to be good. But I feel like it’s more wealthy privilege and tech bro myopia. This blog post raises interesting (but orthogonal) points to what I will say here.</p><p>If you only use modern devices with modern software, if you’re pretty competent and literate on modern tech things like passwords and such, maybe passkeys work for you. Especially if the passkey always belongs to the person sitting at the keyboard/device.</p><p>As soon as you get into the real world you have people helping people. You don’t have a world where the person doing the stuff is always the principal who you are authenticating. People help elderly relatives who can’t manage on their own. People help folks who are perfectly competent to decide for themselves, but physically unable to see or do some of the things that are required. People help folks like children or certain kinds of adults who are not able to decide for themselves.</p><p>These people who help people need to be different people at different times. I might be me one moment, my elderly mother-in-law the next moment, and my pre-teen child the next. Very few people log in exclusively as themselves. AND THAT’S OK!</p><p>Some folks share devices because they can’t afford each person to have their own. Auto-enrolling and storing a passkey in a browser is a terrible idea on a shared device.</p><p>I knew a sysadmin who administered an online forum. He typed with a mouth stick. The process of opening an app, getting a 6-digit code, and keying that in before it expired was just not realistic. 
The admin accounts on that system can’t have MFA turned on, because the stupid software is all-or-none: either it’s mandatory for all admins or can’t be activated by any admins!</p><p>Passkeys are an authentication system that is controlled—not by the user—but by some fickle, unregulated tech company. They don’t care and can’t be made to care.</p><p>User names and <a href="https://infosec.exchange/tags/passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passwords</span></a> are the worst form of <a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a>, except for all the others. </p><p><a href="https://lucumr.pocoo.org/2025/9/2/passkeys/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">lucumr.pocoo.org/2025/9/2/pass</span><span class="invisible">keys/</span></a></p>
Some Bits: Nelson's Linkblog<p>Passkeys in current deployment: Interesting stories from the reality of passkeys. Particularly interested in how non-technical people are getting autoenrolled with them.<br><a href="https://lucumr.pocoo.org/2025/9/2/passkeys/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">lucumr.pocoo.org/2025/9/2/pass</span><span class="invisible">keys/</span></a><br> <a href="https://tech.lgbt/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://tech.lgbt/tags/passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passkeys</span></a> <a href="https://tech.lgbt/tags/identity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>identity</span></a> <a href="https://tech.lgbt/tags/login" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>login</span></a> #+</p>
Nishant Kaushik<p>In my first FIDO Alliance blog post, I cut through the noise around “passkeys being hacked” and clarify that the real issues lie in compromised environments, not in the technology. For product teams and leaders evaluating authentication strategies, the takeaway is straightforward: passkeys remain one of our strongest defenses against phishing and credential theft — when they’re implemented thoughtfully and paired with good security hygiene.</p><p>If you’ve been hesitant because of scary headlines, I hope this helps turn things back to reality: passkeys are here to stay, and they’re a major step forward.</p><p>Read the full thoughts here: <a href="https://fidoalliance.org/passkeys-are-not-broken-the-conversation-about-them-often-is" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">fidoalliance.org/passkeys-are-</span><span class="invisible">not-broken-the-conversation-about-them-often-is</span></a></p><p><a href="https://infosec.exchange/tags/Passkeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passkeys</span></a> <a href="https://infosec.exchange/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://infosec.exchange/tags/Passwordless" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passwordless</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/UsePasskeys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UsePasskeys</span></a> <a href="https://infosec.exchange/tags/Misinformation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Misinformation</span></a></p>
PrivacyDigest<p>The Ongoing Fallout from a <a href="https://mas.to/tags/Breach" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Breach</span></a> at <a href="https://mas.to/tags/AI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AI</span></a> <a href="https://mas.to/tags/Chatbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Chatbot</span></a> Maker <a href="https://mas.to/tags/Salesloft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Salesloft</span></a></p><p>…AI chatbot is used by a broad swath of corporate America to convert customer interaction into <a href="https://mas.to/tags/Salesforce" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Salesforce</span></a> leads, has left many companies racing to invalidate the stolen <a href="https://mas.to/tags/credentials" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>credentials</span></a> before <a href="https://mas.to/tags/hackers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hackers</span></a> can <a href="https://mas.to/tags/exploit" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>exploit</span></a> them. 
Now <a href="https://mas.to/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Google</span></a> warns the breach goes far beyond access to Salesforce data, noting the hackers responsible also stole valid <a href="https://mas.to/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://mas.to/tags/tokens" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tokens</span></a> for hundreds of online services<br><a href="https://mas.to/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a></p><p><a href="https://krebsonsecurity.com/2025/09/the-ongoing-fallout-from-a-breach-at-ai-chatbot-maker-salesloft/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">krebsonsecurity.com/2025/09/th</span><span class="invisible">e-ongoing-fallout-from-a-breach-at-ai-chatbot-maker-salesloft/</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://fedifreu.de/@smartphone" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>smartphone</span></a></span> : if the device you use to log in to a server is compromised, it is game over anyway - regardless of where the OTP comes from.</p><p>How it works: to prevent you from having to log in again for each transaction with the website, immediately after logging in, the website sends a 1FA session cookie (or "JWT") to your browser. Your browser will include that cookie in any request or instruction sent to the server, so that the server "knows" that it's you - who has already logged in.</p><p>So such a 1FA session cookie replaces your MFA login credentials!</p><p>Note that there are hardly any websites that bind (bind server side) session cookies to the client's IP-address. As a result, if an attacker with backdoor access to your device copies (or steals) a 1FA session cookie from your compromised device, they can use that cookie (from any client IP-address) to access your account. That is, without having to log in, i.e. without having to enter your password, nor any 2FA (T)OTP code.</p><p>Furthermore, most people are not aware that a TOTP app is a STUPID password manager: shared secrets (stored on both the server and client) need to be backed up in a secure manner (which is not typical) while such apps do not detect fake AitM (Attacker in the Middle) websites: they're not phishing resistant.</p><p>Therefore:<br>1️⃣ Make sure your client device and browser never get compromised (that would mean "game over").</p><p>2️⃣ Use a password manager that only reveals the correct credentials if the website name (aka domain name) matches the one stored in the password database. On Android and iOS/iPadOS, "Autofill" helps do just that - without requiring a browser add-on. 
Note: do NOT manually search the password manager database if there is "no hit" because of an unrecognized domain name, i.e.<br> mailchimp-sso dot com<br>is NOT<br> mailchimp dot com<br>(see <a href="https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">troyhunt.com/a-sneaky-phish-ju</span><span class="invisible">st-grabbed-my-mailchimp-mailing-list/</span></a>).</p><p>3️⃣ Use a strong (long, unpredictable, not re-used but memorable) master password for your password manager and prevent "forgot it" lock-out (you may want to write it down on paper somewhere and/or share it with someone you trust).</p><p>4️⃣ Make sure you back up the password manager's database after each change, preferably in multiple locations, at least one offline. Including TOTP data in the password manager database *does* increase the risk of compromising all at once, but making sure you have access to secure backups reduces the risk of account lock-out. It's always about balancing risks.</p><p>5️⃣ Slightly unrelated: use a browser that supports "https only" and enable it. Said "https only" is a misnomer: it means "warn if http is used because https is not possible".<br>NOTE: never share any confidential info with, or trust content from, a website via a non-https connection. Also note that https (including the required certificate) does NOT AT ALL warrant a trustworthy website. In fact https only guarantees a secure connection (E2EE) between your browser and the website whose "name" (domain name) is shown in your browser's address bar. 
Unfortunately, in case of "Men in the Middle" proxies like CloudFlare, the shown domain name may NOT point to the actual webserver (in such a case, Cloudflare knows your password as well).</p><p><span class="h-card" translate="no"><a href="https://mastodon.com.br/@rodsilva" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>rodsilva</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@eff" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>eff</span></a></span> <br> </p><p><a href="https://infosec.exchange/tags/Passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passwords</span></a> <a href="https://infosec.exchange/tags/PasswordManager" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordManager</span></a> <a href="https://infosec.exchange/tags/OTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OTP</span></a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TOTP</span></a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Weak2FA</span></a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WeakMFA</span></a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>2FA</span></a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MFA</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/FakeWebsites" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FakeWebsites</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" 
rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/EvilGinx" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EvilGinx</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/Risk" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Risk</span></a> <a href="https://infosec.exchange/tags/Risks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Risks</span></a> <a href="https://infosec.exchange/tags/AccountLockout" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AccountLockout</span></a> <a href="https://infosec.exchange/tags/AccountTakeOver" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AccountTakeOver</span></a> <a href="https://infosec.exchange/tags/SessionCookie" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SessionCookie</span></a> <a href="https://infosec.exchange/tags/JWT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JWT</span></a> <a href="https://infosec.exchange/tags/WebSession" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebSession</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonation</span></a></p>
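An added example, not code from any post on this page, of the domain-matching rule that point 2 above relies on: a credential is offered only when the page's host is exactly the stored site or a subdomain of it, so mailchimp-sso.com never matches an entry saved for mailchimp.com. The vault entries are constructed sample data, and the assumption that entries store a bare registrable host name is mine.

```javascript
// Added example: the "only fill when the domain matches" rule of a password
// manager, written to show why "mailchimp-sso.com" must never match an entry
// saved for "mailchimp.com". Not taken from any password manager's code.

// Constructed sample vault. Assumption: each entry stores the bare registrable
// host name the user saved it under (a real manager would also keep scheme/port).
const vault = [
  { site: "mailchimp.com", username: "alice@example.com" },
  { site: "login.example.org", username: "alice" },
];

// Lower-case the host and drop a trailing dot so "MailChimp.com." compares
// equal to "mailchimp.com". (IDNA/punycode handling is out of scope here.)
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// True only when `host` is the stored site itself or a subdomain of it.
// Matching on a label boundary ("." + site) rejects look-alikes such as
// "mailchimp-sso.com", "notmailchimp.com" and "mailchimp.com.evil.example".
function hostMatchesSite(host, site) {
  const h = normalizeHost(host);
  const s = normalizeHost(site);
  return h === s || h.endsWith("." + s);
}

// Return the vault entries that may be offered for the page at `pageUrl`.
// Unparsable URLs and non-https pages get nothing, in line with point 5 above:
// credentials are never handed to a plain-http page.
function credentialsFor(pageUrl, entries = vault) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return [];
  }
  if (url.protocol !== "https:") return [];
  return entries.filter((entry) => hostMatchesSite(url.hostname, entry.site));
}

// The phishing host from the Troy Hunt write-up gets no autofill offer,
// while a real subdomain of the saved site does.
console.log(credentialsFor("https://mailchimp-sso.com/login").length); // 0
console.log(credentialsFor("https://us1.admin.mailchimp.com/login").length); // 1
```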
gtbarry<p>New NIST guide explains how to detect morphed images</p><p>Face Analysis Technology Evaluation (FATE) explains morphing in simple terms and offers advice on how to respond. It is meant to help organizations set up detection systems in places where morphed photos might appear, such as passport offices or border crossings. </p><p><a href="https://mastodon.social/tags/NIST" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NIST</span></a> <a href="https://mastodon.social/tags/photography" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>photography</span></a> <a href="https://mastodon.social/tags/FATE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FATE</span></a> <a href="https://mastodon.social/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://mastodon.social/tags/images" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>images</span></a> <a href="https://mastodon.social/tags/imaging" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>imaging</span></a> <a href="https://mastodon.social/tags/GenAI" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GenAI</span></a> <a href="https://mastodon.social/tags/technology" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>technology</span></a> <a href="https://mastodon.social/tags/tech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tech</span></a></p><p><a href="https://www.helpnetsecurity.com/2025/08/18/nist-guide-detect-morphed-images/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">helpnetsecurity.com/2025/08/18</span><span class="invisible">/nist-guide-detect-morphed-images/</span></a></p>
Inautilo<p><a href="https://mastodon.social/tags/Development" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Development</span></a> <a href="https://mastodon.social/tags/Guides" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Guides</span></a><br>An illustrated guide to OAuth · How delegated access works behind the scenes <a href="https://ilo.im/166dtf" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">ilo.im/166dtf</span><span class="invisible"></span></a></p><p>_____<br><a href="https://mastodon.social/tags/Authorization" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authorization</span></a> <a href="https://mastodon.social/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://mastodon.social/tags/OAuth" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OAuth</span></a> <a href="https://mastodon.social/tags/ClientServer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ClientServer</span></a> <a href="https://mastodon.social/tags/ThirdParty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ThirdParty</span></a> <a href="https://mastodon.social/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://mastodon.social/tags/WebDev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebDev</span></a> <a href="https://mastodon.social/tags/Frontend" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Frontend</span></a> <a href="https://mastodon.social/tags/Backend" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Backend</span></a></p>
Miguel Afonso Caetano<p>"Even the very idea that we could arrive at a broadly accepted consensus on facts – regardless of their content – has grown more remote. It is down these knowledge sinkholes that the sense of ‘selfdom’ gets further elaborated, sometimes in tragic ways, through the belief that the self is the only true source of its own enlightenment.</p><p>The combination of epistemological self-centredness and hyperconnectivity makes people susceptible to diffuse forms of ‘supersense’-making (to borrow a term from Hannah Arendt). Seeking some meaningful truth, people search for significant clues scattered across the internet, using commercial algorithms and recommender systems to connect the disparate pieces of information they venture upon into some sort of coherent worldview. What may begin as a playful existential quest can easily crystallise into reality-bending beliefs that thrive on and foster new social types and politically potent associations. At its peak, QAnon exemplified the interactions between the searching disposition, digital mediations and for-profit targeting. Its members saw themselves as critical thinkers uniquely equipped to discover hidden truths and interpret byzantine clues. They ferociously denied being part of a cult, since, as one of them put it to the researcher Peter Forberg, ‘no cult tells you to think for yourself.’</p><p>One might think that the advent of LLMs will counter these tendencies. Perhaps if properly integrated with a search engine, an LLM might distil vast amounts of information into coherent responses that do not pander. It can certainly provide seemingly authoritative summaries that look like answers, though its inner workings remain essentially opaque. 
But it is not clear whether such systems – even if they work as advertised – can solve the problem of reliable knowledge in a balkanised public sphere."</p><p><a href="https://aeon.co/essays/the-sovereign-individual-and-the-paradox-of-the-digital-age" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">aeon.co/essays/the-sovereign-i</span><span class="invisible">ndividual-and-the-paradox-of-the-digital-age</span></a></p><p><a href="https://tldr.nettime.org/tags/Algorithms" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Algorithms</span></a> <a href="https://tldr.nettime.org/tags/Authenticity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authenticity</span></a> <a href="https://tldr.nettime.org/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://tldr.nettime.org/tags/SelfSovereignty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SelfSovereignty</span></a> <a href="https://tldr.nettime.org/tags/Individualism" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Individualism</span></a> <a href="https://tldr.nettime.org/tags/SocialMedia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SocialMedia</span></a> </p><p><a href="https://aeon.co/essays/the-sovereign-individual-and-the-paradox-of-the-digital-age" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">aeon.co/essays/the-sovereign-i</span><span class="invisible">ndividual-and-the-paradox-of-the-digital-age</span></a></p>
Alexander Hanff<p>So I <a href="https://eupolicy.social/tags/created" class="mention hashtag" rel="tag">#<span>created</span></a> an <a href="https://eupolicy.social/tags/app" class="mention hashtag" rel="tag">#<span>app</span></a> that opens a mixed <a href="https://eupolicy.social/tags/immersive" class="mention hashtag" rel="tag">#<span>immersive</span></a> space and anchors to the head of the user (creating a HUD effect).</p><p>Then I added wake word functionality so it would work like <a href="https://eupolicy.social/tags/Siri" class="mention hashtag" rel="tag">#<span>Siri</span></a> </p><p>Then I went back to my <a href="https://eupolicy.social/tags/Agent" class="mention hashtag" rel="tag">#<span>Agent</span></a> code and added some new <a href="https://eupolicy.social/tags/OpenAI" class="mention hashtag" rel="tag">#<span>OpenAI</span></a> compatible <a href="https://eupolicy.social/tags/API" class="mention hashtag" rel="tag">#<span>API</span></a> endpoints with <a href="https://eupolicy.social/tags/authentication" class="mention hashtag" rel="tag">#<span>authentication</span></a> </p><p>Then I connected my VisionOS app to the API... now I have a fully functioning AI Agent directly in VisionOS but that wasn't enough...</p>
Pyrzout :vm:<p>New NIST guide explains how to detect morphed images <a href="https://www.helpnetsecurity.com/2025/08/18/nist-guide-detect-morphed-images/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">helpnetsecurity.com/2025/08/18</span><span class="invisible">/nist-guide-detect-morphed-images/</span></a> <a href="https://social.skynetcloud.site/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://social.skynetcloud.site/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://social.skynetcloud.site/tags/Don" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Don</span></a>'tmiss <a href="https://social.skynetcloud.site/tags/research" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>research</span></a> <a href="https://social.skynetcloud.site/tags/how" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>how</span></a>-to <a href="https://social.skynetcloud.site/tags/scams" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scams</span></a> <a href="https://social.skynetcloud.site/tags/News" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>News</span></a> <a href="https://social.skynetcloud.site/tags/NIST" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NIST</span></a> <a href="https://social.skynetcloud.site/tags/tips" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tips</span></a></p>
Threat Insight<p>Proofpoint threat researchers have uncovered a way to sidestep FIDO-based authentication, a protection method used to block credential phishing and account takeover (ATO).</p><p>Blog: <a href="https://www.proofpoint.com/us/blog/threat-insight/dont-phish-let-me-down-fido-authentication-downgrade" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">proofpoint.com/us/blog/threat-</span><span class="invisible">insight/dont-phish-let-me-down-fido-authentication-downgrade</span></a></p><p>While the tactic has not yet been observed in the wild, the discovery is a significant emerging threat and exposes targets to adversary-in-the-middle (AiTM) threats.</p><p>Read our blog to understand how this potential threat questions the reliability of FIDO (Fast Identity Online) passkey implementations, an authentication method currently viewed as robust for verifying user identities and recommended for improving online security. </p><p><a href="https://infosec.exchange/tags/FIDO" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FIDO</span></a> <a href="https://infosec.exchange/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> <a href="https://infosec.exchange/tags/ATO" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ATO</span></a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MFA</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://kolektiva.social/@LukefromDC" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>LukefromDC</span></a></span> wrote:<br>&gt; "Some people (myself included) will never reveal a real birthday online and will respond to a request for a birthday with a fake, will check an "I am over 18" box or button, but will close the tab for anything more."</p><p>Sure, but the European Commission wants civilians to start using EUDIW (EUropean Digital Identity Wallet, aka EDIW) soon. If a website demands authentication using such an app, cheating will not be easy. You'll have two choices: abort or do what's being asked.</p><p>Website owners mostly, if not always, demand more PII than strictly necessary. Lying will become a lot harder when using EDIW than filling in forms.</p><p>&gt; "I have NoScript (on the desktop) and Privacy Browser (on phones) set up to block 3rd party code unless explicitly enabled every time."</p><p>I too use NoScript as much as possible. However, IMO it does not solve any risks associated with mandatory authentication.</p><p>&gt; "Any unique age verification token is a tracker by definition BTW."</p><p>That is not necessarily true, at least according to the app's specification. There are all kinds of (possibly unexpected) tricks using (asymmetric) cryptography that can be played.</p><p>All of which does not mean that I'm a fan, on the contrary. Reliable authentication (including partial, such as proving being e.g. 
18+), online in particular, is HARD.</p><p>It gets even harder if neither the verifier, nor the person being (partially) authenticated, benefits.</p><p>And the more privacy-friendly the less reliable it becomes - and the harder it gets to detect fraud.</p><p><span class="h-card" translate="no"><a href="https://sigmoid.social/@drgroftehauge" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>drgroftehauge</span></a></span> <span class="h-card" translate="no"><a href="https://manganiello.social/users/fabio" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>fabio</span></a></span> <span class="h-card" translate="no"><a href="https://chaos.social/@SylvieLorxu" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>SylvieLorxu</span></a></span> </p><p><a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/AgeVerification" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AgeVerification</span></a> <a href="https://infosec.exchange/tags/Fraud" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Fraud</span></a> <a href="https://infosec.exchange/tags/IdentityFraud" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IdentityFraud</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/eID" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eID</span></a> <a 
href="https://infosec.exchange/tags/OnlineAuthentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OnlineAuthentication</span></a> <a href="https://infosec.exchange/tags/RemoteAuthentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RemoteAuthentication</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://kolektiva.social/@LukefromDC" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>LukefromDC</span></a></span> : it won't be that bad (it will be bad, but in a different way).</p><p>ANY website may ask a user to confirm they are 18+ (or whatever age).</p><p>There will be a huge amount of AitM (Attacker in the Middle) websites where naive people will be lured to (using fake emails, SMS, chat app messages or falsified QR-codes) and asked to confirm their age.</p><p>That AitM website will subsequently obtain a "ticket" (session cookie) from a real "relying party" website (with a potentially very different type of content than the victim is told).</p><p>Those "tickets" will be sold (or traded for watching ads and/or paying with privacy).</p><p>Reliable authentication requires a trustworthy identity verifier (even if identification is restricted to age+).</p><p><span class="h-card" translate="no"><a href="https://sigmoid.social/@drgroftehauge" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>drgroftehauge</span></a></span> <span class="h-card" translate="no"><a href="https://manganiello.social/users/fabio" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>fabio</span></a></span> <span class="h-card" translate="no"><a href="https://chaos.social/@SylvieLorxu" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>SylvieLorxu</span></a></span> </p><p><a href="https://infosec.exchange/tags/AgeVerification" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AgeVerification</span></a> <a href="https://infosec.exchange/tags/ByPass" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ByPass</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention 
hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Identification</span></a> <a href="https://infosec.exchange/tags/IdentityVerification" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IdentityVerification</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/ForSale" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ForSale</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://social.wildeboer.net/@jwildeboer" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>jwildeboer</span></a></span> : modern certificates are used for authentication only, not for secure connections.</p><p>OTOH, if you have no certainty that your software is communicating with the server you intended, a secure connection to it is pointless - but the connection remains secure.</p><p>Using TLS v1.3, the connection is even secured before the server is authenticated (if, after encrypting the connection, the authentication of the server fails, then the client should at least warn the user - if not immediately disconnect).</p><p>Yes, I know, these are boring details, but they are misunderstood way too often by people who SHOULD know how this works (I know you do, but please don't simplify things too much).<br> </p><p><a href="https://infosec.exchange/tags/TLS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TLS</span></a> <a href="https://infosec.exchange/tags/https" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>https</span></a> <a href="https://infosec.exchange/tags/X509" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>X509</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/Certs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certs</span></a> <a href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Identification</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/TLSv1_3" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TLSv1_3</span></a> <a href="https://infosec.exchange/tags/ForwardSecrecy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ForwardSecrecy</span></a> <a href="https://infosec.exchange/tags/DH" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DH</span></a> <a href="https://infosec.exchange/tags/DHE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DHE</span></a> <a href="https://infosec.exchange/tags/DiffieHellman" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DiffieHellman</span></a></p>
|7eter l-|. l3oling 🧰<p>ANN: :ruby: omniauth-identity v3.1.4</p><p>Release Notes: <a href="https://dev.to/galtzo/ann-omniauth-identity-v314-2371" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">dev.to/galtzo/ann-omniauth-ide</span><span class="invisible">ntity-v314-2371</span></a></p><p><a href="https://ruby.social/tags/Ruby" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ruby</span></a> <a href="https://ruby.social/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://ruby.social/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://ruby.social/tags/Rails" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Rails</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@adfichter" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>adfichter</span></a></span> : I'm trying to warn people about such holes.</p><p>Published earlier this month: <a href="https://www.heise.de/en/news/BSI-and-ANSSI-warn-against-VideoIdent-for-the-EU-digital-wallet-10476045.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">heise.de/en/news/BSI-and-ANSSI</span><span class="invisible">-warn-against-VideoIdent-for-the-EU-digital-wallet-10476045.html</span></a> (there of course is a German version as well).</p><p>It refers to a recent joint publication (in English) by the German BSI and the French ANSSI titled:</p><p>"Remote Identity Proofing for EUDI Wallet Onboarding: Strengthening Assurance Against Evolving Threats"</p><p>(EUDI Wallet = European Digital Identity Wallet aka EDIW aka EUDIW).</p><p>It's about the risks of VideoIdent (getting bigger every day, see e.g. 
<a href="https://www.theverge.com/report/714402/uk-age-verification-bypass-death-stranding-reddit-discord" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">theverge.com/report/714402/uk-</span><span class="invisible">age-verification-bypass-death-stranding-reddit-discord</span></a> - not to mention AI).</p><p>However, like in their previous publication (PDF: <a href="https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/ANSSI-BSI-joint-releases/ANSSI-BSI_joint-release_2023.pdf?__blob=publicationFile&amp;v=3" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bsi.bund.de/SharedDocs/Downloa</span><span class="invisible">ds/EN/BSI/Publications/ANSSI-BSI-joint-releases/ANSSI-BSI_joint-release_2023.pdf?__blob=publicationFile&amp;v=3</span></a>) they ignore one HUGE risk: AitM's (Attacker in the Middle).</p><p>The unmentioned gaping security hole here are fake websites, where people are being directed to via falsified emails, SMS, chat app messages and possibly QR-codes.</p><p>Step 1️⃣:<br>————<br>Victim (contacts AitM site as instructed)<br> |<br> | "Please give me my EDIW"<br> v<br>AitM site: contacts site below and forwards<br> |<br> | "Please give me my EDIW"<br> v<br>True EDIW identity verification site</p><p>Step 2️⃣:<br>————<br>Victim<br> ^<br> | "Please perform VideoIdent"<br> |<br>AitM site: forwards<br> ^<br> | "Please perform VideoIdent"<br> |<br>True EDIW identity verification site</p><p>Step 3️⃣:<br>————<br>Victim<br> |<br> | VideoIdent showing victim<br> v<br>AitM site: forwards<br> |<br> | VideoIdent showing victim<br> v<br>True EDIW identity verification site</p><p>Step 4️⃣:<br>————<br>Victim<br> ^<br> | "Something went wrong"<br> |<br>AitM site: stores victim's EDIW on their device<br> ^<br> | EDIW<br> |<br>True EDIW identity verification site</p><p>The same may happen to people who are tricked into 
*authenticating* using EDIW on AitM websites.</p><p><span class="h-card" translate="no"><a href="https://mastodon.nl/@ellent" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>ellent</span></a></span> <br> </p><p><a href="https://infosec.exchange/tags/EDIW" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EDIW</span></a> <a href="https://infosec.exchange/tags/EUDIW" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EUDIW</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/VideoIdent" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>VideoIdent</span></a> <a href="https://infosec.exchange/tags/OnlineAuthentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OnlineAuthentication</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/Identification" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Identification</span></a> <a href="https://infosec.exchange/tags/IdentityFraud" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IdentityFraud</span></a> <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a></p>
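<p>The relay sketched in the four steps above, and the "ticket" harvesting described in the earlier age-verification post, can be played through in a small simulation. The code below is an added illustration written for this page; it is not code from either post and not an EUDI Wallet implementation. The parties, origins, message fields and the MAC-based "proof" are all constructed stand-ins: the point is only that a proof which does not name the origin the victim actually talked to can be forwarded unchanged by the fake site, whereas a proof that covers that origin (the same idea WebAuthn uses when it signs the client-observed origin) is rejected by the genuine verifier, and the MAC is what stops the fake site from simply editing the origin field on the way through.</p>

```python
# Constructed simulation of the AitM relay sketched in the post above. Parties,
# origins, message formats and keys are hypothetical; this is not wallet code.
import hashlib
import hmac
import secrets
from typing import Optional

GENUINE_ORIGIN = "https://id.verifier.example"      # assumed genuine verifier
AITM_ORIGIN = "https://id-verifier.example.net"     # assumed look-alike site


def make_mac(key: bytes, *fields: str) -> str:
    """MAC over the proof fields so a relay cannot rewrite them unnoticed."""
    return hmac.new(key, "\x1f".join(fields).encode(), hashlib.sha256).hexdigest()


class Verifier:
    """The genuine identity-verification site."""

    def __init__(self, origin: str):
        self.origin = origin
        self.keys: dict = {}          # subject -> key, assumed enrolled earlier
        self.pending: set = set()
        self.issued: list = []

    def enrol(self, subject: str, key: bytes) -> None:
        self.keys[subject] = key

    def start(self) -> str:
        """Steps 1/2: hand out a fresh challenge ("please perform VideoIdent")."""
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def finish(self, proof: dict, bind_origin: bool) -> Optional[str]:
        """Steps 3/4: check the proof; on success issue the credential (the EDIW)."""
        challenge = proof["challenge"]
        if challenge not in self.pending:
            return None
        self.pending.discard(challenge)
        key = self.keys.get(proof["subject"])
        if key is None:
            return None
        expected = make_mac(key, proof["subject"], proof["origin"], challenge)
        if not hmac.compare_digest(expected, proof["mac"]):
            return None                       # relay tampered with the proof
        if bind_origin and proof["origin"] != self.origin:
            return None                       # proof was produced for another site
        ticket = "EDIW-" + hashlib.sha256(f"{challenge}:{proof['subject']}".encode()).hexdigest()[:16]
        self.issued.append(ticket)
        return ticket


class Wallet:
    """The victim's device. It only knows the origin it actually connected to."""

    def __init__(self, subject: str, key: bytes):
        self.subject, self.key = subject, key

    def prove(self, origin_seen: str, challenge: str) -> dict:
        return {"subject": self.subject, "origin": origin_seen, "challenge": challenge,
                "mac": make_mac(self.key, self.subject, origin_seen, challenge)}


class AitM:
    """Fake site: forwards both directions and keeps whatever the verifier issues."""

    def __init__(self, origin: str, upstream: Verifier, rewrite_origin: bool = False):
        self.origin, self.upstream, self.rewrite = origin, upstream, rewrite_origin
        self.loot: list = []

    def start(self) -> str:
        return self.upstream.start()          # Step 1: forward the request

    def finish(self, proof: dict, bind_origin: bool) -> str:
        if self.rewrite:                      # try to hide which origin the victim saw
            proof = dict(proof, origin=self.upstream.origin)
        ticket = self.upstream.finish(proof, bind_origin)   # Step 3: forward the proof
        if ticket:
            self.loot.append(ticket)          # Step 4: keep the EDIW ...
        return "Something went wrong"         # ... and stall the victim


def run(bind_origin: bool, rewrite_origin: bool = False):
    """Victim follows the phishing link to the fake site. Returns (what the victim sees, attacker's loot)."""
    key = secrets.token_bytes(32)
    verifier = Verifier(GENUINE_ORIGIN)
    verifier.enrol("victim", key)
    wallet = Wallet("victim", key)
    aitm = AitM(AITM_ORIGIN, verifier, rewrite_origin)
    challenge = aitm.start()
    proof = wallet.prove(AITM_ORIGIN, challenge)    # the wallet sees the fake origin
    return aitm.finish(proof, bind_origin), aitm.loot


if __name__ == "__main__":
    print(run(bind_origin=False))                        # attacker walks away with the EDIW
    print(run(bind_origin=True))                         # verifier refuses: origin mismatch
    print(run(bind_origin=True, rewrite_origin=True))    # MAC check catches the rewrite
```

<p>A live video stream is not something the wallet can sign the way the constructed proof is signed here, which is exactly why the relay in the post is hard to stop on the VideoIdent path: the binding has to come from somewhere the fake site cannot forward unchanged, such as a key held on the victim's device that signs the origin it observed.</p>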
Serge from Babka<p>Another approach would be if Alice could generate multiple Passkeys and hand them out to individuals she trusts, and then retaining the ability to revoke them. Sadly many sites don't yet support Passkeys, and this model still lets someone like Mal revoke Alice's access, so that's not great.</p><p>Bitwarden has a feature whereby Alice can share a password with Eve but not let her see it or export it. This could work pretty well, except when the site requires 2FA via an SMS text message (vs TOTP or a token) or when Eve has the know-how to intercept the password.</p><p>I still think that what we ultimately want is attenuated scopes because then we can track all actions by the delegated party.</p><p>I do wonder if this need is niche or if the current solution of "good faith password sharing" works well enough often enough that it's not risen to the level of concern for developers.</p><p>2/2</p><p><a href="https://babka.social/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://babka.social/tags/Authorization" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authorization</span></a> <a href="https://babka.social/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://babka.social/tags/Passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passwords</span></a> <a href="https://babka.social/tags/Passwordless" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passwordless</span></a> <a href="https://babka.social/tags/Programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Programming</span></a></p>
Serge from Babka<p>I've been thinking about delegated authority on websites lately.</p><p>It would be convenient if I could delegate certain functions to people, for example allowing someone like my accountant to have access to some of my financial records.</p><p>Some organizations make this easy, allowing me to have multiple accounts.</p><p>Other services don't offer this, nor do they offer any kind of OAuth type of delegated authorization or capabilities model.</p><p>I've been thinking about ways around this.</p><p>One very wacky way would be if Alice could have a "special browser" that would tie into some service she runs. Bob would log in with his credentials and then behind the scenes the application logs in as Alice.</p><p>This would be very complicated to implement though.</p><p>1/</p><p><a href="https://babka.social/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://babka.social/tags/Authorization" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authorization</span></a> <a href="https://babka.social/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://babka.social/tags/Passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passwords</span></a> <a href="https://babka.social/tags/Passwordless" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passwordless</span></a> <a href="https://babka.social/tags/Programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Programming</span></a></p>
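<p>The "attenuated scopes" the two posts above ask for, where Alice delegates a narrow slice of her account to her accountant, can revoke that delegation without losing her own access, and every action is attributable to the delegate, is what macaroon-style capability tokens give you. The example below is an added illustration written for this page, not code from the posts or from any site or library they mention. The site name, the secret, the caveat vocabulary and the delegation id are all hypothetical; the one assumption that matters is that the site authenticates the delegate (Bob) with his own credentials, so <code>actor</code> in a request is who the site knows is logged in, not a field the token holder fills in.</p>

```python
# Constructed example of attenuated capability tokens (macaroon-style HMAC chaining).
# The site, secret, caveat names and delegation id are hypothetical.
import hashlib
import hmac
import time
from typing import Optional

SERVER_SECRET = b"hypothetical-server-only-secret"   # assumed; never leaves the site


def _chain(sig: bytes, caveat: str) -> bytes:
    """Re-key the MAC over the next caveat."""
    return hmac.new(sig, caveat.encode(), hashlib.sha256).digest()


def issue_root(secret: bytes, owner: str) -> dict:
    """The site issues the account owner a root capability (no caveats)."""
    ident = f"owner={owner}"
    return {"id": ident, "caveats": [],
            "sig": hmac.new(secret, ident.encode(), hashlib.sha256).hexdigest()}


def attenuate(token: dict, caveat: str) -> dict:
    """Any holder can narrow a token by appending a caveat. Nobody can remove one:
    that would need the previous signature, which the derived token no longer carries."""
    sig = _chain(bytes.fromhex(token["sig"]), caveat)
    return {"id": token["id"], "caveats": token["caveats"] + [caveat], "sig": sig.hex()}


def _holds(caveat: str, request: dict, revoked: set) -> bool:
    key, _, value = caveat.partition("=")
    if key == "scope":
        return request["action"] in value.split(",")
    if key == "delegate":
        return request["actor"] == value          # actor = who the site authenticated
    if key == "expires":
        return request["now"] < int(value)
    if key == "delegation":
        return value not in revoked               # owner-controlled revocation
    return False                                  # unknown caveat: fail closed


def verify(secret: bytes, token: dict, request: dict, revoked: set):
    """The site checks a token with nothing but its own secret and the revocation list.
    Returns (allowed, reason-or-audit-line)."""
    sig = hmac.new(secret, token["id"].encode(), hashlib.sha256).digest()
    for caveat in token["caveats"]:
        sig = _chain(sig, caveat)
    if not hmac.compare_digest(sig.hex(), token["sig"]):
        return False, "signature mismatch"
    owner = token["id"][len("owner="):]
    if not token["caveats"] and request["actor"] != owner:
        return False, "root token usable only by its owner"
    for caveat in token["caveats"]:
        if not _holds(caveat, request, revoked):
            return False, f"caveat failed: {caveat}"
    # the audit line names both the delegate and the account acted on
    return True, f"{request['actor']} acting for {token['id']} did {request['action']}"


def demo(now: Optional[int] = None) -> dict:
    """Alice delegates read-only statement access to Bob, then revokes it."""
    now = now or int(time.time())
    alice_root = issue_root(SERVER_SECRET, "alice")
    for_bob = alice_root
    for caveat in ("delegate=bob", "scope=read_statements",
                   f"expires={now + 30 * 86400}", "delegation=d-0001"):
        for_bob = attenuate(for_bob, caveat)
    revoked: set = set()
    read = {"actor": "bob", "action": "read_statements", "now": now}
    pay = dict(read, action="transfer_funds")
    # Bob tries to widen his token by dropping the caveats
    forged = {"id": for_bob["id"], "caveats": [], "sig": for_bob["sig"]}
    results = {
        "bob_reads": verify(SERVER_SECRET, for_bob, read, revoked),
        "bob_transfers": verify(SERVER_SECRET, for_bob, pay, revoked),
        "bob_forges": verify(SERVER_SECRET, forged, dict(read, actor="alice"), revoked),
        "alice_root": verify(SERVER_SECRET, alice_root, dict(read, actor="alice"), revoked),
    }
    revoked.add("d-0001")                          # Alice revokes only Bob's delegation
    results["bob_after_revoke"] = verify(SERVER_SECRET, for_bob, read, revoked)
    results["alice_after_revoke"] = verify(SERVER_SECRET, alice_root, dict(pay, actor="alice"), revoked)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20} {outcome}")
```

<p>Contrast this with the shared-password model in the post: there, whoever holds the credential holds everything, including the power to lock Alice out, and the site's logs show only "Alice". Here the delegate can only narrow what he was given, the owner's root token is untouched by the revocation, and each permitted request yields an audit line naming the delegate.</p>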