Questions tagged [authentication]

Authentication: the process of establishing the authenticity of a person or other entity. Abbreviated "authn". Not to be confused with defining access rights to resources, which is the topic of authorization (authz).

See more at http://en.wikipedia.org/wiki/Authentication

An update on the state of the art and a research agenda is in the IEEE Security and Privacy Magazine special issue for January/February 2012: Authentication—Are We Doing Well Enough?

4516 questions
130 votes, 20 answers

How should I securely type a password in front of a lot of people?

I am a manager in an office where the company does not provide a company email, so I use my personal email. Often, I will receive jobs lists by email from my general manager. How should I log in to my email in front of my co-workers so that they…
Annalise Carla
111 votes, 13 answers

Secure way to log in to a website on someone else's computer

Suppose I am in a situation that I am forced to log in to my account using someone else's computer. Is there any secure way to do that so that I would be sure that my login details (i.e. password) are not recorded by any means (e.g. keystroke…
today
102 votes, 3 answers

Token-based authentication - Securing the token

I have developed a backend REST API for a mobile app and I am now looking to implement token-based authentication for it to avoid having to prompt the user to log in on every run of the app. What I had in mind was on the initial request the user…
James
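A worked example of the kind of token scheme this question is about, added here as an editor's illustration and not code from the question or any of its answers: the server issues a random opaque token, stores only the SHA-256 hash of it, and resolves presented tokens by hash lookup with an expiry and a revocation path. The names (`TokenStore`, `TOKEN_TTL`, `user_from_authorization`), the 30-day lifetime and the bearer-header format are assumptions made for the example.

```python
import hashlib
import secrets
import time
from typing import Optional

# Added example (not from the question or its answers). The lifetime is an
# assumption; a real service picks it to match its risk appetite.
TOKEN_TTL = 30 * 24 * 3600


def _digest(token: str) -> str:
    """Index tokens by SHA-256 so a leaked token table does not leak usable tokens."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class TokenStore:
    """Opaque bearer tokens for a mobile client, kept server-side only as hashes."""

    def __init__(self):
        self._records = {}  # digest -> {"user": str, "expires": float, "revoked": bool}

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Return a fresh 256-bit random token; only its hash is stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
        self._records[_digest(token)] = {
            "user": user_id,
            "expires": now + TOKEN_TTL,
            "revoked": False,
        }
        return token

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id the token belongs to, or None if unknown, expired or revoked."""
        now = time.time() if now is None else now
        rec = self._records.get(_digest(token))
        if rec is None or rec["revoked"] or now >= rec["expires"]:
            return None
        return rec["user"]

    def revoke(self, token: str) -> None:
        """Log-out / lost-device path: the token becomes unusable before it expires."""
        rec = self._records.get(_digest(token))
        if rec is not None:
            rec["revoked"] = True


def user_from_authorization(store: TokenStore, header: Optional[str],
                            now: Optional[float] = None) -> Optional[str]:
    """Parse an 'Authorization: Bearer <token>' request header and resolve it."""
    if not header or not header.startswith("Bearer "):
        return None
    return store.verify(header[len("Bearer "):].strip(), now)


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("user-42", now=0.0)
    print(user_from_authorization(store, f"Bearer {tok}", now=0.0))            # user-42
    print(user_from_authorization(store, f"Bearer {tok}", now=TOKEN_TTL + 1))  # None
```

Because the lookup is by hash, no constant-time comparison of the raw token is needed on the server, and an attacker who reads the table still has to find a preimage of a 256-bit random value. The client side matters as much: the token should live in the platform keystore, not in plain app storage, and should only ever travel over TLS.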
67 votes, 14 answers

Sending passwords to someone remotely

As someone who usually works with people in other countries, it has always been a problem to send login information to each other. For development login details, like debug databases etc., sure, I can send them over in clear-text email or something, but…
user36976
34 votes, 7 answers

Silently Limiting Login Attempts

I've seen the following login rate limiting approach used on a web site I worked on, but I can't figure out if it's a good idea: After any failed login attempt, the site locks the user account for a fraction of a second. When the account is locked,…
James_pic
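An executable sketch of the scheme described in the question above, added as an editor's example (it is not the questioner's site code): every failed attempt locks the account for a fraction of a second, and while locked the login path returns the same "bad credentials" result without examining the password, so the lock is invisible to whoever is probing. The half-second window, the `LoginGate` and `simulate_burst` names, and the low PBKDF2 iteration count are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Added example (not code from the question). The lock window is an
# assumption matching "a fraction of a second"; the iteration count is kept
# low for the demo, production PBKDF2-SHA256 uses far more.
LOCK_SECONDS = 0.5
KDF_ITERATIONS = 50_000


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


class LoginGate:
    """Password check with a short, silent per-account lock after each failure.

    A locked attempt gets exactly the same False as a wrong password, so an
    attacker cannot tell from the response whether the password was even checked.
    """

    def __init__(self):
        self._users = {}        # username -> (salt, pbkdf2 hash)
        self._lock_until = {}   # username -> time until which attempts are refused
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _kdf("dummy", self._dummy_salt)
        self.kdf_checks = 0     # how many attempts reached a real password check

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _kdf(password, salt))

    def attempt(self, username: str, password: str, now: float) -> bool:
        # While locked, refuse before touching the password. Even the correct
        # password is refused here, which is what keeps the lock silent.
        if now < self._lock_until.get(username, 0.0):
            return False
        rec = self._users.get(username)
        # Unknown users still pay for a KDF so timing does not reveal which accounts exist.
        salt, expected = rec if rec is not None else (self._dummy_salt, self._dummy_hash)
        self.kdf_checks += 1
        ok = hmac.compare_digest(_kdf(password, salt), expected) and rec is not None
        if not ok:
            self._lock_until[username] = now + LOCK_SECONDS
        return ok


def simulate_burst(gate: LoginGate, username: str, guesses: int,
                   per_second: float, start: float = 0.0) -> int:
    """Fire `guesses` wrong passwords at `per_second`; return how many reached a real check."""
    before = gate.kdf_checks
    for i in range(guesses):
        gate.attempt(username, f"wrong-{i}", start + i / per_second)
    return gate.kdf_checks - before


if __name__ == "__main__":
    gate = LoginGate()
    gate.register("alice", "correct horse battery staple")
    # 1000 guesses in one second: only two of them are actually checked.
    print(simulate_burst(gate, "alice", 1000, 1000.0, start=10.0))
```

The simulation shows the trade-off: online guessing against one account is throttled to roughly two real checks per lock window no matter how fast the attacker submits, while a legitimate user only notices if their own attempt lands inside the half second after a failure. The lock is per-account, so it does nothing against password spraying across many usernames; that still needs per-source limits as well.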
28 votes, 6 answers

Passwordless authentication - how and when to invalidate a login code

Our system uses passwordless login: it sends the user a login code and link by e-mail, by which they can log in. We found one of our customers has a mail scanner that actually follows those links. We invalidate the login codes on use to reduce the attack…
Joel Harkes
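One way to keep single-use login links working when a mail scanner fetches every URL, written as an added editor's example rather than the questioner's system: a GET of the link only renders a confirmation page and leaves the code valid, and the code is consumed by the POST that a real user triggers by pressing the button on that page. The code is still single-use and still expires. The `MagicLinkLogin` class, the 15-minute lifetime and the example.test URL are assumptions for the illustration.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Added example (not the questioner's system). Assumed values: a 15-minute
# code lifetime and a fictional login URL.
CODE_TTL = 15 * 60
LOGIN_URL = "https://example.test/login"


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode("ascii")).hexdigest()


class MagicLinkLogin:
    """E-mailed login links that survive scanners which follow every URL.

    GET  /login?code=...  renders a confirmation page; the code is not consumed.
    POST /login           (from the button on that page) consumes the code once.
    """

    def __init__(self):
        self._pending = {}  # sha256(code) -> {"email": str, "expires": float}

    def send_link(self, email: str, now: float) -> str:
        """Create a code and return the link that would go into the e-mail."""
        code = secrets.token_urlsafe(32)
        self._pending[_digest(code)] = {"email": email, "expires": now + CODE_TTL}
        return f"{LOGIN_URL}?code={code}"

    def handle_get(self, code: str, now: float) -> str:
        """What any link fetch (scanner or human) sees: never consumes the code."""
        rec = self._pending.get(_digest(code))
        if rec is None or now >= rec["expires"]:
            return "expired"
        return "confirm"  # page with a single 'Sign in' button that POSTs the code

    def handle_post(self, code: str, now: float) -> Tuple[str, Optional[str]]:
        """The button press: consume the code exactly once."""
        rec = self._pending.pop(_digest(code), None)  # pop, so a replay finds nothing
        if rec is None or now >= rec["expires"]:
            return ("expired", None)
        return ("logged_in", rec["email"])

    def purge(self, now: float) -> int:
        """Drop expired codes so the pending table cannot grow without bound."""
        stale = [k for k, r in self._pending.items() if now >= r["expires"]]
        for k in stale:
            del self._pending[k]
        return len(stale)


if __name__ == "__main__":
    svc = MagicLinkLogin()
    link = svc.send_link("user@example.test", now=0.0)
    code = link.split("?code=", 1)[1]
    print(svc.handle_get(code, now=1.0))    # scanner fetch: confirm
    print(svc.handle_post(code, now=2.0))   # user click: ('logged_in', 'user@example.test')
    print(svc.handle_post(code, now=3.0))   # replay: ('expired', None)
```

The POST gate stops scanners that merely fetch links; some security gateways render pages and submit forms, so it raises the bar rather than removing the problem. The stronger fix is to bind the code to the browser that asked for it, for example by setting a cookie when the user requests the link and accepting the code only from a request carrying that cookie, which a scanner on another machine cannot present.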
25 votes, 5 answers

Why is "something you know" the weakest factor of authentication?

Quoting from the CompTIA Security+ guide: "The first factor of authentication (something you know, such as password or PIN) is the weakest factor." Why? It makes sense when we say that humans/users are the weakest factor in any system from security…
Ulkoma
24 votes, 9 answers

Is there a safe way to log in to my Gmail account from a public PC?

Sometimes I need to use a public PC to access my Gmail account. Is there a safe way to log in and keep my password safe in case there is a keylogger or a trojan on that PC? Are there tools that could help in that case?
Tareq Ibrahim
22 votes, 6 answers

Web authentication - password vs key file

There is a corporate web mail site (PHP + MySQL) for a limited number of users who are employees of a company working remotely with the corporate web portal. Each user has a login and password. I'm thinking about replacing usual text passwords with…
user164863
22 votes, 4 answers

How long should 2 factor authentication codes be?

I've noticed that many services that offer 2 factor authentication have jumped from using four digits to six. However, it seems counterproductive to me because the digits are random, the digits (should) expire, and with six digits, you may have to…
Max Savin
21 votes, 11 answers

How would you prevent someone from selling his persistent cookie to someone who is not an institution member and wants to gain access?

Most of our publishers sell subscriptions to institutions and people get access by being identified as part of the institution. This institution authentication happens with IP ranges or Shibboleth, but not all institutions support Shibboleth or…
Dimitris
21 votes, 10 answers

Why don't we use single input authentication?

Two-input authentication uses both a username (may be available publicly) and a password (kept secret). For the sake of comparison, assume the length of the username is the same as the length of the password, i.e., n characters. Also assume we can only use case…
Display Name
19 votes, 5 answers

How many Stack Exchange logins should I have?

On Stack Exchange's Add Login Credential page, one can add logins with Google, Facebook, Yahoo, etc. How many logins should I have to provide best combination of: The least chance of a hacker gaining access to my Stack Exchange account. The best…
14 votes, 1 answer

Sending access token through GET request

According to Instagram's Documents, we send an access-token through a GET request over HTTPS. Isn't this considered insecure? Because I've read that you shouldn't even send passwords over a GET request. For /media/media-id (the first…
testinggnitset ser
13 votes, 4 answers

Password-free logins using your email address only?

The state of logins is horrendous. With each site having its own rules for passwords, it can be very hard to remember what variation you used on any given site. Logins are pure pain. One thing I love about Craigslist is that it did away with…
Mario
  • 423
  • 4
  • 11