From 5d17a9d2822a7499a48ef729d278b99d12c2ded3 Mon Sep 17 00:00:00 2001 From: Joel Coutinho Date: Mon, 1 Apr 2024 12:58:02 +0530 Subject: [PATCH] updates MFA blog --- .../index.md | 24 +++++++++++++++---- .../index.md | 14 ++++++++--- 2 files changed, 30 insertions(+), 8 deletions(-) diff --git a/content/benefits-of-multi-factor-authentication/index.md b/content/benefits-of-multi-factor-authentication/index.md index c81b796f..65679448 100644 --- a/content/benefits-of-multi-factor-authentication/index.md +++ b/content/benefits-of-multi-factor-authentication/index.md 
@@ -107,13 +107,27 @@ One downside of MFA is the friction it can add to the authentication experience. In short, the future of MFA is expected to be more integrated with a strong focus on context and biometrics. ## Getting Started with MFA in 2023 -[SuperTokens MFA](https://supertokens.com/docs/mfa/introduction) offering allows you to add email/SMS-based OTP or magic link as a second factor with TOTP support. +[SuperTokens MFA](https://supertokens.com/docs/mfa/introduction) offering supports a number of auth factors like email/sms based OTP or TOTP as an auth factor. -You can try out our [demo](https://supertokens.com/docs/mfa/introduction) that uses social login/email password as the first factor, and SMS OTP as the second factor. Here’s how: +It also supports the following features: -1. Clone the [GitHub demo](https://github.com/supertokens/supertokens-auth-react/tree/master/examples/with-thirdpartyemailpassword-2fa-passwordless) repository -2. Install its dependencies -3. Run the application using `npm run start` +- Allow access to APIs only if multi factor auth has been completed. +- Allow access to frontend routes only if multi factor auth has been completed. +- Use pre-built UI or your own custom UI for the second auth factor. +- Allow individual users to choose if they want to enable multi factor auth or not. +- Step up authentication +- Separate MFA config per tenant +- SuperTokens MFA can also be customized to add the following features: + - Account recovery using backup codes + - Skipping MFA for trusted devices for a period of time. + +You can test out how SuperTokens MFA works with our demo application. Get started by running the following command: + +``` +npx create-supertokens-app@latest --recipe=multifactorauth +``` + +You can find the complete documentation for [SuperTokens MFA here](https://supertokens.com/docs/mfa/introduction). ## Conclusion Traditional authentication methods have become susceptible to cyber attacks. 
MFA acts as a roadblock, making it exponentially harder for an attacker to compromise an account. For this reason, many companies have made MFA a requirement. diff --git a/content/fedcm-how-are-oauth-flows-affected-in-the-post-third-party-cookie-era/index.md b/content/fedcm-how-are-oauth-flows-affected-in-the-post-third-party-cookie-era/index.md index 5613db49..b7f571b1 100644 --- a/content/fedcm-how-are-oauth-flows-affected-in-the-post-third-party-cookie-era/index.md +++ b/content/fedcm-how-are-oauth-flows-affected-in-the-post-third-party-cookie-era/index.md 
@@ -7,17 +7,25 @@ category: "programming" author: "Joel Coutinho" --- -### Introduction +## Table of Content +- [Introduction](#introduction) +- [What are third-party cookies](#what-are-third-party-cookies) +- [The Impact on the OAuth Protocol](#the-impact-on-the-oauth-protocol) +- [Introducing FedCM](#introducing-fedcm) +- [Supporting FedCM: How Identity Providers Can Adapt](#supporting-fedcm-how-identity-providers-can-adapt) +- [Conclusion](#conclusion) + +## Introduction Federated identity has been a game changer in the authentication space. With increased security, smoother onboarding, and greater conversions it has been the most popular auth choice for applications. Although there are several methods to enable federated identity, the OAuth protocol has risen to be the most popular. In 2022, the Privacy Sandbox Team, created by Google to protect people's privacy online, issued an [announcement](https://blog.google/products/chrome/update-testing-privacy-sandbox-web/) stating the release and testing of new privacy-focused APIs with the eventual goal of retiring third-party cookies from Chrome by 2024. Why did they do this? How will cookies be accessed for different domains? How does this affect OAuth? In this blog, we explore these questions and more. -### What are third-party cookies? +## What are third-party cookies? A cookie is some information that a website can store on a user's computer. Websites use cookies for session management and personalization. Third-party cookies though are set by domains other than the domain the user is currently on. For example, when you are browsing a website and interacting with an embedded video or an advertisement the external domain will set some third-party cookies. The issue that arises is that services use third-party cookies to track user activity across websites to serve targeted ads based on their browsing and search history. 
This raises several privacy concerns and is the main impetus behind Google’s decision to retire third-party cookies. -### The Impact on the OAuth Protocol +## The Impact on the OAuth Protocol OAuth traditionally performs a full page redirect to the Identity Provider’s domain and accesses session cookies if they exist or allow the user to sign in. This flow is unaffected by the third-party cookie change. Some applications like google one-tap, however, want to achieve a more organic flow and allow the users to sign in without being redirected. They achieve this using an iframe and access third-party cookies to check if the user has a valid session.
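Review bot: In the benefits-of-multi-factor-authentication hunk, the replacement sentence "offering supports a number of auth factors like email/sms based OTP or TOTP as an auth factor" repeats "auth factor" and mixes casing with the rest of the list; suggest "supports several authentication factors, such as email/SMS-based OTP and TOTP." and "multi-factor" (hyphenated, matching the MFA expansion elsewhere in the post) in the list items. The new bullet list is also inconsistently punctuated (some items end with a period, "Step up authentication" and "Separate MFA config per tenant" do not), and the `npx create-supertokens-app@latest --recipe=multifactorauth` fence has no language tag, so it will not be highlighted as a shell command; tag it `bash`. Since the commit is dated 2024 and the section heading still reads "Getting Started with MFA in 2023", consider updating the heading in the same change.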
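Review bot: In the fedcm hunk, the new table of contents links to "#introducing-fedcm", "#supporting-fedcm-how-identity-providers-can-adapt" and "#conclusion", but the hunk only promotes the first three headings from `###` to `##`; the remaining headings are outside the visible range, so verify they are promoted as well, otherwise the post ends up with a mixed heading hierarchy and the ToC entries point at level-3 sections. "## Table of Content" should read "## Table of Contents". The anchors themselves look correct for GitHub-style slugs (the "?" and ":" are dropped), but the generated slugs depend on the site's markdown renderer, so check them on the rendered page.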