Best of Authentication: November 2025

  1. Article
    Cassidy's blog · 20w

    A pretty good email scam

    A detailed account of a sophisticated email scam that used hidden forwarding rules and reply-to settings to maintain access after password changes. The attacker set up forwarding to a fake email address labeled as 'Default Forwarding' and configured reply-to addresses to intercept all communications. The incident highlights the importance of checking email account settings beyond just changing passwords when recovering from compromised accounts.

  2. Article
    Auth0 · 23w

    .NET 10: What’s New for Authentication and Authorization

    .NET 10 introduces significant authentication and authorization improvements including built-in passkey support in ASP.NET Core Identity for phishing-resistant authentication, C# 14 extension members that simplify claims management with cleaner syntax, new observability metrics for tracking authentication events and performance, and a breaking change where API endpoints now correctly return 401/403 status codes instead of redirecting to login pages. The release also includes enhanced documentation for securing Blazor Web Apps with OpenID Connect.

  3. Article
    Laravel News · 21w

    Build Production-ready APIs in Laravel with Tyro

    Tyro is a zero-config Laravel package that provides production-ready API functionality including authentication via Sanctum, role-based access control, privilege management, and 40+ Artisan commands. It offers built-in middleware for protecting routes with roles and privileges, supports user suspension workflows, and includes factories, seeders, tests, and a Postman collection for immediate use.

  4. Article
    TechCrunch · 23w

    Red Bull Racing’s secret weapon? An engineer who treats workflows like lap times

    Red Bull Racing's new CEO Laurent Mekies applies engineering principles to organizational workflows, treating security and system access as performance optimization opportunities rather than friction points. His partnership with 1Password demonstrates how eliminating workflow bottlenecks—like authentication delays—can create competitive advantages. Mekies' technical background shapes his leadership approach: focusing on process efficiency, understanding root causes before moving forward, and empowering 2,000 team members rather than seeking the spotlight. The team faces a major technical challenge in 2026, building their own power unit from scratch while competing against manufacturers with 90+ years of experience.

  5. Article
    Hacker News · 23w

    WICG/email-verification-protocol: verified autofill

    A proposed web standard for verifying email addresses without sending verification emails or leaving the current page. The protocol uses DNS delegation, SD-JWT tokens with key binding, and browser mediation to enable mail domains to delegate verification to an issuer. The browser requests a token from the issuer using authentication cookies, verifies it, and provides it to the web application. This approach enhances privacy by preventing issuers from learning which applications users are accessing, while eliminating the friction of traditional email verification flows that cause user drop-off.

  6. Article
    SingleStore · 21w

    Introducing singlestore-auth-iam for Server Authentication

    SingleStore introduces singlestore-auth-iam, a library enabling passwordless server authentication for databases and management APIs. Building on their 2022 singlestore-auth-helper for human users, this new tool integrates with cloud IAM systems (AWS, Azure, GCP) to use short-lived tokens instead of static passwords. Servers authenticate by requesting signed identity tokens from IAM, exchanging them for SingleStore-signed JWTs. This eliminates credential storage, enables automatic rotation, and reduces security risks across CI/CD pipelines and applications while maintaining role-based authorization through SingleStore's existing permissions system.