I love the article, I think it is a good read and dev should know these principles.
However, I think when possible you should use things like an OIDC provider when applicable, especially if you want MFA.
If not and you need to hash password yourself, find a well-vetted library that does this for you including salts, peppers and fried unions ;). Crypto is hard and nobody should implement it themselves unless you are a crypto genius and many devs (incl myself) are probably not.
You do have to keep the libraries up to date of course.
Anyway, great write! Love the way you explained things. Thanks!
30+ years of tech, retired from an identity intelligence company, now part-time with an insurance broker.
Dev community mod - mostly light gardening & weeding out spam :)
Regarding the use of federated authentication via protocols such as OpenID Connect (OIDC), I would say it depends on the application context: in a large number of commercial / enterprise situations, then it's very helpful to plug into a companies existing SSO solution where your app becomes part of their suite of tools and doesn't add to their user management pain - a big selling point IMO; in high security scenarios (eg: SIEM access, board meeting record system, privileged access management) or otherwise isolated environments (eg: air-gapped NOC/SOC tools), then it may not be possible to connect to an SSO solution, and it's good to know how to create a trustworthy local authenticator.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
I love the article, I think it is a good read and dev should know these principles.
However, I think when possible you should use things like an OIDC provider when applicable, especially if you want MFA.
If not and you need to hash password yourself, find a well-vetted library that does this for you including salts, peppers and fried unions ;). Crypto is hard and nobody should implement it themselves unless you are a crypto genius and many devs (incl myself) are probably not.
You do have to keep the libraries up to date of course.
Anyway, great write! Love the way you explained things. Thanks!
I agree - great article :)
Regarding the use of federated authentication via protocols such as OpenID Connect (OIDC), I would say it depends on the application context: in a large number of commercial / enterprise situations, then it's very helpful to plug into a companies existing SSO solution where your app becomes part of their suite of tools and doesn't add to their user management pain - a big selling point IMO; in high security scenarios (eg: SIEM access, board meeting record system, privileged access management) or otherwise isolated environments (eg: air-gapped NOC/SOC tools), then it may not be possible to connect to an SSO solution, and it's good to know how to create a trustworthy local authenticator.