OAuth @oktadev oauth.wtf oauth.net 🎥 livestreaming youtube.com/aaronpk aaronpk.tv 💛 #indieweb 🐘🦋

Portland, Oregon
Joined April 2008
That's exactly what I want, but across the whole internet, oh and maybe drop the password too 😅
My problem with this whole thread is that yes, of course we need something better than passwords, but also, yes, there is a lot of improvement being made right now. It's not like someone can make something that "solves passwords" and suddenly everyone will be using it.
Replying to @kmikeym
Depends on what's powering the other end of the fiber line. I guess mine is on a different grid, but I'm also in a weird spot between two different power companies.
👏 that is some A plus countertrolling 👏
I would if it were me! Just stay on high alert mode of course... don't download anything, don't connect any OAuth apps to anything, and click links only using an isolated computer. I'm always curious about these things!
yeah I suspect you're right. I'm curious what the next play is. Maybe they send you a download link to the special "Spotify VIP" app?
Replying to @kmikeym
Clearly I need to beef it up a bit, but right now I have a UPS on the network gear and also at my desk. It can keep things powered for about 30-40 minutes, and my internet is fiber so it stays online too
The power went out literally a minute after I finished hosting a workshop. Good timing I guess. Time to invest in some more batteries?
No not really, that's why the redirect URL is so important to get right. It's not a great situation, but it would require cooperation from the OS in order to have a more secure flow. That said, it's also a relatively unlikely attack vector so people mostly don't worry about it.
Yes, you're right, but that doesn't mean PKCE is not secure. This is just an inherent limitation of public clients that can't use a client secret. PKCE does solve several attacks, but it doesn't provide authentication of the app itself.
That's one opinion yes. There are good arguments on both sides.
Yep although the WordPress plugin requires some active effort by the user. At least it’s just installing a plugin and not dealing with markup though.
Nah, don’t forget that every micro.blog account is an IndieAuth account too. Users don’t need to have any knowledge of anything under the hood for that to work. We need more service providers to implement it more than anything.
Why do I always forget to shoot a thumbnail? You'd think I'd know better by now.
Replying to @blaine @yoz @okta
I would actually be very curious to learn more about this, 'cause we've got some fun stuff coming down the pipe too
Replying to @blaine @yoz @okta
sometimes you have to sell faster horses until people realize what they actually want is a car 😄
Replying to @blaine @yoz @okta
Not to kick the can down the road, but we wouldn't even provide the option of a security question if people didn't ask for it 😦
I managed to keep one of the sales callers on the phone long enough to ask where they got my info. Turns out they use @zoominfo which thankfully has an "opt out" process. zoominfo.com/update/profile Hopefully this stops the unrelenting sales calls from suspicious looking numbers!
Ugh I know. The good news is the admin can disable security questions on the entire org if they want.