Identifiers

• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• Breaking Password Dependencies: Challenges in the Final Mile at Microsoft - The primary source of account hacks is password spraying (on legacy auth like SMTP, IMAP, POP, etc.), second is replay attack. Takeaway: password are insecure, use and enforce MFA.
• Beyond Passwords: 2FA, U2F and Google Advanced Protection - An excellent walk-trough over all these technologies.
• A Comparative Long-Term Study of Fallback Authentication - Key take-away: “schemes based on email and SMS are more usable. Mechanisms based on designated trustees and personal knowledge questions, on the other hand, fall short, both in terms of convenience and efficiency.”
• How effective is basic account hygiene at preventing hijacking - Google security team's data shows 2FA blocks 100% of automated bot hacks.
• Your Pa\$\$word doesn't matter - Same conclusion as above from Microsoft: “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”
• Compromising online accounts by cracking voicemail systems - Or why you should not rely on automated phone calls as a method to reach the user and reset passwords, 2FA or for any kind of verification. Not unlike SMS-based 2FA, it is currently insecure and can be compromised by the way of its weakest link: voicemail systems.
• Getting 2FA Right in 2019 - On the UX aspects of 2FA.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• SMS Multifactor Authentication in Antarctica - Doesn't work because there are no cellphone towers at stations in Antarctica.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• Authelia - Open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal.
• Kanidm - Simple, secure and fast identity management platform.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google - “Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords. (…) Surprisingly, we found that a significant cause of this insecurity is that users often don't answer truthfully. (…) On the usability side, we show that secret answers have surprisingly poor memorability”.
• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.
• Your Pa\$\$word doesn't matter - Same conclusion as above from Microsoft: “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

SMS-based

• SMS 2FA auth is deprecated by NIST - NIST has said that 2FA via SMS is bad and awful since 2016.
• SMS: The most popular and least secure 2FA method
• Is SMS 2FA Secure? No. - Definitive research project demonstrating successful attempts at SIM swapping.
• Hackers Hit Twitter C.E.O. Jack Dorsey in a 'SIM Swap.' You're at Risk, Too.
• The Most Expensive Lesson Of My Life: Details of SIM port hack
• SIM swap horror story
• AWS is on its way to deprecate SMS-based 2FA - “We encourage you to use MFA through a U2F security key, hardware device, or virtual (software-based) MFA device. You can continue using this feature until January 31, 2019.”

JWT

• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JSON Web Token
• Learn how to use JWT for Authentication - Learn how to use JWT to secure your web app.
• Managing a Secure JSON Web Token Implementation - JWT has all sorts of flexibility that make it hard to use well.
• Hardcoded secrets, unverified tokens, and other common JWT mistakes - A good recap of all JWT pitfalls.
• Adding JSON Web Token API Keys to a DenyList - On token invalidation.
• Stop using JWT for sessions - And [why your "solution" doesn't work](http://cryto.net/%7Ejoepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/), because [stateless JWT tokens cannot be invalidated or updated](https://news.ycombinator.com/item?id=18354141). They will introduce either size issues or security issues depending on where you store them. Stateful JWT tokens are functionally the same as session cookies, but without the battle-tested and well-reviewed implementations or client support.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JOSE is a Bad Standard That Everyone Should Avoid - The standards are either completely broken or complex minefields hard to navigate.
• JWT.io - Allows you to decode, verify and generate JWT.
• `loginsrv` - Standalone minimalistic login server providing a JWT login for multiple login backends (htpasswd, OSIAM, user/password, HTTP basic authentication, OAuth2: GitHub, Google, Bitbucket, Facebook, GitLab).
• `loginsrv` - Standalone minimalistic login server providing a JWT login for multiple login backends (htpasswd, OSIAM, user/password, HTTP basic authentication, OAuth2: GitHub, Google, Bitbucket, Facebook, GitLab).
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• Learn how to use JWT for Authentication - Learn how to use JWT to secure your web app.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• `loginsrv` - Standalone minimalistic login server providing a JWT login for multiple login backends (htpasswd, OSIAM, user/password, HTTP basic authentication, OAuth2: GitHub, Google, Bitbucket, Facebook, GitLab).
• jwtXploiter - A tool to test security of json web token.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• Using JSON Web Tokens as API Keys - Compared to API keys, JWTs offers granular security, homogeneous auth architecture, decentralized issuance, OAuth2 compliance, debuggability, expiration control, device management.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.

SMS-based

• An argument for passwordless - Passwords are not the be-all and end-all of user authentication. This article tries to tell you why.
• Magic Links – Are they Actually Outdated? - What are magic links, their origin, pros and cons.

WebAuthn

• FIDO2 project - friendly name of *passkeys*.
• WebAuthn guide - Introduce WebAuthn as a standard supported by all major browsers, and allowing “servers to register and authenticate users using public key cryptography instead of a password”.
• Clearing up some misconceptions about Passkeys - Or why passkeys are not worse than passwords.

Security key

• Getting started with security keys - A practical guide to stay safe online and prevent phishing with FIDO2, WebAuthn and security keys.
• Solo - Open security key supporting FIDO2 & U2F over USB + NFC.
• OpenSK - Open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.
• YubiKey Guide - Guide to using YubiKey as a SmartCard for storing GPG encryption, signing and authentication keys, which can also be used for SSH. Many of the principles in this document are applicable to other smart card devices.
• YubiKey at Datadog - Guide to setup Yubikey, U2F, GPG, git, SSH, Keybase, VMware Fusion and Docker Content Trust.
• Solo - Open security key supporting FIDO2 & U2F over USB + NFC.
• Webauthn and security keys - Describe how authentication works with security keys, details the protocols, and how they articulates with WebAuthn. Key takeaway: “There is no way to create a U2F key with webauthn however. (…) So complete the transition to webauthn of your login process first, then transition registration.”

Public-Key Infrastructure (PKI)

• PKI for busy people - Quick overview of the important stuff.
• Everything you should know about certificates and PKI but are too afraid to ask - PKI lets you define a system cryptographically. It's universal and vendor neutral.
• `lemur` - Acts as a broker between CAs and environments, providing a central portal for developers to issue TLS certificates with 'sane' defaults.
• CFSSL - A swiss army knife for PKI/TLS by CloudFlare. Command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates.
• JA3 - Method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.
• Everything you should know about certificates and PKI but are too afraid to ask - PKI lets you define a system cryptographically. It's universal and vendor neutral.

• Cryptographic Right Answers - An up to date set of recommendations for developers who are not cryptography engineers. There's even a [shorter summary](https://news.ycombinator.com/item?id=16749140) available.
• Real World Crypto Symposium - Aims to bring together cryptography researchers with developers, focusing on uses in real-world environments such as the Internet, the cloud, and embedded devices.
• An Overview of Cryptography - “This paper has two major purposes. The first is to define some of the terms and concepts behind basic cryptographic methods, and to offer a way to compare the myriad cryptographic schemes in use today. The second is to provide some real examples of cryptography in use today.”
• Papers we love: Cryptography - Foundational papers of cryptography.
• Lifetimes of cryptographic hash functions - “If you are using compare-by-hash to generate addresses for data that can be supplied by malicious users, you should have a plan to migrate to a new hash every few years”.
• Cryptographic Right Answers - An up to date set of recommendations for developers who are not cryptography engineers. There's even a [shorter summary](https://news.ycombinator.com/item?id=16749140) available.

Identifiers

• Awesome Identifiers - A benchmark of all identifier formats.
• Awesome GUID - Funny take on the global aspect of unique identifiers.
• Security Recommendations for Any Device that Depends on Randomly-Generated Numbers - “The phrase ‘random number generator’ should be parsed as follows: It is a random generator of numbers. It is not a generator of random numbers.”
• RFC #4122: UUID - Security Considerations - “Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access)”. UUIDs are designed to be unique, not to be random or unpredictable: do not use UUIDs as a secret.

Identifiers

• BeyondCorp: A New Approach to Enterprise Security - Quick overview of Google's Zero-trust Network initiative.
• What is BeyondCorp? What is Identity-Aware Proxy? - More companies add extra layers of VPNs, firewalls, restrictions and constraints, resulting in a terrible experience and a slight security gain. There's a better way.
• oathkeeper - Identity & Access Proxy and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP requests. Inspired by the BeyondCorp / Zero Trust white paper.
• transcend - BeyondCorp-inspired Access Proxy server.
• Pomerium - An identity-aware proxy that enables secure access to internal applications.

Identifiers

• API Tokens: A Tedious Survey - An overview and comparison of all token-based authentication schemes for end-user APIs.
• A Child's Garden of Inter-Service Authentication Schemes - In the same spirit as above, but this time at the service level.
• Scaling backend authentication at Facebook - How-to in a nutshell: 1. Small root of trust; 2. TLS isn't enough; 3. Certificate-based tokens; 4. Crypto Auth Tokens (CATs). See the [slides](https://rwc.iacr.org/2018/Slides/Lewi.pdf) for more details.

Identifiers

• The new NIST password guidance - A summary of [NIST Special Publication 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html) covering new password complexity guidelines.
• Password Storage Cheat Sheet - The only way to slow down offline attacks is by carefully choosing hash algorithms that are as resource intensive as possible.
• Password expiration is dead - Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists and MFA.
• Practical Recommendations for Stronger, More Usable Passwords - This study recommend the association of: blocklist checks against commonly leaked passwords, password policies without character-class requirements, minimum-strength policies.
• Dumb Password Rules - Shaming sites with dumb password rules.
• Plain Text Offenders - Public shaming of websites storing passwords in plain text.
• How to change the hashing scheme of already hashed user's passwords - Good news: you're not stuck with a legacy password saving scheme. Here is a trick to transparently upgrade to stronger hashing algorithm.
• Password Manager Resources - A collection of password rules, change URLs and quirks by sites.
• Banks, Arbitrary Password Restrictions and Why They Don't Matter - “Arbitrary low limits on length and character composition are bad. They look bad, they lead to negative speculation about security posture and they break tools like password managers.”

Policy models

• Access Control Lists - based_access_control). In this section we explore lots of different patterns and architectures.
• Why Authorization is Hard - Because it needs multiple tradeoffs on Enforcement which is required in so many places, on Decision architecture to split business logic from authorization logic, and on Modeling to balance power and complexity.
• The never-ending product requirements of user authorization - How a simple authorization model based on roles is not enough and gets complicated fast due to product packaging, data locality, enterprise organizations and compliance.
• RBAC like it was meant to be - How we got from DAC (unix permissions, secret URL), to MAC (DRM, MFA, 2FA, SELinux), to RBAC. Details how the latter allows for better modeling of policies, ACLs, users and groups.
• The Case for Granular Permissions - Discuss the limitations of RBAC and how ABAC (Attribute-Based Access Control) addresses them.
• In Search For a Perfect Access Control System - The historical origins of authorization schemes. Hints at the future of sharing, trust and delegation between different teams and organizations.
• Semantic-based Automated Reasoning for AWS Access Policies using SMT - Zelkova is how AWS does it. This system perform symbolic analysis of IAM policies, and solve the reachability of resources according user's rights and access constraints. Also see the higher-level [introduction given at re:inforce 2019](https://youtu.be/x6wsTFnU3eY?t=2111).
• Zanzibar: Google's Consistent, Global Authorization System - Scales to trillions of access control lists and millions of authorization requests per second to support services used by billions of people. It has maintained 95th-percentile latency of less than 10 milliseconds and availability of greater than 99.999% over 3 years of production use. [Other bits not in the paper](https://twitter.com/LeaKissner/status/1136626971566149633). [Zanzibar Academy](https://zanzibar.academy/) is a site dedicated to explaining how Zanzibar works.
• authz system that is built around labeled security and RBAC concepts
• Authorization Academy - An in-depth, vendor-agnostic treatment of authorization that emphasizes mental models. This guide shows the reader how to think about their authorization needs in order to make good decisions about their authorization architecture and model.
• SpiceDB - An open source database system for managing security-critical application permissions inspired by Zanzibar.
• AWS IAM Roles, a tale of unnecessary complexity - The history of fast-growing AWS explains how the current scheme came to be, and how it compares to GCP's resource hierarchy.
• GCP's IAM syntax is better than AWS's - The minutiae of permission design in GCP improves the developer's experience.

AWS policy tools

• AWS IAM policies
• Become an AWS IAM Policy Ninja - “In my nearly 5 years at Amazon, I carve out a little time each day, each week to look through the forums, customer tickets to try to find out where people are having trouble.”
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.
• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors cloudtrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.

Macaroons

• Google's Macaroons in Five Minutes or Less - If I'm given a Macaroon that authorizes me to perform some action(s) under certain restrictions, I can non-interactively build a second Macaroon with stricter restrictions that I can then give to you.
• Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud - Google's original paper.
• Google paper's author compares Macaroons and JWTs - As a consumer/verifier of macaroons, they allow you (through third-party caveats) to defer some authorization decisions to someone else. JWTs don't.

Open-source policy frameworks

• Keto - Policy decision point. It uses a set of access control policies, similar to AWS policies, in order to determine whether a subject is authorized to perform a certain action on a resource.
• Ladon - Access control library, inspired by AWS.
• Casbin - Open-source access control library for Golang projects.
• Open Policy Agent - An open-source general-purpose decision engine to create and enforce attribute-based access control (ABAC) policies.
• Topaz - An open-source project which combines the policy-as-code and decision logging of OPA with a Zanzibar-modeled directory.
• Open Policy Administration Layer - Open Source administration layer for OPA, detecting changes to both policy and policy data in realtime and pushing live updates to OPA agents. OPAL brings open-policy up to the speed needed by live applications.
• Gubernator - High performance rate-limiting micro-service and library.
• Oso - A batteries-included library for building authorization in your application.
• Cerbos - An authorization endpoint to write context-aware access control policies.
• Warrant - A relationship based access control (ReBAC) engine (inspired by Google Zanzibar) also capable of enforcing any authorization paradigm, including RBAC and ABAC.
• Biscuit - Biscuit merge concepts from cookies, JWTs, macaroons and Open Policy Agent. “It provide a logic language based on Datalog to write authorization policies. It can store data, like JWT, or small conditions like Macaroons, but it is also able to represent more complex rules like role-based access control, delegation, hierarchies.”

Macaroons

• OAuth 2.0
• An Illustrated Guide to OAuth and OpenID Connect - Explain how these standards work using simplified illustrations.
• OAuth 2 Simplified - A reference article describing the protocol in simplified format to help developers and service providers implement it.
• OAuth 2.0 and OpenID Connect (in plain English) - Starts with an historical context on how these standards came to be, clears up the innacuracies in the vocabulary, then details the protocols and its pitfalls to make it less intimidating.
• Everything You Need to Know About OAuth (2.0) - A good overview with a practical case study on how Teleport, an open-source remote access tool, allows users to log in through GitHub SSO.
• OAuth in one picture - A nice summary card.
• How to Implement a Secure Central Authentication Service in Six Steps - Got multiple legacy systems to merge with their own login methods and accounts? Here is how to merge all that mess by the way of OIDC.
• Open-Sourcing BuzzFeed's SSO Experience - OAuth2-friendly adaptation of the Central Authentication Service (CAS) protocol. You'll find there good OAuth user flow diagrams.
• OAuth 2.0 Security Best Current Practice - “Updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application”.
• Hidden OAuth attack vectors - How to identify and exploit some of the key vulnerabilities found in OAuth 2.0 authentication mechanisms.
• Hydra - Open-source OIDC & OAuth2 Server.
• Keycloak - Open-source Identity and Access Management. Supports OIDC, OAuth 2 and SAML 2, LDAP and AD directories, password policies.
• authentik - Open-source Identity Provider similar to Keycloak.
• The Decline of OpenID - OpenID is being replaced in the public web to a mix of OAuth 1, OAuth 2 or other proprietary SSO protocols.
• Why Mastercard Doesn't Use OAuth 2.0 - “They did this to provide message-level integrity. OAuth 2 switched to transport-level confidentiality/integrity.” (which TLS provides) ([source](https://news.ycombinator.com/item?id=17486165)).
• OAuth 2.0 and the Road to Hell - The resignation letter from the lead author and editor of the Oauth 2.0 specification.
• Keycloak - Open-source Identity and Access Management. Supports OIDC, OAuth 2 and SAML 2, LDAP and AD directories, password policies.
• The problem with OAuth for Authentication - “The problem is that OAuth 2.0 is a Delegated Authorization protocol, and not a Authentication protocol.” 10 years after, this article is still the best explanation on [why use OpenID Connect instead of plain OAuth2](https://security.stackexchange.com/a/260519)?

Macaroons

• What's the Difference Between OAuth, OpenID Connect, and SAML? - Identity is hard. Another take on the different protocol is always welcome to help makes sense of it all.
• How SAML 2.0 Authentication Works - Overview of the how and why of SSO and SAML.
• Web Single Sign-On, the SAML 2.0 perspective - Another naive explanation of SAML workflow in the context of corporate SSO implementation.
• The Beer Drinker's Guide to SAML - SAML is arcane at times. A another analogy might helps get more sense out of it.
• SAML is insecure by design - Not only weird, SAML is also insecure by design, as it relies on signatures based on XML canonicalization, not XML byte stream. Which means you can exploit XML parser/encoder differences.
• The Difficulties of SAML Single Logout - On the technical and UX issues of single logout implementations.
• The SSO Wall of Shame - A documented rant on the exessive pricing practiced by SaaS providers to activate SSO on their product. The author's point is, as a core security feature, SSO should be reasonnably priced and not part of an exclusive tier.
• SAML vs. OAuth - “OAuth is a protocol for authorization: it ensures Bob goes to the right parking lot. In contrast, SAML is a protocol for authentication, or allowing Bob to get past the guardhouse.”
• The Difference Between SAML 2.0 and OAuth 2.0 - “Even though SAML was actually designed to be widely applicable, its contemporary usage is typically shifted towards enterprise SSO scenarios. On the other hand, OAuth was designed for use with applications on the Internet, especially for delegated authorisation.”

Macaroons

• Secret at Scale at Netflix - Solution based on blind signatures. See the [slides](https://rwc.iacr.org/2018/Slides/Mehta.pdf).
• High Availability in Google's Internal KMS - Not GCP's KMS, but the one at the core of their infrastructure. See the [slides](https://rwc.iacr.org/2018/Slides/Kanagala.pdf).
• HashiCorp Vault - Secure, store and tightly control access to tokens, passwords, certificates, encryption keys.
• `sops` - Encrypts the values of YAML and JSON files, not the keys.
• `gitleaks` - Audit git repos for secrets.
• `truffleHog` - Searches through git repositories for high entropy strings and secrets, digging deep into commit history.

Hardware Security Module (HSM)

• HSM: What they are and why it's likely that you've (indirectly) used one today - Really basic overview of HSM usages.
• Tidbits on AWS Cloud HSM hardware - AWS CloudHSM Classic is backed by SafeNet's Luna HSM, current CloudHSM rely on Cavium's Nitrox, which allows for partitionable "virtual HSMs".
• CrypTech - An open hardware HSM.
• Keystone - Open-source project for building trusted execution environments (TEE) with secure hardware enclaves, based on the RISC-V architecture.
• Everybody be cool, this is a robbery! - A case study of vulnerability and exploitability of a HSM (in French, sorry).

Hardware Security Module (HSM)

• Trust and safety 101 - A great introduction on the domain and its responsabilities.
• What the Heck is Trust and Safety? - A couple of real use-case to demonstrate the role of a TnS team.
• Awesome List of Billing and Payments: Fraud links - Section dedicated to fraud management for billing and payment, from our sister repository.

User Identity

• Know You Customer (KYC)
• The Laws of Identity - Is this paper aims at identity metasystem, its laws still provides great insights at smaller scale, especially the first law: to always allow user control and ask for consent to earn trust.
• How Uber Got Lost - “To limit "friction" Uber allowed riders to sign up without requiring them to provide identity beyond an email — easily faked — or a phone number. (…) Vehicles were stolen and burned; drivers were assaulted, robbed and occasionally murdered. The company stuck with the low-friction sign-up system, even as violence increased.”
• A Comparison of Personal Name Matching: Techniques and Practical Issues - Customer name matching has lots of application, from account deduplication to fraud monitoring.
• Facebook Dangerous Individuals and Organizations List - Some groups and content are illegal in some juridictions. This is an example of a blocklist.
• Facebook Dangerous Individuals and Organizations List - Some groups and content are illegal in some juridictions. This is an example of a blocklist.

Fraud

• After Car2Go eased its background checks, 75 of its vehicles were stolen in one day. - Why background check are sometimes necessary.
• Investigation into the Unusual Signups - A really detailed analysis of suspicious contributor signups on OpenStreetMap. This beautiful and high-level report demonstrating an orchestrated and directed campaign might serve as a template for fraud reports.
• MIDAS: Detecting Microcluster Anomalies in Edge Streams - A proposed method to “detects microcluster anomalies, or suddenly arriving groups of suspiciously similar edges, in edge streams, using constant time and memory.”

Moderation

• Still Logged In: What AR and VR Can Learn from MMOs - “If you host an online community, where people can harm another person: you are on the hook. And if you can't afford to be on the hook, don't host an online community”.
• You either die an MVP or live long enough to build content moderation - “You can think about the solution space for this problem by considering three dimensions: cost, accuracy and speed. And two approaches: human review and machine review. Humans are great in one of these dimensions: accuracy. The downside is that humans are expensive and slow. Machines, or robots, are great at the other two dimensions: cost and speed - they're much cheaper and faster. But the goal is to find a robot solution that is also sufficiently accurate for your needs.”
• The despair and darkness of people will get to you - Moderation of huge social networks is performed by an army of outsourced subcontractors. These people are exposed to the worst and generally ends up with PTSD.
• The Cleaners - A documentary on these teams of underpaid people removing posts and deleting accounts.
• Keep out the bad apples: How to moderate a marketplace - “With great power comes great responsibility. Some of my tips and tricks to make your marketplace a safer place.”

Threat Intelligence

• Standards related to Threat Intelligence - Open standards, tools and methodologies to support threat intelligence analysis.
• Browser Fingerprinting: A survey - Fingerprints can be used as a source of signals to identify bots and fraudsters.
• The challenges of file formats - At one point you will let users upload files in your system. Here is a [corpus of suspicious media files](https://github.com/corkami/pocs) that can be leveraged by scammers =to bypass security or fool users.
• PhoneInfoga - Tools to scan phone numbers using only free resources. The goal is to first gather standard information such as country, area, carrier and line type on any international phone numbers with a very good accuracy. Then search for footprints on search engines to try to find the VoIP provider or identify the owner.
• MISP taxonomies and classification - Tags to organize information on “threat intelligence including cyber security indicators, financial fraud or counter-terrorism information.”

Captcha

• Awesome Captcha - Reference all open-source captcha libraries, integration, alternatives and cracking tools.
• reCaptcha - reCaptcha is still an effective, economical and quick solution when your company can't afford to have a dedicated team to fight bots and spammers at internet scale.
• You (probably) don't need ReCAPTCHA - Starts with a rant on how the service is a privacy nightmare and is tedious UI-wise, then list alternatives.
• Anti-captcha - Captchas solving service.

Captcha

• Bloom Filter - Perfect for this use-case, as bloom filters are designed to quickly check if an element is not in a (large) set. Variations of bloom filters exist for specific data types.

Hostnames and Subdomains

• The Public Suffix List - Mozilla's registry of public suffixes, under which Internet users can (or historically could) directly register names.
• #1 - blacklist/blob/master/subdomain-blacklist.txt), [#3](https://github.com/nccgroup/typofinder/blob/master/TypoMagic/datasources/subdomains.txt), [#4](https://www.quora.com/How-do-sites-prevent-vanity-URLs-from-colliding-with-future-features).
• `common-domain-prefix-suffix-list.tsv` - Top-5000 most common domain prefix/suffix list.
• `xkeyscorerules100.txt` - NSA's [XKeyscore](https://en.wikipedia.org/wiki/XKeyscore) matching rules for TOR and other anonymity preserving tools.
• AMF site blocklist - Official French denylist of money-related fraud sites.

Emails

• Temporary Email Address Domains - A list of domains for disposable and temporary email addresses. Useful for filtering your email list to increase open rates (sending email to these domains likely will not be opened).

Reserved IDs

• General List of Reserved Words - This is a general list of words you may want to consider reserving, in a system where users can pick any name.
• Hostnames and usernames to reserve - List of all the names that should be restricted from registration in automated systems.

Profanity

• Privacy Enhancing Technologies Decision Tree - A flowchart to select the right tool depending on data type and context.
• Paper we love: Privacy - A collection of scientific studies of schemes providing privacy by design.
• IRMA Authentication - Open-source app and protocol that offers privacy-friendly attribute based authentication and signing using [Camenisch and Lysyanskaya's Idemix](https://privacybydesign.foundation/publications/).
• Have I been Pwned? - Data breach index.
• Automated security testing for Software Developers - Most privacy breaches were allowed by known vulnerabilities in third-party dependencies. Here is how to detect them by the way of CI/CD.
• World's Biggest Data Breaches & Hacks - Don't be the next company leaking your customer's data.

Anonymization

• The False Allure of Hashing for Anonymization - Hashing is not sufficient for anonymization no. But still it is good enough for pseudonymization (which is allowed by the GDPR).
• Four cents to deanonymize: Companies reverse hashed email addresses - “Hashed email addresses can be easily reversed and linked to an individual”.
• Why differential privacy is awesome - Explain the intuition behind [differential privacy](https://en.wikipedia.org/wiki/Differential_privacy), a theoretical framework which allow sharing of aggregated data without compromising confidentiality. See follow-up articles with [more details](https://desfontain.es/privacy/differential-privacy-in-more-detail.html) and [practical aspects](https://desfontain.es/privacy/differential-privacy-in-practice.html).
• Diffix: High-Utility Database Anonymization - Diffix try to provide anonymization, avoid pseudonymization and preserve data quality. [Written in Elixir at Aircloak](https://elixirforum.com/t/aircloak-anonymized-analitycs/10930), it acts as an SQL proxy between the analyst and an unmodified live database.

GDPR

• GDPR Tracker - Europe's reference site.
• GDPR – A Practical guide for Developers - A one-page summary of the above.
• GDPR Tracker - Track the GDPR compliance of cloud services and subprocessors.
• Dark Patterns after the GDPR - This paper demonstrates that, because of the lack of GDPR law enforcements, dark patterns and implied consent are ubiquitous.
• GDPR Enforcement Tracker - List of GDPR fines and penalties.

GDPR

• The 2020 State of SaaS Product Onboarding - Covers all the important facets of user onboarding.
• User Onboarding Teardowns - A huge list of deconstructed first-time user signups.
• Discover UI Design Decisions Of Leading Companies - From Leaked Screenshots & A/B Tests.
• Conversion Optimization - A collection of tactics to increase the chance of users finishing the account creation funnel.
• Trello User Onboarding - A detailed case study, nicely presented, on how to improve user onboarding.
• 11 Tips for Better Signup / Login UX - Some basic tips on the login form.
• Don't get clever with login forms - Create login forms that are simple, linkable, predictable, and play nicely with password managers.
• Why are the username and password on two different pages? - To support both SSO and password-based login. Now if breaking the login funnel in 2 steps is too infuriating to users, solve this as Dropbox does: [an AJAX request when you enter your username](https://news.ycombinator.com/item?id=19174355).
• HTML attributes to improve your users' two factor authentication experience - “In this post we will look at the humble `<input>` element and the HTML attributes that will help speed up our users' two factor authentication experience”.
• Remove password masking - Summarizes the results from an academic study investigating the impact removing password masking has on consumer trust.
• For anybody who thinks "I could build that in a weekend," this is how Slack decides to send a notification - Notifications are hard. Really hard.

GDPR

• AWS Security, Identity & Compliance announcements - The source of all new features added to the IAM perimeter.
• GCP IAM release notes - Also of note: [Identity](https://cloud.google.com/identity/docs/release-notes), [Identity Platform](https://cloud.google.com/identity-platform/docs/release-notes), [Resource Manager](https://cloud.google.com/resource-manager/docs/release-notes), [Key Management Service/HSM](https://cloud.google.com/kms/docs/release-notes), [Access Context Manager](https://cloud.google.com/access-context-manager/docs/release-notes), [Identity-Aware Proxy](https://cloud.google.com/iap/docs/release-notes), [Data Loss Prevention](https://cloud.google.com/dlp/docs/release-notes) and [Security Scanner](https://cloud.google.com/security-scanner/docs/release-notes).
• Unofficial Weekly Google Cloud Platform newsletter - Relevant keywords: [`IAM`](https://www.gcpweekly.com/gcp-resources/tag/iam/) and [`Security`](https://www.gcpweekly.com/gcp-resources/tag/security/).
• DigitalOcean Accounts changelog - All the latest accounts updates on DO.
• 163 AWS services explained in one line each - Help makes sense of their huge service catalog. In the same spirit: [AWS in simple terms](https://netrixllc.com/blog/aws-services-in-simple-terms/) & [AWS In Plain English](https://expeditedsecurity.com/aws-in-plain-english/).
• Google Cloud Developer's Cheat Sheet - Describe all GCP products in 4 words or less.

GDPR

• cryptoanarchy.wiki - Cypherpunks overlaps with security. This wiki compiles information about the movement, its history and the people/events of note.

GDPR

• 1\ - quote-ref)