authentication
7 posts
Bypassed controls are absent controls
Leanstral 1.5 bypassed CAPTCHA and rate limiting. Those controls score requests, not identity, the only boundary that refuses credential replay.
A valid JWT authenticates nothing
A JWT is a signed data structure, not authentication. The security lives in the verifier, not the token. Where validation is optional, the boundary is gone.
Your API breach was working as designed
API authentication failing at the request level is a trust boundary failure. Inadequate identity validation makes lateral movement a design outcome.
Microsoft flags password reset exploitation
Microsoft confirms password reset exploitation. The reset endpoint is an authentication surface and must be controlled as one.
SMS 2FA was never authentication
Microsoft is replacing SMS one-time codes with passkeys. M. Hale defines what failed, why it failed, and where the boundary still leaks.
Microsoft sent you a code you didn't request
An unrequested Microsoft single-use code email is evidence of external interaction with your identity surface. What it proves and what it does not.
Attackers weaponized AI to bypass 2FA at scale
A reported AI-developed zero-day 2FA bypass in mass use removes the assumption that 2FA terminates the account takeover chain.