The _mobile app authentication best practices_ question is the single hardest one to answer well in mobile application security, because the answers that work for web applications fail in subtle ways on mobile devices. The browser does most of the heavy lifting in a web application's authentication flow — cookie handling, redirect orchestration, session storage with reasonable defaults. The…
A single shared API key is fine right up until a second person uses it.
intent-brain — the system, repo qmd-team-intent-kb, renamed to the intent-brain plugin v0.4.0 this day — is a team knowledge base. A Fastify HTTP API sits over a governed memory corpus. In front of that API is an MCP server named teamkb, so a teammate doesn't open a dashboard or learn an endpoint. They ask in Claude…
If you've shipped a Next.js app on NextAuth (now Auth.js), you know it works. The reason people move to Better Auth usually isn't that NextAuth is bad — it's that Better Auth gives you typed, first-class access to sessions, organizations, and database-backed concepts without bolting adapters and callbacks together by hand. The session calls are typed end to end, the schema is generated for you,…
Malachite gains OAuth-based CLI authentication for ATProto and did:web DID resolution, alongside a restructured web frontend.
Photo by Michael Martine: The Bean in Millennium Park, Chicago, IL, June 2019 Published 25 May 2026 e555 with Andy, Michael and Michael - Ploopy’s The Bean and Lenovo’s TrackPoint, The Guild, The Movie, AI in commencement speeches, AI in podcasts, Virtual Worlds and Virtual OS museums and a whole lot more! Andy, Michael and...
The Atmosphere needs a distinct brand identify, better tools for builders, a new UX for users, and a small empowered group willing to build it all.
OpenAI is tightening ChatGPT security with passkeys and hardware keys, ditching passwords entirely. It is powerful protection, but there is a catch that could lock you out.
Counterfeits are getting faster, closer to demand and more embedded across categories, Entrupy’s annual State of the Fake report revealed.
Responding to user requests, the upgrade provides an enhanced security suite and more to the cross-vendor control interface
The post Bitfocus releases latest upgrade to its Buttons platform appeared first on TVBEurope.
The arrival of generative AI in the software development lifecycle (SDLC) is arguably the biggest shift in coding in decades. For development teams, tools like GitHub, Copilot, and other AI assistants act as a massive force multiplier, automating boilerplate, suggesting complex logic, and significantly accelerating time-to-commit. But as organizations rush to equip their teams, a […]
Let’s face it; remembering a bunch of passwords is the pits, and it’s just getting worse as time goes on. These days, you really ought to have a securely-generated key-smash …read more
Authentication is an area that generally has really difficult UX constraints and the language really matters.
Dan Abramov launched https://internethandle.org/ in late November and has been promoting the use of "Internet Handle" as a standard term for authentication in the ATProtocol ecosystem.
I'm open to the idea, but I don't think "handle" will catch on quickly since users might need time to…
Preview of authorization changes landing in the 2025-11-25 MCP spec release, marking the protocol's first anniversary with notable auth-flow updates.
Bereket Engida walks through building better-auth, the extensible authentication library taking the JavaScript community by storm.
Walkthrough of the new OAuth 2.0 and RFC 9728 PRM support shipped in the official MCP C# SDK, with sample code for protected MCP server authorization in .NET.
Parent WAM authentication dialogs to MCP clients like VS Code and Claude Desktop by traversing the process hierarchy to find a usable window handle.
C# walkthrough using MSAL with Windows Web Account Manager (WAM) so a local MCP server can sign users into Entra ID without standing up an OAuth listener.
MCP brings back classic security problems around local execution and remote authentication, and the industry seems determined to ignore lessons already learned.
"Passkeys and the WebAuthn specification were intended to make public key cryptography accessible to average users, rather than just the domain of the tech-savvy. If done right, they could seriously improve security on the Web." @drbruced@aus.social summarises why passkeys are such a good idea in theory and explains where current implementations of the technology fall...
App Store and Play Store ads routinely surface look-alike authenticator apps above the legitimate ones. Here is how to spot and avoid them.
Use the Windows Web Account Manager (WAM) broker with MSAL to delegate OAuth token acquisition to the OS and skip redirect URL plumbing in client apps.
"If you watched the SEC Twitter account hack that moved markets yesterday and wondered how to prevent account takeover for your personal, business, or high profile social media account, here's an Account Takeover Prevention Guide for you and/or your organization." @racheltobac@infosec.exchange neatly summarises the steps you should take to prevent the hijacking of your online accounts.
Wiring MSAL.NET 4.58.0 OpenTelemetry support to the Azure Monitor exporter so authentication metrics from production apps land in Application Insights.
How the MSAL team approaches developer-facing documentation - making engineers core contributors, not delegating writing to a separate content org.
Tracing the network calls behind Twitter's relaunched verification eligibility check, revealing the internal API the new self-service flow relies on.
Why SMS-based two-factor auth is exposed to SIM swap and SS7 attacks, and what to use instead: TOTP authenticator apps and hardware security keys.
Implementing Last.fm mobile session auth from a Windows Phone 7.5 app, including the MD5-signed parameter signature required by auth.getMobileSession.
Google App Engine for Python ships with the capability to manage user accounts without the need of any additional library. This functionality is, however, insufficiently documented. This post is a step-by-step tutorial addressing user registration, login, password reset and a few other details.