IAM

In the same spirit as above, but this time at the service level.

An overview and comparison of all token-based authentication schemes for end-user APIs.

How-to in a nutshell: 1. Small root of trust; 2. TLS isn't enough; 3. Certificate-based tokens; 4. Crypto Auth Tokens (CATs). See the slides for more details.

A comprehensive list of (maintained) tools for AWS IAM.

Set of services and libraries supporting service authentication and role-based authorization for provisioning and configuration.

An in-depth, vendor-agnostic treatment of authorization that emphasizes mental models. This guide shows the reader how to think about their authorization needs in order to make good decisions about their authorization architecture and model.

The history of fast-growing AWS explains how the current scheme came to be, and how it compares to GCP's resource hierarchy.

“In my nearly 5 years at Amazon, I carve out a little time each day, each week to look through the forums, customer tickets to try to find out where people are having trouble.”

Biscuit merge concepts from cookies, JWTs, macaroons and Open Policy Agent. “It provide a logic language based on Datalog to write authorization policies. It can store data, like JWT, or small conditions like Macaroons, but it is also able to represent more complex rules like role-based access control, delegation, hierarchies.”

Open-source access control library for Golang projects.

An authorization endpoint to write context-aware access control policies.

A self-service tool for AWS that provides end-users and administrators credentials and console access to the onboarded accounts based on their authorization level of managing permissions across multiple accounts, while encouraging least-privilege permissions.

The minutiae of permission design in GCP improves the developer's experience.

As a consumer/verifier of macaroons, they allow you (through third-party caveats) to defer some authorization decisions to someone else. JWTs don't.

If I'm given a Macaroon that authorizes me to perform some action(s) under certain restrictions, I can non-interactively build a second Macaroon with stricter restrictions that I can then give to you.

High performance rate-limiting micro-service and library.

AWS IAM policy statement generator with fluent interface. Helps with creating type safe IAM policies and writing more restrictive/secure statements by offering conditions and ARN generation via IntelliSense. Available for Node.js, Python, .Net and Java.

GitOps for IAM. The Terraform of Cloud IAM. IAMbic is a multi-cloud identity and access management (IAM) control plane that centralizes and simplifies cloud access and permissions. It maintains an eventually consistent, human-readable, bi-directional representation of IAM in version control.

The historical origins of authorization schemes. Hints at the future of sharing, trust and delegation between different teams and organizations.

Policy decision point. It uses a set of access control policies, similar to AWS policies, in order to determine whether a subject is authorized to perform a certain action on a resource.

Access control library, inspired by AWS.

Google's original paper.

Open Source administration layer for OPA, detecting changes to both policy and policy data in realtime and pushing live updates to OPA agents. OPAL brings open-policy up to the speed needed by live applications.

An open-source general-purpose decision engine to create and enforce ABAC policies.

A batteries-included library for building authorization in your application.

Another open-source authorization as a service inspired by Google Zanzibar, and see how it compares to other Zanzibar-inspired tools.

Writing security-conscious IAM Policies by hand can be very tedious and inefficient. Policy Sentry helps users to create least-privilege policies in a matter of seconds.

Parse and process AWS policies, statements, ARNs, and wildcards.

How we got from DAC (unix permissions, secret URL), to MAC (DRM, MFA, 2FA, SELinux), to RBAC. Details how the latter allows for better modeling of policies, ACLs, users and groups.

Zelkova is how AWS does it. This system perform symbolic analysis of IAM policies, and solve the reachability of resources according user's rights and access constraints. Also see the higher-level introduction given at re:inforce 2019.

Discover how assigning identities to services (non-user principals) can simplify authentication, enhance security, and streamline authorization in complex distributed systems. A useful guide for IAM teams managing microservices and APIs.

An open source database system for managing security-critical application permissions inspired by Zanzibar.

Discuss the limitations of RBAC and how ABAC (Attribute-Based Access Control) addresses them.

How a simple authorization model based on roles is not enough and gets complicated fast due to product packaging, data locality, enterprise organizations and compliance.

An open-source project which combines the policy-as-code and decision logging of OPA with a Zanzibar-modeled directory.

A relationship based access control (ReBAC) engine (inspired by Google Zanzibar) also capable of enforcing any authorization paradigm, including RBAC and ABAC.

Because it needs multiple tradeoffs on Enforcement which is required in so many places, on Decision architecture to split business logic from authorization logic, and on Modeling to balance power and complexity.

Scales to trillions of access control lists and millions of authorization requests per second to support services used by billions of people. It has maintained 95th-percentile latency of less than 10 milliseconds and availability of greater than 99.999% over 3 years of production use. Other bits not in the paper. Zanzibar Academy is a site dedicated to explaining how Zanzibar works.

Subdomain denylists: , , , .

Subdomain denylists: , , , .

Subdomain denylists: , , , .

Subdomain denylists: , , , .

Official French denylist of money-related fraud sites.

Perfect for this use-case, as bloom filters are designed to quickly check if an element is not in a (large) set. Variations of bloom filters exist for specific data types.

A list of temporary email providers. And its derivative Python module.

An hourly updated list of subdomains gathered from certificate transparency logs.

CIDR country-level IP data, straight from the Regional Internet Registries, updated hourly.

This is a general list of words you may want to consider reserving, in a system where users can pick any name.

List of all the names that should be restricted from registration in automated systems.

Radix trees might come handy to speed-up IP blocklists.

Profanity blocklist from Shutterstock.

Cross-language temporary (disposable/throwaway) email detection library.

A list of domains for disposable and temporary email addresses. Useful for filtering your email list to increase open rates (sending email to these domains likely will not be opened).

Mozilla's registry of public suffixes, under which Internet users can (or historically could) directly register names.

Top-5000 most common domain prefix/suffix list.

“A ruby gem to check if the owner of a given email address or website is working for THE MAN (a.k.a verifies government domains).” Good resource to hunt for potential government customers in your user base.

No more ads, tracking and other virtual garbage.

Consolidates reputable hosts files, and merges them into a unified hosts file with duplicates removed.

Extensive collection of list for security, privacy and parental control.

Uses a linear SVM model trained on 200k human-labeled samples of clean and profane text strings.

IP to ISP lookup library (includes ASN).

In the same spirit as above, but this time to flag academic users.

NSA's XKeyscore matching rules for TOR and other anonymity preserving tools.

Help makes sense of their huge service catalog. In the same spirit: AWS in simple terms & AWS In Plain English.

The source of all new features added to the IAM perimeter.

Ranking, popularity and activity status of open-source digital identity projects.

All the latest accounts updates on DO.

Also of note: Identity, Identity Platform, Resource Manager, Key Management Service/HSM, Access Context Manager, Identity-Aware Proxy, Data Loss Prevention and Security Scanner.

Describe all GCP products in 4 words or less.

Relevant keywords: `IAM` and `Security`.

“This paper has two major purposes. The first is to define some of the terms and concepts behind basic cryptographic methods, and to offer a way to compare the myriad cryptographic schemes in use today. The second is to provide some real examples of cryptography in use today.”

Funny take on the global aspect of unique identifiers.

A benchmark of all identifier formats.

An up to date set of recommendations for developers who are not cryptography engineers. There's even a shorter summary available.

“If you are using compare-by-hash to generate addresses for data that can be supplied by malicious users, you should have a plan to migrate to a new hash every few years”.

Foundational papers of cryptography.

Aims to bring together cryptography researchers with developers, focusing on uses in real-world environments such as the Internet, the cloud, and embedded devices.

“Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access)”. UUIDs are designed to be unique, not to be random or unpredictable: do not use UUIDs as a secret.

“The phrase ‘random number generator’ should be parsed as follows: It is a random generator of numbers. It is not a generator of random numbers.”

Cypherpunks overlaps with security. This wiki compiles information about the movement, its history and the people/events of note.

“When my 2FA code is entered incorrectly I'd like to know about it”.

Key take-away: “schemes based on email and SMS are more usable. Mechanisms based on designated trustees and personal knowledge questions, on the other hand, fall short, both in terms of convenience and efficiency.”

Probably on the verge of paranoia, but might be a reason to rate limit 2FA validation attempts.

Open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal.

“We encourage you to use MFA through a U2F security key, hardware device, or virtual (software-based) MFA device. You can continue using this feature until January 31, 2019.”

An excellent walk-trough over all these technologies.

The primary source of account hacks is password spraying (on legacy auth like SMTP, IMAP, POP, etc.), second is replay attack. Takeaway: password are insecure, use and enforce MFA.

Or why you should not rely on automated phone calls as a method to reach the user and reset passwords, 2FA or for any kind of verification. Not unlike SMS-based 2FA, it is currently insecure and can be compromised by the way of its weakest link: voicemail systems.

On the UX aspects of 2FA.

Google security team's data shows 2FA blocks 100% of automated bot hacks.

Definitive research project demonstrating successful attempts at SIM swapping.

Simple, secure and fast identity management platform.

“Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords. (…) Surprisingly, we found that a significant cause of this insecurity is that users often don't answer truthfully. (…) On the usability side, we show that secret answers have surprisingly poor memorability”.

NIST has said that 2FA via SMS is bad and awful since 2016.

Doesn't work because there are no cellphone towers at stations in Antarctica.

Same conclusion as above from Microsoft: “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

A simple authentication system which only implements the relevant parts of the OAuth2 standards.

Explain how these standards work using simplified illustrations.

Open-source Identity Provider similar to Keycloak.

Open-source authentication-as-a-service solution. It includes the code for the server, AuthUI, the Portal, and Admin API.

A curated list of providers, services, libraries, and resources for OpenID Connect.

Microsoft's cloud-based identity and access management service for employees and external partners that supports OIDC, OAuth 2.0, and SAML.

A UI-first centralized authentication / Single-Sign-On (SSO) platform based. Supports OIDC and OAuth 2, social logins, user management, 2FA based on Email and SMS.

Customer Identity and Access Management solution supporting OIDC.

How to identify and exploit some of the key vulnerabilities found in OAuth 2.0 authentication mechanisms.

Got multiple legacy systems to merge with their own login methods and accounts? Here is how to merge all that mess by the way of OIDC.

Open-source OIDC & OAuth2 Server Provider.

Open-source Identity and Access Management. Supports OIDC, OAuth 2 and SAML 2, LDAP and AD directories, password policies.

An IAM infrastructure for modern apps and SaaS products, supporting OIDC, OAuth 2.0 and SAML for authentication and authorization.

A reference article describing the protocol in simplified format to help developers and service providers implement it.

Starts with an historical context on how these standards came to be, clears up the innacuracies in the vocabulary, then details the protocols and its pitfalls to make it less intimidating.

“Updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application”.

A nice summary card.

OAuth2-friendly adaptation of the Central Authentication Service (CAS) protocol. You'll find there good OAuth user flow diagrams.

Enterprise Identity and Access Management platform supporting OpenID Connect protocol.

“PKCE is used to provide one more security layer to the authorization code flow in OAuth and OpenID Connect.”

An Open-Source solution built with Go and Angular to manage all your systems, users and service accounts together with their roles and external identities. ZITADEL provides you with OIDC, OAuth 2.0, login & register flows, passwordless and MFA authentication. All this is built on top of eventsourcing in combination with CQRS to provide a great audit trail.

“Overly permissive AWS IAM policies that allowed `s3:GetObject` to `*` (all) resources”, led to \$80 million fine for Capital One. The only reason why you can't overlook IAM as a business owner.

A little *click-baity*, but author admit that “It depends on how much you trust them to 1. Stay in business; 2. Not jack up your prices; 3. Not deprecate services out from under you; 4. Provide more value to you in business acceleration than they take away in flexibility.”

The majority of the features making B2B users happy will be implemented by the IAM perimeter.

Specification defining site resource for password updates.

“Arbitrary low limits on length and character composition are bad. They look bad, they lead to negative speculation about security posture and they break tools like password managers.”

Shaming sites with dumb password rules.

Good news: you're not stuck with a legacy password saving scheme. Here is a trick to transparently upgrade to stronger hashing algorithm.

Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists and MFA.

A collection of password rules, change URLs and quirks by sites.

The only way to slow down offline attacks is by carefully choosing hash algorithms that are as resource intensive as possible.

Public shaming of websites storing passwords in plain text.

This study recommend the association of: blocklist checks against commonly leaked passwords, password policies without character-class requirements, minimum-strength policies.

A summary of NIST Special Publication 800-63B covering new password complexity guidelines.

On token invalidation.

Passwords are not the be-all and end-all of user authentication. This article tries to tell you why.

A swiss army knife for PKI/TLS by CloudFlare. Command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates.

Or why passkeys are not worse than passwords.

PKI lets you define a system cryptographically. It's universal and vendor neutral.

A practical guide to stay safe online and prevent phishing with FIDO2, WebAuthn and security keys.

A good recap of all JWT pitfalls.

Get up to speed on JWT with this article.

Method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.

The standards are either completely broken or complex minefields hard to navigate.

A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.

Allows you to decode, verify and generate JWT.

A tool to test security of json web token.

Learn how to use JWT to secure your web app.

What are magic links, their origin, pros and cons.

Open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

Quick overview of the important stuff.

Open security key supporting FIDO2 & U2F over USB + NFC.

And why your "solution" doesn't work, because stateless JWT tokens cannot be invalidated or updated. They will introduce either size issues or security issues depending on where you store them. Stateful JWT tokens are functionally the same as session cookies, but without the battle-tested and well-reviewed implementations or client support.

Compared to API keys, JWTs offers granular security, homogeneous auth architecture, decentralized issuance, OAuth2 compliance, debuggability, expiration control, device management.

Describe how authentication works with security keys, details the protocols, and how they articulates with WebAuthn. Key takeaway: “There is no way to create a U2F key with webauthn however. (…) So complete the transition to webauthn of your login process first, then transition registration.”

Introduce WebAuthn as a standard supported by all major browsers, and allowing “servers to register and authenticate users using public key cryptography instead of a password”.

Guide to setup Yubikey, U2F, GPG, git, SSH, Keybase, VMware Fusion and Docker Content Trust.

Guide to using YubiKey as a SmartCard for storing GPG encryption, signing and authentication keys, which can also be used for SSH. Many of the principles in this document are applicable to other smart card devices.

Acts as a broker between CAs and environments, providing a central portal for developers to issue TLS certificates with 'sane' defaults.

Standalone minimalistic login server providing a JWT login for multiple login backends (htpasswd, OSIAM, user/password, HTTP basic authentication, OAuth2: GitHub, Google, Bitbucket, Facebook, GitLab).

Most privacy breaches were allowed by known vulnerabilities in third-party dependencies. Here is how to detect them by the way of CI/CD.

This paper demonstrates that, because of the lack of GDPR law enforcements, dark patterns and implied consent are ubiquitous.

Diffix try to provide anonymization, avoid pseudonymization and preserve data quality. Written in Elixir at Aircloak, it acts as an SQL proxy between the analyst and an unmodified live database.

As the world becomes increasingly connected, the email marketing regulation landscape becomes more and more complex.

“Hashed email addresses can be easily reversed and linked to an individual”.

Best practices for developers.

Templates for personal use to have companies comply with "Data Access" requests.

List of GDPR fines and penalties.

Europe's reference site.

A one-page summary of the above.

Data breach index.

An alternative anonymity privacy model.

A collection of scientific studies of schemes providing privacy by design.

Context aware, pluggable and customizable data protection and PII data anonymization service for text and images.

A flowchart to select the right tool depending on data type and context.

Hashing is not sufficient for anonymization no. But still it is good enough for pseudonymization (which is allowed by the GDPR).

Explain the intuition behind differential privacy, a theoretical framework which allow sharing of aggregated data without compromising confidentiality. See follow-up articles with more details and practical aspects.

Don't be the next company leaking your customer's data.

Overview of the how and why of SSO and SAML.

Not only weird, SAML is also insecure by design, as it relies on signatures based on XML canonicalization, not XML byte stream. Which means you can exploit XML parser/encoder differences.

“OAuth is a protocol for authorization: it ensures Bob goes to the right parking lot. In contrast, SAML is a protocol for authentication, or allowing Bob to get past the guardhouse.”

SAML is arcane at times. A another analogy might helps get more sense out of it.

“Even though SAML was actually designed to be widely applicable, its contemporary usage is typically shifted towards enterprise SSO scenarios. On the other hand, OAuth was designed for use with applications on the Internet, especially for delegated authorisation.”

On the technical and UX issues of single logout implementations.

A documented rant on the excessive pricing practiced by SaaS providers to activate SSO on their product. The author's point is, as a core security feature, SSO should be reasonably priced and not part of an exclusive tier.

Another naive explanation of SAML workflow in the context of corporate SSO implementation.

Identity is hard. Another take on the different protocol is always welcome to help makes sense of it all.

An open hardware HSM.

A case study of vulnerability and exploitability of a HSM (in French, sorry).

Secure, store and tightly control access to tokens, passwords, certificates, encryption keys.

Not GCP's KMS, but the one at the core of their infrastructure. See the slides.

Really basic overview of HSM usages.

An alternative to HashiCorp Vault.

Open-source project for building trusted execution environments (TEE) with secure hardware enclaves, based on the RISC-V architecture.

A system for managing and distributing secrets, which can fit well with a service oriented architecture (SOA).

A specification and a reference implementation for the secure transfer, storage and processing of data.

Solution based on blind signatures. See the slides.

AWS CloudHSM Classic is backed by SafeNet's Luna HSM, current CloudHSM rely on Cavium's Nitrox, which allows for partitionable "virtual HSMs".

Audit git repos for secrets.

Python module to check for weak RSA moduli in various key formats.

Editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.

Searches through git repositories for high entropy strings and secrets, digging deep into commit history.

A Neo4J-based tool to map out dependencies and relationships between services and resources. Supports AWS, GCP, GSuite, Okta and GitHub.

Mozilla's security and access guidelines.

“This document divides cloud vulnerabilities into four classes (misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities)”.

Customer name matching has lots of application, from account deduplication to fraud monitoring.

Why background check are sometimes necessary.

Captchas solving service.

Reference all open-source captcha libraries, integration, alternatives and cracking tools.

Section dedicated to fraud management for billing and payment, from our sister repository.

“A concise definition of Threat Intelligence: evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.”

An open-source infrastructure for user identity and risk management.

Fingerprints can be used as a source of signals to identify bots and fraudsters.

Homoglyphs is a common phishing trick.

Some groups and content are illegal in some juridictions. This is an example of a blocklist.

Open-source platform for visualizing and manipulating large graphs.

“To limit "friction" Uber allowed riders to sign up without requiring them to provide identity beyond an email — easily faked — or a phone number. (…) Vehicles were stolen and burned; drivers were assaulted, robbed and occasionally murdered. The company stuck with the low-friction sign-up system, even as violence increased.”

A really detailed analysis of suspicious contributor signups on OpenStreetMap. This beautiful and high-level report demonstrating an orchestrated and directed campaign might serve as a template for fraud reports.

A proposed method to “detects microcluster anomalies, or suddenly arriving groups of suspiciously similar edges, in edge streams, using constant time and memory.”

Tags to organize information on “threat intelligence including cyber security indicators, financial fraud or counter-terrorism information.”

CSV database of email addresses used by threat actor in phishing kits.

Tools to scan phone numbers using only free resources. The goal is to first gather standard information such as country, area, carrier and line type on any international phone numbers with a very good accuracy. Then search for footprints on search engines to try to find the VoIP provider or identify the owner.

reCaptcha is still an effective, economical and quick solution when your company can't afford to have a dedicated team to fight bots and spammers at internet scale.

Collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

Hunt down social media accounts by username across social networks.

An open source intelligence (OSINT) automation tool. It integrates with just about every data source available and uses a range of methods for data analysis, making that data easy to navigate.

Open standards, tools and methodologies to support threat intelligence analysis.

Wordlists for creating statistically likely usernames for use in username-enumeration, simulated password-attacks and other security testing tasks.

“If you host an online community, where people can harm another person: you are on the hook. And if you can't afford to be on the hook, don't host an online community”.

At one point you will let users upload files in your system. Here is a corpus of suspicious media files that can be leveraged by scammers =to bypass security or fool users.

A documentary on these teams of underpaid people removing posts and deleting accounts.

Moderation of huge social networks is performed by an army of outsourced subcontractors. These people are exposed to the worst and generally ends up with PTSD.

Is this paper aims at identity metasystem, its laws still provides great insights at smaller scale, especially the first law: to always allow user control and ask for consent to earn trust.

A great introduction on the domain and its responsibilities.

A couple of real use-case to demonstrate the role of a TnS team.

Starts with a rant on how the service is a privacy nightmare and is tedious UI-wise, then list alternatives.

“You can think about the solution space for this problem by considering three dimensions: cost, accuracy and speed. And two approaches: human review and machine review. Humans are great in one of these dimensions: accuracy. The downside is that humans are expensive and slow. Machines, or robots, are great at the other two dimensions: cost and speed - they're much cheaper and faster. But the goal is to find a robot solution that is also sufficiently accurate for your needs.”

Some basic tips on the login form.

A collection of tactics to increase the chance of users finishing the account creation funnel.

From Leaked Screenshots & A/B Tests.

Create login forms that are simple, linkable, predictable, and play nicely with password managers.

Notifications are hard. Really hard.

“In this post we will look at the humble `` element and the HTML attributes that will help speed up our users' two factor authentication experience”.

Summarizes the results from an academic study investigating the impact removing password masking has on consumer trust.

Covers all the important facets of user onboarding.

A detailed case study, nicely presented, on how to improve user onboarding.

A huge list of deconstructed first-time user signups.

To support both SSO and password-based login. Now if breaking the login funnel in 2 steps is too infuriating to users, solve this as Dropbox does: an AJAX request when you enter your username.

Quick overview of Google's Zero-trust Network initiative.

A cloud-native, identity-aware proxy and policy enforcement point that orchestrates authentication and authorization systems via versatile rules, supporting protocol-agnostic identity propagation.

Identity & Access Proxy and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP requests. Inspired by the BeyondCorp / Zero Trust white paper.

An identity-aware proxy that enables secure access to internal applications.

BeyondCorp-inspired Access Proxy server.

More companies add extra layers of VPNs, firewalls, restrictions and constraints, resulting in a terrible experience and a slight security gain. There's a better way.