Best of Authentication, January 2026

  1. Article
    Developer's Journey · 13w

    Small Observation That Changed How I See Everyday Tech

    TOTP (Time-based One-Time Password) enables two-factor authentication without internet connectivity by using a shared secret key and time-based windows. The server and the client each independently derive the same OTP by combining the shared secret with the current 30-second time step. The article includes a simplified JavaScript implementation demonstrating the core concept: dividing Unix time into 30-second intervals, multiplying the interval count by the secret, and applying a modulus to produce a 6-digit code that refreshes every 30 seconds.

  2. Article
    Metabase · 14w

    We simplified embedding

    Metabase 58 consolidates embedding options into two clear paths: Modular Embedding for individual components (supporting both Guest mode with JWT signing and SSO with full user accounts) and Full-app Embedding for the entire application (SSO only). Existing embeds continue working without code changes. Static embedding maps to Modular Embedding Guest mode, while Interactive embedding becomes Full-app Embedding. The update includes an in-app setup wizard and a React SDK, with an easier upgrade path from Guest to SSO embeds.

  3. Article
    Shaaf · 16w

    Keycloak MCP Server: Manage Identity with Natural Language

    An MCP server enables natural language management of Keycloak identity and access management through AI assistants. The open-source project supports 45+ operations including user management, realm configuration, client setup, and authentication flows. Version 0.3 introduces JWT authentication, SSE transport, Kubernetes deployment support, containerization, and production-ready features like health checks and Prometheus metrics. Developers can manage Keycloak by conversing with AI assistants instead of using the admin console or CLI commands.

  4. Article
    Auth0 · 13w

    Why Broken Access Control Still Dominates the OWASP Top 10 in 2026?

    Broken Access Control (BAC) and Broken Object Level Authorization (BOLA) remain the top security risks in OWASP rankings because they are logical vulnerabilities that automated scanning tools cannot detect. Unlike technical vulnerabilities with recognizable patterns, access control flaws require understanding business context and intent. The problem persists due to distributed authorization complexity in microservices, confusion between authentication and authorization, identity sprawl with non-human identities, and ad-hoc evolution of controls. Solutions include centralizing authorization code using Policy Decision Point/Policy Enforcement Point patterns, implementing Policy as Code with tools like OpenFGA or OPA, using fine-grained authorization, scoping database access to user context, and applying schema-based validation to prevent mass assignment attacks.

  5. Article
    GitHub Changelog · 14w

    Selectively showing "act on your behalf" warning for GitHub Apps is in public preview

    GitHub has updated the consent page for GitHub Apps to remove the "Act on your behalf" warning when apps only request read permissions for user profile data. Previously, over 50% of app authorizations were for simple sign-in purposes, but users were shown alarming warnings suggesting broader access. Now, the warning only appears when apps request repository, organization, or enterprise permissions, reducing confusion for users signing in with GitHub as an identity provider.