4d ago · 6 min read · Last month I got a bug report that made me close my laptop and go for a walk. A paying user couldn't log in. Their device was rooted? Not according to them. Custom ROM? Yes. A modern, security-hardened Android build with verified boot and hardware-ba...
Join discussion
Mar 19 · 19 min read · JWT auth feels clean until a stolen token still looks valid to your server. That's the real problem: a bearer token proves possession of a token, but it doesn't prove possession of a trusted device. I
Join discussion
Feb 19 · 6 min read · Cryptography is precise. Browsers are not. If you’ve implemented WebAuthn in a real PWA, you already know this:The spec is clean. The user experience is not. The uncomfortable truth is this: Most authentication systems fail because of UX, not becaus...
Join discussion
Feb 19 · 5 min read · When designing a passwordless-first PWA architecture, the diagram looks elegant. In production, elegance collides with: Browser inconsistencies Institutional identity constraints Support tickets Device lifecycle chaos Monitoring blind spots Le...
Join discussion
Feb 19 · 5 min read · When teams adopt WebAuthn or FIDO2, the excitement is understandable: No passwords. No phishing. No credential stuffing. Biometric UX. Public-key cryptography. It feels like the final answer. But WebAuthn answers exactly one question: Can thi...
Join discussion
Feb 18 · 6 min read · WebAuthn gave us phishing-resistant, device-bound authentication.But devices get lost. Browsers reset. Users switch laptops. Institutions manage identities centrally. That’s where OIDC (Feide) enters — not as a competitor to passwordless, but as stru...
Join discussion
Feb 17 · 7 min read · WebAuthn looks deceptively simple at a high level: Generate challenge Call browser API Verify signature Done In practice, it is not that simple. WebAuthn is cryptographically elegant but operationally unforgiving.Small mistakes create subtle se...
Join discussion
Feb 16 · 6 min read · Modern authentication diagrams are clean. Real systems are not. My architecture intentionally combines: WebAuthn (FIDO2) for phishing-resistant authentication Feide (OIDC) for federated identity, recovery, and bootstrap SQL Server for credential p...
Join discussion
Feb 15 · 6 min read · Security engineers love cryptography because it is clean. Humans are not. The strongest authentication protocol in the world can be undone by: a confusing error message, an unclear retry flow, a missing recovery path, or a user who simply wants t...
Join discussion
