authentication

  1. Freshness of Entity Authentication

  2. Does Google's reCAPTCHA mitigate DDoS attacks?

  3. How is security maintained in sessions and JWT?
  4. What additional protection is required for authentication and message sending in addition to TLS?

  5. How to improve the authorization and client-server interaction scheme?

  6. Bridging TLS handshake to leave private key in browser

  7. What are the risks with logging in with Google or FB auth to third party sites?

  8. Reason to use only secrets as API keys?
  9. Why do APIs use API Keys instead of Usernames?

  10. Could this authentication/authorization flow be attacked without compromising the Authority Server?

  11. Does PKCS 1.5 padding make it possible for an attacker to extract the private key or not? Is PKCS 1.5 safe to use in authentication context?

  12. Multi-factor Out-of-Band Token authentication options suitable as per NIST recommendations 800-63B (published in June 2017)
  13. Third party exchange authentication
  14. What is an AUTH-KEY in computer security?

  15. Mutual authentication in OpenVPN
  16. In what cases is it okay to keep a user logged in or provide auto-login when an app starts?
  17. How to (easily?) protect a mobile authentication endpoint?

  18. OEM Software Reseller

  19. Will this auth scheme be secure and protect user passwords/hashes?

  20. Should Javascript & IFrames be used to refresh sessions when Master Cookie Domains are used?
  21. Penetration testing - how to fix a vulnerability?
  22. Is Paypal's 2FA Security really this bad?

  23. Login details security using salt and hash, and a login role in postgresql
  24. Handling the loss of a phone with FIDO UAF
  25. Passive authentication
  26. Can I have push notification authentication without a third party app?

  27. Are there any security risks associated with having static files on the server be publicly available?

  28. How safe is PassportJS out of the box?

  29. Why would an attacker authenticate to my Google Search Console?

  30. Remove IRC WHOWAS history
  31. iPhone passcode security
  32. OAuth2 and Authentication
  33. Is there a benefit to setting up a security key on an account that already has phone-based 2FA?

  34. Secure pre-shared key two-way authentication
  35. Difference between OAuth, OpenID and OpenID Connect in very simple terms?

  36. How to make CNG certificates available for mutual authentication in browser?

  37. Can an intruder still possibly succeed with pass-the-hash or pass-the-ticket on Windows 10 / Server 2016 networks where Credential Guard is enabled?
  38. Attack vectors for brute-forcing website passwords
  39. Non Confidential OAuth2 flow

  40. Differentiate between internal and external network calls

  41. Creating a 3rd party tool that requires a user's auth token for the service
  42. How to give someone access to a file, on a website, securely without relying on a single password?
  43. New user auth to prevent man in the middle compromise

  44. What access does installing custom certificate file give?
  45. Is it possible for an 802.1x network (PEAP/MSCHAPv2) to have no certificate?
  46. How does choosing where a password is stored affect non-repudiation? (or private key storage)

  47. Temp Blocking Login without IP or Cookie

  48. Kerberos composite authentication that reflects user's origin

  49. When does OpenID Connect return JSON?

  50. Secure public-facing wallet API accessed by mobile devices
  51. Kerberos - Forcing a successful TGT request

  52. Is BASIC-Auth secure if done over HTTPS?

  53. User authentication + database encryption with same password

  54. What is the point in having arbitrary username requirements?

  55. Why do we authenticate by prompting a user to enter both username and password? Does prompting the password only suffice?

  56. Preventing replay attacks with JWT
  57. Is there a security benefit to requiring a login before and after a captcha test?
  58. Asking for selected password letters rather than the whole password: is this secure?

  59. How can I find which hashing algorithm was used?

  60. Has a benefit been demonstrated for credit card machines asking for ZIP code?

  61. GUI exe brute-force login test

  62. How to avoid response manipulation in NodeJS Application?

  63. 3- or 4-character-long usernames from a security point of view
  64. System to verify personal information without revealing

  65. How to store `client_secret` privately on frontend applications?
  66. Tools or recipe usable by a non-professional to check their Wifi security for common issues?

  67. Storage of certificates and keys in hardware security modules (Use-case TLS)

  68. How to determine and compare risk in methods for document exchange
  69. AD authentication / authorization + WAM
  70. When do you use OpenID vs. OpenID Connect

  71. Concepts to support local and external authentication: JWT, Cookies, HttpOnly, ...?

  72. Is using OAuth2 services like Google or Facebook Single Sign-On a privacy concern?
  73. Authentication of an indefinite number of technicians in an offline scenario
  74. Authentication in WPA from a user's perspective
  75. What is the best protocol for an organisation to make phone calls to clients, where the client is required to verify their identity?

  76. OAuth2 vs API Key
  77. What is the use of client.pfx and server.pfx?
  78. Is there any way to authenticate an HTTP client only once?
  79. How to generate a unique and uncopyable VPN certificate/key for a specific client hardware device?

  80. Secure access to an application from the internet

  81. What are the formal methods to analyze authentication protocols?
  82. Google App Script as public gateway for database (spreadsheet)

  83. How does a user get authenticated on server B if they are already authenticated on server A through OAuth2?
  84. How smart is storing passwords and usernames in files?
  85. In the context of FIDO U2F, when is a new ephemeral key reused, or cached?
  86. Sharing access-tokens in response header?
  87. SAML token and service calls

  88. Store split JWT for CSRF protection and refresh strategy

  89. How to secure refresh token APIs?

  90. How can PHP unserialize() object injection be used to bypass authentication?
  91. Should user account be locked after X amount of failed logins?

  92. Basic Authentication with WebAPI and HTML/JS Client?

  93. OWASP ZAP brute-force by password, not username

  94. Can this be bypassed with SQL Injection?

  95. Is login limiting still needed if we employ multi-factor authentication?

  96. How to supply HTTP Basic Authentication details in OWASP ZAP proxy?

  97. HTTPS basic auth protected AJAX Token

  98. OAuth2 auth server reusing the access token

  99. Fuzzing a MIPS interactive binary
  100. Wanted: Secure login/authentication strategy for website with AND without JavaScript in 2018