Magic Links Have Rough Edges, but Passkeys Can Smooth Them Over
Ricky Mondello on why passkeys and “magic links” can be considered complementary technologies and how both can seamlessly coexist to serve passkeys enthusiasts and people who don’t yet have a passkey or don’t want a passkey.
↳ Great read on usable security!

Magic/Tragic Email Links: Don’t make them the only option
Guillaume Ross shares his opinion on “magic links” and why they are a usability nightmare, especially when they are forced upon the user: broken cross-device flows and a design that is hostile to mobile. He recommends offering passkeys as a robust alternative.

You’re thinking about passkeys wrong
Yawar Amin recommends combining magic links for initial sign-up with a prominently featured CTA to set up a passkey, or leveraging Conditional UI, for subsequent sign-ins. The result is a close-to-symmetric auth experience for users, independent of the device they use.

WebAuthn Conditional UI (Passkeys Autofill) Technical Explanation
WebAuthn’s Conditional UI, also known as passkey autofill, enhances the user experience by seamlessly integrating passkeys into the login process alongside traditional password autofill, which streamlines authentication and reduces user errors. This is a comprehensive resource by Corbado summarising the technical intricacies of how it works and how to implement it.

Passkeys: they’re not perfect but they’re getting better
The UK’s National Cyber Security Centre (NCSC) believes that passkeys are the future of modern authentication and recommends adoption. This endorsement acknowledges several shortcomings and challenges that still have to be solved, including (but not limited to) inconsistent user experiences, migration issues, and device-loss scenarios that many regular web users won’t be familiar with (yet).
↳ Also see my “Critical Notes on FIDO2 Passkeys” from a little over two years ago.

Threats & Vulnerabilities: Undetectable Automation

Undetectable Automation: SeleniumBase Chrome Devtools Protocol (CDP)
It seems bypassing traditional anti-bot solutions has never been easier. SeleniumBase chief architect Michael Mintz demos how the SeleniumBase Chrome Devtools Protocol (CDP) Mode counters common CAPTCHAs from all major vendors (Google, Cloudflare, Kasada, DataDome, Shape Security, Akamai, PerimeterX, Imperva, … you name it).

Password Spraying with Selenium and Fireprox
Ben Kofman demonstrates how malicious actors use AWS API Gateway to create pass-through proxies that rotate the source IP address with every request, and combine them with Selenium to run e.g. automated password spraying attacks that bypass IP-based rate-limiting controls.

Millions of Accounts Vulnerable due to Google’s OAuth Flaw
It’s a long-known reality that old, suspended domains can become a security nightmare for their former owners. This time, the approach of re-registering former business domains was found to work quite well against Google. Apparently, Google’s OAuth login doesn’t protect against someone purchasing a failed startup’s domain and using it to re-create email accounts for former employees.

Privacy: In-App Tracking & Signal Deanonymization

Everyone knows your location: tracking myself down through in-app ads
This is a brilliant self-experimental case study by Timsh on data collection, data trades and the bigger picture. It turns out that geolocation data is collected even when you have disabled location services. Additionally, real-time data brokers reconstruct user profile data with the assistance of numerous “pseudonymized” IDs.

Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms
By exploiting Cloudflare caching, security researcher Daniel “Hackermondev” discovered a method to locate a person within a 400-km radius through a unique 0-click deanonymization attack on platforms like Signal and Discord.

TikTok, AliExpress, SHEIN & Co surrender Europeans’ data to authoritarian China
NOYB has filed GDPR complaints against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi for unlawful data transfers to China. While four of them openly admit to sending Europeans’ personal data to China, the other two say that they transfer data to undisclosed “third countries”.
↳ Surprise!

Auth Toys & Tools: Open Policy Agent

Announcing OPA 1.0: A New Standard for Policy as Code
After 10 years of work from over 450 developers, OPA 1.0 is finally here. Those integrating with OPA’s Go packages are encouraged to update their applications to use the new v1 packages.