Mar 22 · 6 min read · In early March 2026, two events put MFA bypass back in the spotlight. Europol dismantled Tycoon 2FA — the world's largest phishing-as-a-service platform — while a new suite called Starkiller demonstrated that AitM phishing has evolved from a sophisti...
Join discussionFeb 19 · 6 min read · Cryptography is precise. Browsers are not. If you’ve implemented WebAuthn in a real PWA, you already know this:The spec is clean. The user experience is not. The uncomfortable truth is this: Most authentication systems fail because of UX, not becaus...
Join discussion
Feb 19 · 5 min read · When designing a passwordless-first PWA architecture, the diagram looks elegant. In production, elegance collides with: Browser inconsistencies Institutional identity constraints Support tickets Device lifecycle chaos Monitoring blind spots Le...
Join discussion
Feb 19 · 5 min read · When teams adopt WebAuthn or FIDO2, the excitement is understandable: No passwords. No phishing. No credential stuffing. Biometric UX. Public-key cryptography. It feels like the final answer. But WebAuthn answers exactly one question: Can thi...
Join discussion
Feb 18 · 6 min read · WebAuthn gave us phishing-resistant, device-bound authentication.But devices get lost. Browsers reset. Users switch laptops. Institutions manage identities centrally. That’s where OIDC (Feide) enters — not as a competitor to passwordless, but as stru...
Join discussion
Feb 17 · 7 min read · WebAuthn looks deceptively simple at a high level: Generate challenge Call browser API Verify signature Done In practice, it is not that simple. WebAuthn is cryptographically elegant but operationally unforgiving.Small mistakes create subtle se...
Join discussion
Feb 16 · 6 min read · Modern authentication diagrams are clean. Real systems are not. My architecture intentionally combines: WebAuthn (FIDO2) for phishing-resistant authentication Feide (OIDC) for federated identity, recovery, and bootstrap SQL Server for credential p...
Join discussion
Feb 10 · 6 min read · If you read the WebAuthn specification end to end, you’ll come away with two thoughts: This is extremely well designed. No human should be expected to learn it this way. WebAuthn didn’t appear to make logins prettier. It exists because the web ne...
Join discussion
Feb 8 · 6 min read · “Passwordless” has become one of those terms that everyone uses and few people define. Depending on who you ask, it can mean: logging in with Face ID, receiving a magic link by email, approving a push notification, using a security key, or never...
Join discussion
Feb 7 · 6 min read · Modern web applications are full of login screens — but surprisingly few of them have a well-designed authentication system. This distinction matters more than it sounds.If you treat authentication as a UI feature instead of a security system, every ...
Join discussion
