RC RANDOM CHAOS

authentication

7 posts

Bypassed controls are absent controls
Article

Bypassed controls are absent controls

Leanstral 1.5 bypassed CAPTCHA and rate limiting. Those controls score requests, not identity, the only boundary that refuses credential replay.

A valid JWT authenticates nothing
Article

A valid JWT authenticates nothing

A JWT is a signed data structure, not authentication. The security lives in the verifier, not the token. Where validation is optional, the boundary is gone.

Your API breach was working as designed
Article

Your API breach was working as designed

API authentication failing at the request level is a trust boundary failure. Inadequate identity validation makes lateral movement a design outcome.

Microsoft flags password reset exploitation
Article

Microsoft flags password reset exploitation

Microsoft confirms password reset exploitation. The reset endpoint is an authentication surface and must be controlled as one.

SMS 2FA was never authentication
Article

SMS 2FA was never authentication

Microsoft is replacing SMS one-time codes with passkeys. M. Hale defines what failed, why it failed, and where the boundary still leaks.

Microsoft sent you a code you didn't request
Article

Microsoft sent you a code you didn't request

An unrequested Microsoft single-use code email is evidence of external interaction with your identity surface. What it proves and what it does not.

Attackers weaponized AI to bypass 2FA at scale
Article

Attackers weaponized AI to bypass 2FA at scale

A reported AI-developed zero-day 2FA bypass in mass use removes the assumption that 2FA terminates the account takeover chain.