awesome-iam

Official French denylist of money-related fraud sites.

Perfect for this use-case, as bloom filters are designed to quickly check if an element is not in a (large) set. Variations of bloom filters exist for specific data types.

🆓 A list of temporary email providers. And its

🆓 CIDR country-level IP data, straight from the Regional Internet Registries, updated hourly.

This is a general list of words you may want to consider reserving, in a system where users can pick any name.

Some basic tips on the login form.

A collection of tactics to increase the chance of users finishing the account creation funnel.

From Leaked Screenshots & A/B Tests.

Create login forms that are simple, linkable, predictable, and play nicely with password managers.

Notifications are hard. Really hard.

“In this post we will look at the humble

Help makes sense of their huge service catalog. In the same spirit:

The source of all new features added to the IAM perimeter.

Ranking, popularity and activity status of open-source digital identity projects.

All the latest accounts updates on DO.

Also of note:

Describe all GCP products in 4 words or less.

“When my 2FA code is entered incorrectly I'd like to know about it”.

Key take-away: “schemes based on email and SMS are more usable. Mechanisms based on designated trustees and personal knowledge questions, on the other hand, fall short, both in terms of convenience and efficiency.”

Probably on the verge of paranoia, but might be a reason to rate limit 2FA validation attempts.

🆓 Open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal.

An excellent walk-trough over all these technologies.

In the same spirit as above, but this time at the service level.

An overview and comparison of all token-based authentication schemes for end-user APIs.

Customer name matching has lots of application, from account deduplication to fraud monitoring.

Why background check are sometimes necessary.

💸 Captchas solving service.

🆓 An open-source solution to protect upstream resources from scraper bots.

Reference all open-source captcha libraries, integration, alternatives and cracking tools.

Section dedicated to fraud management for billing and payment, from our sister repository.

On token invalidation.

Passwords are not the be-all and end-all of user authentication. This article tries to tell you why.

🆓 A swiss army knife for PKI/TLS by CloudFlare. Command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates.

Or why passkeys are not worse than passwords.

PKI lets you define a system cryptographically. It's universal and vendor neutral.

A practical guide to stay safe online and prevent phishing with FIDO2, WebAuthn and security keys.

A comprehensive list of (maintained) tools for AWS IAM.

🆓 Set of services and libraries supporting service authentication and role-based authorization for provisioning and configuration.

An in-depth, vendor-agnostic treatment of authorization that emphasizes mental models. This guide shows the reader how to think about their authorization needs in order to make good decisions about their authorization architecture and model.

The history of fast-growing AWS explains how the current scheme came to be, and how it compares to GCP's resource hierarchy.

“In my nearly 5 years at Amazon, I carve out a little time each day, each week to look through the forums, customer tickets to try to find out where people are having trouble.”

Merges concepts from cookies, JWTs, macaroons and Open Policy Agent. “It provide a logic language based on Datalog to write authorization policies. It can store data, like JWT, or small conditions like Macaroons, but it is also able to represent more complex rules like role-based access control, delegation, hierarchies.”