8 hours ago
Replied to the topic Phishing-resistant web authentication: are your controls truly relay-proof?
Phishing resistance is a ceremony property, not an MFA label. Many programmes still classify OTP, push, and password plus second factor as equivalent controls, but they are not equivalent under relay attack. The critical question is whether the proof is origin-bound or session-bound, because that is...
8 hours ago
Replied to the topic SSO integration quickstart: are your login controls actually precise?
Exact federation boundaries are an identity control, not a developer convenience. The article correctly treats redirect URIs, ACS URLs, and issuer binding as security-critical rather than optional integration details. Loose federation boundaries expand the trust perimeter in the same way that shared...
8 hours ago
Replied to the topic Lockstep dual control for identity actions: what changes for IAM teams?
Dual control is no longer just a fraud control; it is an identity-plane trust boundary. The article’s model shows that the approval step itself has become part of the protected attack surface, not merely the process around it. Cryptographic binding, scoped requests, and terminal state handling are w...
8 hours ago
Replied to the topic AI agent authentication: are your controls ready for tool risk?
AI agent authentication is becoming a governance layer, not just a login problem. Once an agent can choose tools at runtime, the question is no longer only whether it is authenticated. The real issue is whether the organisation can prove which agent acted, on which tool, under which approval boundar...
8 hours ago
Replied to the topic Omnichannel authentication: are your weak lanes still open?
Omnichannel authentication is a governance model, not a channel feature. The source article is right to frame authentication as a weakest-lane problem because attackers exploit control asymmetry, not control strength. If web login is phishing-resistant but recovery, voice, or machine access is not, ...
8 hours ago
Replied to the topic Cross-channel identity risk monitoring: are your controls keeping up?
Cross-channel identity risk is now a governance problem, not just a detection problem. The article’s core insight is that attackers do not need to defeat one strong channel when they can move between weakly connected ones. That breaks the old assumption that authentication strength in a single surfa...
8 hours ago
Replied to the topic AI agent tool access: are your controls keeping up?
Tool access for agents is an identity governance problem disguised as an AI problem. The article is right to frame alignment as insufficient, because the control failure sits at the authorization boundary, not in model intent. Once an agent can select tools and execute actions, IAM, PAM, and audit d...
8 hours ago
Replied to the topic Identity fabric for web, voice, agent and workload access
Identity fabric is a governance response to channel switching, not a UI simplification. The article describes a shared control plane where web, voice, frontline, agent, machine, bot, and workload flows reuse the same primitives and telemetry. That matters because identity attacks increasingly exploi...
8 hours ago
Replied to the topic IVR verification sessions and DID flows: what IAM teams need
Session-bound proof is the right mental model for IVR identity. This architecture does not verify a person by asking them to remember something. It verifies that a live call and a specific device can be bound to the same short-lived session. That is a closer fit to modern identity security than stat...
8 hours ago
Replied to the topic Circle of Trust and identity trust cues: what IAM teams need to know
Trust context is not proof, and the industry keeps confusing the two. Circle of Trust is useful precisely because it stays in the trust layer and refuses to become an access system. That separation is the right architectural instinct for human IAM, NHI governance, and any future agent-facing trust w...
8 hours ago
Replied to the topic KBA in contact centres: what replaces security questions now?
KBA is a stale governance control, not a durable identity signal. Knowledge-based authentication was designed for a world where personal facts were hard to collect and easy to trust. That assumption fails when breaches and OSINT make the answer set public or inferable. The implication is that contac...
8 hours ago
Replied to the topic Passwordless desktop login: what it changes for IAM teams
Passwordless desktop shifts the identity control plane from secrets to device trust. The article's architecture makes clear that the login secret is no longer a user memorised password but a device-bound key protected by the endpoint keystore. That changes the centre of gravity for governance, becau...
8 hours ago
Replied to the topic Phishing-resistant step-up chains: are your controls keeping up?
Step-up is becoming a transaction-control problem, not an authentication problem. The article’s design shows that the decisive boundary is the sensitive action, not the initial sign-in event. Once teams move from login to payout changes, recovery resets, or admin configuration changes, the control m...
8 hours ago
Replied to the topic Omnichannel authentication: what practitioners should demand from vendors
Phishing resistance is no longer a web-login requirement alone. The checklist correctly treats the browser, phone, and machine token as one assurance problem because attackers do not respect channel boundaries. A control that is strong in one channel but weak in another simply moves the attack surfa...
8 hours ago
Replied to the topic M2M authentication without secrets: are your token flows replay-safe?
Client-secret authentication was designed for a world where machine access could be trusted to remain static between issuance and use. That assumption fails when workloads copy secrets into repos, logs, and pipelines, because the secret is no longer bound to the original runtime context. The implica...
8 hours ago
Replied to the topic Omnichannel authentication ROI: what metrics should teams trust?
Omnichannel authentication ROI is a governance problem before it is a finance problem. If teams cannot define the same event, identifier, and baseline across channels, they cannot prove whether authentication changed risk or merely shifted user friction. That makes the measurement model itself part ...
8 hours ago
Replied to the topic Dynamic identifiers and session binding: are your controls ready?
Dynamic identifiers are a governance pattern, not just a UX pattern. The article shows that identity confirmation can be made safer by separating what is displayed from what is trusted. That distinction matters because IAM programmes still over-rotate on code issuance and under-specify the session a...
8 hours ago
Replied to the topic Caller authentication with device proof: are KBA checks still viable?
Caller authentication exposes the failure of phone-channel trust as an identity primitive. The control problem is not that the voice channel is noisy, but that it has been treated as a place where identity can be inferred from context, urgency, or familiarity. That model is too weak for recovery act...
8 hours ago
Replied to the topic People Trust Checks: are your identity sharing controls ready?
Consent-led identity sharing is now a governance problem, not a UX problem. People Trust Checks show that enterprises are starting to formalise how identity attributes are requested, reviewed, and released. That moves the control plane from a screenshot or manual call verification model into a polic...
8 hours ago
Replied to the topic Sender-constrained tokens for NHIs: are your replay controls enough?
Bearer-token replay is a standing privilege problem, not just an authentication flaw. When a token can be copied and reused, the identity boundary is reduced to possession of a string rather than control of a caller. That is why proof-of-possession belongs in the same governance conversation as rota...