Software Security
Authentication

In the previous part about authentication, we mainly talked about how you have to store passwords securely, and how password authentication mechanisms must be protected.

In modern environments, application developers rarely implement authentication themselves anymore. The authentication logic is usually decoupled from the applications being developed by means of federation standards such as SAML and OpenID Connect (OIDC), so that it can be centralized in a dedicated identity provider. In addition, passwords are increasingly considered old-fashioned, and many developers prefer to offer alternative ways of authenticating based on something you are or something you have.

In this chapter, we will talk about these topics:

  • Federation standards (with a focus on OpenID Connect)

  • Alternative authentication mechanisms

  • FIDO2 and the WebAuthn standard


Last updated 3 years ago
