Protecting entire ISAM WebSEAL site with multi-factor authentication using stepup login

Today I’m going a bit old-school with information on a basic ISAM scenario that has been available for years. This has come up in field questions several times recently, I think mostly with people who are relatively new to ISAM but understand the need for multi-factor security as a standard part of the authentication workflow. […]

Cross-origin session detection

Consider a federated single sign-on environment where an Identity Provider (IDP) for applications may in turn be acting as a gateway – and be configured as a Service Provider (SP) to many different other IDPs. The role of this IDP is to provide a common federated SSO service to applications. It may also need to […]

Account Recovery is just another Authentication Method

This article is an opinion piece geared toward (re)evaluating your thinking about end-user workflows for account recovery in traditional web authentication systems. Leaving aside superior PKI-based authentication schemes such as FIDO for a moment, let’s take a look at how account recovery scenarios on a traditional website might be made less attractive to attackers attempting […]

Cloud Identity FIDO2 – Consuming FIDO2 as-a-service from IBM Cloud Identity

This article introduces a free, open-source sample application which demonstrates how an external FIDO2 relying party can consume IBM Cloud Identity APIs as-a-service. The application has been written in Node.js and leverages a range of API calls from IBM Cloud Identity (CI) including: User Management, FIDO2 APIs, and OAuth and OpenID Connect Integration. The application has […]

FIDO2 for IoT – A hobby project

In our work at IBM building FIDO2 services for both on-premise (IBM Security Access Manager) and cloud (IBM Cloud Identity) offerings, we have been looking at scenarios for using FIDO2 authentication technology beyond the mainstream use case of browser-based authentication with WebAuthn. One scenario we decided to experiment with is FIDO2 for IoT devices – […]

The fido2viewer – a free FIDO2 debugging utility

Those of you who have been reading my recent series of blog posts will realize that I’ve been spending a great deal of time working on FIDO2 and WebAuthn related technologies. As part of this effort which has been in progress on and off for more than 12 months now, I put together a debugging […]

ISAM FIDO2 – Using the FIDO2 server endpoints

This article is the fourth in a technical series on configuring and using FIDO2 capabilities in ISAM 9.0.7. If you haven’t already done so, please work through these previous articles as the information and system that is prepared as part of them will be assumed knowledge when reading this one… Part 1 – FIDO2 in […]

ISAM FIDO2 – Metadata and registration policy enforcement

This article is the third in a technical series on configuring and using FIDO2 capabilities in ISAM 9.0.7. If you haven’t already done so, please read and complete the exercises in my first and second FIDO2 technical articles as here I’ll be picking up where the second article left off. What authenticator is that? Let’s take […]

ISAM FIDO2 – Usernameless login and Mediators

This article is the second in a technical series on configuring and using FIDO2 capabilities in ISAM 9.0.7. If you haven’t already done so, please read and complete the exercises in my first FIDO2 technical article as here I’ll be picking up where that one left off. Configuring a credential viewer: Anyone working with ISAM […]