We’re pleased to announce that Recommendation X.1285, incorporating the OpenID Connect Core 1.0 – errata set 2 specification, has been officially published by the International Telecommunication Union. Following the formal adoption in April 2025, which we announced in May, the specification is now publicly available. This publication marks a significant milestone as the first OpenID […] The post OpenID Connect Core 1.0 now published as ITU standard first appeared on OpenID Foundation.| OpenID Foundation
OpenID Foundation and FIDO Alliance partner on enterprise security. Learn how FIDO authentication and Shared Signals Framework work together.| OpenID Foundation - Helping people assert their identity wherever they choose
(Spoiler Alert: the answer might be “both”!) This is a slightly technical article trying to capture how two different types of authentication mechanisms, federated login and passkeys, compare. Despite how similar they might look to the user because of the design of the login page, they are ultimately quite different things! When websites require you Continue Reading The post Comparing Federated Logins and Passkeys: Which One Fits Your Needs? appeared first on Spherical Cow Consulting.| Spherical Cow Consulting
The OTP plugin for Devise I help to maintain goes 2.0 this week. Here is what’s new and how to upgrade.| Notes to self
APIs have a reputation for being the weakest link in an enterprise’s cybersecurity. This can become a self-fulfilling prophecy, as APIs’ supposed vulnerabilities make them a popular target for potential attackers and cybercriminals. This can cause all manner of security issues, as APIs can be made to divulge a wealth of sensitive information using valid ...| Nordic APIs
Blind and low-vision users face the same password challenges as everyone else, but the tools meant to make security easier often end up getting in the way. A study from the CISPA Helmholtz Center for Information Security and DePaul University found that poor accessibility in password managers can lead people to risky habits such as reusing passwords. Researchers spoke with blind and low-vision participants who manage passwords for both personal and work accounts. Everyone in … More → The ...| Help Net Security
For years, the promise of a truly passwordless enterprise has felt just out of reach. We’ve had passwordless for web apps, but the desktop remained a stubborn holdout. We’ve seen the consumer world embrace passkeys, but the solutions were built for convenience, not the rigorous security and compliance demands of the enterprise. This created a dangerous gap, a world where employees could access a sensitive cloud application with a phishing-resistant passkey, only to log in to their worksta...| HYPR Blog
The RevOps Tightrope: When "Just Connect It" Becomes a Breach Vector. If you're in Revenue Operations, Marketing Ops, or Sales Ops, your core mandate is velocity. Every week, someone needs to integrate a new tool: "Can we connect Drift to Salesforce?" "Can we push this data into HubSpot?" "Can you just give marketing API access?" You approve the OAuth tokens, you connect the "trusted" apps, and you enable the business to move fast. You assume the security team has your back.| HYPR Blog
Discover how HYPR’s SVP of Worldwide Sales, Doug McLaughlin, breaks down the journey from contract to deployment, and why successful enterprise transformation in identity security takes more than technology. It’s about partnership, collaboration, and driving lasting change across global organizations.| blog.hypr.com
Stolen credentials remain one of the most common entry points for attackers, according to the Verizon Data Breach Investigations Report. Phishing campaigns, credential stuffing, and other credential-based attacks continue to evolve, targeting both cloud and on-premises systems. To reduce reliance on passwords alone, many organizations have turned to multi-factor authentication (MFA). But not all MFA... The post YubiKey guide: What is a YubiKey and why should you use one? appeared first on Spe...| Specops Software
70% of Americans feel overwhelmed by passwords, yet only half choose secure ones despite knowing the risks. The problem isn't user education—it's psychology. Discover why users resist better authentication and the UX design principles that make security feel human, not mechanical.| Deepak Gupta | AI & Cybersecurity Innovation Leader | Founder's Journey from ...
The OpenID Foundation has today released a critical new whitepaper addressing one of the most pressing challenges facing organizations deploying AI agents – how to securely authenticate and authorize these autonomous systems while maintaining proper governance and accountability. Identity Management for Agentic AI: The new frontier of authorization, authentication, and security for an AI agent […] The post New whitepaper tackles AI agent identity challenges first appeared on OpenID Founda...| OpenID Foundation
Explore the pros & cons of CIAM certification for authentication & software development. Learn about career benefits, core skills validated, and how it compares to other certifications.| Security Boulevard
Today, two Decentralized Identity Foundation (DIF) members brought their expertise to the "Trusted Digital Identity for People & AI” panel at the "Digital@UNGA", part of the 80th U.N. General Assembly.| Decentralized Identity Foundation
* Caveats apply.| Tyranid's Lair
A change to a Graph beta API meant that some data used to create the user password and authentication report was no longer available. A script update was required. The experience underlines the truth that developers should not rely on the Graph beta APIs because the APIs are prone to change at any time as Microsoft moves them along to become production-ready.| Office 365 for IT Pros
The HYPR Affirm Help Desk app equips agents with phishing-resistant, multi-factor identity verification at NIST IAL2 assurance—fast. It shifts help desks from prime fraud targets to powerful lines of defense.| blog.hypr.com
🚀 Developers: Boost user signups by 90% with Google One Tap Login! This complete 2025 guide covers implementation, security considerations, and 5 powerful alternatives including WebAuthn passkeys. Real code examples + decision framework included. Perfect for B2B SaaS and modern web apps.| Deepak Gupta | AI & Cybersecurity Innovation Leader | Founder's Journey from ...
Let's learn how to add API authentication with the Rails 8 auth generator: exploring the different approaches and integrating it with a frontend application.| Avo's Publication Feed
Laposte.net will send unauthenticated emails to spam or reject them. SPF and/or DKIM must pass and align with the From domain.| EmailKarma
Discover how to secure self-service password reset and account recovery with modern identity verification. Learn how HYPR Affirm eliminates account takeover risks and reduces IT costs.| blog.hypr.com
At first glance, these companies couldn’t be more different. A cleaning products giant, an iconic British retailer, a tech behemoth, and Las Vegas entertainment empire. Different industries, different locations, and different business models entirely. Yet they all share something unfortunate: they’ve all fallen victim to a similar form of cyberattack in 2025. Not through sophisticated... The post [New whitepaper] How to secure your service desk against social engineering attacks appeared ...| Specops Software
This tutorial shows how to connect to Centrifugo when using Keycloak SSO flow for user authentication. Here we build a simple demo app using React and Vite.|
Authentication migrations fail 40% of the time, costing millions in downtime. Learn the strategies security leaders use to avoid disaster, choose the right vendors, and build future-proof identity infrastructure that won't lock you in.| Deepak Gupta | AI & Cybersecurity Innovation Leader | Founder's Journey from ...
Advanced identity fraud is not only about a deepfake. 46% of global organizations experienced synthetic identity fraud in the past year.| Help Net Security
In a previous blog post, we explored the technical side of passkeys (also known as discoverable credentials or resident keys), what they are, how they work, and why they’re a strong alternative to passwords. If you’re a curious techie, check that out first.| blog.compass-security.com
Covers the mystery of the fabric-cicd authentication that never was. To help others who experience similar issues with fabric-cicd.| K Chant
Mobile apps are more exposed than web apps. Learn layered strategies to secure secrets, block MitM attacks, and stop bot farms.| Nordic APIs
ESPHome vulnerability - A critical vulnerability has been discovered in the ESPHome web server component on the ESP-IDF platform.| Cyber Security News
The Central Bank of the UAE has drawn a line in the sand. By March 2026, the era of the SMS and One-Time Passwords will be over for the nation's financial institutions. This is not a minor policy tweak. It's a seismic shift. For years, the SMS/OTP has been the default security blanket for digital banking. A familiar, but flawed, solution. But the CBUAE's directive acknowledges a harsh reality: in the face of sophisticated phishing, SIM-swapping, and social engineering attacks, this legacy met...| HYPR Blog
Explore NIST's new digital identity guidelines on Identity Proofing, Digital Authentication, and Federated Identity Management for improved IAM practices.| blog.hypr.com
Good news for cloud-first organizations: we’re pleased to announce Specops uReset is now joining Specops Secure Service Desk as being supported for customers who have fully migrated to the Entra ID cloud. Specops uReset is now available for cloud-only environments, bringing enterprise-grade self-service password reset capabilities directly to your cloud infrastructure. Whether your team is... The post Specops expands cloud offering to self-service password resets appeared first on Specops S...| Specops Software
Today, your identity on the Internet is essentially owned by the big email providers and social networks. Google, Yahoo, Facebook, Twitter - chances are you use one of these services to conveniently log into other services as YOU. You don't need to remember a new password for each service, and the service providers don't have to verify your "identity". What you gain in convenience, you lose in privacy, and that's turned out really well, hasn't it?| Go To Hellman
Learn how to prevent unauthorized API access with scoped tokens, gateways, WAFs, TLS, rate limits, and input validation.| Nordic APIs
The New York State Department of Financial Services (NYDFS) has long been a leader in setting cybersecurity standards for the financial services and insurance sectors. Under 23 NYCRR Part 500, regulated entities are required to implement a comprehensive cybersecurity program that addresses governance, access controls, incident response, and ongoing risk management.| HYPR Blog
Choosing the right identity verification (IDV) partner is one of the most critical security decisions you'll make. As organizations fortify their defenses, it’s clear that verifying the identity of your workforce requires a fundamentally different approach than verifying customers. The stakes are simply higher. For customer verification, the primary goal is often a smooth, low-friction sign-up process. For your workforce, the goal is ironclad security to prevent a breach. The reality is tha...| HYPR Blog
Helpdesks are critical support hubs, but their central role makes them prime targets for sophisticated social engineering attacks. These attacks exploit human psychology, tricking helpdesk personnel into divulging sensitive information or compromising security, often by targeting credential resets. When attackers convince an agent to reset a legitimate user's password, they bypass security, gaining unauthorized access to sensitive systems and data. The devastating impact was demonstrated by t...| HYPR Blog
Candidate fraud is on the rise, costing companies time, money, and trust. Learn how identity verification helps HR teams detect fake applicants, stop deepfakes, and secure the hiring process.| blog.hypr.com
Organizations should consider three-factor authentication (3FA), but the new device can't be used to authenticate from a foreign device.| Help Net Security
In this video for Help Net Security, Dan Lohrmann talks about MFA and how everyone should consider it to protect their identity and accounts.| Help Net Security
Keyavi Data issued a set of best practices for keeping personal and business data out of criminal hands using MFA.| Help Net Security
With identity becoming a top way attackers gain access to corporate networks, security admins must take control of Windows authentication and access policies.| CSO Online
Why build auth logic when your database can do it better? Learn how SQL Server user impersonation creates stronger security boundaries with less application complexity.| Alonso Network
Is your account safe? Here are some cyber-security tips to help you prevent any hackers accessing your information.| The Daily Rind
Hear advice from Mikael Svall, Outpost24 OffSec expert, on securing your service desk against social engineering.| Specops Software
Moving to authentik, simplified with dynamic migration| authentik Blog
We chose not to pursue AI just for the sake of being able to say we are AI-powered.| authentik Blog
The fundamental building blocks in authentik allow admins to customise their users' authentication experience.| authentik Blog
If you’re the first security hire, here’s how to make an impact without making yourself unpopular.| authentik Blog
Today, I'm going to answer a question asked by Łukasz Biały on Twitter: Is there a way to get field-level RBAC (Role-Based Access Control)? It turns out there is! However, Caliban's approach to authentication and authorization is quite flexible. In...| Pierre Ricadat's Tech Blog
Teen hackers behind a £440M cyberattack expose the flaws in legacy identity systems. Learn how HYPR stops Scattered Spider with deterministic security.| blog.hypr.com
Many organizations are interested in using passkeys instead of conventional passwords, but how much better are they? Despite rising concerns about password security and a growing trend towards passkeys and […] The post Passkey Authentication, ITProToday appeared first on J Wolfgang Goerlich.| J Wolfgang Goerlich
Nearly half of observed login attempts across websites protected by Cloudflare involved leaked credentials. The pervasive issue of password reuse is enabling automated bot attacks and account takeovers on a massive scale.| The Cloudflare Blog
In cryptography, the process of authenticating a user (or app/service) is known as entity authentication or identification (to distinguish it from message authentication or data origin authentication). There are lots of ways to do this. In this post I’m going to talk about authentication schemes based on public key cryptography. It turns out that the […]| Neil Madden
Understanding DKIM FBL (Feedback) Configuration| EmailKarma.net
Cyber risks are everywhere in today’s digital world. People and companies can lose money, have their data stolen, or have their identities stolen if they use weak passwords or old authentication methods. A strong password is the first thing that will protect you from hackers, but it’s not the only thing that will do the […]| Forthright Technology Partners
Let’s get one thing clear: Scattered Spider isn’t “back” – they never left. You’ve seen the headlines. MGM, Marks & Spencer, and others all fell victim to their schemes. Now, this relentless cybercrime collective has a new target in its crosshairs: the U.S. insurance industry. With recent cyberattacks rattling major providers like Aflac, Erie Insurance, and Philadelphia Insurance Companies, the threat isn't just looming; it's here. As it always has been. As Google Threat Intellige...| HYPR Blog
As the transition period for PCI DSS 4.0 draws to a close on March 31, 2025, PCI DSS 4.0.1 stands as the current version of the standard. More importantly, the March 31, 2025 deadline for full compliance with all new and customized PCI DSS 4.0 requirements is live. What's New in PCI DSS 4.0.1? PCI DSS 4.0.1 represents a limited but important revision to version 4.0. While it doesn't introduce new requirements, it provides crucial clarifications that impact how organizations implement securi...| HYPR Blog
Read HYPR's HR 2025 field guide to prevent interview and onboarding fraud. Get 10 actionable items you can implement today to protect your workforce.| blog.hypr.com
Learn how to implement Passwordless Authentication in Rails with the NoPassword gem using the email and OAuth flows.| avohq.io
I’m excited to be travelling to Bonn, Germany, and to speak at the upcoming Cloud Identity Summit 2022, which will be held September 22nd at adesso SE, close to the city of Bonn. This is my second time speaking at the Cloud Identity Summit, the first time was in 2020 and that was a […]| GoToGuy Blog
This post looks at an alternative way of implementing a native app authentication and authorization. At present, a web browser is used to implement authentication of native applications when using OAuth and OpenID Connect. The alternative approach implemented in the post is based on the OAuth 2.0 for First-Party Applications draft and adapted to be […]| Software Engineering
ASP.NET Core provides great extension points for handling OpenID Connect error events. This blog looks at implementing error handling in an ASP.NET Core application implemented using ASP.NET Core I…| Software Engineering
HYPR and HID have partnered to deliver one converged access solution with hardware- and software-based passkeys in a single platform. Whether your workforce needs smart cards for regulated environments, mobile-device credentials for remote workers, or both, this solution flexes to your policies and compliance requirements.| blog.hypr.com
Verification and authentication have some overlap, but there are some key differences you should know. Learn more here.| Telesign
Why Phishing-Resistant MFA Isn’t Optional Anymore. The escalating sophistication of phishing and social engineering attacks has pushed organizations towards stronger authentication methods. Phishing-resistant multi-factor authentication (MFA), particularly solutions leveraging FIDO2/WebAuthn standards, is a big leap forward in security posture. Many organizations utilize hardware-based FIDO2 authenticators like YubiKeys by Yubico, widely recognized as a gold standard for physical tokens, pre...| HYPR Blog
How Weak Identity Security Posture Affects Organizations. The report paints a clear picture: fraudsters are refining their strategies, targeting high-value credentials and exploiting vulnerabilities across all channels. Several statistics stand out, demanding immediate attention from security and risk leaders.| HYPR Blog
Learn how to add a Sign in With Apple feature to your Rails application to improve user sign-ups.| avohq.io
Breaking down the limitations of SSH key-based authentication and showing how SSH certificates enable modern, manageable infrastructure access.| Infisical Blog
Learn how to solve the secret zero problem in cloud-native authentication.| Infisical Blog
This video brings attention to the importance of implementing 2FA, 3FA, MFA and upgrading your security awareness efforts.| Help Net Security
Consumers are concerned about the risks associated with GenAI and deepfakes, including the potential for online fraud or identity theft.| Help Net Security
Telesign and PingOne offer a modern approach to fraud protection—intelligent, adaptive, and designed for scale.| Telesign
Learn how behavioral biometrics continuously verifies identity and adds extra authentication security.| Specops Software
This blog implements client assertions using an OAuth client credential flow in ASP.NET Core. Client assertions provide a secure way for client authentication without sharing a secret, enhancing th…| Software Engineering
Sharing Email Marketing Knowledge and News with the Digital Marketing Community.| emailkarma.net
Learn how to add social login with the Rails 8 auth generator with single and multiple accounts.| avohq.io
Learn how to implement user confirmation using the Rails Auth generator flow| avohq.io
Let's learn how to implement authentication without a gem in a Rails 8 application.| avohq.io
As CEO of HYPR, I spend a lot of time thinking about the future of identity security. And right now, one of the most significant shifts we're witnessing is driven by the rapid advancement of Artificial Intelligence. While AI offers incredible potential, it also presents formidable challenges, particularly in the realm of identity verification. The uncomfortable truth is that the era of relying solely on scanning a driver's license or passport to prove someone is who they claim to be is rapidl...| HYPR Blog
Why the Troy Hunt Phishing Attack is a Wake-Up Call for MFA Inadequacy| blog.hypr.com
Let’s be blunt. For decades, we’ve been participating in a digital ritual of masochism. A frantic scramble to concoct increasingly complex strings of characters – a chaotic blend of upper and lowercase letters, numbers, and symbols that resemble the ramblings of a caffeinated squirrel. We’ve been told this is “security.” I say it’s a carefully […] The post The Password is Dead. I Repeat, DEAD. (And Honestly, Good Riddance.) appeared first on Poly Plugins.| Poly Plugins
EiffelStudio 24.05 brings significant .NET Core advancements (net8.0, PDB, debugging), improved graphical environment with new editor commands, and updated libraries. Learn more about this powerful release.| Eiffel Software - The Home of EiffelStudio
Rigid security protocols can frustrate employees, slow productivity and lead to unsafe workarounds, according to Ivanti.| Help Net Security
The fundamental problem with standards is captured by XKCD 927 (https://xkcd.com/927/). Single sign-on systems have the same proble...| go-to-hellman.blogspot.com
Unlock Seamless Security: Combining Physical and Digital Access with HYPR and IDEMIA. Your organization spans a physical and a virtual environment, but how well aligned are your strategies for securing both? With the rise of hybrid work models, the challenge of securing sensitive information against increasingly sophisticated online and in-person threats has become more critical than ever. In a groundbreaking move to address these challenges, HYPR and IDEMIA have joined forces. This powerful p...| HYPR Blog
The 2025 State of Passwordless Identity Assurance Report revolves around the Identity Renaissance: the exploration of business success when it’s unburdened by security vulnerabilities and inefficiencies.| blog.hypr.com
Explore the differences between SSH authentication methods and why SSH certificates are the superior choice for securing your servers.| Infisical Blog
Learn about user authentication as a critical security process that protects systems from unauthorized access.| Telesign
Don’t we all know the hassle of managing loads of passwords, trying to come up with secure and unique ones only to try afterwards to remember them? Or always staying on high alert whether the URL is definitely the valid one for the website we are trying to visit?| blog.compass-security.com
Client assertions is a method of client authentication which can be used in OpenID Connect. This provides an alternative to client secrets. This approach enhances security by using signed tokens (J…| Software Engineering
SMS-based, two-factor authentication (2FA) has long been a staple security measure for many online services, including Gmail. However, as the tech industry shifts towards more secure authentication methods, it has become evident that SMS codes are no longer the ideal solution. In a recent reveal, a Gmail spokesperson has confirmed that Google is planning to phase out SMS codes for authentication, marking a significant change for billions of users worldwide.| HYPR Blog
Wouldn't it be great if you could take those policies for a test drive before unleashing them on your users? Now you can.| blog.hypr.com
Organizations agree that passwordless authentication is the future, but getting there represents a significant change management challenge.| Help Net Security
Kerberos is an authenticated key agreement protocol based on the Needham-Schroeder protocol. That's too complicated -- let's break it down a little.| syfuhs.net
Learn how password shucking attacks rehashed or pre-hashed passwords by stripping your password hashes of their strong outer password hashing algorithm.| Scott Brady
Learn how to integrate sign up forms with password generators by using the autocomplete and passwordrules HTML attributes.| Scott Brady - scottbrady.io
New Pluralsight course on all things user authentication and how to implement them in ASP.NET Core| Scott Brady - scottbrady.io
A look at the advantages and disadvantages of using software tokens as an authentication factor, focussing on TOTP.| Scott Brady - scottbrady.io