https://miscreants.github.io/blog.trailofbits.com/categories/authentication/Recent content in authentication on The Trail of Bits BlogHugoen-usThu, 25 Jan 2024 09:00:22 -0500https://miscreants.github.io/blog.trailofbits.com/2024/01/25/we-build-x-509-chains-so-you-dont-have-to/Thu, 25 Jan 2024 09:00:22 -0500https://miscreants.github.io/blog.trailofbits.com/2024/01/25/we-build-x-509-chains-so-you-dont-have-to/For the past eight months, Trail of Bits has worked with the Python Cryptographic Authority to build cryptography-x509-verification, a brand-new, pure-Rust implementation of the X.509 path validation algorithm that TLS and other encryption and authentication protocols are built on. Our implementation is fast, standards-conforming, and memory-safe, giving the Python ecosystem a modern […]https://miscreants.github.io/blog.trailofbits.com/2019/06/20/getting-2fa-right-in-2019/Thu, 20 Jun 2019 06:50:12 -0400https://miscreants.github.io/blog.trailofbits.com/2019/06/20/getting-2fa-right-in-2019/Since March, Trail of Bits has been working with the Python Software Foundation to add two-factor authentication (2FA) to Warehouse, the codebase that powers PyPI. As of today, PyPI members can enable time-based OTP (TOTP) and WebAuthn (currently in beta). If you have an account on PyPI, go enable your preferred 2FA method before you […]https://miscreants.github.io/blog.trailofbits.com/2016/07/11/why-i-didnt-catch-any-pokemon-today/Mon, 11 Jul 2016 23:37:27 -0400https://miscreants.github.io/blog.trailofbits.com/2016/07/11/why-i-didnt-catch-any-pokemon-today/tl;dr While the internet went crazy today, we went fact finding. Here are our notes on Pokemon Go’s permissions to your Google account. Here’s what Jay and I set out to do at around 6pm today: Find what permissions Pokemon Go is actually requesting Investigate what the permissions actually do Replicate the permissions in a test app […]https://miscreants.github.io/blog.trailofbits.com/2016/06/28/start-using-the-secure-enclave-crypto-api/Tue, 28 Jun 2016 07:50:42 -0400https://miscreants.github.io/blog.trailofbits.com/2016/06/28/start-using-the-secure-enclave-crypto-api/tl;dr – Tidas is now open source. Let us know if your company wants help trying it out. When Apple quietly released the Secure Enclave Crypto API in iOS 9 (kSecAttrTokenIDSecureEnclave), it allowed developers to liberate their users from the annoyance of strong passwords or OAuth. That is, if the developers could make do without […]https://miscreants.github.io/blog.trailofbits.com/2016/02/09/tidas-a-new-service-for-building-password-less-apps/Tue, 09 Feb 2016 06:50:54 -0500https://miscreants.github.io/blog.trailofbits.com/2016/02/09/tidas-a-new-service-for-building-password-less-apps/For most mobile app developers, password management has as much appeal as a visit to the dentist. You do it because you have to, but it is annoying and easy to screw up, even when using standard libraries or protocols like OAUTH. Your users feel the same way. Even if they know to use strong […]https://miscreants.github.io/blog.trailofbits.com/2014/09/02/enabling-two-factor-authentication-2fa-for-apple-id-and-dropbox/Tue, 02 Sep 2014 17:00:37 -0400https://miscreants.github.io/blog.trailofbits.com/2014/09/02/enabling-two-factor-authentication-2fa-for-apple-id-and-dropbox/Step-by-step guide to enabling SMS-based two-factor authentication on your Apple ID and Dropbox accounts to protect against password-based attacks.