this post was submitted on 01 Jul 2023
90 points (97.9% liked)
Web Development
3441 readers
2 users here now
Welcome to the web development community! This is a place to post, discuss, get help about, etc. anything related to web development
What is web development?
Web development is the process of creating websites or web applications
Rules/Guidelines
- Follow the programming.dev site rules
- Keep content related to web development
- If what you're posting relates to one of the related communities, crosspost it into there to help them grow
- If youre posting an article older than two years put the year it was made in brackets after the title
Related Communities
- !html@programming.dev
- !css@programming.dev
- !uiux@programming.dev
- !a11y@programming.dev
- !react@programming.dev
- !vuejs@programming.dev
- !webassembly@programming.dev
- !javascript@programming.dev
- !typescript@programming.dev
- !nodejs@programming.dev
- !astro@programming.dev
- !angular@programming.dev
- !tauri@programming.dev
- !sveltejs@programming.dev
- !pwa@programming.dev
Wormhole
Some webdev blogs
Not sure what to post in here? Want some web development related things to read?
Heres a couple blogs that have web development related content
- https://frontendfoc.us/ - [RSS]
- https://wesbos.com/blog
- https://davidwalsh.name/ - [RSS]
- https://www.nngroup.com/articles/
- https://sia.codes/posts/ - [RSS]
- https://www.smashingmagazine.com/ - [RSS]
- https://www.bennadel.com/ - [RSS]
- https://web.dev/ - [RSS]
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Paginated login
Microsoft enabled it in ADFS on WS 2019. I know there are plenty other places it's used, but It's the example I'm most familiar with.
There can be a security element to it depending on how the server handles paginated auth as it separates the password field away from the user ID. You can also interject the second factor first before the password to protect brute forcing.
But the larger reason I've read is that it's easier for end users to use. Here's MS talking about it with ADFS.
"Instead of a long form to fill out, a new flow takes you through the sign-in experience step-by-step. Our research shows that with this approach, our customers have more successful sign-ins."
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-paginated-sign-in
Whether this is true or not is debatable. I'd love to see passwords die out. I doubt I'll see that in my lifetime though.
Me too, public key based authentication would be so much better, and safer too. But that would require intelligent end users, which is impossible.
How would you replace it instead? Biometric?
Biometric or certificate on a physical device (e.g. Yubikey) auth via Webauthn/FIDO2 is becoming more popular.
Interesting finding from Microsoft that it leads to fewer user errors, thanks for sharing!
You’d love to see passwords die out? How would you protect personal data?
There's a million ways to authenticate a user. Passwords are just the simplest to code (poorly, haha) and deal with. You don't even have to store the password (just a hash of it) which means you don't need to encrypt your database to keep them secure which also means you don't have to deal with decryption keys, key rotation, etc.
With passwords you also don't need to deal with 3rd party hardware or systems. You can handle it all right there in your code using methods that are so common and popular you can copy and paste them right out of StackOverflow (haha).
Now as to, "how would you protect personal data?" That has nothing at all to do with passwords! Protecting personal data is an orthogonal concept to authentication.
Protecting data--any data--is a very holistic thing: You have to do a threat assessment and figure out where your boundaries are and take measures to protect literally everything in order to prevent attackers from being able to get to it. Example: Attackers could get access to "personal data" by waltzing out of a data center with the correct server/hard drives in their arms. Passwords be damned!
Biometric (fingerprint, etc) or private keys via physical devices like Yubikeys.