Multi-factor authentication was sold as the cure for phishing, and for a while it was. Then real-time proxy phishing, push-bombing, and SIM swaps caught up. The 2022 breaches at Twilio and Uber — and the Cloudflare attack that failed — were the field test. A threat-model walk through why only origin-bound MFA survives, and how to deploy it.
Authentication
-
Phishing-Resistant MFA: Why Everything Short of FIDO2 Is Living on Borrowed Time -
Passkeys and FIDO2 Explained Passkeys are the closest thing to a real password replacement the industry has ever shipped, and they finally hit broad consumer rollout in 2024-2026. We walk what a passkey actually is under the hood, the WebAuthn and CTAP protocol stack, the sync model that initially scared security professionals, platform versus roaming authenticators, and the honest case for moving off passwords.
-
Kerberos and Windows Authentication How sign-on actually works in an Active Directory world: NTLM and why it persists, Kerberos tickets (the TGT, service tickets, and the KDC), SPNs and delegation (unconstrained, constrained, and resource-based), and the attacks every defender should recognize — Kerberoasting, pass-the-hash, pass-the-ticket, and golden and silver tickets. A clear walk through the protocol and its real-world abuse, plus what Windows Server 2025 changes.
-
Passkeys and WebAuthn in Practice: A Developer's Complete Guide A ground-up technical walkthrough of WebAuthn and passkeys — how the cryptography actually works, the registration and authentication ceremonies in detail, a working SimpleWebAuthn implementation, attestation demystified, fallback strategy, and the UX traps that derail production deployments.
-
PAM Configuration Deep Dive How Linux PAM really decides whether you get a shell — the module stack, control flags, and the auth, account, session, and password phases — so you can read /etc/pam.d, add MFA or SSSD, and debug a silent login rejection.
-
OWASP API Security Top 10: A Practical Guide to Securing Your APIs A deep-dive into the OWASP API Security Top 10—covering broken object-level authorization, excessive data exposure, mass assignment, and every other critical API vulnerability with real attack examples and defensive code patterns.
-
Password Security Done Right How to properly store, hash, and manage passwords in your applications.