
This doesn't touch on commercial authentication managers and how horribly they can be implemented. There's no authorization cheat sheet either.

They also make assumptions like "When multi-factor is implemented and active, account lockout may no longer be necessary." Sure, until someone finds a simple hole in one of the factors and the rest become trivially brute-forced, sniffed, phished, etc. The chain is only as strong as the weakest link.



