This is the second blog of the series discussing the internet and cyber attacks. You can find the first blog here.
The purpose of phishing attacks is to obtain resources and information such as usernames, passwords, credit card details by disguising as a trustworthy entity. This is commonly done through emails and instant messages. It often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site
The following are some types of phishing attacks.
A whaling attack is a method used by cyber attackers to disguise as an important…
This is the first blog of the series discussing the internet and cyber attacks. According to Wikipedia, an attack is any attempt to expose, alter, disable, destroy, steal, or gain unauthorized access to or make unauthorized use of an asset. A cyber attack is an attack launched from one or more computers against another computer, multiple computers, or networks.
This is the first time I participated in the Internet Identity Workshop and It was an amazing workshop. The event was held in the Computer History Museum, Mountain View, Califonia. This is a 3 days workshop and IIW has been finding, probing and solving identity issues twice every year since 2005.
This is a well planned, but participant-driven Unconference meeting. The name Unconference may not be familiar. It starts every day without a pre-defined agenda. After having breakfast, the first task of the day is to create the agenda. The event has a unique format, everyone sitting in a circle…
The purpose of this blog is to explain the high-level architecture of the WSO2 Identity Server. WSO2 Identity Server supports almost all the standard authentication and provisioning protocols such as OpenId Connect, SAML, SCIM by default.
This blog post explains the component architecture and the flow/sequence of authentication and provisioning happens.
Main components of the WSO2 Identity Server can be categorized as bellow.
Following sections describe more details and capabilities about each of the above sections.
When an application sends an authentication request to the Identity Server, the inbound authentication…
The purpose of this blog is to explain what user account suspension, the use cases of this feature and how it is implemented in WSO2 Identity Server.
Some organizations support self user registration capability for the end users. In such cases, there is a possibility that some users may register to the system, but they don’t use the system.
In scenarios like that, there is no need to have such kind of inactive user account in the organization’s POV. If the users are no longer using the system, these users should be either treated as invective or should be deleted.
In order to support better security, password policies are enforced by organizations. Following are such kind of policies
The purpose of this blog is to explain what password expiry validation is, the use cases of it and the implementation.
Due to human nature, people tend to use the same password as long as they can. Changing the password regularly is a good practice in terms of security. An attacker might obtain the password and use it. Changing the password regularly can minimize the risk of password leakage.
The purpose of the password…
The purpose of this blog is to explain what the admin initiated password reset feature is, use cases of this feature and how it is implemented in WSO2 identity server.
There are some cases where privileged users want to force to change the passwords of end users.
So, the ‘Admin initiated Password reset’ is a feature which supports in WSO2 Identity Server to force users to change their passwords.
Refer to here for more details about this feature.
The purpose of this blog post is to explain what ask password feature is, when this feature should be used, use cases and its implementation.
There are different ways of creating users into the systems. Users themselves can self-register to the systems, Administrative users can create users to the system.
Ask password flow comes to the category of ‘Administrative users can create users to the system.’
Why the ask password special?
Although the user is created by the administrative user, the actual password of the system is set by the end user.
That means a privileged user creates an account…
The purpose of this blog post is to explain the ways of self-registering users to the Identity Server, security aspects and how it is implemented.
Some applications allow users to register to the system by themselves. Examples for such applications are social websites such as Facebook, Twitter, LinkedIn, Google and so on.
There are different ways of registering users to the system. As you know, nowadays, users can register to the applications by authenticating with a trusted Identity Provider. Then the Identity provider sends an authenticated assertion with user attributes back to the application and application can provision users automatically…
Most of the applications use a password to authenticate to the system. In order to prevent unauthorized logins and secure user accounts from attackers, it is required to have a proper password which is hard to guess or identify. For example, the following are some bad examples for passwords which can easily guess.
~ birthday of the user
~ User username or other attributes such as first name last name as the password.
Users tend to use the passwords which they can remember easily. In order to have better security…
Senior Technical Lead — WSO2