<!--lint disable awesome-heading-->
<p align="center">
<a href="https://github.com/kdeldycke/awesome-iam#readme">
<img src="https://raw.githubusercontent.com/kdeldycke/awesome-iam/main/assets/awesome-iam-header.jpg" alt="Awesome IAM">
</a>
</p>
<p align="center">
<a href="https://github.com/kdeldycke/awesome-iam#readme" hreflang="en"><img src="https://img.shields.io/badge/lang-English-blue?style=flat-square" lang="en" alt="English"></a>
<a href="https://github.com/kdeldycke/awesome-iam/blob/main/readme.zh.md" hreflang="zh"><img src="https://img.shields.io/badge/lang-中文-blue?style=flat-square" lang="zh" alt="中文"></a>
</p>
<p align="center">
<sup>This list is
<a href="#sponsor-def">sponsored<sup id="sponsor-ref">[0]</sup></a>
by:</sup><br>
</p>
<p align="center">
<a href="https://www.descope.com/?utm_source=awesome-iam&utm_medium=referral&utm_campaign=awesome-iam-oss-sponsorship">
<picture>
<source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/kdeldycke/awesome-iam/main/assets/descope-logo-dark-background.svg">
<source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/kdeldycke/awesome-iam/main/assets/descope-logo-light-background.svg">
<img width="300" src="https://raw.githubusercontent.com/kdeldycke/awesome-iam/main/assets/descope-logo-light-background.svg">
</picture> <br/> <strong>Drag and drop your auth.</strong><br/> Add
authentication, user management, and authorization to your app with a
few lines of code. </a> <br/><br/>
</p>
<p align="center">
<a href="https://www.cerbos.dev/?utm_campaign=brand_cerbos&utm_source=awesome_iam&utm_medium=github&utm_content=&utm_term=">
<img width="600" src="https://raw.githubusercontent.com/kdeldycke/awesome-iam/main/assets/cerbos-banner.svg">
<br/> Build scalable, fine-grained authorization for your apps.
<strong>Try Cerbos</strong>, an authorization management system for
authoring, testing, and deploying access policies. </a> <br/><br/>
</p>
<!-- Comment this sponsorship call-to-action if there is a sponsor logo to increase its impact. -->
<!--
<p align="center">
<a href="https://github.com/sponsors/kdeldycke">
<strong>Yᴏᴜʀ Iᴅᴇɴᴛɪᴛʏ & Aᴜᴛʜᴇɴᴛɪᴄᴀᴛɪᴏɴ Pʀᴏᴅᴜᴄᴛ ʜᴇʀᴇ!</strong>
<br/>
<sup>Add a link to your company or project here: back me up via a GitHub sponsorship.</sup>
</a>
<br/><br/>
</p>
-->
<hr />
<p align="center">
<i>Trusting is hard. Knowing who to trust, even harder.</i><br> — Maria
V.
Snyder<sup id="intro-quote-ref"><a href="#intro-quote-def">[1]</a></sup>
</p>
<!--lint disable double-link-->
<p><a href="https://en.wikipedia.org/wiki/Identity_management">IAM</a>
stands for Identity and Access Management. It is a complex domain which
covers <strong>user accounts, authentication, authorization, roles,
permissions and privacy</strong>. It is an essential pillar of the cloud
stack, where users, products and security meet. The <a
href="https://github.com/kdeldycke/awesome-billing/">other pillar being
billing &amp; payments 💰</a>.</p>
<p>This curated <a href="https://github.com/sindresorhus/awesome"><img
src="https://awesome.re/badge-flat.svg" alt="Awesome" /></a> list exposes
all the technologies, protocols and jargon of the domain in a
comprehensive and actionable manner.</p>
<!--lint enable double-link-->
<h2 id="contents">Contents</h2>
<!-- mdformat-toc start --slug=github --no-anchors --maxlevel=6 --minlevel=2 -->
<ul>
<li><a href="#overview">Overview</a></li>
<li><a href="#security">Security</a></li>
<li><a href="#account-management">Account Management</a></li>
<li><a href="#cryptography">Cryptography</a>
<ul>
<li><a href="#identifiers">Identifiers</a></li>
</ul></li>
<li><a href="#zero-trust-network">Zero-trust Network</a></li>
<li><a href="#authentication">Authentication</a></li>
<li><a href="#password-based-auth">Password-based auth</a></li>
<li><a href="#multi-factor-auth">Multi-factor auth</a>
<ul>
<li><a href="#sms-based">SMS-based</a></li>
</ul></li>
<li><a href="#password-less-auth">Password-less auth</a>
<ul>
<li><a href="#webauthn">WebAuthn</a></li>
<li><a href="#security-key">Security key</a></li>
<li><a href="#public-key-infrastructure-pki">Public-Key Infrastructure
(PKI)</a></li>
<li><a href="#jwt">JWT</a></li>
</ul></li>
<li><a href="#authorization">Authorization</a>
<ul>
<li><a href="#policy-models">Policy models</a></li>
<li><a href="#rbac-frameworks">RBAC frameworks</a></li>
<li><a href="#abac-frameworks">ABAC frameworks</a></li>
<li><a href="#rebac-frameworks">ReBAC frameworks</a></li>
<li><a href="#aws-policy-tools">AWS policy tools</a></li>
<li><a href="#macaroons">Macaroons</a></li>
<li><a href="#other-tools">Other tools</a></li>
</ul></li>
<li><a href="#oauth2--openid">OAuth2 &amp; OpenID</a></li>
<li><a href="#saml">SAML</a></li>
<li><a href="#secret-management">Secret Management</a>
<ul>
<li><a href="#hardware-security-module-hsm">Hardware Security Module
(HSM)</a></li>
</ul></li>
<li><a href="#trust--safety">Trust &amp; Safety</a>
<ul>
<li><a href="#user-identity">User Identity</a></li>
<li><a href="#fraud">Fraud</a></li>
<li><a href="#moderation">Moderation</a></li>
<li><a href="#threat-intelligence">Threat Intelligence</a></li>
<li><a href="#captcha">Captcha</a></li>
</ul></li>
<li><a href="#blocklists">Blocklists</a>
<ul>
<li><a href="#hostnames-and-subdomains">Hostnames and
Subdomains</a></li>
<li><a href="#emails">Emails</a></li>
<li><a href="#reserved-ids">Reserved IDs</a></li>
<li><a href="#profanity">Profanity</a></li>
</ul></li>
<li><a href="#privacy">Privacy</a>
<ul>
<li><a href="#anonymization">Anonymization</a></li>
<li><a href="#gdpr">GDPR</a></li>
</ul></li>
<li><a href="#uxui">UX/UI</a></li>
<li><a href="#competitive-analysis">Competitive Analysis</a></li>
<li><a href="#history">History</a></li>
</ul>
<!-- mdformat-toc end -->
<h2 id="overview">Overview</h2>
<p><img align="right" width="50%" src="./assets/cloud-software-stack-iam.jpg"/></p>
<p>In a Stanford class providing an <a
href="https://web.stanford.edu/class/cs349d/docs/L01_overview.pdf">overview
of cloud computing</a>, the software architecture of the platform is
described as in the right diagram →</p>
<p>Here we set out the big picture: definition and strategic importance
of the domain, its place in the larger ecosystem, plus some critical
features.</p>
<ul>
<li><p><a href="https://www.enterpriseready.io">The EnterpriseReady SaaS
Feature Guides</a> - The majority of the features making B2B users happy
will be implemented by the IAM perimeter.</p></li>
<li><p><a
href="https://web.archive.org/web/20200809095434/https://twitter.com/kmcquade3/status/1291801858676228098">IAM
is hard. It's really hard.</a> - “Overly permissive AWS IAM policies
that allowed <code>s3:GetObject</code> to <code>*</code> (all)
resources”, led to an $80 million fine for Capital One. The only reason why
you can't overlook IAM as a business owner.</p></li>
<li><p><a
href="https://forrestbrazeal.com/2019/02/18/cloud-irregular-iam-is-the-real-cloud-lock-in/">IAM
Is The Real Cloud Lock-In</a> - A little <em>click-baity</em>, but the
author admits that “It depends on how much you trust them to 1. Stay in
business; 2. Not jack up your prices; 3. Not deprecate services out from
under you; 4. Provide more value to you in business acceleration than
they take away in flexibility.”</p></li>
</ul>
<h2 id="security">Security</h2>
<p>Security is one of the most central pillars of IAM foundations. Here
are some broad concepts.</p>
<ul>
<li><p><a href="https://infosec.mozilla.org">Enterprise Information
Security</a> - Mozilla's security and access guidelines.</p></li>
<li><p><a
href="https://web.archive.org/web/20250529050934/https://media.defense.gov/2020/Jan/22/2002237484/-1/-1/0/CSI-MITIGATING-CLOUD-VULNERABILITIES_20200121.PDF">Mitigating
Cloud Vulnerabilities</a> - “This document divides cloud vulnerabilities
into four classes (misconfiguration, poor access control, shared tenancy
vulnerabilities, and supply chain vulnerabilities)”.</p></li>
<li><p><a href="https://github.com/lyft/cartography">Cartography</a> - A
Neo4J-based tool to map out dependencies and relationships between
services and resources. Supports AWS, GCP, GSuite, Okta and
GitHub.</p></li>
<li><p><a
href="https://github.com/open-guides/og-aws#security-and-iam">Open guide
to AWS Security and IAM</a></p></li>
</ul>
<h2 id="account-management">Account Management</h2>
<p>The foundation of IAM: the definition and life-cycle of users,
groups, roles and permissions.</p>
<ul>
<li><p><a
href="https://mobile.twitter.com/oktopushup/status/1030457418206068736">As
a user, I want…</a> - A meta-critique of account management, in which
features expected by the business clash with real user needs, in the
form of user stories written by a fictional project manager.</p></li>
<li><p><a
href="https://instadeq.com/blog/posts/things-end-users-care-about-but-programmers-dont/">Things
end users care about but programmers don't</a> - In the same spirit as
above, but broader: all the little things we overlook as developers but
users really care about. At the top of that list lie account-centric
features, diverse integrations and import/export tools. I.e. all the
enterprise customer needs to cover.</p></li>
<li><p><a href="https://news.ycombinator.com/item?id=21151830">Separate
the account, user and login/auth details</a> - Sound advice to lay down
the foundation of a future-proof IAM API.</p></li>
<li><p><a href="https://lord.io/blog/2020/usernames/">Identity Beyond
Usernames</a> - On the concept of usernames as identifiers, and the
complexities introduced when unicode characters meet uniqueness
requirements.</p></li>
<li><p><a href="https://github.com/ory/kratos">Kratos</a> - User login,
user registration, 2FA and profile management.</p></li>
<li><p><a href="https://github.com/cyberark/conjur">Conjur</a> -
Automatically secures secrets used by privileged users and machine
identities.</p></li>
<li><p><a
href="https://github.com/supertokens/supertokens-core">SuperTokens</a> -
Open-source project for login and session management which supports
passwordless, social login, email and phone logins.</p></li>
<li><p><a
href="https://github.com/userfrosting/UserFrosting">UserFrosting</a> -
Modern PHP user login and management framework.</p></li>
</ul>
<h2 id="cryptography">Cryptography</h2>
<p>The whole authentication stack is based on cryptography primitives.
This can't be overlooked.</p>
<ul>
<li><p><a
href="https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html">Cryptographic
Right Answers</a> - An up to date set of recommendations for developers
who are not cryptography engineers. There's even a <a
href="https://news.ycombinator.com/item?id=16749140">shorter summary</a>
available.</p></li>
<li><p><a href="https://rwc.iacr.org">Real World Crypto Symposium</a> -
Aims to bring together cryptography researchers with developers,
focusing on uses in real-world environments such as the Internet, the
cloud, and embedded devices.</p></li>
<li><p><a href="https://www.garykessler.net/library/crypto.html">An
Overview of Cryptography</a> - “This paper has two major purposes. The
first is to define some of the terms and concepts behind basic
cryptographic methods, and to offer a way to compare the myriad
cryptographic schemes in use today. The second is to provide some real
examples of cryptography in use today.”</p></li>
<li><p><a
href="https://github.com/papers-we-love/papers-we-love/blob/master/cryptography/README.md">Papers
we love: Cryptography</a> - Foundational papers of
cryptography.</p></li>
<li><p><a href="http://valerieaurora.org/hash.html">Lifetimes of
cryptographic hash functions</a> - “If you are using compare-by-hash to
generate addresses for data that can be supplied by malicious users, you
should have a plan to migrate to a new hash every few years”.</p></li>
</ul>
<h3 id="identifiers">Identifiers</h3>
<p>Tokens, primary keys, UUIDs, … Whatever the end use, you'll have to
generate these numbers with some randomness and uniqueness
properties.</p>
<ul>
<li><p><a
href="https://www.av8n.com/computer/htm/secure-random.htm">Security
Recommendations for Any Device that Depends on Randomly-Generated
Numbers</a> - “The phrase random number generator should be parsed as
follows: It is a random generator of numbers. It is not a generator of
random numbers.”</p></li>
<li><p><a href="https://www.rfc-editor.org/rfc/rfc4122#section-6">RFC
#4122: UUID - Security Considerations</a> - “Do not assume that UUIDs
are hard to guess; they should not be used as security capabilities
(identifiers whose mere possession grants access)”. UUIDs are designed
to be unique, not to be random or unpredictable: do not use UUIDs as a
secret.</p></li>
<li><p><a href="https://adileo.github.io/awesome-identifiers/">Awesome
Identifiers</a> - A benchmark of all identifier formats.</p></li>
<li><p><a href="https://github.com/secretGeek/AwesomeGUID">Awesome
GUID</a> - Funny take on the global aspect of unique
identifiers.</p></li>
</ul>
<h2 id="zero-trust-network">Zero-trust Network</h2>
<p>Zero trust network security operates under the principle “never
trust, always verify”.</p>
<ul>
<li><p><a
href="https://www.usenix.org/system/files/login/articles/login_dec14_02_ward.pdf">BeyondCorp:
A New Approach to Enterprise Security</a> - Quick overview of Google's
Zero-trust Network initiative.</p></li>
<li><p><a
href="https://medium.com/google-cloud/what-is-beyondcorp-what-is-identity-aware-proxy-de525d9b3f90">What
is BeyondCorp? What is Identity-Aware Proxy?</a> - More companies add
extra layers of VPNs, firewalls, restrictions and constraints, resulting
in a terrible experience and a slight security gain. There's a better
way.</p></li>
<li><p><a href="https://github.com/ory/oathkeeper">oathkeeper</a> -
Identity &amp; Access Proxy and Access Control Decision API that
authenticates, authorizes, and mutates incoming HTTP requests. Inspired
by the BeyondCorp / Zero Trust white paper.</p></li>
<li><p><a href="https://github.com/cogolabs/transcend">transcend</a> -
BeyondCorp-inspired Access Proxy server.</p></li>
<li><p><a href="https://github.com/pomerium/pomerium">Pomerium</a> - An
identity-aware proxy that enables secure access to internal
applications.</p></li>
<li><p><a href="https://github.com/dadrus/heimdall">heimdall</a> - A
cloud-native, identity-aware proxy and policy enforcement point that
orchestrates authentication and authorization systems via versatile
rules, supporting protocol-agnostic identity propagation.</p></li>
</ul>
<h2 id="authentication">Authentication</h2>
<p>Protocols and technologies to verify that you are who you pretend to
be.</p>
<ul>
<li><p><a href="https://fly.io/blog/api-tokens-a-tedious-survey/">API
Tokens: A Tedious Survey</a> - An overview and comparison of all
token-based authentication schemes for end-user APIs.</p></li>
<li><p><a
href="https://web.archive.org/web/20200507173734/https://latacora.micro.blog/a-childs-garden/">A
Child's Garden of Inter-Service Authentication Schemes</a> - In the same
spirit as above, but this time at the service level.</p></li>
<li><p><a href="https://www.youtube.com/watch?v=kY-Bkv3qxMc">Scaling
backend authentication at Facebook</a> - How-to in a nutshell: 1. Small
root of trust; 2. TLS isn't enough; 3. Certificate-based tokens; 4.
Crypto Auth Tokens (CATs). See the <a
href="https://rwc.iacr.org/2018/Slides/Lewi.pdf">slides</a> for more
details.</p></li>
</ul>
<h2 id="password-based-auth">Password-based auth</h2>
<p>The oldest scheme for auth.</p>
<ul>
<li><p><a
href="https://pciguru.wordpress.com/2019/03/11/the-new-nist-password-guidance/">The
new NIST password guidance</a> - A summary of <a
href="https://pages.nist.gov/800-63-3/sp800-63b.html">NIST Special
Publication 800-63B</a> covering new password complexity
guidelines.</p></li>
<li><p><a
href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html">Password
Storage Cheat Sheet</a> - The only way to slow down offline attacks is
by carefully choosing hash algorithms that are as resource intensive as
possible.</p></li>
<li><p><a
href="https://techcrunch.com/2019/06/02/password-expiration-is-dead-long-live-your-passwords/">Password
expiration is dead</a> - Recent scientific research calls into question
the value of many long-standing password-security practices such as
password expiration policies, and points instead to better alternatives
such as enforcing banned-password lists and MFA.</p></li>
<li><p><a
href="http://www.andrew.cmu.edu/user/nicolasc/publications/Tan-CCS20.pdf">Practical
Recommendations for Stronger, More Usable Passwords</a> - This study
recommends the combination of: blocklist checks against commonly leaked
passwords, password policies without character-class requirements, and
minimum-strength policies.</p></li>
<li><p><a
href="https://www.troyhunt.com/banks-arbitrary-password-restrictions-and-why-they-dont-matter/">Banks,
Arbitrary Password Restrictions and Why They Don't Matter</a> -
“Arbitrary low limits on length and character composition are bad. They
look bad, they lead to negative speculation about security posture and
they break tools like password managers.”</p></li>
<li><p><a
href="https://github.com/dumb-password-rules/dumb-password-rules">Dumb
Password Rules</a> - Shaming sites with dumb password rules.</p></li>
<li><p><a href="https://plaintextoffenders.com/about/">Plain Text
Offenders</a> - Public shaming of websites storing passwords in plain
text.</p></li>
<li><p><a
href="https://github.com/apple/password-manager-resources">Password
Manager Resources</a> - A collection of password rules, change URLs and
quirks by sites.</p></li>
<li><p><a href="https://github.com/WICG/change-password-url">A
Well-Known URL for Changing Passwords</a> - Specification defining site
resource for password updates.</p></li>
<li><p><a href="https://news.ycombinator.com/item?id=20109360">How to
change the hashing scheme of already hashed users' passwords</a> - Good
news: you're not stuck with a legacy password saving scheme. Here is a
trick to transparently upgrade to a stronger hashing algorithm.</p></li>
</ul>
<h2 id="multi-factor-auth">Multi-factor auth</h2>
<p>Building upon password-only auth, users are requested in these
schemes to present two or more pieces of evidence (or factors).</p>
<ul>
<li><p><a href="https://www.youtube.com/watch?v=B_mhJO2qHlQ">Breaking
Password Dependencies: Challenges in the Final Mile at Microsoft</a> -
The primary source of account hacks is password spraying (on legacy auth
like SMTP, IMAP, POP, etc.), second is replay attack. Takeaway: passwords
are insecure, use and enforce MFA.</p></li>
<li><p><a
href="https://www.troyhunt.com/beyond-passwords-2fa-u2f-and-google-advanced-protection/">Beyond
Passwords: 2FA, U2F and Google Advanced Protection</a> - An excellent
walk-through of all these technologies.</p></li>
<li><p><a
href="https://maximiliangolla.com/files/2019/papers/usec2019-30-wip-fallback-long-term-study-finalv5.pdf">A
Comparative Long-Term Study of Fallback Authentication</a> - Key
take-away: “schemes based on email and SMS are more usable. Mechanisms
based on designated trustees and personal knowledge questions, on the
other hand, fall short, both in terms of convenience and
efficiency.”</p></li>
<li><p><a
href="https://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/43783.pdf">Secrets,
Lies, and Account Recovery: Lessons from the Use of Personal Knowledge
Questions at Google</a> - “Our analysis confirms that secret questions
generally offer a security level that is far lower than user-chosen
passwords. (…) Surprisingly, we found that a significant cause of this
insecurity is that users often don't answer truthfully. (…) On the
usability side, we show that secret answers have surprisingly poor
memorability”.</p></li>
<li><p><a
href="https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html">How
effective is basic account hygiene at preventing hijacking</a> - Google
security team's data shows 2FA blocks 100% of automated bot
hacks.</p></li>
<li><p><a
href="https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Your-Pa-word-doesn-t-matter/ba-p/731984">Your
Pa$$word doesn't matter</a> - Same conclusion as above from Microsoft:
“Based on our studies, your account is more than 99.9% less likely to be
compromised if you use MFA.”</p></li>
<li><p><a
href="https://unix-ninja.com/p/attacking_google_authenticator">Attacking
Google Authenticator</a> - Probably on the verge of paranoia, but might
be a reason to rate limit 2FA validation attempts.</p></li>
<li><p><a
href="https://www.martinvigo.com/voicemailcracker/">Compromising online
accounts by cracking voicemail systems</a> - Or why you should not rely
on automated phone calls as a method to reach the user and reset
passwords, 2FA or for any kind of verification. Not unlike SMS-based
2FA, it is currently insecure and can be compromised by the way of its
weakest link: voicemail systems.</p></li>
<li><p><a
href="https://blog.trailofbits.com/2019/06/20/getting-2fa-right-in-2019/">Getting
2FA Right in 2019</a> - On the UX aspects of 2FA.</p></li>
<li><p><a
href="https://syslog.ravelin.com/2fa-is-missing-a-key-feature-c781c3861db">2FA
is missing a key feature</a> - “When my 2FA code is entered incorrectly
I'd like to know about it”.</p></li>
<li><p><a href="https://brr.fyi/posts/sms-mfa">SMS Multifactor
Authentication in Antarctica</a> - Doesn't work because there are no
cellphone towers at stations in Antarctica.</p></li>
<li><p><a href="https://github.com/authelia/authelia">Authelia</a> -
Open-source authentication and authorization server providing two-factor
authentication and single sign-on (SSO) for your applications via a web
portal.</p></li>
<li><p><a href="https://github.com/kanidm/kanidm">Kanidm</a> - Simple,
secure and fast identity management platform.</p></li>
</ul>
<h3 id="sms-based">SMS-based</h3>
<p>TL;DR: don't. For details, see the articles below.</p>
<ul>
<li><p><a
href="https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/">SMS
2FA auth is deprecated by NIST</a> - NIST has said that 2FA via SMS is
bad and awful since 2016.</p></li>
<li><p><a
href="https://www.allthingsauth.com/2018/02/27/sms-the-most-popular-and-least-secure-2fa-method/">SMS:
The most popular and least secure 2FA method</a></p></li>
<li><p><a href="https://www.issms2fasecure.com">Is SMS 2FA Secure?
No.</a> - Definitive research project demonstrating successful attempts
at SIM swapping.</p></li>
<li><p><a href="https://archive.ph/AhNAI">Hackers Hit Twitter C.E.O.
Jack Dorsey in a SIM Swap. You're at Risk, Too.</a></p></li>
<li><p><a
href="https://www.theregister.co.uk/2017/07/10/att_falls_for_hacker_tricks/">AT&amp;T
rep handed control of his cellphone account to a hacker</a></p></li>
<li><p><a
href="https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124">The
Most Expensive Lesson Of My Life: Details of SIM port hack</a></p></li>
<li><p><a
href="https://www.zdnet.com/article/sim-swap-horror-story-ive-lost-decades-of-data-and-google-wont-lift-a-finger/">SIM
swap horror story</a></p></li>
<li><p><a href="https://aws.amazon.com/iam/details/mfa/">AWS is on its
way to deprecate SMS-based 2FA</a> - “We encourage you to use MFA
through a U2F security key, hardware device, or virtual (software-based)
MFA device. You can continue using this feature until January 31,
2019.”</p></li>
</ul>
<h2 id="password-less-auth">Password-less auth</h2>
<ul>
<li><p><a
href="https://web.archive.org/web/20190515230752/https://biarity.gitlab.io/2018/02/23/passwordless/">An
argument for passwordless</a> - Passwords are not the be-all and end-all
of user authentication. This article tries to tell you why.</p></li>
<li><p><a href="https://zitadel.com/blog/magic-links">Magic Links Are
they Actually Outdated?</a> - What are magic links, their origin, pros
and cons.</p></li>
</ul>
<h3 id="webauthn">WebAuthn</h3>
<p>Part of the <a
href="https://en.wikipedia.org/wiki/FIDO_Alliance#FIDO2">FIDO2
project</a>, and also known under the user-friendly name of
<em>passkeys</em>.</p>
<ul>
<li><p><a href="https://webauthn.guide">WebAuthn guide</a> - Introduces
WebAuthn as a standard supported by all major browsers, and allowing
“servers to register and authenticate users using public key
cryptography instead of a password”.</p></li>
<li><p><a
href="https://www.stavros.io/posts/clearing-up-some-passkeys-misconceptions/">Clearing
up some misconceptions about Passkeys</a> - Or why passkeys are not
worse than passwords.</p></li>
</ul>
<h3 id="security-key">Security key</h3>
<ul>
<li><p><a
href="https://www.imperialviolet.org/2018/03/27/webauthn.html">Webauthn
and security keys</a> - Describes how authentication works with security
keys, details the protocols, and how they articulate with WebAuthn. Key
takeaway: “There is no way to create a U2F key with webauthn however.
(…) So complete the transition to webauthn of your login process first,
then transition registration.”</p></li>
<li><p><a
href="https://paulstamatiou.com/getting-started-with-security-keys/">Getting
started with security keys</a> - A practical guide to stay safe online
and prevent phishing with FIDO2, WebAuthn and security keys.</p></li>
<li><p><a href="https://github.com/solokeys/solo">Solo</a> - Open
security key supporting FIDO2 &amp; U2F over USB + NFC.</p></li>
<li><p><a href="https://github.com/google/OpenSK">OpenSK</a> -
Open-source implementation for security keys written in Rust that
supports both FIDO U2F and FIDO2 standards.</p></li>
<li><p><a href="https://github.com/drduh/YubiKey-Guide">YubiKey
Guide</a> - Guide to using YubiKey as a SmartCard for storing GPG
encryption, signing and authentication keys, which can also be used for
SSH. Many of the principles in this document are applicable to other
smart card devices.</p></li>
<li><p><a href="https://github.com/DataDog/yubikey">YubiKey at
Datadog</a> - Guide to setup Yubikey, U2F, GPG, git, SSH, Keybase,
VMware Fusion and Docker Content Trust.</p></li>
</ul>
<h3 id="public-key-infrastructure-pki">Public-Key Infrastructure
(PKI)</h3>
<p>Certificate-based authentication.</p>
<ul>
<li><p><a
href="https://gist.github.com/hoffa/5a939fd0f3bcd2a6a0e4754cb2cf3f1b">PKI
for busy people</a> - Quick overview of the important stuff.</p></li>
<li><p><a
href="https://smallstep.com/blog/everything-pki.html">Everything you
should know about certificates and PKI but are too afraid to ask</a> -
PKI lets you define a system cryptographically. It's universal and
vendor neutral.</p></li>
<li><p><a href="https://github.com/Netflix/lemur"><code>lemur</code></a>
- Acts as a broker between CAs and environments, providing a central
portal for developers to issue TLS certificates with sane
defaults.</p></li>
<li><p><a href="https://github.com/cloudflare/cfssl">CFSSL</a> - A swiss
army knife for PKI/TLS by CloudFlare. Command line tool and an HTTP API
server for signing, verifying, and bundling TLS certificates.</p></li>
<li><p><a href="https://github.com/salesforce/ja3">JA3</a> - Method for
creating SSL/TLS client fingerprints that should be easy to produce on
any platform and can be easily shared for threat intelligence.</p></li>
</ul>
<h3 id="jwt">JWT</h3>
<p><a href="https://en.wikipedia.org/wiki/JSON_Web_Token">JSON Web
Token</a> is a bearer token.</p>
<ul>
<li><p><a href="https://jwt.io/introduction/">Introduction to JSON Web
Tokens</a> - Get up to speed on JWT with this article.</p></li>
<li><p><a href="https://github.com/dwyl/learn-json-web-tokens">Learn how
to use JWT for Authentication</a> - Learn how to use JWT to secure your
web app.</p></li>
<li><p><a
href="https://auth0.com/blog/using-json-web-tokens-as-api-keys/">Using
JSON Web Tokens as API Keys</a> - Compared to API keys, JWTs offer
granular security, homogeneous auth architecture, decentralized
issuance, OAuth2 compliance, debuggability, expiration control, device
management.</p></li>
<li><p><a
href="https://r2c.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/">Hardcoded
secrets, unverified tokens, and other common JWT mistakes</a> - A good
recap of all JWT pitfalls.</p></li>
<li><p><a
href="https://auth0.com/blog/denylist-json-web-token-api-keys/">Adding
JSON Web Token API Keys to a DenyList</a> - On token
invalidation.</p></li>
<li><p><a
href="http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/">Stop
using JWT for sessions</a> - And <a
href="http://cryto.net/%7Ejoepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/">why
your “solution” doesn't work</a>, because <a
href="https://news.ycombinator.com/item?id=18354141">stateless JWT
tokens cannot be invalidated or updated</a>. They will introduce either
size issues or security issues depending on where you store them.
Stateful JWT tokens are functionally the same as session cookies, but
without the battle-tested and well-reviewed implementations or client
support.</p></li>
<li><p><a
href="https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3">JWT,
JWS and JWE for Not So Dummies!</a> - A signed JWT is known as a JWS
(JSON Web Signature). In fact a JWT does not exist itself — either it
has to be a JWS or a JWE (JSON Web Encryption). It's like an abstract
class — the JWS and JWE are the concrete implementations.</p></li>
<li><p><a
href="https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid">JOSE
is a Bad Standard That Everyone Should Avoid</a> - The standards are
either completely broken or complex minefields hard to
navigate.</p></li>
<li><p><a href="https://jwt.io">JWT.io</a> - Allows you to decode,
verify and generate JWT.</p></li>
<li><p><a
href="https://github.com/tarent/loginsrv"><code>loginsrv</code></a> -
Standalone minimalistic login server providing a JWT login for multiple
login backends (htpasswd, OSIAM, user/password, HTTP basic
authentication, OAuth2: GitHub, Google, Bitbucket, Facebook,
GitLab).</p></li>
<li><p><a
href="https://github.com/DontPanicO/jwtXploiter">jwtXploiter</a> - A
tool to test the security of JSON Web Tokens.</p></li>
</ul>
<h2 id="authorization">Authorization</h2>
<p>Now we know you are you. But are you allowed to do what you want to
do?</p>
<p>Policy specification is the science, enforcement is the art.</p>
<h3 id="policy-models">Policy models</h3>
<p>As a concept, access control policies can be designed to follow very
different archetypes, from classic <a
href="https://en.wikipedia.org/wiki/Access-control_list">Access Control
Lists</a> to Role Based Access Control. In this section we explore lots
of different patterns and architectures.</p>
<ul>
<li><p><a
href="https://www.osohq.com/post/why-authorization-is-hard">Why
Authorization is Hard</a> - Because it needs multiple tradeoffs on
Enforcement which is required in so many places, on Decision
architecture to split business logic from authorization logic, and on
Modeling to balance power and complexity.</p></li>
<li><p><a
href="https://alexolivier.me/posts/the-never-ending-product-requirements-of-user-authorization">The
never-ending product requirements of user authorization</a> - How a
simple authorization model based on roles is not enough and gets
complicated fast due to product packaging, data locality, enterprise
organizations and compliance.</p></li>
<li><p><a
href="https://tailscale.com/blog/rbac-like-it-was-meant-to-be/">RBAC
like it was meant to be</a> - How we got from DAC (Unix permissions,
secret URLs), to MAC (DRM, MFA, 2FA, SELinux), to RBAC. Details how the
latter allows for better modeling of policies, ACLs, users and
groups.</p></li>
<li><p><a
href="https://cerbos.dev/blog/the-case-for-granular-permissions">The
Case for Granular Permissions</a> - Discusses the limitations of RBAC and
how ABAC (Attribute-Based Access Control) addresses them.</p></li>
<li><p><a
href="https://web.archive.org/web/20240421203937/https://goteleport.com/blog/access-controls/">In
Search For a Perfect Access Control System</a> - The historical origins
of authorization schemes. Hints at the future of sharing, trust and
delegation between different teams and organizations.</p></li>
<li><p><a href="https://ucarion.com/iam-operation-syntax">GCP's IAM
syntax is better than AWS's</a> - The minutiae of permission design in
GCP improve the developer experience.</p></li>
<li><p><a
href="https://d1.awsstatic.com/Security/pdfs/Semantic_Based_Automated_Reasoning_for_AWS_Access_Policies_Using_SMT.pdf">Semantic-based
Automated Reasoning for AWS Access Policies using SMT</a> - Zelkova is
how AWS does it. This system performs symbolic analysis of IAM policies
and solves the reachability of resources according to users' rights and
access constraints. Also see the higher-level <a
href="https://youtu.be/x6wsTFnU3eY?t=2111">introduction given at
re:inforce 2019</a>.</p></li>
<li><p><a href="https://www.osohq.com/academy">Authorization Academy</a>
- An in-depth, vendor-agnostic treatment of authorization that
emphasizes mental models. This guide shows the reader how to think about
their authorization needs in order to make good decisions about their
authorization architecture and model.</p></li>
<li><p><a
href="https://www.cerbos.dev/blog/service-to-service-authorization">Service-to-service
authorization: A guide to non-user principals</a> - Discover how
assigning identities to services (non-user principals) can simplify
authentication, enhance security, and streamline authorization in
complex distributed systems. A useful guide for IAM teams managing
microservices and APIs.</p></li>
</ul>
<h3 id="rbac-frameworks">RBAC frameworks</h3>
<p><a
href="https://en.wikipedia.org/wiki/Role-based_access_control">Role-Based
Access Control</a> is the classical model to map users to permissions by
way of roles.</p>
<ul>
<li><p><a href="https://github.com/yahoo/athenz">Athenz</a> - Set of
services and libraries supporting service authentication and role-based
authorization for provisioning and configuration.</p></li>
<li><p><a
href="https://www.clever-cloud.com/blog/engineering/2021/04/12/introduction-to-biscuit/">Biscuit</a>
- Biscuit merges concepts from cookies, JWTs, macaroons and Open Policy
Agent. “It provides a logic language based on Datalog to write
authorization policies. It can store data, like JWT, or small conditions
like Macaroons, but it is also able to represent more complex rules like
role-based access control, delegation, hierarchies.”</p></li>
<li><p><a href="https://github.com/osohq/oso">Oso</a> - A
batteries-included library for building authorization in your
application.</p></li>
<li><p><a href="https://github.com/cerbos/cerbos">Cerbos</a> - An
authorization endpoint to write context-aware access control
policies.</p></li>
</ul>
<h3 id="abac-frameworks">ABAC frameworks</h3>
<p><a
href="https://en.wikipedia.org/wiki/Attribute-based_access_control">Attribute-Based
Access Control</a> is an evolution of RBAC, in which roles are replaced
by attributes, allowing the implementation of more complex policy-based
access control.</p>
<ul>
<li><p><a href="https://github.com/ory/keto">Keto</a> - Policy decision
point. It uses a set of access control policies, similar to AWS
policies, in order to determine whether a subject is authorized to
perform a certain action on a resource.</p></li>
<li><p><a href="https://github.com/ory/ladon">Ladon</a> - Access control
library, inspired by AWS.</p></li>
<li><p><a href="https://github.com/casbin/casbin">Casbin</a> -
Open-source access control library for Golang projects.</p></li>
<li><p><a href="https://github.com/open-policy-agent/opa">Open Policy
Agent</a> - An open-source general-purpose decision engine to create and
enforce ABAC policies.</p></li>
</ul>
<h3 id="rebac-frameworks">ReBAC frameworks</h3>
<p>The <a
href="https://en.wikipedia.org/wiki/Relationship-based_access_control">Relationship-Based
Access Control</a> model is a more flexible and powerful version of RBAC
and is the preferred one for cloud systems.</p>
<ul>
<li><p><a href="https://ai.google/research/pubs/pub48190">Zanzibar:
Google's Consistent, Global Authorization System</a> - Scales to
trillions of access control lists and millions of authorization requests
per second to support services used by billions of people. It has
maintained 95th-percentile latency of less than 10 milliseconds and
availability of greater than 99.999% over 3 years of production use. <a
href="https://twitter.com/LeaKissner/status/1136626971566149633">Other
bits not in the paper</a>. <a href="https://zanzibar.academy/">Zanzibar
Academy</a> is a site dedicated to explaining how Zanzibar
works.</p></li>
<li><p><a href="https://github.com/authzed/spicedb">SpiceDB</a> - An
open source database system for managing security-critical application
permissions inspired by Zanzibar.</p></li>
<li><p><a href="https://github.com/Permify/permify">Permify</a> -
Another open-source authorization as a service inspired by Google
Zanzibar, and see <a
href="https://permify.notion.site/Differentiation-Between-Zanzibar-Products-ad4732da62e64655bc82d3abe25f48b6">how
it compares to other Zanzibar-inspired tools</a>.</p></li>
<li><p><a href="https://github.com/aserto-dev/topaz">Topaz</a> - An
open-source project which combines the policy-as-code and decision
logging of OPA with a Zanzibar-modeled directory.</p></li>
<li><p><a href="https://github.com/permitio/opal">Open Policy
Administration Layer</a> - Open Source administration layer for OPA,
detecting changes to both policy and policy data in real time and pushing
live updates to OPA agents. OPAL brings open-policy up to the speed
needed by live applications.</p></li>
<li><p><a href="https://github.com/warrant-dev/warrant">Warrant</a> - A
relationship based access control (ReBAC) engine (inspired by Google
Zanzibar) also capable of enforcing any authorization paradigm,
including RBAC and ABAC.</p></li>
</ul>
<h3 id="aws-policy-tools">AWS policy tools</h3>
<p>Tools and resources exclusively targeting the <a
href="http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html">AWS
IAM policies</a> ecosystem.</p>
<ul>
<li><p><a href="https://ramimac.me/aws-iam-tools-2024">An AWS IAM
Security Tooling Reference</a> - A comprehensive list of (maintained)
tools for AWS IAM.</p></li>
<li><p><a href="https://www.youtube.com/watch?v=y7-fAT3z8Lo">Become an
AWS IAM Policy Ninja</a> - “In my nearly 5 years at Amazon, I carve out
a little time each day, each week to look through the forums, customer
tickets to try to find out where people are having trouble.”</p></li>
<li><p><a href="https://infosec.rodeo/posts/thoughts-on-aws-iam/">AWS
IAM Roles, a tale of unnecessary complexity</a> - The history of
fast-growing AWS explains how the current scheme came to be, and how it
compares to GCP's resource hierarchy.</p></li>
<li><p><a href="https://github.com/salesforce/policy_sentry">Policy
Sentry</a> - Writing security-conscious IAM Policies by hand can be very
tedious and inefficient. Policy Sentry helps users to create
least-privilege policies in a matter of seconds.</p></li>
<li><p><a
href="https://github.com/Netflix-Skunkworks/policyuniverse">PolicyUniverse</a>
- Parse and process AWS policies, statements, ARNs, and
wildcards.</p></li>
<li><p><a href="https://github.com/udondan/iam-floyd">IAM Floyd</a> -
AWS IAM policy statement generator with fluent interface. Helps with
creating type safe IAM policies and writing more restrictive/secure
statements by offering conditions and ARN generation via IntelliSense.
Available for Node.js, Python, .Net and Java.</p></li>
<li><p><a href="https://github.com/Netflix/consoleme">ConsoleMe</a> - A
self-service tool for AWS that gives end users and administrators
credentials and console access to the onboarded accounts according to
their authorization level, managing permissions across multiple accounts
while encouraging least-privilege permissions.</p></li>
<li><p><a href="https://github.com/noqdev/iambic">IAMbic</a> - GitOps
for IAM. The Terraform of Cloud IAM. IAMbic is a multi-cloud identity
and access management (IAM) control plane that centralizes and
simplifies cloud access and permissions. It maintains an eventually
consistent, human-readable, bi-directional representation of IAM in
version control.</p></li>
</ul>
<h3 id="macaroons">Macaroons</h3>
<p>A clever curiosity to distribute and delegate authorization.</p>
<ul>
<li><p><a
href="https://blog.bren2010.io/blog/googles-macaroons">Google's
Macaroons in Five Minutes or Less</a> - If I'm given a Macaroon that
authorizes me to perform some action(s) under certain restrictions, I
can non-interactively build a second Macaroon with stricter restrictions
that I can then give to you.</p></li>
<li><p><a href="https://ai.google/research/pubs/pub41892">Macaroons:
Cookies with Contextual Caveats for Decentralized Authorization in the
Cloud</a> - Google's original paper.</p></li>
<li><p><a href="https://news.ycombinator.com/item?id=14294463">Google
paper's author compares Macaroons and JWTs</a> - As a consumer/verifier
of macaroons, they allow you (through third-party caveats) to defer some
authorization decisions to someone else. JWTs don't.</p></li>
</ul>
<h3 id="other-tools">Other tools</h3>
<ul>
<li><a href="https://github.com/gubernator-io/gubernator">Gubernator</a>
- High performance rate-limiting micro-service and library.</li>
</ul>
<h2 id="oauth2-openid">OAuth2 &amp; OpenID</h2>
<p><a href="https://en.wikipedia.org/wiki/OAuth#OAuth_2.0">OAuth 2.0</a>
is a <em>delegated authorization</em> framework. <a
href="https://en.wikipedia.org/wiki/OpenID_Connect">OpenID Connect
(OIDC)</a> is an <em>authentication</em> layer on top of it.</p>
<p>The old <em>OpenID</em> is dead; the new <em>OpenID Connect</em> is
very much not-dead.</p>
<ul>
<li><p><a
href="https://github.com/cerberauth/awesome-openid-connect">Awesome
OpenID Connect</a> - A curated list of providers, services, libraries,
and resources for OpenID Connect.</p></li>
<li><p><a
href="https://developer.okta.com/blog/2019/10/21/illustrated-guide-to-oauth-and-oidc">An
Illustrated Guide to OAuth and OpenID Connect</a> - Explains how these
standards work using simplified illustrations.</p></li>
<li><p><a href="https://aaronparecki.com/oauth-2-simplified/">OAuth 2
Simplified</a> - A reference article describing the protocol in
simplified format to help developers and service providers implement
it.</p></li>
<li><p><a href="https://www.youtube.com/watch?v=996OiexHze0">OAuth 2.0
and OpenID Connect (in plain English)</a> - Starts with a historical
context on how these standards came to be, clears up the inaccuracies in
the vocabulary, then details the protocols and their pitfalls to make
them less intimidating.</p></li>
<li><p><a
href="https://mobile.twitter.com/kamranahmedse/status/1276994010423361540">OAuth
in one picture</a> - A nice summary card.</p></li>
<li><p><a
href="https://shopify.engineering/implement-secure-central-authentication-service-six-steps">How
to Implement a Secure Central Authentication Service in Six Steps</a> -
Got multiple legacy systems to merge, each with their own login methods
and accounts? Here is how to merge all that mess by way of
OIDC.</p></li>
<li><p><a
href="https://increment.com/security/open-sourcing-buzzfeeds-single-sign-on-process/">Open-Sourcing
BuzzFeed's SSO Experience</a> - OAuth2-friendly adaptation of the
Central Authentication Service (CAS) protocol. You'll find good
OAuth user flow diagrams there.</p></li>
<li><p><a href="https://datatracker.ietf.org/doc/html/rfc9700">OAuth 2.0
Security Best Current Practice</a> - “Updates and extends the OAuth 2.0
Security Threat Model to incorporate practical experiences gathered
since OAuth 2.0 was published and covers new threats relevant due to the
broader application”.</p></li>
<li><p><a href="https://portswigger.net/web-security/oauth">Hidden OAuth
attack vectors</a> - How to identify and exploit some of the key
vulnerabilities found in OAuth 2.0 authentication mechanisms.</p></li>
<li><p><a href="https://www.loginradius.com/blog/engineering/pkce/">PKCE
Explained</a> - “PKCE is used to provide one more security layer to the
authorization code flow in OAuth and OpenID Connect.”</p></li>
<li><p><a href="https://www.ory.sh/hydra">Hydra</a> - Open-source OIDC
&amp; OAuth2 Server Provider.</p></li>
<li><p><a href="https://www.keycloak.org">Keycloak</a> - Open-source
Identity and Access Management. Supports OIDC, OAuth 2 and SAML 2, LDAP
and AD directories, password policies.</p></li>
<li><p><a href="https://github.com/casbin/casdoor">Casdoor</a> - A
UI-first centralized authentication / Single Sign-On (SSO) platform.
Supports OIDC and OAuth 2, social logins, user management, and 2FA
based on email and SMS.</p></li>
<li><p><a href="https://goauthentik.io/">authentik</a> - Open-source
Identity Provider similar to Keycloak.</p></li>
<li><p><a href="https://github.com/zitadel/zitadel">ZITADEL</a> - An
Open-Source solution built with Go and Angular to manage all your
systems, users and service accounts together with their roles and
external identities. ZITADEL provides you with OIDC, OAuth 2.0, login
&amp; register flows, passwordless and MFA authentication. All this is
built on top of event sourcing in combination with CQRS to provide a
great audit trail.</p></li>
<li><p><a
href="https://github.com/curveball/a12n-server">a12n-server</a> - A
simple authentication system which only implements the relevant parts of
the OAuth2 standards.</p></li>
<li><p><a href="https://github.com/logto-io/logto">Logto</a> - An IAM
infrastructure for modern apps and SaaS products, supporting OIDC, OAuth
2.0 and SAML for authentication and authorization.</p></li>
<li><p><a
href="https://github.com/authgear/authgear-server">Authgear</a> -
Open-source authentication-as-a-service solution. It includes the code
for the server, AuthUI, the Portal, and Admin API.</p></li>
<li><p><a
href="https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id">Azure
Entra ID</a> - Microsoft's cloud-based identity and access management
service for employees and external partners that supports OIDC, OAuth
2.0, and SAML.</p></li>
<li><p><a href="https://www.pingidentity.com">Ping Identity</a> -
Enterprise Identity and Access Management platform supporting OpenID
Connect protocol.</p></li>
<li><p><a href="https://fusionauth.io/">FusionAuth</a> - Customer
Identity and Access Management solution supporting OIDC.</p></li>
</ul>
<h2 id="saml">SAML</h2>
<p>Security Assertion Markup Language (SAML) 2.0 is a means to exchange
authorization and authentication between services, like the OAuth/OpenID
protocols above.</p>
<p>The typical SAML identity provider is an institution's or a big
corporation's internal SSO, while the typical OIDC/OAuth provider is a
tech company that runs a data silo.</p>
<ul>
<li><p><a
href="https://web.archive.org/web/20230327071347/https://www.cloudflare.com/learning/access-management/what-is-oauth/">SAML
vs. OAuth</a> - “OAuth is a protocol for authorization: it ensures Bob
goes to the right parking lot. In contrast, SAML is a protocol for
authentication, or allowing Bob to get past the guardhouse.”</p></li>
<li><p><a
href="https://www.ubisecure.com/uncategorized/difference-between-saml-and-oauth/">The
Difference Between SAML 2.0 and OAuth 2.0</a> - “Even though SAML was
actually designed to be widely applicable, its contemporary usage is
typically shifted towards enterprise SSO scenarios. On the other hand,
OAuth was designed for use with applications on the Internet, especially
for delegated authorisation.”</p></li>
<li><p><a
href="https://www.okta.com/identity-101/whats-the-difference-between-oauth-openid-connect-and-saml/">What's
the Difference Between OAuth, OpenID Connect, and SAML?</a> - Identity
is hard. Another take on the different protocols is always welcome to
help make sense of it all.</p></li>
<li><p><a
href="https://web.archive.org/web/20240421215604/https://goteleport.com/blog/how-saml-authentication-works/">How
SAML 2.0 Authentication Works</a> - Overview of the how and why of SSO
and SAML.</p></li>
<li><p><a
href="https://blog.theodo.com/2019/06/web-single-sign-on-the-saml-2-0-perspective/">Web
Single Sign-On, the SAML 2.0 perspective</a> - Another naive explanation
of SAML workflow in the context of corporate SSO
implementation.</p></li>
<li><p><a
href="https://duo.com/blog/the-beer-drinkers-guide-to-saml">The Beer
Drinker's Guide to SAML</a> - SAML is arcane at times. Another analogy
might help make more sense of it.</p></li>
<li><p><a
href="https://joonas.fi/2021/08/saml-is-insecure-by-design/">SAML is
insecure by design</a> - Not only weird, SAML is also insecure by
design, as its signatures cover the canonicalized XML rather than the
raw XML byte stream. This means that differences between XML parsers and
encoders can be exploited.</p></li>
<li><p><a
href="https://wiki.shibboleth.net/confluence/display/CONCEPT/SLOIssues">The
Difficulties of SAML Single Logout</a> - On the technical and UX issues
of single logout implementations.</p></li>
<li><p><a href="https://sso.tax">The SSO Wall of Shame</a> - A
documented rant on the excessive pricing practiced by SaaS providers to
activate SSO on their product. The author's point is that, as a core
security feature, SSO should be reasonably priced and not part of an
exclusive tier.</p></li>
</ul>
<h2 id="secret-management">Secret Management</h2>
<p>Architectures, software and hardware allowing the storage and usage
of secrets to allow for authentication and authorization, while
maintaining the chain of trust.</p>
<ul>
<li><p><a href="https://www.youtube.com/watch?v=K0EOPddWpsE">Secret at
Scale at Netflix</a> - Solution based on blind signatures. See the <a
href="https://rwc.iacr.org/2018/Slides/Mehta.pdf">slides</a>.</p></li>
<li><p><a href="https://www.youtube.com/watch?v=5T_c-lqgjso">High
Availability in Google's Internal KMS</a> - Not GCP's KMS, but the one
at the core of their infrastructure. See the <a
href="https://rwc.iacr.org/2018/Slides/Kanagala.pdf">slides</a>.</p></li>
<li><p><a href="https://www.vaultproject.io">HashiCorp Vault</a> -
Secure, store and tightly control access to tokens, passwords,
certificates, encryption keys.</p></li>
<li><p><a href="https://github.com/Infisical/infisical">Infisical</a> -
An alternative to HashiCorp Vault.</p></li>
<li><p><a href="https://github.com/mozilla/sops"><code>sops</code></a> -
Editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY
formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and
PGP.</p></li>
<li><p><a
href="https://github.com/zricethezav/gitleaks"><code>gitleaks</code></a>
- Audit git repos for secrets.</p></li>
<li><p><a
href="https://github.com/dxa4481/truffleHog"><code>truffleHog</code></a>
- Searches through git repositories for high entropy strings and
secrets, digging deep into commit history.</p></li>
<li><p><a href="https://square.github.io/keywhiz/">Keywhiz</a> - A
system for managing and distributing secrets, which can fit well with a
service oriented architecture (SOA).</p></li>
<li><p><a
href="https://github.com/crocs-muni/roca"><code>roca</code></a> - Python
module to check for weak RSA moduli in various key formats.</p></li>
</ul>
<h3 id="hardware-security-module-hsm">Hardware Security Module
(HSM)</h3>
<p>HSMs are physical devices guaranteeing security of secret management
at the hardware level.</p>
<ul>
<li><p><a
href="https://rwc.iacr.org/2015/Slides/RWC-2015-Hampton.pdf">HSM: What
they are and why it's likely that you've (indirectly) used one today</a>
- Really basic overview of HSM usages.</p></li>
<li><p><a href="https://news.ycombinator.com/item?id=16759383">Tidbits
on AWS Cloud HSM hardware</a> - AWS CloudHSM Classic is backed by
SafeNet's Luna HSM; the current CloudHSM relies on Cavium's Nitrox, which
allows for partitionable “virtual HSMs”.</p></li>
<li><p><a href="https://cryptech.is">CrypTech</a> - An open hardware
HSM.</p></li>
<li><p><a href="https://keystone-enclave.org">Keystone</a> - Open-source
project for building trusted execution environments (TEE) with secure
hardware enclaves, based on the RISC-V architecture.</p></li>
<li><p><a href="https://github.com/project-oak/oak">Project Oak</a> - A
specification and a reference implementation for the secure transfer,
storage and processing of data.</p></li>
<li><p><a href="https://www.sstic.org/2019/presentation/hsm/">Everybody
be cool, this is a robbery!</a> - A case study of the vulnerability and
exploitability of an HSM (in French, sorry).</p></li>
</ul>
<h2 id="trust-safety">Trust &amp; Safety</h2>
<p>Once you've got a significant user base, it is called a community.
You'll then be responsible for protecting it: the customers, people, the
company, the business, and for facilitating all interactions and
transactions happening therein.</p>
<p>A critical intermediation complex driven by policy and constrained by
local laws, the Trust &amp; Safety department is likely embodied by a
cross-functional team of 24/7 operators and systems of highly advanced
moderation and administration tools. You can see it as an extension of
customer support services, specialized in edge-cases like manual
identity checks, moderation of harmful content, stopping harassment,
handling of warrants and copyright claims, data sequestration and other
credit card disputes.</p>
<ul>
<li><p><a
href="https://www.csoonline.com/article/3206127/trust-and-safety-101.html">Trust
and safety 101</a> - A great introduction on the domain and its
responsibilities.</p></li>
<li><p><a
href="https://www.linkedin.com/pulse/what-heck-trust-safety-kenny-shi">What
the Heck is Trust and Safety?</a> - A couple of real use-cases to
demonstrate the role of a TnS team.</p></li>
</ul>
<!--lint disable double-link-->
<ul>
<li><a href="https://github.com/kdeldycke/awesome-billing#fraud">Awesome
List of Billing and Payments: Fraud links</a> - Section dedicated to
fraud management for billing and payment, from our sister
repository.</li>
</ul>
<!--lint enable double-link-->
<h3 id="user-identity">User Identity</h3>
<p>Most businesses do not collect customers' identity to create user
profiles to sell to third parties, no. But you still have to: local laws
require you to keep track of contract relationships under the large <a
href="https://en.wikipedia.org/wiki/Know_your_customer">Know Your
Customer (KYC)</a> banner.</p>
<ul>
<li><p><a
href="https://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf">The
Laws of Identity</a> - While this paper aims at an identity metasystem,
its laws still provide great insights at a smaller scale, especially the
first law: always allow user control and ask for consent to earn
trust.</p></li>
<li><p><a href="https://archive.ph/hvjKl">How Uber Got Lost</a> - “To
limit ‘friction’ Uber allowed riders to sign up without requiring them to
provide identity beyond an email — easily faked — or a phone number. (…)
Vehicles were stolen and burned; drivers were assaulted, robbed and
occasionally murdered. The company stuck with the low-friction sign-up
system, even as violence increased.”</p></li>
<li><p><a
href="http://users.cecs.anu.edu.au/~Peter.Christen/publications/tr-cs-06-02.pdf">A
Comparison of Personal Name Matching: Techniques and Practical
Issues</a> - Customer name matching has lots of applications, from
account deduplication to fraud monitoring.</p></li>
<li><p><a
href="https://github.com/insidetrust/statistically-likely-usernames">Statistically
Likely Usernames</a> - Wordlists for creating statistically likely
usernames for use in username-enumeration, simulated password-attacks
and other security testing tasks.</p></li>
<li><p><a
href="https://theintercept.com/document/facebook-dangerous-individuals-and-organizations-list-reproduced-snapshot/">Facebook
Dangerous Individuals and Organizations List</a> - Some groups and
content are illegal in some jurisdictions. This is an example of a
blocklist.</p></li>
<li><p><a href="https://github.com/ballerine-io/ballerine">Ballerine</a>
- An open-source infrastructure for user identity and risk
management.</p></li>
<li><p><a
href="https://github.com/sherlock-project/sherlock">Sherlock</a> - Hunt
down social media accounts by username across social networks.</p></li>
</ul>
<h3 id="fraud">Fraud</h3>
<p>As an online service provider, you're exposed to fraud, crime and
abuse. You'll be surprised how clever people get when it comes to
money. Expect any bug or discrepancy in your workflow to be exploited
for financial gain.</p>
<ul>
<li><p><a
href="https://web.archive.org/web/20230526073109/https://www.bloomberg.com/news/articles/2019-07-11/mercedes-thieves-showed-just-how-vulnerable-car-sharing-can-be">After
Car2Go eased its background checks, 75 of its vehicles were stolen in
one day.</a> - Why background checks are sometimes necessary.</p></li>
<li><p><a
href="https://openstreetmap.lu/MWGGlobalLogicReport20181226.pdf">Investigation
into the Unusual Signups</a> - A really detailed analysis of suspicious
contributor signups on OpenStreetMap. This beautiful and high-level
report demonstrating an orchestrated and directed campaign might serve
as a template for fraud reports.</p></li>
<li><p><a href="https://github.com/bhatiasiddharth/MIDAS">MIDAS:
Detecting Microcluster Anomalies in Edge Streams</a> - A proposed method
that “detects microcluster anomalies, or suddenly arriving groups of
suspiciously similar edges, in edge streams, using constant time and
memory.”</p></li>
<li><p><a href="https://github.com/gephi/gephi">Gephi</a> - Open-source
platform for visualizing and manipulating large graphs.</p></li>
</ul>
<h3 id="moderation">Moderation</h3>
<p>Any online community, not only those related to gaming and social
networks, requires its operator to invest a lot of resources and energy
in moderation.</p>
<ul>
<li><p><a href="https://youtu.be/kgw8RLHv1j4?t=534">Still Logged In:
What AR and VR Can Learn from MMOs</a> - “If you host an online
community, where people can harm another person: you are on the hook.
And if you can't afford to be on the hook, don't host an online
community”.</p></li>
<li><p><a
href="https://mux.com/blog/you-either-die-an-mvp-or-live-long-enough-to-build-content-moderation/">You
either die an MVP or live long enough to build content moderation</a> -
“You can think about the solution space for this problem by considering
three dimensions: cost, accuracy and speed. And two approaches: human
review and machine review. Humans are great in one of these dimensions:
accuracy. The downside is that humans are expensive and slow. Machines,
or robots, are great at the other two dimensions: cost and speed -
they're much cheaper and faster. But the goal is to find a robot
solution that is also sufficiently accurate for your needs.”</p></li>
<li><p><a
href="https://restofworld.org/2020/facebook-international-content-moderators/">The
despair and darkness of people will get to you</a> - Moderation of huge
social networks is performed by an army of outsourced subcontractors.
These people are exposed to the worst and generally end up with
PTSD.</p></li>
<li><p><a href="https://thoughtmaybe.com/the-cleaners/">The Cleaners</a>
- A documentary on these teams of underpaid people removing posts and
deleting accounts.</p></li>
</ul>
<h3 id="threat-intelligence">Threat Intelligence</h3>
<p>How to detect, unmask and classify offensive online activities. Most
of the time these are monitored by security, networking and/or
infrastructure engineering teams. Still, these are good resources for
T&amp;S and IAM people, who might be called upon for additional
expertise for analysis and handling of threats.</p>
<ul>
<li><p><a
href="https://github.com/hslatman/awesome-threat-intelligence">Awesome
Threat Intelligence</a> - “A concise definition of Threat Intelligence:
evidence-based knowledge, including context, mechanisms, indicators,
implications and actionable advice, about an existing or emerging menace
or hazard to assets that can be used to inform decisions regarding the
subject's response to that menace or hazard.”</p></li>
<li><p><a href="https://github.com/smicallef/spiderfoot">SpiderFoot</a>
- An open source intelligence (OSINT) automation tool. It integrates
with just about every data source available and uses a range of methods
for data analysis, making that data easy to navigate.</p></li>
<li><p><a href="https://www.threat-intelligence.eu/standards/">Standards
related to Threat Intelligence</a> - Open standards, tools and
methodologies to support threat intelligence analysis.</p></li>
<li><p><a href="https://www.misp-project.org/taxonomies.html">MISP
taxonomies and classification</a> - Tags to organize information on
“threat intelligence including cyber security indicators, financial
fraud or counter-terrorism information.”</p></li>
<li><p><a href="https://arxiv.org/pdf/1905.01051.pdf">Browser
Fingerprinting: A survey</a> - Fingerprints can be used as a source of
signals to identify bots and fraudsters.</p></li>
<li><p><a
href="https://speakerdeck.com/ange/the-challenges-of-file-formats">The
challenges of file formats</a> - At one point you will let users upload
files into your system. Here is a <a
href="https://github.com/corkami/pocs">corpus of suspicious media
files</a> that can be leveraged by scammers to bypass security or fool
users.</p></li>
<li><p><a href="https://github.com/danielmiessler/SecLists">SecLists</a>
- Collection of multiple types of lists used during security
assessments, collected in one place. List types include usernames,
passwords, URLs, sensitive data patterns, fuzzing payloads, web shells,
and many more.</p></li>
<li><p><a
href="https://github.com/neonprimetime/PhishingKitTracker">PhishingKitTracker</a>
- CSV database of email addresses used by threat actors in phishing
kits.</p></li>
<li><p><a
href="https://github.com/sundowndev/PhoneInfoga">PhoneInfoga</a> - Tool
to scan phone numbers using only free resources. The goal is to first
gather standard information such as country, area, carrier and line type
on any international phone number with very good accuracy, then
search for footprints on search engines to try to find the VoIP provider
or identify the owner.</p></li>
<li><p><a href="https://github.com/vhf/confusable_homoglyphs">Confusable
Homoglyphs</a> - Homoglyphs are a common phishing trick.</p></li>
</ul>
<h3 id="captcha">Captcha</h3>
<p>Another line of defense against spammers.</p>
<ul>
<li><p><a href="https://github.com/ZYSzys/awesome-captcha">Awesome
Captcha</a> - Reference all open-source captcha libraries, integration,
alternatives and cracking tools.</p></li>
<li><p><a href="https://www.google.com/recaptcha">reCaptcha</a> -
reCaptcha is still an effective, economical and quick solution when your
company can't afford to have a dedicated team to fight bots and spammers
at internet scale.</p></li>
<li><p><a
href="https://web.archive.org/web/20190611190134/https://kevv.net/you-probably-dont-need-recaptcha/">You
(probably) don't need ReCAPTCHA</a> - Starts with a rant on how the
service is a privacy nightmare and is tedious UI-wise, then lists
alternatives.</p></li>
<li><p><a href="https://anti-captcha.com">Anti-captcha</a> -
Captcha-solving service.</p></li>
</ul>
<h2 id="blocklists">Blocklists</h2>
<p>The first mechanical line of defense against abuse consists of plain
and simple deny-listing. This is the low-hanging fruit of fraud
fighting, but you'll be surprised how effective it still is.</p>
<ul>
<li><p><a href="https://en.wikipedia.org/wiki/Bloom_filter">Bloom
Filter</a> - Perfect for this use-case, as bloom filters are designed to
quickly check if an element is not in a (large) set. Variations of bloom
filters exist for specific data types.</p></li>
<li><p><a href="https://blog.sqreen.com/demystifying-radix-trees/">How
Radix trees made blocking IPs 5000 times faster</a> - Radix trees might
come in handy to speed up IP blocklists.</p></li>
</ul>
<h3 id="hostnames-and-subdomains">Hostnames and Subdomains</h3>
<p>Useful to identify clients, catch and block swarms of bots, and
limit the effects of DDoS.</p>
<ul>
<li><p><a
href="https://github.com/StevenBlack/hosts"><code>hosts</code></a> -
Consolidates reputable hosts files, and merges them into a unified hosts
file with duplicates removed.</p></li>
<li><p><a
href="https://github.com/nextdns/metadata"><code>nextdns/metadata</code></a>
- Extensive collection of lists for security, privacy and parental
control.</p></li>
<li><p><a href="https://publicsuffix.org">The Public Suffix List</a> -
Mozilla's registry of public suffixes, under which Internet users can
(or historically could) directly register names.</p></li>
<li><p><a
href="https://github.com/herrbischoff/country-ip-blocks">Country IP
Blocks</a> - CIDR country-level IP data, straight from the Regional
Internet Registries, updated hourly.</p></li>
<li><p><a
href="https://github.com/internetwache/CT_subdomains">Certificate
Transparency Subdomains</a> - An hourly updated list of subdomains
gathered from certificate transparency logs.</p></li>
<li><p>Subdomain denylists: <a
href="https://gist.github.com/artgon/5366868">#1</a>, <a
href="https://github.com/sandeepshetty/subdomain-blacklist/blob/master/subdomain-blacklist.txt">#2</a>,
<a
href="https://github.com/nccgroup/typofinder/blob/master/TypoMagic/datasources/subdomains.txt">#3</a>,
<a
href="https://www.quora.com/How-do-sites-prevent-vanity-URLs-from-colliding-with-future-features">#4</a>.</p></li>
<li><p><a
href="https://gist.github.com/erikig/826f49442929e9ecfab6d7c481870700"><code>common-domain-prefix-suffix-list.tsv</code></a>
- Top-5000 most common domain prefix/suffix list.</p></li>
<li><p><a
href="https://github.com/notracking/hosts-blocklists"><code>hosts-blocklists</code></a>
- No more ads, tracking and other virtual garbage.</p></li>
<li><p><a
href="https://gist.github.com/sehrgut/324626fa370f044dbca7"><code>xkeyscorerules100.txt</code></a>
- NSA's <a href="https://en.wikipedia.org/wiki/XKeyscore">XKeyscore</a>
matching rules for Tor and other anonymity-preserving tools.</p></li>
<li><p><a
href="https://github.com/ActivisionGameScience/pyisp"><code>pyisp</code></a>
- IP to ISP lookup library (includes ASN).</p></li>
<li><p><a
href="https://www.amf-france.org/Epargne-Info-Service/Proteger-son-epargne/Listes-noires">AMF
site blocklist</a> - Official French denylist of money-related fraud
sites.</p></li>
</ul>
<h3 id="emails">Emails</h3>
<ul>
<li><p><a href="https://github.com/wesbos/burner-email-providers">Burner
email providers</a> - A list of temporary email providers. And its <a
href="https://github.com/martenson/disposable-email-domains">derivative
Python module</a>.</p></li>
<li><p><a
href="https://github.com/FGRibreau/mailchecker">MailChecker</a> -
Cross-language temporary (disposable/throwaway) email detection
library.</p></li>
<li><p><a href="https://gist.github.com/adamloving/4401361">Temporary
Email Address Domains</a> - A list of domains for disposable and
temporary email addresses. Useful for filtering your email list to
increase open rates (email sent to these domains will likely not be
opened).</p></li>
<li><p><a href="https://github.com/benbalter/gman"><code>gman</code></a>
- “A ruby gem to check if the owner of a given email address or website
is working for THE MAN (a.k.a verifies government domains).” Good
resource to hunt for potential government customers in your user
base.</p></li>
<li><p><a href="https://github.com/leereilly/swot"><code>Swot</code></a>
- In the same spirit as above, but this time to flag academic
users.</p></li>
</ul>
<h3 id="reserved-ids">Reserved IDs</h3>
<ul>
<li><p><a href="https://gist.github.com/stuartpb/5710271">General List
of Reserved Words</a> - This is a general list of words you may want to
consider reserving, in a system where users can pick any name.</p></li>
<li><p><a href="https://ldpreload.com/blog/names-to-reserve">Hostnames
and usernames to reserve</a> - List of all the names that should be
restricted from registration in automated systems.</p></li>
</ul>
<h3 id="profanity">Profanity</h3>
<ul>
<li><p><a
href="https://github.com/LDNOOBW/List-of-Dirty-Naughty-Obscene-and-Otherwise-Bad-Words">List
of Dirty, Naughty, Obscene, and Otherwise Bad Words</a> - Profanity
blocklist from Shutterstock.</p></li>
<li><p><a
href="https://github.com/vzhou842/profanity-check"><code>profanity-check</code></a>
- Uses a linear SVM model trained on 200k human-labeled samples of clean
and profane text strings.</p></li>
</ul>
<h2 id="privacy">Privacy</h2>
<p>As the guardian of users' data, the IAM stack is deeply bound by
respect for privacy.</p>
<ul>
<li><p><a
href="https://www.private-ai.com/wp-content/uploads/2021/10/PETs-Decision-Tree.pdf">Privacy
Enhancing Technologies Decision Tree</a> - A flowchart to select the
right tool depending on data type and context.</p></li>
<li><p><a
href="https://github.com/papers-we-love/papers-we-love/tree/master/privacy">Papers
we love: Privacy</a> - A collection of scientific studies of schemes
providing privacy by design.</p></li>
<li><p><a href="https://haveibeenpwned.com">Have I been Pwned?</a> -
Data breach index.</p></li>
<li><p><a
href="https://fahrplan.events.ccc.de/camp/2019/Fahrplan/system/event_attachments/attachments/000/003/798/original/security_cccamp.pdf">Automated
security testing for Software Developers</a> - Most privacy breaches
were enabled by known vulnerabilities in third-party dependencies. Here
is how to detect them by way of CI/CD.</p></li>
<li><p><a
href="https://github.com/threeheartsdigital/email-marketing-regulations">Email
marketing regulations around the world</a> - As the world becomes
increasingly connected, the email marketing regulation landscape becomes
more and more complex.</p></li>
<li><p><a
href="https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/">World's
Biggest Data Breaches &amp; Hacks</a> - Don't be the next company
leaking your customers' data.</p></li>
</ul>
<h3 id="anonymization">Anonymization</h3>
<p>As a central repository of user data, the IAM stack stakeholders have
to prevent any leakage of business and customer data. To allow for
internal analytics, anonymization is required.</p>
<ul>
<li><p><a
href="https://web.archive.org/web/20220927004103/https://goteleport.com/blog/hashing-for-anonymization/">The
False Allure of Hashing for Anonymization</a> - Hashing is not
sufficient for anonymization. But it is still good enough for
pseudonymization (which is allowed by the GDPR).</p></li>
<li><p><a
href="https://freedom-to-tinker.com/2018/04/09/four-cents-to-deanonymize-companies-reverse-hashed-email-addresses/">Four
cents to deanonymize: Companies reverse hashed email addresses</a> -
“Hashed email addresses can be easily reversed and linked to an
individual”.</p></li>
<li><p><a
href="https://desfontain.es/privacy/differential-privacy-awesomeness.html">Why
differential privacy is awesome</a> - Explains the intuition behind <a
href="https://en.wikipedia.org/wiki/Differential_privacy">differential
privacy</a>, a theoretical framework which allows sharing of aggregated
data without compromising confidentiality. See follow-up articles with
<a
href="https://desfontain.es/privacy/differential-privacy-in-more-detail.html">more
details</a> and <a
href="https://desfontain.es/privacy/differential-privacy-in-practice.html">practical
aspects</a>.</p></li>
<li><p><a
href="https://www.privitar.com/listing/k-anonymity-an-introduction">k-anonymity:
an introduction</a> - An alternative anonymity privacy model.</p></li>
<li><p><a href="https://github.com/microsoft/presidio">Presidio</a> -
Context aware, pluggable and customizable data protection and PII data
anonymization service for text and images.</p></li>
<li><p><a
href="https://aircloak.com/wp-content/uploads/apf17-aspen.pdf">Diffix:
High-Utility Database Anonymization</a> - Diffix tries to provide
anonymization, avoid pseudonymization and preserve data quality. <a
href="https://elixirforum.com/t/aircloak-anonymized-analitycs/10930">Written
in Elixir at Aircloak</a>, it acts as an SQL proxy between the analyst
and an unmodified live database.</p></li>
</ul>
<h3 id="gdpr">GDPR</h3>
<p>The well-known European privacy framework.</p>
<ul>
<li><p><a href="https://gdpr.eu">GDPR Tracker</a> - Europe's reference
site.</p></li>
<li><p><a href="https://github.com/LINCnil/GDPR-Developer-Guide">GDPR
Developer Guide</a> - Best practices for developers.</p></li>
<li><p><a
href="https://techblog.bozho.net/gdpr-practical-guide-developers/">GDPR
- A Practical Guide for Developers</a> - A one-page summary of the
above.</p></li>
<li><p><a href="https://github.com/good-lly/gdpr-documents">GDPR
documents</a> - Templates for personal use to have companies comply with
“Data Access” requests.</p></li>
<li><p><a href="https://arxiv.org/pdf/2001.02479.pdf">Dark Patterns
after the GDPR</a> - This paper demonstrates that, because of the lack
of GDPR law enforcement, dark patterns and implied consent are
ubiquitous.</p></li>
<li><p><a href="http://enforcementtracker.com">GDPR Enforcement
Tracker</a> - List of GDPR fines and penalties.</p></li>
</ul>
<h2 id="uxui">UX/UI</h2>
<p>As a stakeholder of the IAM stack, you're going to implement in the
backend the majority of the primitives required to build up the sign-up
funnel and user onboarding. This is the first impression customers will
get from your product, and it can't be overlooked: you'll have to
carefully design it with front-end experts. Here are a couple of guides
to help you polish that experience.</p>
<ul>
<li><p><a href="https://userpilot.com/saas-product-onboarding/">The 2020
State of SaaS Product Onboarding</a> - Covers all the important facets
of user onboarding.</p></li>
<li><p><a
href="https://www.useronboard.com/user-onboarding-teardowns/">User
Onboarding Teardowns</a> - A huge list of deconstructed first-time user
signups.</p></li>
<li><p><a href="https://goodui.org/leaks/">Discover UI Design Decisions
Of Leading Companies</a> - From Leaked Screenshots &amp; A/B
Tests.</p></li>
<li><p><a
href="https://www.nickkolenda.com/conversion-optimization-psychology/#cro-tactic11">Conversion
Optimization</a> - A collection of tactics to increase the chance of
users finishing the account creation funnel.</p></li>
<li><p><a
href="https://growth.design/case-studies/trello-user-onboarding/">Trello
User Onboarding</a> - A detailed case study, nicely presented, on how to
improve user onboarding.</p></li>
<li><p><a
href="https://learnui.design/blog/tips-signup-login-ux.html">11 Tips for
Better Signup/Login UX</a> - Some basic tips on the login
form.</p></li>
<li><p><a
href="http://bradfrost.com/blog/post/dont-get-clever-with-login-forms/">Don't
get clever with login forms</a> - Create login forms that are simple,
linkable, predictable, and play nicely with password managers.</p></li>
<li><p><a
href="https://www.twilio.com/blog/why-username-and-password-on-two-different-pages">Why
are the username and password on two different pages?</a> - To support
both SSO and password-based login. Now if breaking the login funnel into 2
steps is too infuriating to users, solve this as Dropbox does: <a
href="https://news.ycombinator.com/item?id=19174355">an AJAX request
when you enter your username</a>.</p></li>
<li><p><a
href="https://www.twilio.com/blog/html-attributes-two-factor-authentication-autocomplete">HTML
attributes to improve your users' two-factor authentication
experience</a> - “In this post we will look at the humble
<code>&lt;input&gt;</code> element and the HTML attributes that will
help speed up our users' two factor authentication experience”.</p></li>
<li><p><a href="http://passwordmasking.com">Remove password masking</a>
- Summarizes the results from an academic study investigating the impact
removing password masking has on consumer trust.</p></li>
<li><p><a
href="https://twitter.com/ProductHunt/status/979912670970249221">For
anybody who thinks “I could build that in a weekend,” this is how Slack
decides to send a notification</a> - Notifications are hard. Really
hard.</p></li>
</ul>
<h2 id="competitive-analysis">Competitive Analysis</h2>
<p>Keep track of the activity of open-source projects and companies
operating in the domain.</p>
<ul>
<li><p><a
href="https://github.com/jruizaranguren/best-of-digital-identity">Best-of
Digital Identity</a> - Ranking, popularity and activity status of
open-source digital identity projects.</p></li>
<li><p><a
href="https://aws.amazon.com/about-aws/whats-new/security_identity_and_compliance/">AWS
Security, Identity &amp; Compliance announcements</a> - The source of
all new features added to the IAM perimeter.</p></li>
<li><p><a href="https://cloud.google.com/iam/docs/release-notes">GCP IAM
release notes</a> - Also of note: <a
href="https://cloud.google.com/identity/docs/release-notes">Identity</a>,
<a
href="https://cloud.google.com/identity-platform/docs/release-notes">Identity
Platform</a>, <a
href="https://cloud.google.com/resource-manager/docs/release-notes">Resource
Manager</a>, <a
href="https://cloud.google.com/kms/docs/release-notes">Key Management
Service/HSM</a>, <a
href="https://cloud.google.com/access-context-manager/docs/release-notes">Access
Context Manager</a>, <a
href="https://cloud.google.com/iap/docs/release-notes">Identity-Aware
Proxy</a>, <a
href="https://cloud.google.com/dlp/docs/release-notes">Data Loss
Prevention</a> and <a
href="https://cloud.google.com/security-scanner/docs/release-notes">Security
Scanner</a>.</p></li>
<li><p><a href="https://www.gcpweekly.com">Unofficial Weekly Google
Cloud Platform newsletter</a> - Relevant keywords: <a
href="https://www.gcpweekly.com/gcp-resources/tag/iam/"><code>IAM</code></a>
and <a
href="https://www.gcpweekly.com/gcp-resources/tag/security/"><code>Security</code></a>.</p></li>
<li><p><a
href="http://docs.digitalocean.com/release-notes/accounts/">DigitalOcean
Accounts changelog</a> - All the latest account updates on DO.</p></li>
<li><p><a
href="https://adayinthelifeof.nl/2020/05/20/aws.html#discovering-aws">163
AWS services explained in one line each</a> - Helps make sense of their
huge service catalog. In the same spirit: <a
href="https://netrixllc.com/blog/aws-services-in-simple-terms/">AWS in
simple terms</a> &amp; <a
href="https://expeditedsecurity.com/aws-in-plain-english/">AWS In Plain
English</a>.</p></li>
<li><p><a
href="https://github.com/gregsramblings/google-cloud-4-words#the-google-cloud-developers-cheat-sheet">Google
Cloud Developers Cheat Sheet</a> - Describes all GCP products in 4 words
or less.</p></li>
</ul>
<h2 id="history">History</h2>
<ul>
<li><a href="https://cryptoanarchy.wiki">cryptoanarchy.wiki</a> -
The cypherpunk movement overlaps with security. This wiki compiles information
about the movement, its history and the people/events of note.</li>
</ul>
<h2 id="contributing">Contributing</h2>
<p>Your contributions are always welcome! Please take a look at the <a
href=".github/contributing.md">contribution guidelines</a> first.</p>
<h2 id="footnotes">Footnotes</h2>
<p>The <a
href="https://github.com/kdeldycke/awesome-iam/blob/main/assets/awesome-iam-header.jpg">header
image</a> is based on a modified <a
href="https://unsplash.com/photos/2LowviVHZ-E">photo</a> by <a
href="https://unsplash.com/@benjaminsweet">Ben Sweet</a>.</p>
<!--lint disable no-undefined-references-->
<p><a name="sponsor-def">[0]</a>: You can
<a href="https://github.com/sponsors/kdeldycke">add your Identity &amp;
Authentication product in the list of sponsors via a GitHub
sponsorship</a>. <a href="#sponsor-ref">[↑]</a></p>
<p><a name="intro-quote-def">[1]</a>: <a
href="https://www.amazon.com/dp/0778324338?&amp;linkCode=ll1&amp;tag=kevideld-20&amp;linkId=0b92c3d92371bd53daca5457bdad327e&amp;language=en_US&amp;ref_=as_li_ss_tl"><em>Poison
Study</em></a> (Mira, 2007). <a href="#intro-quote-ref">[↑]</a></p>
<p><a href="https://github.com/kdeldycke/awesome-iam">iam.md
Github</a></p>