Directory Migration Services
The Challenges With Legacy Directory Services
Organizations around the world pursuing Zero Trust, Cloud Security, and Digital Business initiatives are now constrained by IAM and customer IAM (CIAM) solutions built on decades-old LDAP directory services. These older directories aren’t designed… Continue reading
May Calendar: Richmond IAM Users Group, DC FAIR Chapter, and European Identity Conference
April showers, May flowers. A busy April is drawing to a close. We are back from RSA, and left one post so far on the KuppingerCole web site. Another is expected soon on “Passwordless Authentication? FIDO, Finally, Almost…”
The OAuth Standards Stack: An Architectural Perspective
The OAuth standards stack is racing to keep up with the growing inter-connectedness of cloud, IOT, social networks, e-commerce, individuals, and enterprises on today’s Internet. The menu of new standards options can seem bewildering – especially since some are still… Continue reading
Token Bindings to Gear Up Authentication Assurance
In last year’s “Passwords are Overloaded, Not Dead” I voiced skepticism that security’s oldest construct would be replaced anytime soon. But many in the industry continue working to replace passwords, and while their marketing slogans may… Continue reading
Securing the API Economy
An API management market has created new architecture patterns to secure the API economy. Why? Because today’s application program interfaces (APIs) are not your father’s APIs. Once, APIs primarily linked modules of code on the same computer. Once,… Continue reading
Dark Lords of the Internet
In last week’s Covert Redirects and Perverse Incentives I described an open redirect vulnerability in the OAuth protocol which social login providers may not fix because it would require locking out third parties with slack security practices but lucrative business… Continue reading
Covert OAuth Redirects and Perverse Incentives
Covert redirect is a structural vulnerability in OAuth-based protocols. It was widely publicized in early May. Identity and security experts had long known about, but don’t have an easy fix. Once the media learned covert redirect isn’t as serious… Continue reading
OAuth-Protected Access at Facebook and Twitter Breached from Leaky Buffer Service
On October 26, 2013 tens of thousands of Facebook and Twitter users got a nasty shock. Hackers broke into a service called “Buffer”, plundered OAuth access tokens and posted to their accounts. Luckily, it was all just to promote… Continue reading
Managing OAuth Risks in Mobile Applications
When, not if, endpoints get compromised OAuth tokens and other credentials become collateral damage. That means cyber-attackers may also compromise any resources available through OAuth 2.0, such as accounts at sites accessed through some social login systems or (potentially) HIPAA-protected… Continue reading
Proposed OAuth 2.0 Assurance Session at IIW
As the morning dawns on the Mountain View Computer History Museum in California, the Internet Identity Workshop (IIW) will begin and I’ll propose an “unconference” session on OAuth assurance. As some of you know and others may see from the… Continue reading