diff --git a/content/access-control-for-modern-web-applications/authn-vs-authz.png b/content/access-control-for-modern-web-applications/authn-vs-authz.png
new file mode 100644
index 00000000..22ad7f97
Binary files /dev/null and b/content/access-control-for-modern-web-applications/authn-vs-authz.png differ
diff --git a/content/access-control-for-modern-web-applications/index.md b/content/access-control-for-modern-web-applications/index.md
new file mode 100644
index 00000000..f9550a78
--- /dev/null
+++ b/content/access-control-for-modern-web-applications/index.md
@@ -0,0 +1,129 @@
+---
+title: "Access Control for modern web applications"
+date: "2023-12-11"
+description: "Access control plays a key role in protecting our data as we progressively move into an online society. In this blog we will explore the different types of access control and how they safeguard against attackers."
+cover: "access-control-for-modern-web-applications.png"
+category: "programming"
+author: "Sara Mashfej"
+---
+
+
+
+## An overview of Access Control for modern web applications
+Today, modern applications have become deeply ingrained in our daily routines. Web, mobile, and business applications serve as the gatekeepers of extensive information, granting users varying degrees of access and power depending on their roles.
+
+Last year's T-Mobile data breach resulted in [a financial impact of $350 million for the company in 2022](https://tech.co/news/data-breaches-updated-list), which went towards compensating affected customers. This, along with similar incidents during that same year, stemmed from organizations' failure to establish adequate access control measures and enforce a culture of security awareness.
+
+This article delves into the core principles of access control, exploring key mechanisms like Role-Based Access Control (RBAC), Access Control Lists (ACL), and Attribute-Based Access Control (ABAC).
+
+## What is Access Control and why is it important?
+Access control is a security mechanism designed to dictate who has permission to access specific data, applications and resources and under what conditions. Similar to physical spaces protected by keys or guest lists, access control policies serve as digital gatekeepers. Their purpose is clear: **allow the right individuals entry while denying access to unauthorized ones**. Just like Gandalf in the epic Lord Of The Rings scene!
+
+
+
+Authentication and authorization techniques underpin access control policies, their goal is to confirm users' identities and ensure they receive the appropriate access levels. For increased protection they can often also factor in variables like device, location, role, and more.
+
+Access control policies safeguard confidential information, including customer data and intellectual property. Any organization prioritizing application security should adhere to the [Zero Trust security model](https://en.wikipedia.org/wiki/Zero_trust_security_model), which operates on the principle of never trusting and always verifying. This model assumes that threats exist both inside and outside the network and focuses on continuous verification of users, devices, and applications attempting to access resources.
+
+In security-conscious organizations users are authenticated and authorized based on their specific attributes and roles, then access is dynamically adjusted based on the continuously monitored security posture.
+
+## Difference between Authentication and Authorization
+In the layered landscape of application security, we can conceptualize the process in two key steps, each playing a pivotal role:
+
+### Authentication
+[Authentication](https://supertokens.com/blog/authentication-vs-authorization#the-foundation---what-is-authentication) marks the initial checkpoint where users validate their identity by presenting the correct credentials. The primary goal of authentication is to establish trust and control access to resources or systems. The authentication process typically involves the following steps:
+
+1. **User Initiation**: a user initiates a request to access a protected resource or system. This could be logging into a website using a login form.
+2. **Providing Credentials**: The user provides identification credentials, which can take various forms, depending on the authentication method. Common types of credentials include:
+ 1. Something you know: Passwords, PINs, passphrases.
+ 2. Something you have: Smart cards, security tokens, mobile devices.
+ 3. Something you are: Biometric data (fingerprint, retina scan, facial recognition).
+3. **Credential Submission**: The user enters their credentials into the login form, which is linked to an authentication system.
+4. **Credential Verification**: The authentication system verifies the submitted credentials against stored records or a database. This process differs based on the authentication method:
+ 1. [Password-Based Authentication](https://supertokens.com/docs/emailpassword/introduction): Compares the entered password with the stored password hash.
+ 2. Token-based Authentication: involves a secondary service confirming a server request. Once the verification process is successfully completed, the server generates a token and provides a response to the request.
+5. **Granting access and session management**: If the credentials are valid, the authentication system grants access to the requested resource or system. The user is now considered authenticated. The server then generates a JSON Web Token ([JWT](https://supertokens.com/blog/what-is-jwt)) containing information about the user and sends it to the client.
+In many systems, a session is also established for the authenticated user to maintain their state and avoid repeated authentication for subsequent requests during a certain timeframe. Check out how to enable session management using SuperTokens [here](https://supertokens.com/docs/session/introduction).
+
+The overall goal of the Authentication step ensures that the system recognizes and acknowledges the user as legitimate and is mainly used to answer the question “Who are you”?.
+
+Check out ways you can implement secure and password-less authentication systems using SuperTokens [here](https://supertokens.com/blog/passwordless-for-product-managers).
+
+### Authorization
+Following successful authentication, the subsequent step is [Authorization](https://supertokens.com/blog/authentication-vs-authorization#understanding-authorization), an equally critical phase that determines the extent of control a user has over the system and the specific actions they are permitted to perform. Authorization is used to answer the question “What are you allowed to do?”
+
+Authorization occurs after authentication, once the system has confirmed the user's identity. It involves checking whether the authenticated entity has the necessary permissions to perform a requested action or access a specific resource.
+
+This happens with the user sending the acquired JWT after authentication to the server they are attempting to access, the server will read and decode the contents of the JWT. The server then checks the claims in the payload, such as user roles or permissions, to determine if the user is authorized to access the requested resource.
+
+For example, after logging into an email account, determining whether the user has permission to read, edit or delete certain files or folders in a file system.
+Authentication and Authorization work hand-in-hand to seamlessly ensure that only legitimate users gain access to specific resources and that their actions within the system are in accordance with predefined permissions. [Click here](https://supertokens.com/blog/authentication-vs-authorization) to learn more.
+
+
+
+
+## Types of Access control methods
+Access control methods undergo continuous evolution to combat emerging threats and align with the evolving technological landscape. These methods, broadly categorized into three types, present different trade-offs, many teams may choose to implement one or multiple layers of those methods for enhanced security:
+
+### Access Control Lists (ACL)
+ACLs are a set of rules or permissions attached to an object and can regulate who has access and what operations they can perform on it.
+
+1. When is RBAC used?
+ - ACLs are commonly used in computer systems, networks, and databases to manage access rights and secure resources.
+2. What is an example use case?
+ - A filesystem ACL serves as a guide for an operating system that details a user's access rights to a system object, whether it's a singular file or an entire directory. Each object is associated with a table containing various security permissions—such as read, write, update, and delete— each table entry corresponds to the user or group that is granted access and will outline their respective privileges within the system.
+ - ACLs are particularly effective for defining access rights at a granular user level, offering precise control over resource permissions.
+3. What are the drawbacks ?
+ - ACLs can grow in complexity as the number of users, resources, and permissions grows. Managing and maintaining large and intricate ACLs can become cumbersome.
+ - ACLs might not provide the granularity needed for highly specific access control requirements, leading to either too much access or too little.
+ - ACLs might not cover scenarios where dynamic or context-based access control is necessary.
+
+ACL is often more straightforward and may be sufficient for smaller systems, while Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC) provide more scalability and flexibility for larger and more complex systems.
+
+Access to file systems, network devices, databases, and applications can be governed using ACLs. For instance, in a file system, an ACL could specify which users or groups have read, write, or execute permissions on specific files or directories.
+
+
+### Role-Based Access Control (RBAC)
+RBAC is an access control method that assigns permissions to users based on their roles within an organization, rather than specifying permissions to individual users. In RBAC, roles are defined based on job responsibilities, and users are assigned to these roles.
+
+1. When is RBAC used?
+ - RBAC is mostly used when roles and responsibilities within an organization align with the access needs of the system.
+2. What is an example use case?
+ - Rather than directly granting Sam, a salesperson explicit privileges to view and edit the company's monthly sales reports, RBAC allows us to define permissions for the “salesperson” role. By assigning Sam to this role, we then grant the role itself access to the report, streamlining management and ensuring Sam's access aligns with the defined role's permissions.
+3. What are the drawbacks ?
+ - RBAC requires careful planning and design, defining roles and permissions for different job functions can become quite complex, in the case where the number of roles expands we can reach a situation where RBAC can be very difficult to manage effectively. Additionally, cases where access requirements are constantly changing require a more dynamic method for setting up access control that can accommodate real-time changes.
+
+### Attribute-Based Access Control (ABAC)
+ABAC makes access decisions based on attributes associated with users, resources, and the environment.
+
+With ABAC access is determined not just by who the user is or what role they have, but by additional factors like time of access, location, device used, and other dynamic parameters. ABAC can adapt well to complex and dynamic environments where access requirements may change frequently, allowing for more responsive and adaptive access control.
+
+1. When is ABAC used?
+ - ABAC provides more granularity than RBAC, but that can also come with a set of management challenges. Therefore, it should be used when there is an essential need for flexible and expressive access policies.
+2. What is an example use case?
+ - In a healthcare system, ABAC might be used to control access to patient records. Access decisions could consider attributes like the user's role (doctor, nurse), the patient's sensitivity level, and the time of access.
+
+Check out [this article](https://supertokens.com/blog/what-is-roles-based-access-control-vs-abac) for more information on the differences between RBAC and ABAC.
+
+## Getting started with Access Control using SuperTokens RBAC
+[SuperTokens](https://www.youtube.com/watch?v=EjLxXMRN73I&t=88s) is an open-source authentication solution that can help you set up user authentication in your application in minutes. In addition to the authentication methods like email-password, passwordless and social login, SuperTokens also provides authorization with RBAC through [user roles](https://supertokens.com/blog/introducing-user-roles-authorization-with-supertokens#part-1---introducing-user-roles-and-understanding-why-authorization-matters)
+
+### What are SuperTokens User Roles?
+Through SuperTokens user roles, we focus on the equally crucial phase of authorizing users post-authentication. This involves assigning roles, each with a defined set of permissions for application users, mirroring the implementation of RBAC seamlessly in three simple steps:
+1. [Create the user roles](https://supertokens.com/docs/userroles/creating-role), by adding a number of permissions to each role.
+2. [Assigning user roles](https://supertokens.com/docs/userroles/managing-roles-and-users) to users.
+3. [Retrieving user roles and permission](https://supertokens.com/docs/userroles/protecting-routes) in the client application and verifying that users have sufficient permission to perform their tasks.
+
+### Monitor and Evolve
+Regardless of the access control strategy you adopt to protect your resources, it is essential to incorporate efficient mechanisms for updating users' permissions to accommodate changes in their roles and access requirements.
+
+Once the access control strategy is put together, developer teams should regularly review their list of roles and permissions and make sure those are updated against any organizational changes (an employee joining or leaving a company or giving someone elevated permissions for a new project).
+
+A best practice according to the Zero trust policy, is to establish the default access rights for data resources to deny access at every level, then proceed through an organization’s users, groups, and services, and selectively grant explicit access only to the resources they specifically need.
+
+With SuperTokens user roles, you can easily list, add or remove new roles as needed, [here](https://supertokens.com/docs/userroles/managing-roles-and-users) are some examples on how that can be done.
+
+## Conclusion
+Access Control Lists (ACLs), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC) stand as vital components in access management. ACLs define precise permissions at the object level, RBAC streamlines access via role allocation, and ABAC adds sophistication by considering multiple attributes for decision-making. Their integration empowers organizations to forge a resilient and adaptable access control framework.
+
+Check out the SuperTokens [blog](https://supertokens.com/blog) for a deeper dive on open-source and easy Access control solutions that can safeguard your applications against the threat of potential cyber attacks.
diff --git a/content/access-control-for-modern-web-applications/you_shall_not_pass.png b/content/access-control-for-modern-web-applications/you_shall_not_pass.png
new file mode 100644
index 00000000..0e866b88
Binary files /dev/null and b/content/access-control-for-modern-web-applications/you_shall_not_pass.png differ
diff --git a/content/benefits-of-multi-factor-authentication/index.md b/content/benefits-of-multi-factor-authentication/index.md
new file mode 100644
index 00000000..c81b796f
--- /dev/null
+++ b/content/benefits-of-multi-factor-authentication/index.md
@@ -0,0 +1,121 @@
+---
+title: The Multifaceted Benefits of Multi-Factor Authentication
+date: "2024-01-10"
+description: "Traditional login mechanisms are plagued by security vulnerabilities and are susceptible to attacks. Multi-factor authentication bolsters security and mitigates a number of these vulnerabilities and has now become an industry standard."
+cover: "benefits-of-multi-factor-authentication.png"
+category: "programming"
+author: "Michiel Mulders"
+---
+
+
+In 2022, over [80% of data breaches](https://www.verizon.com/business/en-gb/resources/2022-data-breach-investigations-report-dbir.pdf) were attributed to compromised passwords.
+
+Although email-password based authentication has become the de facto method for authentication, it is very vulnerable to attacks. Through phishing, keylogging or simple brute-force attacks, traditional authentication mechanisms can be exploited to gain access to a users account. This is why modern platforms like Google, Amazon and Netflix have moved towards MFA or multi-factor authentication.
+
+With Multi-factor authentication, the user would have to prove their identity through multiple forms of identification. The basic idea is that adding challenges to the authentication flow exponentially increases the difficulty of the account being compromised.
+
+These additional forms of authentication can be based of the following types:
+
+1. What you know. Example: An email and password combination
+2. What you possess: A credit / debit card, a hardware key (Yubikey)
+3. What you are: Biometrics such as fingerprints or retinal scans
+
+The implementation of additional factors is a tradeoff between security and user experience. While not always true, higher security leads to a more cumbersome user experience. We’ll evaluate the security and UX tradeoffs associated with different authentication factors
+
+## Problems With Traditional Security Mechanisms and How MFA Solves Them
+
+According to the Verizon data breach investigation report of 2022, “There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the past four years.”
+
+Further, exploiting vulnerability attributes for almost 20% of methods to access an organization. And finally, brute force attacks still contributed to more than 10% of all attacks.
+
+Once a hacker obtains a user’s login credentials, they can access sensitive information which they can abuse to get more information about the user, often leading to financial losses and reputational damage.
+
+For instance, thousands of high-profile YouTube accounts got hacked in 2019-2020 through session hijacking and using privilege escalation to change account owners. That is why protecting sensitive actions like "changing account ownership" behind secondary factors is important. This common strategy used by many applications can reduce the fallout of a compromised account.
+
+Let’s explore the different types of second factors in multi-factor authentication.
+
+## Types of Second Factors in Multi-Factor Authentication
+
+
+- SMS and Email Passcodes
+- Time - Based One - Time Passcodes (TOTP):
+- Biometric authentication
+- FIDO (Fast Identity Online) Authentication
+
+
+
+### 1. SMS and Email passcodes
+
+SMS and email passcodes are familiar and easy choices for users. However, they do have their drawbacks.
+
+**Pros**: Mobile phones are everywhere, and SMS is a widely recognized communication method. Additionally, email clients can be used on various devices, making both of these methods highly accessible.
+
+**Cons:** SMS passcodes have a high risk of being intercepted. SIM card hacking software is cheap. You can buy such software for [30-50 dollars](https://hackcontrol.org/blog/sms-two-factor-authentication-dangerous/). A hacker can use this software if they are in close proximity to your mobile phone. The software will create a false cellular station to intercept SMS messages to restore access to your account.
+
+Besides, users are vulnerable to SIM swap attacks in which social engineering convinces the mobile operator to carry over the phone number to a new SIM card. In August 2023, Bart Stephens, cofounder of crypto fund Blockchain Capital, lost $6.3 million of Bitcoin due to a SIM swap attack. An anonymous hacker seized control over Stephens’s cellular network account and then ported Stephens’s number to a new SIM to gain access to his crypto account.
+
+Additionally, emails are also subject to latency and email deliverability can also have issues.
+
+### 2. Time-Based One-Time Passwords (TOTP):
+
+With TOTP, an authenticator application uses a shared secret key generated by the authentication server to create a one-time password that changes at a very short interval.
+
+**Pros:** Codes are being generated dynamically every 30 seconds. This limited time window makes it harder for hackers to steal your codes. When a new code is created, the previous code is invalidated.
+
+**Cons:** Although TOTP solves the downsides associated with email/SMS passcodes, if the authentication server’s database is breached and the secret key is compromised, the attacker could generate codes and gain access to the user’s account. Additionally, an attacker can intercept the code you send to the server and use it to gain unsolicited access to your account.
+
+### 3. Biometric authentication
+
+Using unique biometric markers like fingerprint, voice, or face to authenticate the user.
+
+**Pros:** Biometrical authentication provides the most organic experience since the user does not need to remember credentials or enter an OTP.
+
+**Cons:** Hardware for biometrical authentication is expensive.
+
+### FIDO (Fast Identity Online) Authentication
+
+FIDO, which stands for Fast Identity Online, is not a specific authentication method but rather an open authentication standard. Its primary objective is to unify secure login factors such as biometrics and passkeys under a common standard. When employing FIDO, you require a physical device like a Yubikey. A Yubikey generates cryptographic secrets to complete the authorization process.
+
+**Pros:** It is hard to compromise because an attacker needs access to your physical device to retrieve the token. Furthermore, FIDO devices often incorporate local authentication methods like fingerprint recognition, which is not vulnerable to phishing attacks.
+
+**Cons:** One drawback is registering your physical device with each service. Additionally, FIDO is still an emerging standard and has yet to be universally adopted. Therefore, when FIDO is not supported, you may still need to resort to different authentication methods.
+
+
+
+## Real-world Use Cases of Multi-Factor Authentication
+
+A good example of an MFA is corporate data protection. Companies use Security Assertion Markup Language (SAML) for Single Sign-On (SSO) authentication to allow employees to access multiple applications with one set of credentials.
+
+Integrating MFA with SAML adds an extra layer of security. When employees access resources, they not only enter their credentials but also authenticate via a second factor. For example, an SMS or email passcode, or biometric verification. Adding a second factor ensures that only authorized personnel can access sensitive corporate data.
+
+The same is true for [Lightweight Directory Access Protocol (LDAP)](https://supertokens.com/blog/what-is-ldap). Many organizations use LDAP to store and manage user access to different systems. Integrating MFA with LDAP means that when users try to access a system, they must provide additional authentication like an SMS or email passcode. Integrating LDAP with MFA is particularly useful in large organizations with complex access control requirements.
+
+
+## The Future of Secure Access: What to Expect for MFA?
+
+It’s almost certain that multi-factor authentication (MFA) will grow in popularity. Here’s what you can expect for MFA in the future:
+
+- **Biometric Integration**
+
+While biometric factors are already a part of MFA, they are expensive. However, market growth in biometric technology is projected to reach $55.42 billion by 2027, and including biometric sensors in mobile devices makes this technology more accessible than ever.
+
+- **Adaptive and Contextual Authentication**
+
+One downside of MFA is the friction it can add to the authentication experience. Multiple factors increase the likelihood of the user dropping off during the login process. Adaptive and Contextual MFA analyze patterns such as device use, location, and access times to dynamically increase the number of factors a user must go through to authenticate. If the system sees that the user is accessing his account from his personal computer from his usual IP address he may be presented with a single factor during authentication. If the user tries to authenticate from a different device and timezone, then additional factors may be provided to prove the user's identity.
+
+
+In short, the future of MFA is expected to be more integrated with a strong focus on context and biometrics.
+
+## Getting Started with MFA in 2023
+[SuperTokens MFA](https://supertokens.com/docs/mfa/introduction) offering allows you to add email/SMS-based OTP or magic link as a second factor with TOTP support.
+
+You can try out our [demo](https://supertokens.com/docs/mfa/introduction) that uses social login/email password as the first factor, and SMS OTP as the second factor. Here’s how:
+
+1. Clone the [GitHub demo](https://github.com/supertokens/supertokens-auth-react/tree/master/examples/with-thirdpartyemailpassword-2fa-passwordless) repository
+2. Install its dependencies
+3. Run the application using `npm run start`
+
+## Conclusion
+Traditional authentication methods have become susceptible to cyber attacks. MFA acts as a roadblock, making it exponentially harder for an attacker to compromise an account. For this reason, many companies have made MFA a requirement.
+SuperTokens is on a mission to make it easier for developers to add MFA capabilities to their applications.
+
diff --git a/content/connect-supertokens-to-database/index.md b/content/connect-supertokens-to-database/index.md
index adccc0a4..a24f9fb8 100644
--- a/content/connect-supertokens-to-database/index.md
+++ b/content/connect-supertokens-to-database/index.md
@@ -371,7 +371,7 @@ For this setup to work, we must connect SuperTokens and PostgreSQL via the host
- Run the SuperTokens docker image with the env var specifying the PostgreSQL connection URI:
```bash
- docker run \
+ docker run \
-p 3567:3567 \
--network=host \
-e POSTGRESQL_CONNECTION_URI="postgresql://supertokens_user:somePassword@192.168.1.1:5432/supertokens" \
@@ -488,7 +488,7 @@ For this setup to work, we must connect SuperTokens and PostgreSQL via the host
- Run the SuperTokens docker image with the env var specifying the PostgreSQL connection URI:
```bash
- docker run \
+ docker run \
-p 3567:3567 \
--network=host \
-e POSTGRESQL_CONNECTION_URI="postgresql://supertokens_user:somePassword@192.168.1.1:5432/supertokens" \
@@ -530,7 +530,7 @@ For this setup to work, we must connect SuperTokens and PostgreSQL via the host
- app_network
restart: unless-stopped
healthcheck:
- test: ['CMD', 'pg_isready']
+ test: ['CMD', 'pg_isready', '-U', 'supertokens_user', '-d', 'supertokens']
interval: 5s
timeout: 5s
retries: 5
diff --git a/content/demystifying-saml/index.md b/content/demystifying-saml/index.md
new file mode 100644
index 00000000..6d6e406e
--- /dev/null
+++ b/content/demystifying-saml/index.md
@@ -0,0 +1,111 @@
+---
+title: "Demystifying SAML: A Comprehensive Guide"
+date: "2024-01-16"
+description: "SAML is an authentication standard created to address the growing need of federated identity. In this blog we go over what SAML is and what makes it special."
+cover: "demystifying-saml.png"
+category: "featured"
+author: "Michiel Mulders"
+---
+
+
+
+
+SAML or the Security Assertion Markup Language was created in November 2002 to address the growing need for federated identity enabling users to access multiple applications and domains across multiple identity management systems.
+
+The standard quickly gained traction among companies looking to streamline application interoperability, increase security without sacrificing end-user usability.
+
+In this article we aim to demystify SAML by breaking down it's inner workings and benefits.
+
+## Understanding SAML: The Basics
+
+SAML, or Security Assertion Markup Language, is an open standard that enables secure, cross-domain communication for authentication and authorization. It lets users log in once and access multiple applications and services without repeatedly entering login credentials.
+
+
+### Step 1: Initiate the flow
+
+The SAML flow starts with a user attempting to access a service or application (SP). They are redirected to a centralized authentication system called the identity provider.
+
+### Step 2: Issuing an Assertion
+Once the idP has verified the credentials, it returns an assertion to the service provider. An assertion is like a digital certificate from the identity provider that contains information about the user, such as their identity and the access rights or roles they have.
+
+### Step 3: Validation
+Finally, the service provider receives the assertion and determines if the user should get access and what resources they can access based on their roles.
+
+
+In short, SAML provides users with fast and seamless access to services without prompting for an email, username, or password. They only need to log in once to access a plentitude of applications or services that are connected to the same identity provider.
+
+## How SAML works: Under the hood
+
+Let's dive one level deeper into SAML and how the XML-based standard works.
+
+Below is an example of a SAML authentication request sent from a service provider to an identity provider, requesting to authenticate a user.
+
+```xml
+
+ https://myService/metadata.php
+
+
+ urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+
+
+
+```
+
+Let's break down this request.
+- **`samlp:AuthnRequest`**: This root element of the XML request indicates the start of a SAML protocol message.
+- Attributes of `samlp:AuthnRequest`:
+ - `ID`: Unique identifier to distinguish it from other requests
+ - `Version`: Specifies which version of the SAML standard we want to use. The latest version is 2.0.
+ - `ProviderName`: Identifies the service provider sending the request, here labeled as “SP authHeroes”.
+ - `IssueInstant`: Datetime to timestamp when the request was sent.
+ - `Destination`: Lists the identity provider’s SSO service where the request is being sent.
+ - `ProtocolBinding`: Specifies the protocol to be used for the identity provider’s response. In this case, we want to use a HTTPS POST request.
+ - `AssertionConsumerServiceURL`: Specifies the URL where the service provider expects a response from the identity provider.
+- **`saml:Issuer`**: Lists a URL containing metadata to uniquely identify the service provider.
+- **`samlp:NameIDPolicy`**: The service provider and identity provider can agree upon an identifier for the user’s account. In this case, the email address represents the user who’s being authenticated. If omitted, any type of identifier can be used.
+
+This is a basic example of an authentication request a service provider can send to an identity provider. To prove authenticity, you can expand an authentication request with many more attributes like signatures or certificates.
+
+In total, the SAML 2.0 specification consists of 86 pages of technical details. If you want to look up specific elements or give it a read, you can find it under [docs.oasis-open.org](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf).
+
+
+## Understanding the SAML Workflow
+
+To better understand the SAML workflow, let’s set the stage with Alice wanting to request a Google Drive resource. Alice is an employee of company X and logs in to their employee identity provider. Now, Alice can access various applications like Expensify, Google Drive, or Asana.
+
+When Alice selects the file she wants to open via Google Drive in the dashboard, she can immediately access it. But how? Let’s explore the SAML workflow to understand better why Alice can access the resource directly from her company dashboard.
+
+**Step 1: User Access Request**
+It all starts with the Alice wanting to access a Google Drive resource.
+
+**Step 2: Redirect to Identity Provider**
+If Alice is not authenticated, the login request is forwarded to the identity provider. This request uses the SAML request format, as seen in the example in the previous section.
+
+**Step 3: Authentication at Identity Provider**
+The identity provider will check if Alice is logged in or not. If not, Alice has to log in first. Once logged in, the identity provider will return Alice’s identity and authorization level for Google Drive (service).
+
+**Step 4: Assertion Transfer to Service Provider**
+Do you remember the `AssertionConsumerServiceURL` field in our sample authentication request? The assertion is returned to Google Drive, listed at the `AssertionConsumerServiceURL`. This digital certificate contains the user’s information, authentication level, and roles.
+
+**Step 5: Service Provider Validates Assertion**
+Once Google Drive has received the assertion request, it will validate if the request came from a trusted identity provider based on the attached keys and signatures. Using this information, a service provider can check the authenticity of the assertion.
+
+**Step 6: Grant Access to the User**
+Now that Google Drive is sure that they can trust the identity provider and the request hasn’t been tampered with, Alice is granted access. Google Drive determines whether Alice can view the file based on the returned authorization level, role, or attributes.
+
+
+## SAML: The Benefits
+Let’s list the benefits of using SAML for authentication:
+
+- **Enhanced security**: By centralizing authentication, you are reducing the attack vector. Additionally, organizations don’t have to store user passwords, which decreases their liabilities.
+- **Scalability**: Service providers can decide to quickly add new services to their offering, using the same login system. There’s no need for significant changes when adding more services.
+- **Improved user experience**: Users can log in faster and can avoid password fatigue.
+- **Improved compliance and reporting**: Auditing user access requests and activities across multiple services is more straightforward.
+
+
+## SAML vs OAuth 2.0
+
+Both SAML and OAuth allow users to access multiple applications with a single sign on, but, the difference is that OAuth is easier to use and also gives an access token that can be used to call APIs on the identity provider to read/write on the user's behalf. SAML does not have this ability but tends to be the ideal choice for secure access to sensitive data in organizations such as healthcare or government due to the baked in encryption. OAuth relies on SSL/TLS protocols for security. You can learn more about [SAML vs OAuth here](https://supertokens.com/blog/saml-vs-oauth).
+
+## Conclusion
+SAML's flexibility and scalability make it an ideal choice for organizations of all sizes. Whether it's streamlining access to multiple applications or ensuring secure authentication, SAML is a versatile authentication protocol that can be employed in various use cases. In short, SAML offers a more secure, efficient, and interconnected digital future.
diff --git a/content/demystifying-saml/what-is-SAML.png b/content/demystifying-saml/what-is-SAML.png
new file mode 100644
index 00000000..1ee850f6
Binary files /dev/null and b/content/demystifying-saml/what-is-SAML.png differ
diff --git a/content/localstorage-vs-session-storage/gotcha_covered.gif b/content/localstorage-vs-session-storage/gotcha_covered.gif
new file mode 100644
index 00000000..40b06d2e
Binary files /dev/null and b/content/localstorage-vs-session-storage/gotcha_covered.gif differ
diff --git a/content/localstorage-vs-session-storage/index.md b/content/localstorage-vs-session-storage/index.md
new file mode 100644
index 00000000..535aa593
--- /dev/null
+++ b/content/localstorage-vs-session-storage/index.md
@@ -0,0 +1,97 @@
+---
+title: "Unveiling the Intricacies of Local Storage and Session Storage"
+date: "2024-01-17"
+description: "In this blog we delve into the workings of Local and Session storage breaking down the nuances that set them apart"
+cover: "localstorage-vs-session-storage.png"
+category: "programming"
+author: "Mostafa Ibrahim"
+---
+
+## Introduction
+
+In this post, we're going to delve into the workings of Local and Session Storage. We aim to unravel not just their definitions, but more importantly, the nuances that set them apart. As developers, understanding these differences is crucial, akin to a carpenter knowing when to use a hammer versus a screwdriver.
+
+For developers grappling with the choice between Local Storage and Session Storage, don’t worry, we've got you covered.
+
+
+
+## What are Local storage & session storage?
+
+Local Storage and Session Storage are two types of web storage that offer different ways of managing data in a web browser.
+
+**Local Storage** is akin to etching data onto a stone tablet. Once stored, it persists across browser restarts and computer reboots, remaining until it's explicitly removed by the user or through the clearing of the browser storage. Key uses include:
+
+- **Token Storage for Authentication:** Web applications store authentication tokens in Local Storage, allowing users to remain logged in across browser restarts.
+- **Shopping Cart Data:** E-commerce sites use Local Storage to keep shopping cart items even if the browser tab is closed.
+
+An important aspect of Local Storage is its capacity limit, which is usually about 5MB. It's also accessible only on the client side and is not secure for sensitive data. A more secure alternative for storing sensitive user data would be by using backend cookies, which prevents malicious XSS attacks notably due to their httpOnly flag. The httpOnly flag ensures that the cookie's information is not readable by the client side JS, and instead only readable by the backend server that set them. You can learn more about cookies and how they compare to localstorage in our [comparison blog](https://supertokens.com/blog/cookies-vs-localstorage-for-sessions-everything-you-need-to-know).
+
+**Session Storage** is more temporary, like a sandcastle. It holds data until that tab is kept alive. This means, that if the browser restarts, or if the tab is closed and new tab is opened, the sessionStorage for that page will be empty.. It's useful for:
+
+ - **Form Data in Progress**: Temporarily saving user inputs in forms across page refreshes or navigations (within the same browser tab).
+- **Temporary User Preferences**: Storing temporary settings or preferences during a single browser session, like filter settings on an e-commerce site.
+
+Unlike Local Storage, Session Storage data is tab-specific. If you open the same site in two different tabs, they will each have their own separate Session Storage. This makes it ideal for situations where you don’t want data to persist across multiple tabs.
+
+Both Local and Session Storage provide a simple and efficient way to store data on the client side without frequent server trips. However, due to their limitations in security and capacity, it’s crucial to use them judiciously and not for storing sensitive information.
+
+
+| Feature | Local Storage | Session Storage |
+|--- |--- |--- |
+| Persistence | Data persists across browser restarts | Data is cleared when the page session ends (typically when the browser tab is closed) |
+| Capacity | 5 MB | 5 MB |
+| Use cases | Token Storage, Shopping Carts | Form Data, Temporary User Preferences |
+| Expiration | Data does not expire; must be cleared manually or via script | Data expires automatically when the session ends. |
+
+
+## Common Mistakes
+Now, let's talk about the digital Houdinis who bypass the persistence of Local and Session Storage. Sometimes, in an effort to be clever, developers or users might inadvertently make the application insecure or behave unexpectedly.
+
+### Common Mistakes for Local Storage
+- **Not Managing Stored Data Over Time:** Unlike Session Storage, Local Storage data remains until explicitly removed. A common error is not managing or cleaning up this data over time, leading to unnecessary bloat and potential performance issues.
+
+- **Assuming Session-Like Behavior:** Some developers mistakenly assume that data in Local Storage is tied to a session and will clear when the browser or tab closes. This misunderstanding can lead to privacy issues, as sensitive data such as passwords or credit card information might be left accessible on a shared or public computer.
+
+- **Over-reliance on State Management:** Using Local Storage extensively for managing application state can lead to complex synchronization issues, especially in dynamic applications where the state changes frequently. On the bright side, specialized frameworks such as Redux can be helpful in managing state in ReactJS based applications.
+
+
+## Common Mistakes for Session Storage
+- **Expecting Cross-Tab Persistence:** A key misunderstanding about Session Storage is expecting it to share data across tabs or windows. Data stored in Session Storage is only accessible in the window or tab where it was set, which can lead to confusion or data inconsistencies in applications opened in multiple tabs.
+
+- **Using for Long-Term Storage:** Since Session Storage is designed for data that only needs to persist during a single page session, using it for long-term data storage goes against its purpose. This can lead to data being lost unexpectedly when the browser or tab is closed.
+
+## Security Considerations
+
+When diving into the world of web storage, it's crucial to swim with caution, especially when it comes to security. Local Storage and Session Storage, while handy, open up a Pandora's box of security vulnerabilities, notably cross-site scripting (XSS) risks.
+
+### Understanding XSS Dangers
+An XSS attack occurs when a web application unwittingly includes untrusted data in a webpage, allowing attackers to inject malicious scripts into a web application. This is particularly concerning for Local and Session Storage, as they can become unwitting storage lockers for such harmful scripts. The following are three prominent real-life XSS attacks that occurred in the past two decades:
+
+
+- In 2010, YouTube faced a major XSS vulnerability where attackers injected malicious JavaScript into video comments, disrupting user experience and prompting security warnings. [Source](https://www.acunetix.com/blog/articles/dangerous-xss-vulnerability-found-on-youtube-the-vulnerability-explained/)
+
+- In late 2015, eBay's unvalidated URL parameter led to an XSS attack, enabling hackers to access seller accounts and steal payment details, with continued related attacks until 2017. [Source](https://brightsec.com/blog/xss-attack/#:~:text=Here%20are%20common%20examples%3A,users%20and%20use%20their%20accounts)
+
+- In 2018, Magecart hackers exploited an XSS flaw in British Airways' website, redirecting customer data to a fake server, leading to credit card skimming in 380,000 transactions. [Source](https://brightsec.com/blog/xss-attack/#:~:text=Here%20are%20common%20examples%3A,users%20and%20use%20their%20accounts)
+
+```
+function validateInput(inputText) {
+ // Regular expression to match only letters, numbers, and basic punctuation (.,!?)
+ var pattern = /^[a-zA-Z0-9 .,!?]+$/;
+
+ // Validate the input text
+ return pattern.test(inputText);
+}
+```
+
+Think of it as a bouncer checking IDs at a club. Ensure that only the right data gets through.
+
+
+
+
+
+Next, employ [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) (CSP) which acts as a set of rules, dictating what's allowed and what's not in your webpage. The exact content that is allowed depends on the policies you define. One key feature of CSP is the ability to dictate which domains are allowed to serve JavaScript files. This control is crucial as it ensures that scripts are only loaded from trusted sources, significantly reducing the risk of malicious script injection. Similarly, CSP allows you to specify which domains can provide CSS files. By doing so, you ensure that only approved styles from trusted sources are applied to your site.
+
+## Conclusion
+
+To sum up, effective use of Local and Session Storage is key in web development. Local Storage is best for long-term data, while Session Storage suits temporary, session-specific data. When dealing with local and session storage don’t forget to avoid common mistakes like mismanaging data and overlooking security risks, especially XSS attacks when building your app. Remember to include proper data handling, including both validation and encryption, as this is crucial for secure and efficient web applications. Mastering these tools ensures a better, safer user experience.
diff --git a/content/localstorage-vs-session-storage/name_on_list.gif b/content/localstorage-vs-session-storage/name_on_list.gif
new file mode 100644
index 00000000..95f96b52
Binary files /dev/null and b/content/localstorage-vs-session-storage/name_on_list.gif differ
diff --git a/content/multi-tenancy-in-2024/advantages-of-multi-tenancy.png b/content/multi-tenancy-in-2024/advantages-of-multi-tenancy.png
new file mode 100644
index 00000000..2d5a69fe
Binary files /dev/null and b/content/multi-tenancy-in-2024/advantages-of-multi-tenancy.png differ
diff --git a/content/multi-tenancy-in-2024/index.md b/content/multi-tenancy-in-2024/index.md
new file mode 100644
index 00000000..38000a6d
--- /dev/null
+++ b/content/multi-tenancy-in-2024/index.md
@@ -0,0 +1,50 @@
+---
+title: Multi-Tenant Authentication in 2024
+date: "2023-12-01"
+description: "Multi-tenant systems allow a single instance of a software application to serve multiple different tenants. This allows for a number of benefits that will be explored in this blog"
+cover: "multi-tenancy-in-2024.png"
+category: "programming"
+author: "Mostafa Ibrahim"
+---
+
+## Introduction
+
+Multi-tenancy refers to a scenario where a single instance of a software application serves multiple tenants (customers or users from different organizations). Each tenant operates in a self-contained environment with its own set of data, configurations, and user management, unaware of other tenants sharing the same infrastructure. Multi-tenancy enables large organizations to manage the data of their numerous customers securely and efficiently. Imagine a large apartment complex where each apartment unit represents a separate company. Though housed under the same roof, each apartment has its own set of keys, its own set of rules, and its own living space.
+
+Similarly, in the digital realm, multi-tenancy allows different groups or companies to use the same software application while retaining their own data and rules. Each of these groups is referred to as a 'tenant.' The beauty of multi-tenancy lies in its ability to ensure data privacy, security, and a tailored experience for each tenant while efficiently sharing the underlying software infrastructure and resources. It's like having your own personalized space in a large, shared structure, blending the best of both worlds!
+
+## Single-tenancy Vs. Multi-tenancy
+In a single-tenancy architecture, each customer has their own independent instance of the software application and the accompanying database. Each instance is isolated from others, providing a high level of data security and customization.
+
+
+
+In contrast, a multi-tenancy architecture hosts a single instance of the software application that serves multiple customers (tenants). All tenants share the same underlying infrastructure and application instance, but their data is securely isolated from each other within the same database.
+
+
+
+The image above presents a visual comparison between single-tenancy and multi-tenancy architectures. In the single-tenancy architecture, we see that each tenant has an exclusive setup. Here, 'Tenant 1' is assigned 'Instance 1', which operates on its own dedicated database 'DB 1'. This setup is typical of single-tenancy, where each client’s data and application instance are separate, providing a high level of security and the ability for deep customization.
+
+## Why Is Multi-tenancy Useful?
+
+
+
+So the question arises, why exactly do enterprises and SaaS-based companies gain from implementing the multi-tenancy feature?
+
+### Cost Efficiency
+Shared infrastructure significantly drives down operational and maintenance expenses. SuperTokens [achieved a 50% reduction in AWS infrastructure](https://supertokens.com/blog/how-we-cut-our-aws-costs) costs by migrating to a multi-tenant SaaS architecture.
+
+### Provides Better Scalability
+Centralizing the management of resources, allows companies to easily support an expanding customer base. The architecture's design means that scaling doesn't entail a proportional increase in costs, as their infrastructure is shared across multiple tenants.
+
+For SuperTokens, [the switch to a multi-tenant sped up the provisioning of infrastructure by 94%](https://supertokens.com/blog/how-we-cut-our-aws-costs-part-2), making the creation of new users or applications remarkably faster and more efficient.
+
+### Better Operational Efficiency
+Multi-tenancy simplifies the way we manage software systems. Instead of juggling multiple separate instances for different users or groups, it brings everything under one roof.
+
+
+
+Moreover, upgrades and patches need to be made on an order of magnitude fewer instances since each instance is now shared amongst a much larger set of users. Updates are applied once to the shared instance, ensuring uniformity and reducing the number of instances that need maintenance. This not only makes things less complicated but also saves a lot of time. Imagine having one key that securely opens every door in a building, rather than a different key for each room.
+
+## Conclusion
+Multi-tenancy streamlines how companies manage and scale their applications, offering both cost efficiency and operational simplicity. With shared infrastructure, updates and maintenance become streamlined, saving time and resources. This approach not only ensures secure, personalized experiences for each tenant but also significantly boosts overall efficiency. Ultimately, multi-tenancy offers a harmonious balance between customized user experiences and streamlined management, marking it as a cornerstone of modern, efficient software architecture.
+
diff --git a/content/multi-tenancy-in-2024/isolated-alone.gif b/content/multi-tenancy-in-2024/isolated-alone.gif
new file mode 100644
index 00000000..283fc8ae
Binary files /dev/null and b/content/multi-tenancy-in-2024/isolated-alone.gif differ
diff --git a/content/multi-tenancy-in-2024/one-roof.gif b/content/multi-tenancy-in-2024/one-roof.gif
new file mode 100644
index 00000000..6c8c9575
Binary files /dev/null and b/content/multi-tenancy-in-2024/one-roof.gif differ
diff --git a/content/multi-tenancy-in-2024/single-vs-multi-tenancy.png b/content/multi-tenancy-in-2024/single-vs-multi-tenancy.png
new file mode 100644
index 00000000..617f11fd
Binary files /dev/null and b/content/multi-tenancy-in-2024/single-vs-multi-tenancy.png differ
diff --git a/content/understanding-captcha/Captcha_3.png b/content/understanding-captcha/Captcha_3.png
new file mode 100644
index 00000000..f5b68176
Binary files /dev/null and b/content/understanding-captcha/Captcha_3.png differ
diff --git a/content/understanding-captcha/captcha_1.png b/content/understanding-captcha/captcha_1.png
new file mode 100644
index 00000000..55631816
Binary files /dev/null and b/content/understanding-captcha/captcha_1.png differ
diff --git a/content/understanding-captcha/captcha_2.png b/content/understanding-captcha/captcha_2.png
new file mode 100644
index 00000000..3ea8ab65
Binary files /dev/null and b/content/understanding-captcha/captcha_2.png differ
diff --git a/content/understanding-captcha/captcha_4.png b/content/understanding-captcha/captcha_4.png
new file mode 100644
index 00000000..e2856e10
Binary files /dev/null and b/content/understanding-captcha/captcha_4.png differ
diff --git a/content/understanding-captcha/google-recaptcha.gif b/content/understanding-captcha/google-recaptcha.gif
new file mode 100644
index 00000000..e2e8a5d7
Binary files /dev/null and b/content/understanding-captcha/google-recaptcha.gif differ
diff --git a/content/understanding-captcha/hcaptcha.png b/content/understanding-captcha/hcaptcha.png
new file mode 100644
index 00000000..c0929422
Binary files /dev/null and b/content/understanding-captcha/hcaptcha.png differ
diff --git a/content/understanding-captcha/index.md b/content/understanding-captcha/index.md
new file mode 100644
index 00000000..be4a2a58
--- /dev/null
+++ b/content/understanding-captcha/index.md
@@ -0,0 +1,116 @@
+---
+title: "Navigating the Complex World of CAPTCHA Technology in Authentication"
+date: "2024-01-30"
+description: "What is Captcha? Why is it needed? In this blog we will answer these questions and more"
+cover: "understanding-captcha.png"
+category: "programming"
+author: "Mostafa Ibrahim"
+---
+
+## Introduction
+Ever wondered, 'What is CAPTCHA?' CAPTCHA (or more accurately CAPTTTCHA), standing for Completely Automated Public Turing Test to Tell Computers and Humans Apart, is a technology specifically developed to enhance web security.
+
+The core purpose of CAPTCHA is to differentiate between human users and automated bots on the internet. This distinction is crucial in preventing spam and automated data extraction, and in securing online polls, registrations, and e-commerce transactions.
+
+So how does Captcha work exactly? CAPTCHAs challenge users with tasks that are easy for humans but difficult for computers, such as recognizing distorted text or identifying objects in images.
+
+
+
+By doing so, they serve as a gatekeeper, ensuring that online interactions and services are used by real people, thereby maintaining the integrity and security of websites.
+
+## The Evolution of CAPTCHA Technology
+
+### Text-Based CAPTCHAs: The Early Days
+When CAPTCHAs first entered the scene, they were fairly straightforward text-based puzzles. These early CAPTCHAs were like the first level of a video game, where the challenge was to read distorted text.
+
+Technically, this was done using algorithms that twisted or overlaid lines onto text, sort of like putting a puzzle together but with letters and numbers. This was tricky enough to confuse basic computer programs, which weren't very good at recognizing these jumbled characters, but sadly they do work no longer.
+
+
+
+## Image-Based CAPTCHAs: A New Level of Complexity
+
+But as in any game, as the player(bot) gets better, a new level of complexity is introduced to the game. Why do we need to do that? Because computers got smarter. Forcing the introduction of something called Optical Character Recognition (OCR).
+
+The thought process then shifted to a compelling question: "If computers have mastered text recognition, can they similarly navigate the complexities of image interpretation?" And thus, image-based CAPTCHAs were born. These new challenges were like asking, "Can you find the cat in a picture of a living room?" Easy for humans, but surprisingly tough for computers.
+
+
+
+
+These image CAPTCHAs work because computers, while good at reading, weren't great at understanding complex images. Think of these as giving computers a pair of glasses and a detective hat, but the glasses are a bit foggy, and the hat doesn't quite fit. So, computers struggled to distinguish between a tree and a lamp post, for example.
+
+### AudioBased CAPTCHAs: Deciphering Sounds in Digital Security
+As for audio CAPTCHAs, imagine trying to listen to a given sentence, but with lots of background noise. The audio CAPTCHAs do something similar to that of CAPTCHAs with numbers and letters by adding noise to the audio message, making it hard for computers, which were just starting to get the hang of clean and clear audio, to decipher the jumbled sounds.
+
+
+
+In recent years, CAPTCHA puzzles have become even trickier, almost like boss levels in games. They now adapt based on how you interact with them, constantly changing the rules of the game to keep the computers guessing.
+
+For instance, if a user successfully solves a few simple image-based CAPTCHAs, the system might then present more complex puzzles, perhaps featuring images with subtle distinctions or a higher level of visual noise.
+
+Similarly, if a user struggles with a particular type of CAPTCHA, the system may offer a different style, like switching from a text-based puzzle to an image recognition task. This dynamic adjustment makes it increasingly difficult for automated programs to predict and prepare for the next challenge.
+
+One thing that we can say for sure is that with the rising complexity of CAPTCHAs, there's a growing sentiment that these challenges are becoming a bit tough for humans as well, or at least we could say that when it comes to solving such tricky CAPTCHAs, well…
+
+
+
+## Analysis of Current CAPTCHA Systems
+
+### Google’s ReCAPTCHA
+Modern CAPTCHA systems, exemplified by Google's reCAPTCHA and hCaptcha, showcase an advanced blend of technology and psychology to distinguish between human users and automated bots. These systems have evolved from simple text or image recognition tasks to more sophisticated, user-behavior-based challenges.
+
+
+
+Let's start with Google's reCAPTCHA. It's like a cyber detective, constantly observing how a user interacts with a website. The most recent version, reCAPTCHA v3, operates quietly in the background, scoring each user's interaction with a website on a scale of 0.0 to 1.0. This score reflects the likelihood of the user being human. A score closer to 1.0 suggests a human user, while a score leaning toward 0.0 raises red flags about potential bot activity.
+
+How does it determine this score? reCAPTCHA v3 employs advanced risk analysis algorithms that analyze various parameters of user behavior. These include mouse movements, typing patterns, and even how quickly a user clicks on things. For instance, a user rapidly clicking through pages or moving the mouse in unnatural, predictable patterns might score lower, triggering a CAPTCHA challenge.
+
+### hCaptcha
+
+
+
+
+In contrast, hCaptcha, another popular system, focuses more on image-based tasks while also considering user behavior. When a user encounters an hCaptcha, they might be asked to identify specific objects in images. But here's the technical kicker: the decision to present a CAPTCHA, and its complexity, is influenced by the user's previous interactions on the site and across the web.
+
+
+
+Behind the scenes, both systems are constantly processing a wealth of data. They look at things like IP addresses, session duration, and even the hardware and software being used. For example, a user with a brand-new IP address, or one known for spammy behavior, might be more likely to face a CAPTCHA challenge.
+
+### Is it possible to bypass hCaptcha and reCaptcha?
+
+Despite both ReCaptcha’s and hCaptcha's efficiency in distinguishing between humans and bots, it is not impervious to sophisticated AI technologies like Metabypass.
+
+Metabypass leverages deep learning and superior image recognition capabilities to swiftly decode hCaptcha's puzzles, offering accurate solutions in just a few seconds.
+
+This advancement allows users to bypass the Captcha process, granting quicker access to websites without the need to manually solve the challenges.
+
+## User Experience, Accessibility, and Technical Trade-offs
+
+CAPTCHAs, while crucial for website security, significantly impact both website performance and user experience.
+
+### CAPTCHAs and User Experience
+
+From a user experience perspective, CAPTCHAs can be a source of frustration. Traditional text-based CAPTCHAs, notorious for their hard-to-read text, could take users an average of 10 seconds to solve. This interruption, though seemingly brief, can disrupt the user's flow, particularly in scenarios requiring quick interactions, like during checkouts in online shopping.
+
+### CAPTCHAs and Technical TradeOffs
+
+Technically, integrating a CAPTCHA system can affect a site's load time and user interaction flow. For instance, implementing Google's reCAPTCHA might add an additional network request to Google's servers, potentially increasing page load time by several hundred milliseconds.
+
+While this may seem minor, in the realm of web performance, where fast load times are crucial for user retention, even a small delay can impact user satisfaction. Research has shown that a delay of even a second can lead to a 7% reduction in conversions.
+
+### CAPTCHAs and Accessibility
+
+The issue of accessibility in CAPTCHAs presents a complex technical challenge. Traditional text or image-based CAPTCHAs are not suitable for visually impaired users. Although audio CAPTCHAs offer an alternative, they are not always effective for users with hearing impairments or those who struggle with the language in which the CAPTCHA is presented. Designing a CAPTCHA system that is universally accessible, yet secure against automated attacks, is a significant technical hurdle.
+
+### The Future of CAPTCHA: Technical Predictions and Innovations
+
+In the near future of CAPTCHA technology, we're likely to witness a fascinating shift. The trajectory of making CAPTCHAs increasingly complex to outsmart bots has reached a critical point where it's starting to backfire - these CAPTCHAs are becoming too challenging even for humans. This predicament paves the way for the integration of machine learning (ML) to bring balance and efficiency to the CAPTCHA experience.
+
+Another area of innovation could be the integration of biometric data into CAPTCHA systems. As facial recognition and fingerprint technology become more prevalent, we could see CAPTCHAs that ask users to verify their identity through a quick biometric scan. This approach, while raising potential privacy concerns, could offer a more seamless user experience and enhanced security.
+
+## Conclusion and Final Thoughts
+So the question that arises: “Should we actually use CAPTCHAs in our websites?” The core issue with CAPTCHAs lies in their inverse relationship with user experience and accessibility. Essentially, there's a tug-of-war between making CAPTCHAs robust enough to thwart bots and making them user-friendly.
+
+For instance, simplifying CAPTCHAs to enhance user experience can inadvertently make them more vulnerable to automated attacks. On the flip side, complex CAPTCHAs that are difficult for bots to solve can also pose significant challenges for users, particularly in terms of time and effort.
+
+One thing that is clear is that a single solution does not fit all scenarios, especially in the context of CAPTCHAs. As a software developer, it's important to carefully consider both sides of this security equation. Sometimes, imposing such restrictions through CAPTCHAs may not be very beneficial and could even hinder the user experience. However, there are also instances where not using CAPTCHAs could lead to disastrous outcomes, such as increased vulnerability to automated attacks and security breaches. The decision to implement CAPTCHAs should be based on a thoughtful assessment of the specific needs and risks associated with your platform.
+
diff --git a/content/understanding-captcha/it-aint-easy.png b/content/understanding-captcha/it-aint-easy.png
new file mode 100644
index 00000000..13d0c2ec
Binary files /dev/null and b/content/understanding-captcha/it-aint-easy.png differ
diff --git a/content/understanding-captcha/will-smith-meme.png b/content/understanding-captcha/will-smith-meme.png
new file mode 100644
index 00000000..33b2499a
Binary files /dev/null and b/content/understanding-captcha/will-smith-meme.png differ
diff --git a/content/what-is-credential-stuffing/credential_stuffing_process.png b/content/what-is-credential-stuffing/credential_stuffing_process.png
new file mode 100644
index 00000000..2ef59a36
Binary files /dev/null and b/content/what-is-credential-stuffing/credential_stuffing_process.png differ
diff --git a/content/what-is-credential-stuffing/index.md b/content/what-is-credential-stuffing/index.md
new file mode 100644
index 00000000..03a2d4a7
--- /dev/null
+++ b/content/what-is-credential-stuffing/index.md
@@ -0,0 +1,49 @@
+---
+title: "What is Credential Stuffing?"
+description: "Most people are familiar with brute force attacks, where attackers attempt to guess passwords using characters at random paired with common password suggestions, but what is Credential Stuffing? In this we will go over this type of attack and how you can safeguard against it."
+date: "2024-02-13"
+cover: "what-is-credential-stuffing.png"
+category: "programming"
+author: "Joel Coutinho"
+---
+
+## Introduction
+
+The early 2000's saw a large number of brute force attacks. Attackers would employ bots to generate passwords and try to gain access to user accounts. They would also employ a dictionary of commonly used passwords to supplement the attack. Back then, users would employ simple passwords, that were easy to guess. Over the years websites began to institute password policies, forcing users to generate unique passwords between 8-12 characters, with numerals and special characters. This drastically lowered the success rate of brute force attacks. The problem that remains is that most users tend to reuse passwords across accounts. This makes users susceptible to an attack known as Credential Stuffing.
+
+Credential Stuffing is a cyberattack method where attackers try to gain unauthorized access to user accounts by using lists of stolen usernames and passwords. It is similar to a brute force attack in the way attackers leverage automated scripts and tools to systemically to enter usernames and passwords, but, builds on it by using credentials stolen from database leaks hoping these users have reused the same login credentials across different services substantially increasing the success rate.
+
+## How Does Credential Stuffing Work?
+
+
+### Step 1 Obtaining Credentials
+The last decade has seen a record number of [database breaches](https://www.upguard.com/blog/biggest-data-breaches-us), with millions of users credentials being exposed. This makes it trivial for attackers and cybercriminals to get access to usernames and passwords.
+
+### Step 2 Automated Attacks
+Leveraging scripts to automate the process of logging into various online platforms using the stolen credentials is not new and has been done for decades, but, over the last decade websites have implemented measures to prevent against these attacks like captchas, ip blacklisting etc... There are now a [number of tools](https://pentestmag.com/credential-stuffing-2022-the-latest-attack-trends-and-tools/) to streamline the process of credential stuffing.
+
+### Step 3: Mass Login Attempts
+Paired with these tools are a hosts of bots known as botnets, which allow attackers to conduct thousands or even millions of login attempts in a short period, exploiting the tendency of users to reuse passwords across multiple accounts.
+
+### Step 4: Account Takeover
+Once the stolen credentials match an existing account, the attacker gains unauthorized access, potentially leading to identity theft, financial loss, or other malicious activities.
+
+## How to Protect Against Credential Stuffing?
+
+### Use Unique Passwords:
+
+Avoid using the same password across multiple accounts. Instead, use a unique, strong password for each online service or platform. Employ password management tools to generate and store complex passwords securely. These tools can also help in detecting and replacing compromised credentials.
+
+### Enable Multi-Factor Authentication (MFA):
+Implement MFA wherever possible. This adds an extra layer of security by requiring users to provide additional verification beyond a password, such as a code sent to their phone.
+
+### Captcha and bot detection
+Implementing Captcha and IP blacklisting bot networks can act as an excellent deterrent to credential stuffing attacks
+
+### Monitor and Detect Anomalies:
+ Regularly monitor your accounts for any unusual activities, such as unrecognized login attempts or changes to account settings.
+
+## Conclusion
+Credential stuffing poses a significant threat to individuals and organizations alike, leveraging the lax security habits of users who reuse passwords across multiple accounts. By understanding how credential stuffing works and implementing robust security measures such as unique passwords, password managers, and multi-factor authentication, users can fortify their defenses against this pervasive threat.
+
+In an era where digital security is paramount, proactive steps to protect against credential stuffing are essential. By staying vigilant and adopting best practices, individuals and businesses can mitigate the risks posed by credential stuffing and safeguard their valuable online assets. Remember, securing your accounts is not just about protecting your data—it's about safeguarding your digital identity in an increasingly interconnected world.
diff --git a/src/authors-details.js b/src/authors-details.js
index 8cc76d8e..bfd0d3e8 100644
--- a/src/authors-details.js
+++ b/src/authors-details.js
@@ -15,5 +15,17 @@ module.exports = [{
},
],
bio:
- "I am a content writer at SuperTokens. I have also contributed to the SuperTokens core, all the backend SDKs, and the developer docs.",
+ "Software dev and content lead at SuperTokens. Contributed to the SuperTokens core, backend SDKs, and developer documentation.",
+},{
+ name: "Michiel Mulders",
+ jobTitle: "Web3 Developer Advocate",
+ image: "michel.jpg",
+ socials: [
+ {
+ name: "twitter",
+ url: "https://twitter.com/michiel_mulders",
+ },
+ ],
+ bio:
+ "Michiel Mulders is a Web3 developer advocate skilled in creating engaging tech tutorials. He specializes in documentation strategy and video content.",
},]
diff --git a/static/author_images/michel.jpg b/static/author_images/michel.jpg
new file mode 100644
index 00000000..b64f4607
Binary files /dev/null and b/static/author_images/michel.jpg differ
diff --git a/static/blog-meta-images/access-control-for-modern-web-applications.png b/static/blog-meta-images/access-control-for-modern-web-applications.png
new file mode 100644
index 00000000..d6694ba8
Binary files /dev/null and b/static/blog-meta-images/access-control-for-modern-web-applications.png differ
diff --git a/static/blog-meta-images/benefits-of-multi-factor-authentication.png b/static/blog-meta-images/benefits-of-multi-factor-authentication.png
new file mode 100644
index 00000000..a2a3e0c6
Binary files /dev/null and b/static/blog-meta-images/benefits-of-multi-factor-authentication.png differ
diff --git a/static/blog-meta-images/demystifying-saml.png b/static/blog-meta-images/demystifying-saml.png
new file mode 100644
index 00000000..a0911f19
Binary files /dev/null and b/static/blog-meta-images/demystifying-saml.png differ
diff --git a/static/blog-meta-images/localstorage-vs-session-storage.png b/static/blog-meta-images/localstorage-vs-session-storage.png
new file mode 100644
index 00000000..2d8c92b9
Binary files /dev/null and b/static/blog-meta-images/localstorage-vs-session-storage.png differ
diff --git a/static/blog-meta-images/multi-tenancy-in-2024.png b/static/blog-meta-images/multi-tenancy-in-2024.png
new file mode 100644
index 00000000..0e6c0f2d
Binary files /dev/null and b/static/blog-meta-images/multi-tenancy-in-2024.png differ
diff --git a/static/blog-meta-images/understanding-captcha.png b/static/blog-meta-images/understanding-captcha.png
new file mode 100644
index 00000000..59d97fec
Binary files /dev/null and b/static/blog-meta-images/understanding-captcha.png differ
diff --git a/static/blog-meta-images/what-is-credential-stuffing.png b/static/blog-meta-images/what-is-credential-stuffing.png
new file mode 100644
index 00000000..880e1794
Binary files /dev/null and b/static/blog-meta-images/what-is-credential-stuffing.png differ
diff --git a/static/blog-seo/config.json b/static/blog-seo/config.json
index 048ad64a..d69dbb3f 100644
--- a/static/blog-seo/config.json
+++ b/static/blog-seo/config.json
@@ -739,17 +739,182 @@
"",
"",
"",
- "",
+ "",
"",
"",
"",
"",
- "",
+ "",
"",
" ",
""
],
"title": "What is TOTP and why do you need it?",
"schema": ""
+ },
+ {
+ "path": "/blog/access-control-for-modern-web-applications",
+ "metaTags": [
+ " ",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ " ",
+ ""
+ ],
+ "title": "Access Control for modern web applications",
+ "schema": ""
+ },
+ {
+ "path": "/blog/multi-tenancy-in-2024",
+ "metaTags": [
+ " ",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ " ",
+ ""
+ ],
+ "title": "Multi-Tenant Authentication in 2024",
+ "schema": ""
+ },
+ {
+ "path": "/blog/benefits-of-multi-factor-authentication",
+ "metaTags": [
+ " ",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ " ",
+ ""
+ ],
+ "title": "The Multifaceted Benefits of Multi-Factor Authentication",
+ "schema": ""
+ },
+ {
+ "path": "/blog/demystifying-saml",
+ "metaTags": [
+ " ",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ " ",
+ ""
+ ],
+ "title": "Demystifying SAML: A Comprehensive Guide",
+ "schema": ""
+ },{
+ "path": "/blog/localstorage-vs-session-storage",
+ "metaTags": [
+ " ",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ " ",
+ ""
+ ],
+ "title": "Unveiling the Intricacies of Local Storage and Session Storage",
+ "schema": ""
+ },{
+ "path": "/blog/what-is-credential-stuffing",
+ "metaTags": [
+ " ",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ " ",
+ ""
+ ],
+ "title": "What is Credential Stuffing?",
+ "schema": ""
+ },{
+ "path": "/blog/understanding-captcha",
+ "metaTags": [
+ " ",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ " ",
+ ""
+ ],
+ "title": "Unveiling the Intricacies of Local Storage and Session Storage",
+ "schema": ""
}
]
\ No newline at end of file
diff --git a/static/blog-seo/sitemapconfig.json b/static/blog-seo/sitemapconfig.json
index 2d6ba49f..c09c50a6 100644
--- a/static/blog-seo/sitemapconfig.json
+++ b/static/blog-seo/sitemapconfig.json
@@ -76,5 +76,29 @@
},
{
"location": "https://supertokens.com/blog/adding-login-to-your-nextjs-app-using-the-app-directory-and-supertokens"
+ },
+ {
+ "location": "https://supertokens.com/blog/access-control-for-modern-web-applications"
+ },
+ {
+ "location": "https://supertokens.com/blog/totp-why-you-need-it-and-how-it-works"
+ },
+ {
+ "location": "https://supertokens.com/blog/multi-tenancy-in-2024"
+ },
+ {
+ "location": "https://supertokens.com/blog/benefits-of-multi-factor-authentication"
+ },
+ {
+ "location": "https://supertokens.com/blog/demystifying-saml"
+ },
+ {
+ "location": "https://supertokens.com/blog/localstorage-vs-sessionstorage"
+ },
+ {
+ "location": "https://supertokens.com/blog/what-is-credential-stuffing"
+ },
+ {
+ "location": "https://supertokens.com/blog/understanding-captcha"
}
]
\ No newline at end of file
diff --git a/static/card_covers/access-control-for-modern-web-applications.png b/static/card_covers/access-control-for-modern-web-applications.png
new file mode 100644
index 00000000..0a5b8926
Binary files /dev/null and b/static/card_covers/access-control-for-modern-web-applications.png differ
diff --git a/static/card_covers/benefits-of-multi-factor-authentication.png b/static/card_covers/benefits-of-multi-factor-authentication.png
new file mode 100644
index 00000000..eff1c4ad
Binary files /dev/null and b/static/card_covers/benefits-of-multi-factor-authentication.png differ
diff --git a/static/card_covers/demystifying-saml.png b/static/card_covers/demystifying-saml.png
new file mode 100644
index 00000000..d7733861
Binary files /dev/null and b/static/card_covers/demystifying-saml.png differ
diff --git a/static/card_covers/localstorage-vs-session-storage.png b/static/card_covers/localstorage-vs-session-storage.png
new file mode 100644
index 00000000..5a560b6f
Binary files /dev/null and b/static/card_covers/localstorage-vs-session-storage.png differ
diff --git a/static/card_covers/multi-tenancy-in-2024.png b/static/card_covers/multi-tenancy-in-2024.png
new file mode 100644
index 00000000..df06436f
Binary files /dev/null and b/static/card_covers/multi-tenancy-in-2024.png differ
diff --git a/static/card_covers/understanding-captcha.png b/static/card_covers/understanding-captcha.png
new file mode 100644
index 00000000..39455fb5
Binary files /dev/null and b/static/card_covers/understanding-captcha.png differ
diff --git a/static/card_covers/what-is-credential-stuffing.png b/static/card_covers/what-is-credential-stuffing.png
new file mode 100644
index 00000000..57486768
Binary files /dev/null and b/static/card_covers/what-is-credential-stuffing.png differ
diff --git a/static/covers/access-control-for-modern-web-applications.png b/static/covers/access-control-for-modern-web-applications.png
new file mode 100644
index 00000000..d6694ba8
Binary files /dev/null and b/static/covers/access-control-for-modern-web-applications.png differ
diff --git a/static/covers/benefits-of-multi-factor-authentication.png b/static/covers/benefits-of-multi-factor-authentication.png
new file mode 100644
index 00000000..a2a3e0c6
Binary files /dev/null and b/static/covers/benefits-of-multi-factor-authentication.png differ
diff --git a/static/covers/demystifying-saml.png b/static/covers/demystifying-saml.png
new file mode 100644
index 00000000..a0911f19
Binary files /dev/null and b/static/covers/demystifying-saml.png differ
diff --git a/static/covers/localstorage-vs-session-storage.png b/static/covers/localstorage-vs-session-storage.png
new file mode 100644
index 00000000..2d8c92b9
Binary files /dev/null and b/static/covers/localstorage-vs-session-storage.png differ
diff --git a/static/covers/multi-tenancy-in-2024.png b/static/covers/multi-tenancy-in-2024.png
new file mode 100644
index 00000000..0e6c0f2d
Binary files /dev/null and b/static/covers/multi-tenancy-in-2024.png differ
diff --git a/static/covers/understanding-captcha.png b/static/covers/understanding-captcha.png
new file mode 100644
index 00000000..59d97fec
Binary files /dev/null and b/static/covers/understanding-captcha.png differ
diff --git a/static/covers/what-is-credential-stuffing.png b/static/covers/what-is-credential-stuffing.png
new file mode 100644
index 00000000..880e1794
Binary files /dev/null and b/static/covers/what-is-credential-stuffing.png differ