authentication – text/plain

Protecting Auth Tokens

Authenticating to websites in browsers is complicated. There are numerous different approaches: Each of these authentication mechanisms has different user-experience effects and security properties. Sometimes, multiple systems are used at once, with, for example, a Web Forms login being bolstered by multifactor authentication. In most cases, however, Authentication mechanisms are only used to verify theContinue reading “Protecting Auth Tokens”

Browser SSO / Automatic Signin

Last Update: 8 March 2024 Over the years, I’ve written a bunch about authentication in browsers, and today I aim to shed some light on another authentication feature that is not super-well understood: Browser SSO. Recently, a user expressed surprise that after using the browser’s “Clear browsing data” option to delete everything, when they revisitedContinue reading “Browser SSO / Automatic Signin”

Auth Flows in a Partitioned World

Back in 2019, I explained how browsers’ cookie controls and privacy features present challenges for common longstanding patterns for authentication flows. Such flows often rely upon an Identity Provider (IdP) having access to its own cookies both on top-level pages served by the IdP and when the IdP receives a HTTP request from an XmlHttpRequest/fetchContinue reading “Auth Flows in a Partitioned World”

Attack Techniques: Spoofing via UserInfo

I received the following phishing lure by SMS a few days back: The syntax of URLs is complicated, and even tech-savvy users often misinterpret them. In the case of the URL above, the actual site’s hostname is brefjobgfodsebsidbg.com, and the misleading http://www.att.net:911 text is just a phony username:password pair making up the UserInfo component ofContinue reading “Attack Techniques: Spoofing via UserInfo”

Attack Techniques: Phishing via Local Files

One attack technique I’ve seen in use recently involves enticing the victim to enter their password into a locally-downloaded HTML file. The attack begins by the victim receiving an email lure with a HTML file attachment (for me, often with the .shtml file extension): When the user opens the file, a HTML-based credential prompt isContinue reading “Attack Techniques: Phishing via Local Files”

Passkeys – Syncable WebAuthN credentials

Passwords have lousy security properties, and if you try to use them securely (long, complicated, and different for every site), they often have horrible usability as well. Over the decades, the industry has slowly tried to shore up passwords’ security with multi-factor authentication (e.g. one-time codes via SMS, ToTP authenticators, etc) and usability improvements (e.g.Continue reading “Passkeys – Syncable WebAuthN credentials”

The “Magical” Back Button

From the mailbag: Eric, when I am on bing.com in Edge or Chrome and I type https://portal.microsoft.com in the address bar, I go through some authentication redirections and end up on the Office website. If I then click the browser’s Back button, I go back to bing.com. But if I try the same thing inContinue reading “The “Magical” Back Button”

Web Proxy Authentication

Last year, I wrote about how the new Microsoft Edge’s adoption of the Chromium stack changed proxy determination away from the Windows Service (WinHTTP Proxy Service) to similar but not identical code in Chromium. This change mostly goes unnoticed, but it can have performance and functionality implications. In today’s post, I want to explore anotherContinue reading “Web Proxy Authentication”

Sandboxing vs. Elevated Browsing (As Administrator)

The Web Browser is the most security-critical application on most users’ systems– it accepts untrusted input from servers anywhere in the world, parses that input using dozens to hundreds of parsers, and renders the result locally as fast as it can. For performance reasons, almost all code in almost all browsers is written in memory-unsafeContinue reading “Sandboxing vs. Elevated Browsing (As Administrator)”

Seamless Single Sign-On

There are many different authentication primitives built into browsers. The most common include Web Forms authentication, HTTP authentication, client certificate authentication, and the new WebAuthN standard. Numerous different authentication frameworks build atop these, and many enterprise websites support more than one scheme. Each of the underlying authentication primitives has different characteristics: client certificate authentication isContinue reading “Seamless Single Sign-On”