by zer00eyz 838 days ago
Authentication: Identify yourself

Authorization: Can you use this service.

Access Control/Tokenization: How long can this service be used for.

I swipe my badge on the card reader. The lock unlocks.

Should we leave a handy door stopper or 2x4 there, so you can just leave it propped open? Or should we have tokens that expire in a reasonable time frame... say a block of ice (in our door metaphor) so it disappears at some point in future? Nonce tokens have been a well understood pattern for a long time...

It's not that these things are unavoidable, it's that security isn't a first principle, or easy to embed due to issues of design.

1 comments

> Or should we have tokens that expire in a reasonable time frame.

And that are single-use.

(Your password reset "magic link" should expire quickly, but needs a long enough window to allow for slow mail transport. But once it's used the first time, it should be revoked so it cannot be used again even inside that timeout window.)
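
The expiring, single-use token discussed in this thread, as an added example that is not part of the original comments: a minimal in-memory store in which the first redemption revokes the token even inside its timeout window. The class name, the 15-minute default TTL and the injectable clock are assumptions made for illustration.

```python
import hashlib
import secrets
import threading
import time


class ResetTokenStore:
    """Hypothetical in-memory store for single-use, expiring reset tokens."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._ttl = ttl_seconds      # assumed window, long enough for slow mail
        self._clock = clock          # injectable so expiry can be tested
        self._lock = threading.Lock()
        self._pending = {}           # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Create an unguessable token to embed in the emailed magic link."""
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._pending[self._digest(token)] = (user_id, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the user_id once; None if unknown, expired or already used."""
        digest = self._digest(token)
        with self._lock:
            # pop() looks up and revokes in one step under the lock, so two
            # concurrent requests with the same link cannot both succeed.
            entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            return None              # expired; the entry is already removed
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("alice")   # constructed sample user
    print(store.redeem(link_token))     # first use succeeds
    print(store.redeem(link_token))     # replay inside the window is rejected
```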