The hottest Authentication Substack posts right now

And their main takeaways
ciamweekly 62 implied HN points 16 Feb 26
  1. CIAM helps make users' day-to-day identity and access flow secure and seamless across devices, apps, and multiple personas.
  2. The CIAM landscape is complex with many protocols and legacy systems, which creates hard choices, maintenance burdens, and organizational resistance to adopting better practices.
  3. LLMs and agentic tools will both simplify CIAM design and implementation and create new trust and security risks, driving rapid changes in protocols and products.
ciamweekly 62 implied HN points 09 Feb 26
  1. Pick your JWT algorithm based on tradeoffs: HMAC (HS) is very fast and simple but uses a shared secret and cannot provide non-repudiation, while asymmetric algorithms let you separate signing and verification.
  2. Prefer modern asymmetric schemes when possible: RSA-PSS is safer than old PKCS#1 v1.5, ECDSA gives small fast signatures but demands perfect nonce randomness, and EdDSA (Ed25519) is usually the best choice because it’s fast, secure, and uses deterministic nonces.
  3. Match algorithm to your environment and tooling: RSA has the widest compatibility but large signatures and slower signing, ECDSA risks come from RNG mistakes, and EdDSA may require checking HSM/KMS and library support before committing.
ciamweekly 125 implied HN points 19 Jan 26
  1. CIAM is more than just security — it’s the gateway to seamless experiences across devices and providers using federation, MFA, and passkeys, and it’s becoming essential for B2B SaaS.
  2. Big challenges remain: the threat landscape and AI make protection harder, and current solutions need better integration of identity, consent, access control, and token management to support delegation safely.
  3. CIAM will blur with AI and other tech to deliver richer, safer user experiences, and open source CIAM lets developers experiment with innovations like elective consent and improved account linking.
ciamweekly 62 implied HN points 02 Feb 26
  1. CIAM comes in seven main flavors (B2E, B2C, B2B2C, B2B2E, B2D, B2G, B2A), each reflecting a different relationship between the product and its users like customers, employees, developers, governments, or agents.
  2. Pick CIAM features based on who your users are: consumer-facing (B2C) systems prioritize smooth UX, social/passwordless logins, and marketing integration, while B2B2C and B2B2E need tenant segmentation, delegated admin tools, and strong federation/provisioning.
  3. Niche CIAM types have special nonfunctional and compliance needs — B2D requires rich APIs and docs, B2G needs government compliance, and B2A demands separate agent identities, different throttling, and a new threat model.
ciamweekly 62 implied HN points 26 Jan 26
  1. Hash secrets that are created by your system, stored long-term elsewhere, high value, must stay secret, and are never needed in plaintext. Examples include MFA recovery codes, static API keys, and client secrets.
  2. Don’t hash values you must use in plaintext or that are public, because hashing either breaks functionality or is pointless; examples are private keys (used to sign) and public client identifiers.
  3. Hashing at rest is good defense-in-depth but not foolproof — short or simple secrets can be reversed with rainbow tables and hashed values must never be logged, so make secrets complex and rotate them if they get exposed.
ciamweekly 62 implied HN points 12 Jan 26
  1. Never store passwords in plain text or as reversible encrypted values; use a one-way password hashing algorithm (for example Argon2 or PBKDF2) chosen for your security and performance needs.
  2. Use a unique random salt per user and a tunable work factor (iterations/memory) that you increase over time as hardware improves, and consider adding a pepper stored separately for extra protection.
  3. Encrypt your database at rest as part of defense in depth, and remember hashed passwords are non-recoverable so you can verify passwords but not retrieve the plaintext.
ciamweekly 62 implied HN points 22 Dec 25
  1. CIAM helps teams move fast while managing risk by providing plug-and-play identity services so businesses can deploy strong security without building large security orgs.
  2. Usability is the biggest adoption barrier: simple, embedded sign-up/sign-in flows (think three fields, passkeys, device-aware MFA, no redirects/popups or CAPTCHAs) keep real users from abandoning.
  3. CIAM’s future is shifting from pure security to selling user knowledge and insights, with AI and increased regulation driving investment and new product opportunities.
Department of Product 314 implied HN points 06 Feb 24
  1. Passkeys are digital keys replacing traditional passwords, enhancing security and creating unique keys for each account and device.
  2. Major companies like Uber, Apple, Google, and Microsoft are actively supporting and implementing passkeys for a passwordless future.
  3. Product teams can implement passkeys by understanding how they work and following a step-by-step guide for integration.
Permit.io’s Substack 59 implied HN points 23 May 24
  1. JWTs are great for authentication but should be used carefully. They are not meant for detailed permission checks and can create security issues if misused.
  2. They are static once issued, meaning any changes to a user's role won't be reflected until the token expires. This can lead to potential security risks.
  3. JWTs are suitable for stateless, distributed systems and coarse-grained authorization, but for fine-grained control, other tools should be used.
Elliott Confidential 137 implied HN points 11 Feb 24
  1. Use two-factor authentication and authenticator apps to protect your online travel accounts from hackers.
  2. Enable login notifications and maximize security settings on platforms to monitor any unauthorized access to your accounts.
  3. Avoid using simple or repeated passwords, practice safe Wi-Fi usage, and be cautious of urgent emails or suspicious links to prevent hacking incidents.
Permit.io’s Substack 99 implied HN points 15 Feb 24
  1. Before building your own security system, think about whether it's really necessary. You might find better solutions that are already out there.
  2. Developers often dislike focusing on security tasks because they can be boring. It’s typically more efficient to use existing security tools instead of creating something new.
  3. There are standard systems like OAuth and JWT for handling security, and using open-source or developer platforms can save you a lot of headaches.
ciamweekly 250 implied HN points 18 Nov 24
  1. There are many new startups in authentication since Auth0 was bought. This is because developers can easily build and use these tools themselves.
  2. Self-hosting is becoming popular again with modern solutions available. Some companies make it tough to download these options so users rely on their SaaS services instead.
  3. Many businesses are moving away from creating their own authentication systems. They see it as something best handled by specialized vendors, which helps them focus on their main goals.
Identity, Authenticity, and Security 2 HN points 04 Sep 24
  1. Authentication is about proving who you are. It's like showing your ID before entering a building.
  2. Authorization is about what you are allowed to do. It's like having a VIP pass that lets you access certain areas.
  3. Both authentication and authorization are important for keeping applications secure. They help protect personal data and maintain trust with users.
Rod’s Blog 119 implied HN points 24 Oct 23
  1. Legacy authentication poses a significant security risk as it makes it easier for attackers to compromise user accounts.
  2. Microsoft Entra ID recommends disabling legacy authentication to improve security.
  3. Microsoft Sentinel can help detect and mitigate login attempts using legacy authentication by analyzing sign-in logs, creating alerts, and taking appropriate actions.
microapis.io 98 implied HN points 24 Mar 23
  1. The post introduces the Restaurant Booking API series with educational tutorials and practical examples.
  2. The API will cater to customers and restaurant owners, allowing tasks like booking tables and managing menus.
  3. Key URL paths in the API include '/restaurants', '/owners', and '/customers', with detailed functionalities for each.
Rod’s Blog 19 implied HN points 08 Feb 24
  1. Passwordless authentication aims to improve security by eliminating the need for traditional passwords and using methods like biometrics or hardware tokens instead.
  2. Going passwordless reduces the risk of password breaches and phishing attacks, making the login process faster and more convenient for users.
  3. Challenges of going passwordless include user trust in new technologies, compatibility issues, privacy concerns, and suitability for certain online services.
Identity Revive 38 implied HN points 04 Feb 25
  1. Passkeys use a public-private key system for logging in. This makes them safer than passwords because the private key never leaves your device, reducing the risk of hacking.
  2. Passkeys can sync across devices or stay on one device, offering flexibility for users. This means you can log in from different devices easily without needing to remember passwords.
  3. Major companies like Apple, Google, and Microsoft support passkeys, making them easy to use on different platforms. This helps create a passwordless future that's more secure and user-friendly.
Kamil’s Substack 3 HN points 14 May 24
  1. During iCloud account recovery, you may be asked for credit card details that are actually verified by running a charge, causing issues even with correct information.
  2. Securing your own email account can involve user-controlled methods like two-factor authentication with a physical token, whereas iCloud's security measures are more restrictive and dictated by the service provider.
  3. Recovering an iCloud account might involve providing credit card details, which are tested by running a transaction, leading to potential issues if the card details change.
microapis.io 3 HN points 27 Feb 23
  1. OWASP's Top 10 API vulnerabilities include issues like broken user authentication, excessive data exposure, and lack of resources & rate limiting.
  2. Broken Object Level Authorization can lead to attackers accessing information they shouldn't.
  3. API security is crucial due to the growing use of APIs, potential risks, and the significant impact of poor API security on organizations.
Thái | Hacker | Kỹ sư tin tặc 19 implied HN points 04 Jan 20
  1. When designing an API for money transfers in a mobile banking system, it's crucial to consider user authentication and authorization to prevent fraudulent activities.
  2. In mobile apps, the challenge lies in implementing user authentication without standard mechanisms like HTTP cookies, requiring solutions like OAuth or JWT.
  3. Creating security solutions for mobile banking requires a blend of applied security and product security expertise, emphasizing the importance of identity access management beyond just finding vulnerabilities.
ciamweekly 1 HN point 11 Mar 24
  1. B2C, B2B, and B2B2E applications require different approaches to customer identity and access management (CIAM) systems.
  2. B2C applications aim at end consumers, requiring smooth registration and authentication processes due to user choice.
  3. B2B and B2B2E applications cater to business and employee users, with focus on organization structures, payment collection, and different authentication needs.
ciamweekly 1 HN point 20 Feb 24
  1. Multi-factor authentication (MFA) is crucial for online security, but it may not be foolproof.
  2. Different situations call for different MFA methods; what works for a bank may not work for a restaurant.
  3. There is no one-size-fits-all MFA solution; consider user behavior, application needs, and user investment in your service.
Thái | Hacker | Kỹ sư tin tặc 19 implied HN points 17 Jul 07
  1. Authentication is the first step in the security realm, involving proving if you are who you claim to be through factors like something you have, something you are, something you know, or something you trust.
  2. Using multi-factor authentication, especially two or three factors, enhances security by requiring multiple types of proof for identity verification.
  3. Security measures in authentication should balance safety and convenience, as perfect security doesn't exist. Implementing n-factor authentication beyond three can become too inconvenient.
AnyCable Broadcasts 0 implied HN points 16 Feb 22
  1. The post discusses the preliminary work for adding a direct messaging feature, such as setting up user profiles and authentication via Rails `has_secure_password`.
  2. Links to resources like Rails `has_secure_password` documentation, Turbo Frames, and Stimulus JS are provided for further learning.
  3. The use of Turbo Frames and Stimulus JS for managing state and persisting elements across page loads is highlighted.
AnyCable Broadcasts 0 implied HN points 23 Dec 21
  1. The post explores building a new Rails 7 application with features like `--css=tailwind`, Turbo Frames and Streams, and configuring AnyCable with JWT authentication and speedy streams.
  2. The screencast series 'AnyCasts' covers real-time web app development using Ruby and other languages, alongside Hotwire and Stimulus Reflex.
  3. Resources include the Rails 7 release announcement, Turbo Frames documentation, AnyCable blog, and plugins like AnyCable Rails JWT for JWT identification in AnyCable.
AnyCable Broadcasts 0 implied HN points 29 Sep 21
  1. AnyCable v1.2 introduces JWT identification and 'hot streams' for powering up efficient Hotwire frontends by moving functions from Ruby to Go.
  2. JWT identification standardizes authentication for WebSockets, protects from cross-site WebSocket hijacking, and boosts performance by removing the need for RPC calls.
  3. Combining JWT identification with signed streams in AnyCable allows the creation of subscriptions without touching RPC, offering improved efficiency for Hotwire and CableReady functionality.
Ingig 0 implied HN points 13 Apr 24
  1. Plang has built-in security mechanisms, preventing common issues like SQL injection and XSS, allowing developers to focus more on functionality.
  2. Plang offers password-less authentication using ECC, enhancing security and providing a user-friendly login experience.
  3. Plang promotes privacy through local data storage, preventing large-scale breaches and unauthorized access to sensitive information.
ciamweekly 0 implied HN points 12 Feb 24
  1. Implement email verification in CIAM systems to connect new accounts to valid email owners, reducing account takeovers and bot attacks.
  2. When changing login identifiers in CIAM systems, re-verification is crucial to prevent unauthorized access and alert users of potential attacks.
  3. Account recovery in CIAM systems should not be sent to unverified accounts and should implement additional security measures like session invalidation and multi-factor authentication.
trydeepwork 0 implied HN points 07 May 23
  1. Users can now move tasks between power goals and delete them.
  2. Significant UI improvements to tasks and badges for completed challenges.
  3. Improved integration with Firebase Analytics for better tracking.
Overflow 0 implied HN points 29 May 23
  1. Microservices architecture provides a solution to the challenges of monolithic applications by structuring an application as a collection of loosely coupled services.
  2. Transitioning from a monolith to microservices involves splitting different modules into independent services, offering flexibility in programming languages, databases, and scaling components of the application independently.
  3. Microservices offer benefits like continuous delivery, easy testing, fault tolerance, and better scalability compared to monolithic applications, making them a favorite among developers.