Tag Archives: authentication

Revealing Passwords

The Microsoft Edge browser, Edge Legacy, and Internet Explorer all offer a convenient mechanism for users to unmask their typing as they edit a password field: Clicking the little eye icon disables the masking dots so that users can see the characters they’re typing: This feature can be very useful for those of us whoContinue reading “Revealing Passwords”

Client Certificate Authentication

While most HTTPS sites only authenticate the server (using a certificate sent by the website), HTTPS also supports a mutual authentication mode, whereby the client supplies a certificate that authenticates the visiting user’s identity. Such a certificate might be stored on a SmartCard, or used as a part of an OS identity feature like WindowsContinue reading “Client Certificate Authentication”

Browser Password Managers: Threat Models

All major browsers have a built-in password manager. So we should use them, right? I Do Should You? The easy answer is “Yes, use your browser’s password manager!“ The more nuanced answer begins: “Tell me about your threat model?” As when evaluating almost any security feature, my threat model might not match your threat model,Continue reading “Browser Password Managers: Threat Models”

Challenges with Federated Identity in modern browsers

Many websites offer a “Log in” capability where they don’t manage the user’s account; instead, they offer visitors the ability to “Login with <identity provider>.” When the user clicks the Login button on the original relying party (RP) website, they are navigated to a login page at the identity provider (IP) (e.g. login.microsoft.com) and then redirectedContinue reading “Challenges with Federated Identity in modern browsers”

Protect Your Accounts with 2FA

You should enable “2-Step Verification” for logins to your Google account. Google Authenticator is an app that runs on your iOS or Android phone and gives out 6 digit codes that must be entered when you log in on a device. This can’t really prevent phishing (because a phishing page will just ask you forContinue reading “Protect Your Accounts with 2FA”

Private Browsing Mode

Note: This blog post was originally written before the new Chromium-based Microsoft Edge was announced. As a consequence, it includes discussion of the behavior of the Legacy Microsoft Edge browser. The new Chromium-based Edge behaves largely the same way as Google Chrome. Last Update: 13 June 2025 InPrivate Mode was introduced in Internet Explorer 8Continue reading “Private Browsing Mode”