Default passwords (in this case voicemail PIN) strike again! There are many #AuthN systems around that support sending OTPs by a phone call as an alternative/fallback to SMS (and is an accessibility requirement). Unfortunately, they can't account for this attack vector.
(Oh, and use Signal, not Telegram)
#Identity #Security
https://gbhackers.com/hackers-hijack-telegram-accounts/

Excited to be speaking at @fossasia
This year, I'm diving deep into Identity and Access Management (#IAM) for #OSS.

All are welcome and I encourage all knowledge levels to attend: Don't be intimidated by "advanced security"! I'm breaking down complex concepts into easy-to-understand explanations, with a historical perspective to give context.

Explore #AuthN #AuthZ
@keycloak Primer
Best Practices for #OSS

iRODS PAM Interactive Authentication Plugin v0.1.0 is released!

https://irods.org/2024/08/initial-release-of-the-irods-pam-interactive-auth-plugin/

Interesting attack method. "They are merging, wonder if they screwed up transfer? Yup."

https://www.theregister.com/2024/07/15/squarespace_fingered_for_dns_hijackings/

“At this point I think that #Passkeys will fail in the hands of the general consumer population. We missed our golden chance to eliminate passwords through a desire to capture markets and promote hype.”

https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/

Big sadge

Dans son guide "Recommandations relatives à l'authentification multifacteur et aux mots de passe", l'ANSSI nous explique que l'authentification forte doit mettre en oeuvre un protocole cryptographique et résister aux attaques par rejeu, et aux attaques de l'homme du milieu.... Puis s'en va nous donner des exemples d'authentification forte...

Dans cette liste, on y retrouve TOTP...

Les TOTP sont parfaitement vulnérables aux attaques par rejeu, une fois interceptés par un site de hameçonnage. Ils sont également parfaitement attaquables par MITM...

En outre, on retrouve dans la liste FIDO2.

FIDO2 est attaquable par MITM si l'on ne met pas en oeuvre la mesure dite de "channel binding" ou "token binding". À ma connaissance, cette fonctionnalité n'est prise en charge par aucun navigateur. Même Chrome l'a retiré.

https://groups.google.com/a/chromium.org/g/blink-dev/c/OkdLUyYmY1E/m/w2ESAeshBgAJ

Ils sont beaux, les guides #ANSSI depuis quelques années... ​​

Edit : Cette communauté est formidable <3 Merci à toutes et tous celleux qui se sont proposé.es !

Besoin d'aide pour une relecture

J'ai rédigé ces derniers temps un cours "Identité et méthodes d'authentification" pour une grande école parisienne. Niveau Bac+5.

Ce cours sera ultérieurement publié en licence libre (probablement CC-0 ou CC-BY).

Je dois donner ce cours mercredi. Est-ce qu'un gentil ou une gentille fédinaute compétent.e ou pas sur le sujet spécifique aurait le temps de relire ce que j'ai produit ce week-end et me faire un retour ? Ca fait environ 20 pages de texte brut police 12, alinéa simple.

Neither @protonmail nor @Tutanota support passkeys as a password-less authentication method, and at least @protonmail does not support security key/passkey only 2FA. (I don't know if @Tutanota does)

I mean, these providers are supposed to be top-notch secure email providers. Why are they so far behind? Any serious alternatives? Paying customer here.

Blogged: Implement a secure web application using nx Standalone Angular and an ASP.NET Core server

https://damienbod.com/2023/09/11/implement-a-secure-web-application-using-nx-standalone-angular-and-an-asp-net-core-server/

I'm looking for an open source #IAM provider with good recommendations... I'm considering Auth0 (out of laziness), but definitely not interested in AD or Google direct - does anyone know a good open-source tool to use for authentication? Hosting my own is fine, but rolling my own is re-inventing the wheel a bit too much.

Federation supported or not, either fine.

Some listed here: https://medevel.com/5-iam-enterprise/ such as #KeyCloak and #OpenIAM

maybe i'm getting old, but i feel the recent trend towards #passwordless with #passkeys / #authn might be a bad idea.

passwords (with all their problems) are a low-tech thing. depending on the people having access to a high-end device with their keys seems highly rich-tech-bro-in-the-western-world

#TIL that you don’t need an #auth library like #Laravel’s fortify. Just host an AuthN provider and implement #oidc or #ldap.

If you ship a desktop app, you don’t need #AuthN because the user is authenticated through their login into their computer.

If you ship to a business, they will have an LDAP or OIDC server or will host one when needed.

If you ship an app with online account, you can just host #Keycloak or #Authentic or pay #auth0.

More below:

https://www.reddit.com/r/golang/comments/ykel0b/simple_web_app_how_to_do_auth/?utm_source=share&utm_medium=mweb3x&utm_name=mweb3xcss&utm_term=1&utm_content=share_button

#Passkeys question, I have Yubikeys set as the second factor on numerous accounts. What if I want to use passkey for those accounts stored on a Yubikey, will using passkey mean I need an OTP code or have to use a different Yubikey? Or will passkeys eliminate the second factor as it has seemed to do with my Google account, I just signed in using a passkey and wasn't asked for my second factor. I should have really done far more reading on this matter.
#Fido2 #authN

As we recap our fantastic #EverythingOpen talks, next up is William Brown @firstyear from @SUSE who walks us through #passkeys for #web #authn, showing us their ambiguities, how they work, what their limitations are, and what we need to be thinking about when we implement them.

Another fabulous talk from William.

https://www.youtube.com/watch?v=V-7zMIgGO1U

I will be speaking about application security at the Azure Bootcamp Switzerland in Bern, a technology conference focusing on the Microsoft Azure Cloud. I really recommend this. Please come a say hello, would love to meet you, really looking forward.

https://www.azurebootcamp.ch/

Thanks for organizing Manuel Meyer Stefan Johner Stefan Roth

Hee hee - one of my favorite uses for ChatGPT is asking it to describe topics in the style of a pirate.

"Ye see, as a pirate, the most important thing is to make sure we trust the person we're dealing with. We don't want no scallywags or imposters stealin' our booty or getting the better of us!"

Working on a project with non-InfoSec folks I was reminded that not everyone's gotten the message. All the contributors were accessing the collaboration platform with the admin's credentials ('cause it was easier than creating separate accounts). #sigh

Next in our #EverythingOpen Speaker Spotlight series, because we know you're all #nightowls - is @firstyear William Brown, who's presenting:

"Web #authn, #passkeys and you - the future of #authentication"

https://2023.everythingopen.au/schedule/presentation/2/

Qqn sait où on peut trouver plus d'info sur le protocole en "double anonymat" que le gouv veut déployer en mars pour restreindre l'accès à certains sites, dont les sites porno ?
J'ai vu un schéma et moralement, ça ressemble a du "sous-privacy pass", mais je voudrais bien étudier la spec ou le code.

Blogged: Use multiple identity providers from a Blazor WASM ASP.NET Core App secured using BFF

https://damienbod.com/2023/02/14/use-multiple-identity-providers-from-a-blazor-wasm-asp-net-core-app-secured-using-bff/