Identity Security: The problem(s) with federation

Federating trust with an identity provider (IdP) is common practice to centralize identity governance.

Non-Human Identities Security: Breaking down the problem

Compromised non-human identities are increasingly being leveraged by attackers to gain initial access and as a vector for lateral movement.

Detecting Man-in-the-Middle Attacks with SlashID

Detect when attackers access your website through malicious proxies with SlashID.

A deep dive in the AWS credential leaks reported by Palo Alto Networks

Thousands of credentials were exfiltrated from exposed .env files in the latest large-scale attack uncovered by Palo Alto.

SlashID RBAC: Globally-available role-based access control

SlashID RBAC is a globally replicated role-based access control system that allows you to restrict access to resources based on permissions assigned to specific persons.

Protecting against Snowflake breaches

In the last few weeks several very high-profile breaches have been in the news, from Santander to Ticketmaster and AT&T.

Introducing the SlashID Local Deployment

The SlashID local deployment is our answer for developers looking to build, run and test apps locally.

ODPR: A Framework for Securing Non-Human Identities

Identity-based attacks have become the primary way attackers move laterally in a network. They are also responsible for half of the initial intrusions.

Credential Tokenization: Protecting third-party API credentials

Stolen secrets and credentials are one of the most common ways for attackers to move laterally and maintain persistence in cloud environments.

Secure API and M2M Access with OAuth2 Client Credentials and SlashID's sidecar

The recent Hugging Face breach is yet another reminder that securing machine-to-machine communication and API access is essential today.

Introducing Organization Attributes

With organization attributes, you can now easily store and manage tenant-level data directly on our platform.

Introducing Anonymous Users: Balancing First-Party Data Collection and User Experience

With the deprecation of third-party cookies, first-party data has become crucial for websites to personalize user experiences.

SlashID SDK for PHP and Laravel authentication

While very popular, PHP lacks modern identity and access management (IAM) capabilities. SlashID changes that with the release of our SDK for PHP and Laravel.

Adding custom claims to identity tokens

Adding custom claims to JWTs allows you to share identity information without repeated queries to external data sources.

SlashID: Building a globally distributed Identity Platform

We built the SlashID infrastructure so that your user data is globally distributed.

Passkeys Adoption Trends: Survey from Large Deployments

In this comprehensive blog post, we delve into the publicly available data on large-scale passkeys rollouts, examining results, conversion rates, and implementation challenges as documented in engineering blogs by companies like Kayak and Yahoo Japan.

Single Sign-On implementation: Safely retrieving the email claim

A number of security issues have been discovered recently caused by the reliance on the email claim when using OpenID Connect (OIDC) for SSO.

Single Sign-On implementation: Security Issues and Best Practices

Social logins and OpenID Connect (OIDC) are an extremely effective way to register new users with low friction.

Introducing the SlashID Remix SDK: Authentication made easy

We’re excited to announce first-party Remix support in SlashID with @slashid/remix. We've borrowed the power of our React SDK and aligned it with Remix's unique design patterns.

Firebase Authentication and Google Identity Platform User Enumeration Vulnerability

Firebase Authentication and Google Identity Platform are the two Google products that offer identity management.

GDPR Compliance: Consent Management

Effortless GDPR compliance out of the box. Notify users about your intent to use cookies and request their consent.

OAuth 2.0 Fine-Grained API Authorization with Gate and OpenAPI

Protect your API against unauthorized access without changing your application.

Rate Limiting for Large-scale, Distributed Applications and APIs Using GCRA

Rate limiting is a key defense against bots and threats for APIs and backends. Traditional IP-based rate limiting techniques are insufficient today because they can be easily bypassed.

Context-aware authentication: fight identity fraud and qualify your users

Knowing your users is becoming increasingly important. Whether you're a B2B PLG business trying to convert leads or a fintech business fending off attacks, it's essential to have more context about who is accessing your platform and to customize your behavior accordingly.

Backend Authentication and Authorization Patterns: Benefits and Pitfalls of Each

Identity in distributed applications is hard. In large and complex environments with multiple services, a number of patterns have emerged to authenticate and authorize traffic.

JWT Implementation Pitfalls, Security Threats, and Our Approach to Mitigate Them

JSON Web Tokens (JWTs) are one of the most common ways to transfer identity claims and prove the identity of a user or an entity. JWTs have become very popular in recent years because they are easy to use, read, and debug.

No-code anti-phishing protection of internal apps with Passkeys

Phishing is one of the most common causes of data breaches. According to Verizon's DBIR report, over 50% of incidents start with phishing or stolen credentials. WebAuthn/Passkeys are an effective way to stop phishing and credential stealing attempts on their tracks.

Firewalling OpenAI APIs: Data loss prevention and identity access control

Large Language Models (LLMs) have taken the world by storm, and they are now used for many tasks by consumers and enterprises alike. However, the risk of accidentally disclosing sensitive data to the models is very high as the recent Samsung case shown.

Ditch your organizations table

Suborgs make it effortless and secure to implement complex identity structures such as multi-tenancy B2B apps and multi sided marketplaces.

Protecting Exposed APIs: Avoid Data Leaks with SlashID Gate and OPA

Adequately protecting APIs is key to avoid data leaks and breaches.

Docusaurus - Authentication and authorization with SlashID

The latest docusaurus-slashid-login theme adds finer grained access control to your Docusaurus website.

Authenticate your Shopify customers with SlashID

The new SlashID Login app for Shopify lets your customers authenticate seamlessly using quick and safe methods like passkeys, social login and magic links.

Synchronous Webhooks

We are excited to release synchronous webhooks, the latest addition to our webhooks features.

Building a React Login Page Template

Discover how to create a secure login page for your React app with authentication and styling using SlashID.

SlashID Analytics Webhooks

We are excited to release SlashID analytics and webhooks, providing greater visibility and actionable insights into your authentication flows.

Passkeys - Threat modeling and implementation considerations

In this blog post, we review the current state of the technology from a security standpoint and we’ll discuss some critical aspects of passkey implementation.

Authentication flows with SlashID

Implement MFA and Step-Up Authentication in React applications with SlashID.

Using Google Tink to sign JWTs with ECDSA

In this blog post, we will show how the Tink cryptography library can be used to create, sign, and verify JSON Web Tokens (JWTs), as well as to manage the cryptographic keys for doing so.

React SDK support for <Groups>

With the latest React SDK release we are introducing a new control component, <Groups>. You can use <Groups> to conditionally render parts of the UI depending on whether the authenticated user belongs to specific Groups.

Sign-in and Sign-up React component release

Today we’re happy to announce the next step in that journey to deliver a streamlined, low friction onboarding experience to our customers with the release of our sign-up/sign-in form component.

Fetching Google Groups with SlashID SSO

Use SlashID to fetch Google Groups as part of a user authentication flow.

In-browser HSM-backed Encryption with Tink and Wasm

This post explores how to use Wasm to lift Tink to JavaScript and how you can leverage it to perform client-side encryption directly from the browser, backed with a master key stored in a HSM.

Official React SDK release

Today we’re excited to announce the public release of the official SlashID React SDK

Adding Identity to Docusaurus

Today we are releasing the docusaurus-slashid-login theme as well as a fork of docusaurus-openapi-docs.

Introducing Data Vault - Secure HSM-backed PII storage directly from the frontend

Today we are releasing Data Vault, which allows the safe and compliant storage of sensitive user data directly from the frontend.

Social logins in 5 minutes or less

Today we are releasing our OpenID Connect (OIDC) SSO module which you can use to add Social logins and OIDC-compatible SSO to your app in less than 5 minutes.

App-layer cryptographic primitives for secure storage of user data

In this blogpost we explore the cryptographic primitives and design decisions we made building our Data Vault module.

The good, the bad and the ugly of Apple Passkeys

The widely anticipated Apple passkeys launch happened just a few weeks ago with the iOS 16 release.

The Security and Regulatory Compliance Benefits of WebAuthn

The WebAuthn standard helps you stop phishing and account takeover (ATO) attacks while maintaining HIPAA and SCA compliance.

Phishing Attacks – WebAuthn to the rescue

Authentication token theft is on the rise, with the latest Uber breach demonstrating yet again the threat that it poses.