A comprehensive developer guide to implementing secure authentication in modern applications. Covers OAuth 2.0, OIDC, passwordless authentication, passkeys, and enterprise SSO with production-ready ...

Two-factor authentication adds a barrier between whoever's logging in and the account by requiring authentication in two ways, such as a computer and phone. This ...

Security experts advise against using SMS messages for two-factor authentication codes due to their vulnerability to interception or compromise. Recently, a security researcher discovered an unsecured ...

One-time SMS codes are widely used as the second checkpoint in two-factor authentication (2FA) to sign into everything from banking apps to email accounts. As I've written before, though, SMS is one ...

Organizations must build on existing security practices and embrace phishing-resistant authentication to deliver robust ...

Learn how to implement Single Sign-On with External Security Token Services (STS). A deep dive into SAML, OIDC, and token exchange for CTOs and VP Engineering.

In “Two-Factor Authentication, Two-Step Verification, and 1Password” (10 July 2023), I explained that for true two-factor authentication, you needed to acquire your time-based one-time password (TOTP) ...

I have long encouraged the use of two-factor authentication (2FA) or two-step verification (2SV) with online accounts whenever possible (for more about the difference, see “Two-Factor Authentication, ...

Update, Mar. 1, 2025: This story, originally published Feb. 28, now includes details of a new PayPal “no code checkout” scam. Hot on the heels of Google confirming that it is replacing the use of SMS ...

BeyondTrust has released security updates to fix a high-severity flaw in its Remote Support (RS) and Privileged Remote Access (PRA) solutions that can let unauthenticated attackers gain remote code ...