Authentication
26 items tagged with "authentication"
Anti-Patterns4
Plaintext Password Storage
Storing user passwords as readable text or with reversible/fast encoding, so a single database breach exposes every credential.
Default Credentials
Shipping or deploying systems with vendor default usernames and passwords left unchanged, an instantly exploitable and heavily automated attack vector.
No MFA on Privileged Access
Protecting administrator, root, and high-value accounts with a single password, so one phishing or credential leak yields full takeover.
JWT none Algorithm Acceptance
Accepting JSON Web Tokens with alg:none or trusting the token's own algorithm header, letting attackers forge tokens with no valid signature.
Tutorials2
Regulations2
Revised Payment Services Directive
EU directive regulating electronic payments, opening bank data to licensed third parties and mandating strong customer authentication.
FFIEC Information Security Guidance
US interagency guidance and examination standards for information security and IT risk management at financial institutions.
Comparisons2
OAuth 2.0 vs SAML
OAuth 2.0 is a token-based authorization framework for APIs and apps; SAML is an XML-based standard for enterprise single sign-on and federation.
JWT vs Server Sessions
JWTs are self-contained, stateless tokens; server sessions store state server-side with an opaque ID. Both manage authenticated user state.
FAQs9
How do I generate a DSN token?
Run vibgrate dsn create --workspace ws-abc123 to generate an HMAC-signed DSN token. Use --region eu for EU data residency. Use --write .vibgrate/.dsn ...
What is the difference between OAuth 2.0 and OpenID Connect?
OAuth 2.0 is an authorization framework: it lets an application obtain delegated access to resources on a user's behalf without sharing the user's cre...
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format that carries claims as a base64url-encoded header, payload, and signature separated by dots...
Sessions vs tokens: what is the difference for authentication?
Session-based authentication stores state on the server and gives the client an opaque session ID, usually in a cookie; the server looks up the sessio...
What is mutual TLS (mTLS)?
Mutual TLS extends standard TLS so that both the client and the server present and verify certificates, rather than only the client verifying the serv...
What is the difference between an access token and a refresh token?
An access token is a short-lived credential a client sends with each request to prove it is authorized to call an API, typically expiring in minutes. ...
What is an API key and how is it different from a token?
An API key is a static secret string that identifies and authenticates a calling application or project, usually passed in a header and tied to a set ...
What is multi-factor authentication (MFA)?
Multi-factor authentication requires a user to present two or more independent proofs of identity from different categories: something you know (a pas...
What is the difference between OAuth 2.0 and OpenID Connect?
OAuth 2.0 is an authorization framework that lets an application obtain delegated, scoped access to a user's resources without sharing their password,...
Glossaries4
OpenID Connect (OIDC)
OpenID Connect is an authentication layer built on top of OAuth 2.0 that lets applications verify a user's identity and obtain basic profile information using an ID token.
JSON Web Token (JWT)
A JSON Web Token is a compact, URL-safe, digitally signed token that encodes claims as JSON, commonly used to transmit identity and authorization data between parties.
Multi-Factor Authentication (MFA)
Multi-factor authentication is a security method that requires two or more independent forms of verification, drawn from different categories, before granting access.
Single Sign-On (SSO)
Single sign-on is an authentication scheme that lets a user log in once and gain access to multiple independent applications without re-entering credentials for each.