Covert redirect is a structural vulnerability in OAuth-based protocols. It was widely publicized in early May. Identity and security experts had long known about, but don’t have an easy fix. Once the media learned covert redirect isn’t as serious… Continue reading
When, not if, endpoints get compromised OAuth tokens and other credentials become collateral damage. That means cyber-attackers may also compromise any resources available through OAuth 2.0, such as accounts at sites accessed through some social login systems or (potentially) HIPAA-protected… Continue reading
As the morning dawns on the Mountain View Computer History Museum in California, the Internet Identity Workshop (IIW) will begin and I’ll propose an “unconference” session on OAuth assurance. As some of you know and others may see from the… Continue reading
Broad deployments of federated identity have arrived in the form of social login. But in 2013 we find federation on the horns of a dilemma; can it be both broad and strong?
Federated identity, especially in the form OAuth… Continue reading
You thought you heard a click behind that site’s “Sign in with Facebook” button. But did you also hear the inaudible sigh of your personal data disappearing into the maw of yet another application?
Social login is the ability to… Continue reading
I recently developed a “history of federated identity” diagram and marveled at how it was similar, in many ways, to slides I created while working at Burton Group in 2004. Let’s take a look at a few diagrams and see… Continue reading