Identigral (@identigral)'s Twitter Profile
Identigral

@identigral

We are advisors and engineers who use technology to solve problems by focusing on people and processes. Fide sed cui vide ("Trust, but be careful whom").

ID: 26961789

Website: http://www.identigral.com | Joined: 27-03-2009 06:13:23

1.1K Tweets

1.1K Followers

875 Following

Identigral (@identigral):

(3/3) if other methods such as FB login are provided. Occam's razor: remove Apple, FB and other 3rd party IdPs as sign-up/in methods. Who wins this war is TBD...but an interesting retreat from not too long ago when "outsource your auth (+JIT reg) to B2C IdPs" was the rebel yell.

Identigral (@identigral):

How Twitter could have prevented the hack: the internal tool should have used a multi-party authorization (MPA) scheme when changing a user's email (and/or other access-related attributes). A common impl. of MPA at scale: require a Helpdesk ticket approved by ops mgmt.

Identigral (@identigral):

(1/2) Another GPT-3 MVP: attacking cryptographically hashed user-entered text such as passwords. Extract 1-3 chars via a conventional method, then feed to GPT, have it suggest next token(s), use that to reduce search space. If the training set is usernames+compromised passwords

Identigral (@identigral):

(2/2) Another GPT-3 MVP: ...then contextual inference will be a further advantage if certain user segments (e.g. all Gmail users) skew in how they choose passwords. A higher cost of this pipelined, tailored implementation might work for high-value targets.

Identigral (@identigral):

Salesforce #Winter21 release top 5: 1 out of 5: Composite Graph resource @ /composite/graph increases the subrequest limit from 25 to 500 per payload + automatically deals with all or none CRUD semantics.

Identigral (@identigral):

Salesforce #Winter21 release top 5: 2 out of 5: require email confirmations for email address changes for all Community users. That means all of your external users with out of the box Community setup. It's opt-in by default...which can be a Good Thing™ (Twitter breach says hi)

Identigral (@identigral):

Salesforce #Winter21 release top 5: 3 out of 5: CORS requests are allowed on OAuth /token, /revoke, /introspect and /userinfo endpoints if you go through My Domain or a Community URL. JS clients of the world, unite!

Identigral (@identigral):

Salesforce #Winter21 release top 5: 4 out of 5: Real-time threat detection for API calls via ApiAnomalyEvent. This is a continued build-out of the threat detection service that uses machine learning to detect deviations. It already covers session jacking/cred stuffing...and now APIs.

Identigral (@identigral):

Salesforce #Winter21 release top 5: 5 out of 5: Privacy Center is an app that centralizes privacy/consent mgmt in one place. Manage how your org retains, deletes, anonymizes and transfers customer data. Data retention policies for PII + Data Subject Rights feature. GDPR, CCPA.

Identigral (@identigral):

Salesforce #Winter21 release top 5 honorable mention because it's a closed pilot and it depends on a service that requires additional license: External Services can now import an OpenAPI service spec. Limited number of 3rd party APIs such as Atlassian's JIRA are pre-built.

Identigral (@identigral):

Some items that are becoming spec in upcoming OAuth 2.1 are backported as best practices to OAuth 2.0 universe. PKCE as a must for public clients, refresh token sender-constraining and mTLS + more attacks/countermeasures.

Identigral (@identigral):

If Martin Fowler has trouble with OAuth, what about all other devs? This Patreon -> Slack integration is a good litmus test for evaluating no-code/low-code platforms with effort to implement as a comparison metric. (Google says Apps Script is low-code, a debatable assertion).

Identigral (@identigral):

Google Project Zero vs AWS IAM and GCP IAM with predictable results. "A strong developer might be able to reason about all security pitfalls of their own software, but it becomes very difficult once a complex external service comes into play". Most IAM services are external, yay!

Identigral (@identigral):

OpenID Connect: fun with the spec wording of "audience must be an array of strings" without specifying the type of array and its interpretation by OPs/RPs. In this case the players are Microsoft Entra ID (Azure AD) and Salesforce salesforce.stackexchange.com/questions/3253…

Ryan Petersen (@typesfast):

Flexport is organizing an airlift of humanitarian relief supplies to refugee centers in Eastern Europe. You can help by donating to pay for more flights at flexport.org/donate. 🧵👇

Identigral (@identigral):

"Fun", real-world example of how challenging it is to walk the UX/security line when humans are involved. So what if Trusted Relationship is a known attack vector, mitigation beyond basic is costly due to asymmetric impact. Arguably, detect+term via the Law is a cheap alt route

Identigral (@identigral):

Data (CDP, Tableau, Mulesoft) growing faster than other segments. On the earnings call, mgmt chanted the mantra of AI + Data as both vision and R&D spend. Three "zones" of AI: Einstein, Gen AI, Autonomous (agents). AI applied in Slack, Data (segmentation), Service Cloud.

Identigral (@identigral):

$OKTA Q2 earnings: Workforce vs CIAM (Auth0 + "legacy" Okta) ACV split is 60/40 but growth vs '22 is about even. Taken together it's a somewhat...interesting result.

Identigral (@identigral):

SEC sued SolarWinds (SW) for poor InfoSec practices. The thrust of the lawsuit is SW misleading investors regarding SW risk controls, incl. a password policy (!). Even if they do not prevail in court, bringing action is a shot across the company boards' bow. Nice one, Gary.