authentication

  1. Is it good or bad practice to allow a user to change their username?
  2. iOS: Possible cache DB security issue?
  3. Google App Script as public gateway for database (spreadsheet)
  4. Possible to use *only* U2F authentication?
  5. How does a user get authenticated on server B if they are already authenticated on server A through OAuth2?
  6. Best practices for generating and using random timed OTP
  7. In the context of FIDO U2F, when is a new ephemeral key reused, or cached?
  8. Sharing access-tokens in response header?
  9. How to implement cross-domain, auto-login SSO without browser redirects for unlogged users?
  10. How to Pass Authorization Header in HTTP Request when using HTML5 Player (Audio tag) for security
  11. SAML token and service calls
  12. Is BASIC-Auth secure if done over HTTPS?
  13. How to secure refresh token APIs?
  14. Preventing a Burp and Intercept
  15. API security where the server is also client-side
  16. What to do for my Web API authentication scheme?
  17. How is fingerprint authentication integrated with a backend server?
  18. JWT as a nonce in sessionless backends
  19. How to ensure Nuget Packages are safe for confidential information?
  20. Aren't the current implementations for multi-factor authentication heavily dependent on a single point of failure?
  21. Is OAuth always the right choice (and when isn't it)?
  22. Should we prevent this login XSS attack?
  23. Tools or recipe usable by a non-professional to check their Wifi security for common issues?
  24. Is tokenless (specifically SMS) 2FA a security compromise over OTP tokens?
  25. Does PKCS 1.5 padding make it possible for an attacker to extract the private key or not? Is PKCS 1.5 safe to use in authentication context?
  26. How to properly secure an ActiveMQ instance, and what are all of the different files for?
  27. Multi-factor Out of Band Token authentication options suitable as per NIST recommendations 800-63B (published in June, 2017)
  28. How can a system grant constant access without using a constant key?
  29. Can EAP be used to authenticate to a service?
  30. A password substitute?
  31. Changes in security measures after gaining objectively big social following in a short time period?
  32. Exploitability of scenario
  33. What is an AUTH-KEY in computer security?
  34. 3rd Party Authentication protocol
  35. How to locate IP for a computer trying to login to my Wikipedia account?
  36. Security differences between fb connect and openid connect
  37. Restrict mobile phones to specific Access Point (WIFI Router)
  38. Why would an attacker authenticate to my Google Search Console?
  39. How secure is PIN code + substitution authentication?
  40. Secure REST API and Single Page App by using external OAuth 2 Authorization Code
  41. A security audit wants encrypted user/pass for login in asp.net - this seems pointless or is it not?
  42. Is a user being able to view their own UID a security risk?
  43. Benefits to client-side password hashing on top of other security mechanisms
  44. Password Reset Chatbot with Authentication through text message
  45. Is this password scheme as secure as public-key authentication?
  46. What to do about "approved" direct banking MITM sites like sofort.com?
  47. How do ID services authenticate Active Directory credentials for Single Sign On?
  48. Data integrity and authentication of an Arduino using JSON Web Tokens and HMACs
  49. Securely using JWTs with CSRF protection and refresh tokens
  50. How would you protect a user against a malicious client?
  51. Facebook login with profile picture?
  52. Equifax Data Breach 2017
  53. How does a device send the Wi-Fi password to the router?
  54. Secure preshared key 2 way authentication
  55. Login details security using salt and hash, and a login role in postgresql
  56. What scenarios really benefit from signed JWTs?
  57. Can I know who tried to login to my Google account?
  58. Renewing certificates in web services using mutual (2-way) authentication
  59. How does choosing where a password is stored affect non-repudiation? (or private key storage)
  60. Is this an insecure implementation of multi-site sessions?
  61. How dangerous is it to trust an “Example Server Certificate”?
  62. Are HTTPonly cookies secure enough for implementing "remember me" functionality?
  63. Kerberos composite authentication that reflects user's origin
  64. HMAC based algorithm for publicly sharing authenticated messages
  65. How do I make sure it is actually the authenticated user performing an action?
  66. When does OpenID Connect return JSON?
  67. What are the risks with using the same token for Mobile auth and Web auth?
  68. Client certs vs. tokens
  69. 3 or 4 characters long username from security point of view
  70. Organization replaces (?) website SSL certificate with self-signed cert. Is this secure?
  71. Windows Active Directory: How do endpoints authenticate the Domain Controller?
  72. Preventing replay attacks with JWT
  73. How secure is E-Z Pass?
  74. HTTPS Inspection: how to detect at (own) server? / does it break Apache digest authentication?
  75. Security implications of using Bash script as a SSH login shell
  76. Limiting database lookups by token metadata
  77. How can I detect if IETF TokenBinding is in use for bearer tokens?
  78. JWT authentication or cookies?
  79. Should I check if the token is valid each time a user navigates on my app?
  80. OpenID Connect: Why use authorization code flow?
  81. What access does installing custom certificate file give?
  82. wireless security - Authentication and Association
  83. Brute force prevention: where and when?
  84. How can I force a specific device to re-authenticate?
  85. One time password with Hardware Token
  86. Under HIPAA, is it allowable to remember/store user credentials?
  87. What's the standard way for server-to-server integration (cross internet) authentication?
  88. TLS-RSA vs TLS-ECDHE-RSA vs static DH
  89. How does AWS authentication work?
  90. Converting my LAN to use a correctly set up public CA and formal access control approaches?
  91. How should I tell an organisation that they are vulnerable when I wasn't given permission to check?
  92. What’s the security risk when setting the Gnome keyring password to blank on an FED system with autologin?
  93. Win2012R2 TLS1.2 Mutual authentication - change cipher specs from server side after no certificate from client?
  94. Create a Secure QR Code Reward System?
  95. Authentication in WPA from a user's perspective
  96. Cybersecurity "Airport model"
  97. How do OTT providers protect LIVE streams?
  98. PTH & Salted Passwords
  99. How secure is this authentication approach compared to hashing?
  100. Is there any benefit to keep sending UN/PW to the server over Session ID (i.e., stateless vs stateful)?