# Announcing our seed round Source: https://stytch.com/blog/announcing-our-seed-round/ Announcing our seed round, a $6 million seed round led by Benchmark in the summer of 2020. We started Stytch to build the future of user infrastructure, starting with authentication, and we’re thrilled to share a milestone on that journey. We raised a $6 million seed round led by Benchmark in the summer of 2020. We’re excited to be working with Chetan Puttagunta, who’s joined our Board of Directors. Index Ventures participated in the round, along with angels including William Hockey, Dylan Field, Mahmoud Abdelkader, Elad Gil, Amber Feng, Lenny Rachitsky, and Jeff Morris Jr. Authentication is a frustrating experience for both developers and users, and we're changing that. While working together at Plaid, we witnessed the security and user experience shortcomings of password-based authentication. To solve this, Stytch is building the developer platform for authentication to enable teams to easily build experiences that delight their users. We’re thankful for our team, early adopters, and investors for the help and support on the journey so far. There’s much more to come, and if you’re interested in being a part of it, we’re hiring! If you’re interested in building on Stytch, join the many developers and enterprises that are part of our early access program and sign up here. Julianna and Reed --- # The rise of cool APIs Source: https://stytch.com/blog/the-rise-of-cool-apis/ The surge of recent startups in the space, it’s clear that tomorrow’s tech companies will be powered by external APIs. API startups are hot. With the rise of Twilio, the near-acquisition of Plaid, and the surge of recent startups in the space, it’s clear that tomorrow’s tech companies will be powered by external APIs, each responsible for outsourcing a different piece of infrastructure. In this piece, Gil Feig (Co-Founder atMerge) and Julianna Lamb (Co-Founder atStytch) discuss some of the most important trends seen across rising players in the API space. Innovation is rampant as API startups emerge at growing rates. Quality has soared across documentation, implementation, design, visibility, insights, and more. But APIs, like web applications, have a frontend. This may come in the form of JSON or XML, but it’s a view that is consumed by a paying customer. It wasn’t until recently that trailblazers like Stripe took this front-end seriously, and made APIs cool. But what exactly is a cool API? A cool API is built with the user in mind. Data structures, endpoints, and documentation are all designed with the same rigorous attention typically directed towards the slick-looking landing page that first draws in customers. The cool API knows it's not just selling to product managers who desire time and cost savings, but also to engineers who are increasingly responsible for vendor decisions and, obviously, implementation. And while companies may rise and fall, both PMs and engineers have the option of introducing your product to their future employers— or not. We believe a critical factor in an APIs longevity is, then, its coolness. Think of it like making that all important first-impression at a party. Merge is a leading provider of Human Resource (HRIS), Payroll and Recruiting (ATS) integrations for B2B companies. Companies that integrate once with Merge’s API automatically offer integrations with 30+ platforms to their customers. Stytch makes it simple to seamlessly onboard, authenticate, and engage your users with passwordless authentication and user management APIs and SDKs. Despite evolving separately and solving different problems, we found that both companies developed similarities in company culture, product, and implementation. API First Early on, Merge and Stytch recognized that we weren’t just building products and then exposing them with APIs. The APIs were our products. To us, this represents a radical shift in how API start-ups operate. What differentiates this new wave of API startups is the freedom to build APIs the way we want. Systems born in the on-prem and early-cloud era lacked, up until a few years ago, the plasticity to create a modern API. These APIs were built from the backend up, and so are often limited by the implementation details of the systems they expose. We have the privilege of starting companies in an era where the API is first documented and implemented before the underlying systems are created. This ordering is crucial to provide design flexibility for our core product: the API. Our APIs are built to power experiences and flows within other products, and this design flexibility allows the use cases of our customers to be thoroughly accounted for. Through iterative customer collaboration, we’ve achieved easy to add, fully native experiences. We’ve aspired to make our APIs cool. API = A Pretty Interface Design holds a double meaning for Merge and Stytch. Our products are APIs, and so we scrutinize every field, endpoint, and available action to cater towards a robust user-developer experience. At the same time, we recognize the value of and invest heavily in “traditional” product design. Whether it’s landing pages, documentation, embeddable UI components, or dashboards we constantly ask how to better craft pages that express complex topics within a simple UI. There has been a recent wave of fantastic startups that help to design API documentation, however at both Merge and Stytch there was a clear decision to build our own. We needed flexibility to express concepts, create guides, and provide interactive experiences for our users. Though we each followed a different path to accomplish this, we couldn’t be more thrilled with the other’s result. At Stytch, we designed and built our documentation in-house. All documentation lives in a Github repo like the rest of our code, so it’s become a natural part of the development process to include documentation changes when new code is shipped. In our early days we initially tested documentation through OpenAPI. However, we became continually frustrated with the time it took to implement OpenAPI's auto-generation with our own product. We realized that not only would it be more efficient to build our own client libraries, but by doing so we would gain a far deeper understanding of how our documentation actually worked. We found that making documentation changes as a standalone changeset, separate from the implementation of API endpoints, allowed for more detailed and flexible documentation. The downside of this DIY method is that some work required to make sure that the API, client libraries, and documentation are in-sync. Merge chose to generate documentation using OpenAPI. Acknowledging that the ecosystem is young, we saw it as an opportunity to provide feedback and take part in an audacious open-source initiative. While the specification’s imperfections imposed a burden, we ultimately realized time-saving automation: changing an API endpoint automatically regenerates documentation, deploys the frontend, regenerates SDKs, and merges the code. When the backend receives new API functionality, we create generic methods that automatically generate pixel-perfect interactive experiences for the frontend. Companies who use API products are able to build their core product faster. In our expanding API-economy we’ll continue to see more and more capabilities packaged in APIs. The difference, we believe, between losers and winners lies in who creates an API that’s cool— not just functional. Merge and Stytch are inspired to help craft new standards for the next generation of API companies. Check out Merge here: https://merge.dev Check out Stytch here: https://stytch.com/ --- # Announcing our SOC 2 Type II Source: https://stytch.com/blog/announcing-our-soc-2-type-ii/ Today, we’re excited to announce that Stytch has officially received our SOC 2 Type II certification. Today, we’re excited to announce that Stytch has officially received our SOC 2 Type II certification. Our SOC 2 Type II report outlines the extensive security and availability controls that Stytch has implemented and continually operates in order to offer our customers an exceptional experience. We learned a lot going through the process for the first time and wanted to share our findings in case they’re valuable to others preparing for their first SOC 2 process. When done right, SOC 2 can be extremely valuable for establishing best practices and communicating your commitment to security to customers, but it can also be intimidating to get started.. When to start Stytch builds critical infrastructure for our customers, and so security and availability of our platform is of the utmost importance. We knew at some point we’d need to formalize our commitment to this with SOC 2, but how early is too early? We started laying the groundwork for SOC 2 before we hired our first employees because we wanted to build a culture around security from the beginning and implementing policies only gets harder with more people. We then spent a couple months trying to figure out when was the right time to actually schedule the audit period. Ultimately, we decided to wait until our product had reached some level of maturity because we wanted the report to be representative of our systems. We iterated a lot on the product and infrastructure during our early alpha period and decided to wait to graduate from that before kicking off the audit period. SOC 2 Type II vs Type I A decision you’ll have to make is whether to jump straight to a Type II, like we did, or start with a Type I. We didn’t have immediate time pressure to complete SOC 2 and so, if we were going to spend the time on SOC 2, we wanted to do it right with a Type II. A Type I certification is much faster because it is a one-time snapshot of your internal practices rather than an ongoing, multi-month audit involved in the Type II certification process. However, its value is relatively minor for SaaS companies because your customers want to know that you consistently and reliably follow best practices. Preparing for a smooth audit We use Vanta to help automate some of the SOC 2 process, their integrations and monitoring make it easy to keep an eye on things and ensure that you’re living up to your policies. While they do a lot of the heavy lifting, there are still many things that you’ll need to figure out if they’re relevant or not given your systems and the specific criteria in scope for your audit. Making sure you’re on the same page as the auditors is key and building a good relationship with them early on makes the audit process much smoother. Asking your auditor lots of questions early on ensures that you’re not just doing the right things but also documenting them appropriately. Want to learn more? If you’re interested in using Stytch, you can get started today by creating an account here. And if you’d like to contact us directly, you can email us at hello@stytch.com. --- # Building the future of authentication Source: https://stytch.com/blog/building-the-future-of-authentication/ At Stytch, we’re on a mission to eliminate friction on the internet while improving security. In the world of modern applications, the methods currently used to onboard, authenticate, and engage users are broken. They cause needless friction, leading to frustrated users, lower conversion rates, and stunted growth. At Stytch, we’re on a mission to eliminate friction on the internet while improving security. We’re building solutions that reimagine user infrastructure, starting with out-of-the-box and customizable passwordless authentication products that are easy for engineering teams to integrate. With our flexible APIs and SDKs, Stytch customers can improve user conversion, retention, and security, all while saving valuable time. Out with the old: the problem with passwords By the end of this decade, online passwords will be a thing of the past. They’ll go the way of the fax machine—a quaint technology that’s long outlived its innovative purpose. Ultimately, this will be a welcome shift, improving developer and user experience and bolstering companies’ bottom lines by removing obstacles to conversion. We aren’t waiting on a breakthrough to bring this prediction to life. Simple developer tooling built on existing technologies will make passwordless authentication ubiquitous, with Stytch leading the way. But before we lay out where we’re going, let’s take a look at where we’ve been. In with the new: the evolution of passwordless auth Since the internet exploded in the 1990s, major authentication shifts have marked each decade. For instance: In the 1990s, as the internet went mainstream, passwords were the dominant form of authentication. In the 2000s, as users opened more and more accounts, password managers—which encrypt and store online login information—were introduced to help them handle this increasingly complex landscape. In the 2010s, as online technologies advanced, alternative auth methods—often referred to as “two-factor authentication”—embedded low-friction, secure hardware (like biometrics and YubiKey) and software (like APIs for programmatic text and email) into the user experience. In the 2020s, as we begin to embrace passwordless authentication, resourceful companies like Slack, Medium, and Square Cash are leading the charge. Stytch is making it easy for every company to build and integrate a delightful, passwordless user experience in hours rather than months. Even with these developments, password overload is a ballooning issue. Surveys have found that the number of password-protected accounts per user has increased exponentially in recent years, in response to an explosion of new apps and online services. One study found that between 2019 and 2020 alone—with people likely spending more time online due to the COVID-19 pandemic—the number of passwords per user jumped 25%, from an average of 70-80 to 100. A recent poll also showed that most users don’t take advantage of existing password managers. As a result, 37% forget a password at least once a week, increasing the likelihood they’ll abandon a commercial account or leave a purchase incomplete. The good news? Best-in-class teams are now pushing their companies to go fully passwordless. This shift won’t be dominated by a single authentication method (like biometrics) but will consider the trade-offs between different options. For many companies—especially sensitive fintech apps like Square Cash, Revolut, or Monzo— requiring multiple passwordless verification methods for increased security is becoming the norm. Needless friction Considering this progress, the shift to passwordless authentication feels inevitable. Still, skeptical companies may be reluctant to abandon authentication solutions they’re familiar with. A common mistake in recent years has been treating alternative auth methods as second-factor, rather than primary-factor, candidates. Most companies are unaware that they already have passwordless flows in place, and they’ve needlessly complicated these processes for users. Whenever a customer passes through a site’s password reset protocol, they’re essentially experiencing passwordless authentication. But instead of a seamless email login link (or a “magic link”), they’re seeing something like this: Step 1: User forgets password. Step 2: User clicks “Forgot password?” link. Step 3: User enters email and requests password reset flow. Step 4: User opens inbox and clicks the password reset link. Step 5: User creates a new password with a set of 10 complicated rules. Step 6: User confirms new password with 10 complicated rules. Step 7: User is redirected to the original login page. Step 8: User enters username and new, complicated password. In this case, for a simple email verification, a user must navigate eight increasingly complex steps—all to set up a new, convoluted password they will likely forget in a couple of days. Updating tiresome login flows to newer methods like email magic links or SMS logins is just one glimpse into passwordless possibilities that will significantly boost user experience and conversion. A better path forward Password-dependent authentication methods are problematic for stakeholders across the board. For developers building out these flows, it’s a time-consuming and error-filled process that can involve multiple engineers and many months of maintenance annually. For consumers using these flows, login information piles up as they open new accounts, yielding more and more passwords they’ll forget. For businesses relying on these flows, unnecessary friction increases customer acquisition costs and reduces users’ lifetime value. Passwordless authentication platforms—like those being offered by Stytch—solve these issues with flexible APIs and SDKs that save valuable engineering time and improve an end user’s experience. By making it simple and affordable for developers to integrate best-in-class authentication options, these solutions transform the above challenges into key benefits. For developers, going passwordless saves significant resources and removes the burden of dealing with app security. For consumers, going passwordless makes logging in easier, faster, and more secure while erasing the headache of memorizing or tracking passwords across accounts. For businesses, going passwordless improves both user onboarding conversion and user retention over time. What can Stytch do for you? Keep up to date with Stytch’s new products and features through our Changelog. Jump into our Docs to learn more about our flexible, frictionless authentication solutions—or sign up for a free account to try them out for yourself. Click here to get started. --- # Announcing our $30 Million Series A to make passwords a thing of the past Source: https://stytch.com/blog/announcing-our-30-million-series-a/ We are thrilled to announce Stytch has raised $30 million in Series A funding led by Thrive. We are thrilled to announce Stytch has raised $30 million in Series A funding led by Thrive, with participation from Coatue and existing investors, Benchmark and Index. We’re also proud to welcome Thrive’s Gaurav Ahuja to our board of directors, who is joining alongside Benchmark’s Chetan Puttagunta. Additionally, we're bringing onboard new angel investors including Matthew Prince, Cassidy Williams, Neha Narkhede, and Joshua Browder. When we were at Plaid, we witnessed the shortcomings of passwords first-hand, both from a security and usability perspective. We saw how often users gave up when the authentication process was too hard and, for all the friction passwords introduce, they still leave users vulnerable to account takeover attacks. User experience and security have both evolved over the past few decades, but authentication is stuck in the 1990s despite underpinning all of our online interactions. That’s why Stytch was born - to make the next generation of authentication passwordless. We believe in building tools and infrastructure that make it easier, faster, and safer to build authentication into apps and websites. We’re making it easy to modernize your authentication flows and build great user experiences by adopting passwordless technologies. The traditional approach to authentication ignores the significant downsides of passwords. 65 percent of users reuse passwords across different accounts, posing a significant security threat and creating larger breach liabilities. At the same time, we're constantly forgetting and resetting them. When users forget their password, about 75 percent give up and don’t complete the reset process. Similarly concerning, 45 percent of users report password authentication “frequently” or “very frequently” prevents them from completing an online transaction, costing businesses money and users. Over the past several years, there has been a rise in alternative authentication methods, using advances in both hardware (e.g. biometrics, YubiKey) and software (e.g. APIs for programmatic text + email), which have paved the way for a passwordless future. But building a robust new system for authentication is no small undertaking – companies would need to dedicate entire teams to solving this problem themselves. We see this as a massive opportunity to help developers move to a new era of authentication where they can embed passwordless authentication methods through simple APIs and SDKs At Stytch, we’re building the platform that we wish we had in past roles and making it available to anyone. Today, we have more than 350 developers building on the Stytch platform adding email magic links, SMS and WhatsApp passcodes, and one-click user invitations into their user onboarding and login flows. In addition to these core passwordless features, we’ve seen companies of all sizes drawn to the simple developer experience and the flexibility offered by our API-first approach, including a handful of fortune 500 companies that are using the product. But we’re just getting started. With the new funding, we’re working on adding numerous new authentication options like mobile biometrics, WebAuthn, OAuth logins, QR codes, and push notification login to the platform. We’re also expanding the user infrastructure features that make Stytch the simplest and lowest friction way to onboard and engage users, building out session management, account recovery, and more advanced fraud detection. The future of authentication is here, and you can get up and running with Stytch today. Sound like something you want to also get behind? We’re looking for more great people, so check out our open positions. Julianna and Reed --- # Forget the password reset flow as you know it Source: https://stytch.com/blog/forget-the-password-reset-flow-as-you-know-it/ For those still using password-based authentication, implementing a password reset flow can be a frustrating step. For those still using password-based authentication, implementing a password reset flow can be a frustrating step. Not only is it a headache to build, but it introduces unnecessary friction to the user experience and frequently results in users abandoning the interaction. A password reset flow is essentially a passwordless login with many additional steps tacked on. By leaning into this and using passwordless solutions as an alternative to password resets, you can delight your users and increase conversion and engagement. To illustrate this point, we’ve identified three ways a password reset flow can undermine your app’s performance—and a glimpse at how passwordless solutions can help. 1. Users forget their passwords, and they forget them faster than you think The password reset flow is often an afterthought. If you’ve spent multiple sprints building a secure password login, it feels reasonable to wait on the password reset process and focus on your core product. After all, how many people will really forget their password in the first months after launch? The truth is, users are creating exponentially more passwords each year as they discover new apps and open new accounts. And the more passwords they accumulate, the likelier they are to forget them. According to a recent study, over 20% of users report forgetting a newly created password within two weeks. That number climbs to over 70% after just a few months. Joint study from Mastercard and the University of Oxford So, when’s the right time to build a password reset flow? If you’re choosing to rely on password-based authentication, it’s right away—before that first forgetful user reaches out for help. (Of course, we’d say never. If you go fully passwordless, you’ll avoid this problem altogether.) 2. The password reset flow is just an overly complicated email verification It’s easy to forget that the password reset flow is really just a multistep email verification process. When a user goes through a password reset, they’re essentially experiencing passwordless authentication. But instead of receiving a quick email login link—otherwise known as a “magic link”—they’re seeing something like this: Step 1: User forgets password. Step 2: User clicks “Forgot password?” link. Step 3: User enters email and requests password reset flow. Step 4: User opens inbox and clicks the password reset link. Step 5: User creates a new password with a set of 10 elaborate security requirements. Step 6: User confirms new password. Step 7: User is redirected to the original login page. Step 8: User enters username and new, complicated password. In this case, for a simple email verification, a user must navigate eight increasingly convoluted tasks—all to set up a complex new password they’ll likely forget again in a couple of days. 3. A high-friction password reset flow can lower conversion rates and put users at risk Once a password reset flow has been built, engineers tend to forget about it. But by not tending to it on a regular basis, you might miss out on key opportunities to boost user experience. Studies have shown that a weak or outdated reset flow can have a significant impact on your business and even make users vulnerable to cyber attacks. Common blunders—like sending plaintext password reminders, asking for information that is easily findable online, or using error messages that disclose if a specific email address is registered—can pose huge security threats. And demanding too many (or the wrong kind of) verification tasks can frustrate users and lead them to abandon the reset flow altogether. On average, about 10% of your active users will pass through the password reset flow each month. Of those, 75% will drop out partway through the multistep process. To put that another way: with a high-friction password reset flow, you’re losing 7.5% of high-intent users before they’ve even had a chance to engage with your application. Passwordless magic With all the problems a password reset flow can cause for an app, it’s worth considering how passwordless tools can improve the process. Forward-thinking companies like Instagram are choosing to optimize user experience and retention by replacing the password reset flow with passwordless options like email magic links. Using an email magic link cuts the tiresome eight-step password reset flow down to two simple steps. When a user clicks the “Forgot password?” link, they are prompted to enter their email address. If registered with the app, they’ll receive a magic link in their inbox which, when clicked, automatically signs them back into their account. That’s it. No fuss, no complicated new password, no compromised security. Once a magic link is used, it becomes invalid, so there are no loose threads that could put an account at risk. Integrating passwordless solutions like email magic links and SMS logins into your app’s password reset flow is a great way to quickly improve the user experience. Key takeaways A poorly executed password reset flow can have big consequences for your users and your business. Why not avoid the issue altogether by going passwordless? Secure, efficient passwordless options are available and can go a long way towards removing burdensome flows, improving the developer and user experience, and boosting conversion rates. Even if you're not ready to fully eliminate passwords from your application, you can follow our simple guide for using the Stytch API to replace your password reset flow with a one-click email magic link. Interested in ditching passwords? Stytch helps you go passwordless by providing easy-to-integrate API and SDK authentication solutions. Let us build the infrastructure, while you focus on your core product. Sign up for free to start using the API. A path forward with Stytch Stytch is on a mission to eliminate friction on the internet. Learn more about our modern, passwordless approach to authentication. --- # A founder's guide to hiring engineers Source: https://stytch.com/blog/a-founders-guide-to-hiring/ People are everything when it comes to building a company; here's how we think about hiring great people. People are everything when it comes to building a company; here's how we think about hiring great people. One of your most important tasks as a founder is to hire and retain great people who are excited to be part of the journey—especially when you’re just starting out. While recruiting is always a challenge, your first few engineering hires are critical as you begin to build your product. These team members will help establish your company culture and set the tone for future candidates. We'll focus here on hiring engineers but most of it is broadly applicable. As a founder, you may be involved in interviewing every candidate for some time. But your first team members are special because they become the ones who attract, interview, and hire the next cohort. You’re asking your earliest hires to take a chance on you and on a product and team that are just beginning to take shape. In this guide, we lay out our best hiring practices in three key areas: identifying top talent, mutually evaluating whether they’re a good fit for the team, and selling them on joining. While some of these tips are geared toward the early stages of team building, most are relevant to all stages of growth. Finding great talent Start with your network It’s hard to know where to begin when you’re building a team from scratch. The good news is, you probably already have an established network you can turn to. Better still, your close contacts are familiar with you and your accomplishments, so you’re likelier to find a receptive audience. Start by texting friends who are engineers themselves or who have many engineers in their circle. That’s how Stytch snagged one of our very first hires. This text can be informal, something like: “I recently started a company building a platform for user authentication. We’re hiring a couple of engineers, and I’m wondering if there’s anyone you know who might be interested!” Keep it open enough for that person to then send it around to their contacts. That said, hiring from your immediate network can come with drawbacks like over-indexing on people with similar backgrounds—but it’s a valuable place to start. We include some pointers below on how to ensure you keep your pipeline diverse. Leverage LinkedIn Next, start looking through your Linkedin connections to find people you don’t know well enough for a text but who could be a good fit. It goes a long way to spend a bit of time crafting a personalized message. It will show you care about them and what their strengths are. It's also an opportunity to share more about what you're building. For example, here’s a message we was sent to one of our first engineers: Hi [X], Not sure if you remember, but we grabbed coffee back when I was at Plaid. I'm now the co-founder—along with Reed, also from Plaid—of a new company building infrastructure for user auth. Stytch makes it simple for developers to build passwordless authentication flows that delight users. There's some info on our website, but we're still building that out, so I can share more details on a call. We just finished raising a seed round and are now focusing on hiring engineers in anticipation of launching to our beta customers later this year. A platform engineer is an important hire for us. Our product will be in the critical path of customers’ applications, so our infrastructure is at the core of what we do. I remembered our conversation about the work you were doing with Kubernetes—that type of experience is exactly what we're looking for, so I had to reach out. I’d love to share more if you're interested! While you should keep your message brief, be as specific as you can. Highlighting particular technologies or problems they've worked on in the past shows that you understand the type of work they do and how it would fit with your team. Be proactive with cold sourcing and outreach Sourcing talent and engaging in cold outreach will be part of your role as founder for a long time to come, so it’s worth your while to work this muscle early on. We use Ashby for our ATS and sourcing. It lets you build email campaigns, save LinkedIn profiles, find a candidate’s email address, and create an email in your drafts to send. This is incredibly helpful for running a sourcing process, and it allows you to customize a message using a Chrome plug-in while viewing a candidate’s profile. Customization goes a long way toward demonstrating your excitement about a candidate and differentiating your message from the many recruiting emails they’re getting each week. We primarily use LinkedIn for sourcing but occasionally check AngelList, as well. The benefit of AngelList is that you can tell if someone is passively looking for a new job, but generally the signal-to-noise ratio makes it a challenging tool to use effectively. It helps to tailor your searches to a specific goal. If you’re hiring across the stack, you can view a wide range of candidates by using “software engineer” as your only filter. If filling limited roles, you should search narrower terms like “platform engineer” or “product engineer,” depending on your needs. While you can conduct language-specific queries, many people don’t add that level of detail to their profiles. One approach that works well is to search through companies you know use the language or technologies in which you’re looking for expertise. As you’re sourcing, keep in mind that you’ll be limited to the talent pool that’s already part of your filters. For example, sourcing only from large tech companies will give you a pool of candidates that’s only as diverse as their teams. You can be intentional in building your pipeline by specifically targeting people from different backgrounds and environments, including from colleges and coding bootcamps. Build a great interview process Always be closing During an interview, you’re evaluating a prospective employee’s skill set and character, but you’re also selling them on joining your team. We design our interview questions to be as collaborative and representative of real work as possible so that the candidate gets a sense of what joining the team will be like. Our engineering interview loop consists of a mix of questions that cover coding, systems design, product ideation, and collaboration and communication skills. For coding interviews, a candidate can use their own environment and language of choice so it feels as natural as possible. We also encourage liberal use of Google to match their day-to-day practices. The interview should be about how well a candidate solves the problem—not what they’ve memorized around a language’s built-ins. Aim to make the experience productive, regardless of the outcome. It’s important that a candidate leaves the interview feeling like they answered your questions and you answered theirs. For instance, you can structure interviews so more challenging questions and tasks arise as candidates do well, with their ultimate “score” resting on how far they got and how much assistance they required. You should also set some time aside—about 10 minutes for an hour-long interview—for a candidate to ask their own questions and settle any concerns. Dive into references As a small team, every hire has a huge impact. It’s critical to understand not only how a candidate performs during a quick interview, but how they’ve worked with teams in the past. To get a better picture of that, we lean heavily on references. To understand the context behind a reference, you should ask the following questions: What was/is your relationship to this candidate? Ask for information around their respective roles, any shared projects, how long they worked together, and their most recent interactions. What was/is the organizational culture like at your workplace? This helps to understand any quirks of the culture and to place the reference within that culture. To get a good sense of your candidate’s abilities in their prior role, you can ask: What stood out about their character or job performance? Can you offer an example? Can you describe an instance where this candidate took initiative? On a scale of 1-10, how would you rate this candidate’s performance? More importantly, what would it have taken for them to move up one point? Would you want to work with this candidate again? What advice would you give this candidate to help them excel in a new role? Build in enough questions that you get a well-rounded idea of how your candidate fit into their last workplace personally and professionally—but try to keep the conversation concise and to the point. Move swiftly It’s a competitive market out there, and one advantage you have as a startup is speed. This is likely also a reason the candidate is interested in joining you. They want to work somewhere where things move quickly, so it’s important you meet that expectation throughout the hiring process. If you’re moving forward on a candidate, reach out to ask for references within 24 hours of the final interview round. At this point, we share our enthusiasm about potentially having them join our team, but we also make it clear that we take references seriously. We aim to timebox our references to three days. Letting them drag on too long risks losing the candidate. Get them excited We surprise candidates on offer calls with a Zoom bomb. Everyone from the interview panel joins and shares a bit about why they’re excited for the candidate to join the team. This makes candidates feel appreciated and helps them envision the impact they would have at Stytch. We then walk the candidate through the offer details and a spreadsheet that brings clarity to valuing startup equity. Evaluating early-stage startup offers can be incredibly challenging. There are many factors—like funding raised, investors, and team size—that influence what a compensation package (and particularly the equity component) might look like. At the early stage, equity is more about the potential, rather than the present value of a company. To help candidates visualize this, we share a comprehensive spreadsheet that allows them to forecast different exit scenarios. Close the deal Closing candidates is about understanding their hesitations and what it would take to overcome them. For some, they’re already sold on joining, and it just comes down to the numbers. Many times, we find that when candidates push for more equity, there’s an outstanding question in their mind around valuing the equity and the potential upside. To address this, we offer to introduce them to investors who can contextualize the offer within the current market and speak to the company’s potential. More than anything else, joining an early-stage company is about the team. To help candidates picture themselves as a part of our work environment, we facilitate conversations with team members they haven’t yet met. When the team was just the founders, we offered up conversations with angel investors who had worked with us in prior roles. Ultimately, they’ll be joining your community, so lean into building those relationships early. Create a flywheel Building an open, engaging, and responsive work culture will create the best possible feedback loop. Not only will you attract incredibly talented people, they’ll be your greatest ambassadors moving forward and bring even more talent to the table. What’s next? You’ve hired a great engineer—now what? One of the best investments you can make is taking the time to onboard new hires so they thrive in your organization right off the bat. A team that's excited about the company and culture will be your best asset in both building a great product and hiring more people to help in that mission. Why Stytch? Stytch is leading the way on modern, passwordless authentication and user infrastructure. Learn more about our vision, our values, and our amazing team here. Want to join us? We're hiring! --- # How just-in-time authentication boosts security and conversion Source: https://stytch.com/blog/how-just-in-time-authentication-boosts-security-and-conversion/ How just-in-time authentication boosts security and conversion Securing your app shouldn’t come at the cost of usability. Front-loaded, application-based authentication methods have long dominated the security landscape. But these high-friction flows are tedious for users and can negatively impact their experience and your conversion rates. Now, route-based models are making it easier for apps to verify users without compromising engagement. Let’s take a closer look at the user access journeys across each of these authentication methods, identify their key differences, and compare their respective levels of friction and convenience. Upfront friction: application-based authentication Traditionally, apps have front loaded their authentication requirements. Once users pass a number of steps—typically involving a username and password, security question, and two-factor verification process through SMS or Google Authenticator—they are granted full access to the app and can carry out any action they like, regardless of its sensitivity. For example, if a stock trading app uses this model, it doesn’t matter whether a user is pursuing a relatively minor, “read-access” task (like checking a stock price or their account balance) or a riskier, “write-access” task (like withdrawing funds). Once they’re in, they’re good to go. This front-loaded approach is called application-based authentication, because it treats the entire app as a monolith. The problem with application-based authentication is that it requires users to complete the same high-friction, burdensome flow each time they engage, regardless of the risk level of the actions they wish to take. Application-based authentication is a relic of the early days of online security, when there was really only one form of verification: the password. In a password-based world, this front-loaded approach made sense because the password was the only authentication factor. Either you’d successfully enter it and access your account, or you’d be shut out. But with the advent of new methods like SMS, email, and biometrics—which are added to existing password flows—sticking to an app-based approach overcomplicates the sign-in process without offering additional security when it’s needed most. Security when it matters: route-based (aka just-in-time) authentication Today, application-based authentication is no longer sensible. In recent years, new methods have emerged, enabling us to verify users more intelligently through a process known as route-based authentication. In route-based flows, applications only introduce friction when it’s needed, using incremental security for higher-risk actions within an app. Tasks like moving money, changing credit card information, and accessing personal data all justify this increased security and added friction. At the same time, users pursuing low-risk tasks aren’t burdened with undue verification measures. Because the process is triggered by a specific, sensitive task and the resulting access is temporary, this approach is also referred to as just-in-time authentication. So, what does it look like in practice? Consider an app like DoorDash. Users enter a username and password to access the platform. From there, they can browse local restaurants and even place an order whenever they want without signing back in. But if they try to do something riskier—like change their delivery address—they trigger a two-step, SMS verification process. By introducing friction only when it’s necessary for extra security, an app greatly improves user experience—and, in turn, boosts customer conversion and satisfaction. Breaking it down Think of these two different authentication methods like security on a house. With app-based authentication, you’re essentially putting a deadbolt or two (or five) on your front door. To be safe, you have to lock and unlock all of those bolts every time you go in and out. And once someone gets in, they can help themselves to anything in your home. With route-based authentication, you may have a lock on your front door, but you reserve the extra bolt (or alarm, guard dog, or Home Alone-type setup) for the safe inside holding your valuables. Even if you leave the front door unlocked every now and then to let your friends in, an intruder will still have a hard time getting to what matters most. It’s more secure (and less demanding) because the components are more strategically and conveniently arranged. It’s also friendlier and more welcoming for those who mean your home no harm. Key takeaways The days of heavy, up-front app security are behind us, and the future promises more seamless and organic access flows. Integrating route-based authentication methods into your app will help you safeguard what’s most important—while delighting, engaging, and converting your users. A path forward with Stytch Stytch is on a mission to eliminate friction on the internet, and our platform supports and facilitates route-based authentication flows across use cases. Want to learn more about how we do it? Read up on our easy-to-integrate user infrastructure solutions in our API docs. Interested in trying our platform? Sign up for free to test out our API. Helpful terms Let’s clear up some of the jargon: Application-based authentication is a front-loaded security method, where users must pass through a single, heavy-handed verification flow every time they access an app and are then permitted to all its internal tools and services. Route-based authentication is an incremental security method, where a user must only undergo extra checks—like two-step, SMS verification—to carry out more sensitive tasks within an app. Just-in-time (JIT) authentication is another, less technical term for route-based authentication. Step-up challenges are additional steps users are asked to take in order to verify their identity. --- # Grace Baelen-King Source: https://stytch.com/blog/grace-baelen-king/ Today is a special day, a year ago Stytch became a real team when Grace joined as our first hire! Today is a special day, a year ago Stytch became a real team when Grace joined as our first hire! To celebrate, we’re kicking off a new series where we’ll highlight different team members. In this first installment, learn more about Grace and her experience as employee #1 at Stytch! What’s your role at Stytch? I’m a software engineer on our backend team. What do you love most about working at Stytch? Getting to build the foundation of a product that is very useful. Which Stytch value resonates most with you and why? Design for the future, build for the present. That for sure; it’s exactly what I’ve been doing for the past year. I think one of the things I said a lot early on and still say is “if we’re rebuilding this in two years, that’s a success” that means it worked for that long and we’re around to do it. It’s about making sure we're not technically backing ourselves into any corners. Describe your journey into engineering. How did you choose that career? I took a computer science course because I needed a math credit and I wasn’t allowed to take any other math classes at my college because I didn’t have the proper prerequisites. So I took computer science and I was like, “oh, this is kinda cool” and my dad who is also a software engineer was like, “yeah, that’s what I’ve been trying to tell you your entire life”. I later did an internship in HR but it looked like the engineers were having more fun and my boss was like, “you could be a great HR person but you should just go be an engineer”. So here I am! What do you remember most from the early days? There were so many slack channels already when I joined, Reed and Julianna had been having conversations with each other in various channels to start to build slack culture and context. It was very satisfying to get 2 reactions on something because that meant the whole company reacted. A week later more team members joined and I remember a lot of zoom calls with Danny, our platform engineer. Danny and I would spend like 3 hours on a zoom call working on something. We wrote a lot of code really quickly and it was really exciting, like how do we set up a code base, these foundational things and some of them have been thrown away but many are still there today. It’s been fun to see what was not a great decision or was a good decision at the time and didn’t scale vs what things we did that have continued to scale with us. What have you learned starting as the first hire at a company and growing to ~25 in a year? Time is wild. I guess it doesn’t feel like it’s been a year. I still find it hard to believe that we’re that many people and really it’s just every step we take it’s like “we’re a real company” and we keep becoming more of a real company with every step. I’ve been surprised by how quickly we felt like a real company. I think that first week when it was me, Reed and Julianna, some things, it was like this is silly. For example, I think we had about the same number of slack channels that we have now. Very quickly it was like oh that’s because we’re a real company and we’re doing things. I was surprised by how quickly that feeling came. But also then other things happen now and I’m like ok now we’re a real company. It’s like being an adult. When are you a real adult? Who really knows? What’s the most interesting project you’ve worked on at Stytch? I think the most interesting project I've worked on is setting up the foundations of Stytch. Building our first product, email magic links, was really more about building the foundation of our backend codebase and that was by far the most daunting and fun project I've ever worked on. When’s the last time you did something for the first time and what was it? I recently played Animal Crossing for the first time, it was very relaxing. What’s your ideal weekend? A mix of dinner with friends, hiking in the redwoods, reading a good book in the sunshine, baking something delicious and ending with dinner at my parents house on Sunday evening. What’s the best piece of advice you've received? Work hard, get smart, get help. One of my favorite CS teachers used to say that. --- # Danny Thomson Source: https://stytch.com/blog/danny-thomson/ Today we continue our celebration of our Stytch-iversaries with two of the engineers who helped round out our first Stytch team, Danny and Mary. Today we continue our celebration of our Stytch-iversaries with two of the engineers who helped round out our first Stytch team, Danny and Mary. We’re excited to celebrate this milestone with them and share more about their journey at Stytch! Danny joined us as our first platform engineer, learn more about his experience here. What do you love most about working at Stytch? I'm constantly learning how to build and run an API-first company from an engineering and business perspective. What does a typical day at Stytch look like for you? As a platform engineer, my day to day tends to vary since I get various platform requests through the week. I aim to have a couple hours of deep focus time where I can solve my current task, and then fill the rest of my days helping troubleshoot any platform issues that pop up, reviewing PRs, and chatting with my teammates over a Zoom. I usually start working around 8:30 to 9:30 and wrap up sometime between 5 to 6. What’s been the most surprising thing about Stytch? This is obvious in hindsight, but I didn't realize how many different decisions go into building a product and a company. When I worked at larger companies, a lot of those decisions were abstracted away from me, and allowed me to focus on a narrow problem. Meanwhile, Stytch has me more touching problems across the entire company. This has made me appreciate the amount of work it takes to start a company. Stytch has gone from 0-1 in the last year, what have been some of your biggest learnings about joining an early stage company? I'm constantly shocked by how fast this past year has flown by, and I've realized that startups make it easy to lose track of time since there's always more work to do. A good piece of advice I got was to occasionally slow down for a minute and appreciate all the hard work everyone has done and enjoy the exciting time of building a company from scratch. From a more technical perspective, I've learned to lean into making quick decisions for easy-to-change problems and take more time for more permanent decisions. As an example, changing a variable name in the file is a quick PR and not worth discussing, Meanwhile changing a database is usually a months-long trip project and requires significant planning. Which Stytch value resonates most with you and why? I resonate with Stytch's Think Exceptionally value. I love throwing out novel (and sometimes unfeasible) approaches to a problem and then working with my teammates to find a way to make them possible. What’s the most interesting project you’ve worked on at Stytch? My most interesting project is researching and building out Stytch's OAuth product. I've enjoyed exploring the problem space more and incorporating those learnings into building a richer user experience How did you end up becoming a software engineer? Going into college, I knew that I wanted to do some kind of engineering, and I decided to take the intro CS course in the spring quarter of my freshman year. I immediately knew that CS was the right major for me, and I built an Android app the summer after the class. After graduation, it was an easy transition to become a software engineer. When’s the last time you did something for the first time and what was it? I went rollerblading for the first time as an adult and I had a blast! I'm now getting rollerblades so I can skate along the Embarcadero. What song, hobby, or recipe got you through COVID? I love repeating cooking recipes and trying to improve the dish each time I make it. I made the same apple strudel recipe five times until I ran out of flour during the flour shortage last year. What’s your ideal weekend? A mix of hanging out with friends at a park in SF, getting some delicious food at a new restaurant, and ending the weekend with a good movie. What’s something you’re passionate about that’s not on your resume? Food! I love buying, eating, and cooking new foods that I haven't tried before. --- # Mary Gruen Source: https://stytch.com/blog/mary-gruen/ Today we continue our celebration of Stytch-iversaries with two of the engineers who helped round out our first Stytch team, Danny and Mary. Today we continue our celebration of Stytch-iversaries with two of the engineers who helped round out our first Stytch team, Danny and Mary. We’re excited to celebrate this milestone with them and share more about their journey at Stytch! Mary joined us as our first product engineer and now is the engineering manager for that team, learn more about her here. What do you love most about working at Stytch? One thing I love about working at Stytch is the collaborative culture. Everyone has their specific job duties but is primarily focused on the success of the company. If you need help debugging something or want to brainstorm new ideas, they are willing to spend time helping you out. It also means decisions aren't made in silo. What does a typical day at Stytch look like for you? Most days are different! I am primarily focused on helping my team, which includes 1:1s, product specs, PR reviews, hiring, and coordinating with other teams. I also contribute code when I have time! What’s been the most surprising thing about Stytch? I'm surprised at how fast we have been able to grow. We're able to get a lot more done with 25+ than we were with 6! Stytch has gone from 0-1 in the last year, what have been some of your biggest learnings about joining an early stage company? There's a lot of pressure to get things right from the start when building things from scratch. In order to move quickly, we can't spend weeks on every decision. Our founders introduced a framework where everyone is empowered to make decisions that are highly reversible and low impact (such as copy) without waiting for sign-off from a group while spending more time on more important decisions, like those impacting architecture or security. It's a helpful framework when prioritizing what you spend your time on. What’s your favorite part of the Stytch culture? I love Stytch's focus on feedback. We've been really intentional about creating multiple feedback channels, including formal reviews, monthly peer feedback, and 1:1s. It's great that we are constantly flexing the feedback muscle rather than waiting for yearly reviews. Which Stytch value resonates most with you and why? I love our core value around trust (Trust like it's Christmas 1914). I think it's really important when working with both coworkers and customers to assume they have the best intentions. This is a great framework when approaching a disagreement or miscommunication. I think it also embodies the idea that folks know what the best working environment and hours are for them. We don't track how long folks are online/in the office - we just care that they are getting their best work done. What’s the most interesting project you’ve worked on at Stytch? Building our docs from scratch was a fun project. We decided to build in-house rather than use a 3rd party to create a better developer experience. Users can copy code snippets with their API keys pre-filled and update their settings straight from the docs. How did you end up becoming a software engineer? I was introduced to CS in high school and ended up taking a few classes in college. I really enjoyed web development, especially focusing on user experience, where I could tangibly see what I was building. When’s the last time you did something for the first time and what was it? I learned to golf during quarantine. It was a great way to spend time outside. What song, hobby, or recipe got you through COVID? TBH I watched a lot of reality TV during COVID. And I continued to golf! What’s your ideal weekend? My ideal weekend would consist of a trip to the farmers market, wine tasting, and/or a day trip to the beach. --- # Nathan Chiu Source: https://stytch.com/blog/nathan-chiu/ We're celebrating another Stytchiversary; Nathan joined us a year ago as a product engineer. We're celebrating another Stytchiversary; Nathan joined us a year ago as a product engineer. He's spent the past year focusing on our stytch.js sdk. Learn more about his experience as one of the first engineers at Stytch and his love of food. What do you love most about working at Stytch? I'm going to give a super unique answer here, the people here at Stytch make it such an amazing place to work. I've learned so much from the smartest people I've had the opportunity to work with. What does a typical day at Stytch look like for you? I would sum it up in some form of code + planning + learning! What’s been the most surprising thing about Stytch? How fast we've hired an amazing team! It's clear we have that appealing of a vision for Stytch. Stytch has gone from 0-1 in the last year, what have been some of your biggest learnings about joining an early stage company? You gotta be on your toes and don't be afraid to stretch yourself. Wearing many hats is a great opportunity and you get to own a product that you get to push forward! What’s your favorite part of the Stytch culture? Collaboration. Stytch has the biggest emphasis on team culture I've seen. I've never been afraid to ask for feedback or help. Which Stytch value resonates most with you and why? Trust like it's Christmas 1914 - has the coolest name and is why we have such a great team. It feels everyone I work with has really bought into this and is willing to trust each other on technical decisions. What’s the most interesting project you’ve worked on at Stytch? As a product engineer, learning about AWS Cloudfront and web + browser caching was fascinating. The web is such a crazy place. And we're still learning about it today! How did you end up becoming a software engineer? I studied math and econ, but dabbled a little in programming in college. Once I started building web products as side projects, I was hooked! I also heard Silicon Valley had a lot of places with free food so that was added motivation. When’s the last time you did something for the first time and what was it? I made my own cold brew during the pandemic What song, hobby, or recipe got you through COVID? This is a very hard question. But Can I Call You Tonight by Dayglow was one of my COVID bops. What’s your ideal weekend? Relaxing at a coffee shop either reading or working or very likely doing nothing significant. What’s something you’re passionate about that’s not on your resume? All things food. I love to eat to the point where it changes my mood when I'm in a bad one. And if I could solve food insecurity I would! --- # Stytch's guide to passwordless authentication Source: https://stytch.com/blog/stytch-guide-to-passwordless-authentication/ Thanks to new tools and technologies, passwords are finally being replaced with more secure and convenient passwordless authentication flows like email magic links, SMS passcodes, OAuth logins, push notifications, and biometrics. Thanks to new tools and technologies, passwords are finally being replaced with more secure and convenient passwordless authentication flows like email magic links, SMS passcodes, OAuth logins, push notifications, and biometrics. These modern strategies enable developers to choose the most appropriate authentication options for their use case and user base. One recent survey found that 75% of users feel overwhelmed trying to keep track of their proliferating passwords. A separate survey found that the majority of respondents would prefer authentication methods for their personal and professional accounts that don't involve a password—users are increasingly interested in going passwordless, but as a developer, it can be hard to know what passwordless authentication flow is right for your application. The old refrain is that there’s a tradeoff between security and usability, but that no longer applies to authentication -- removing passwords can boost both security and the user experience. 81% of all internet breaches involve weak or stolen passwords, which is why the Open Web Application Security Standard (OWASP) now recommends that all passwords should be considered to be “pre-breached”. As you begin designing your authentication flow, there are a myriad of passwordless options to consider due to recent innovations in authentication technology. In this guide, we examine many of the common passwordless methods to help you choose the right solution for your application. With each option, we’ll consider how the user experience, security, ease of implementation, and accessibility measure up, with the aim of striking the ideal balance between protection and ease of use. The (r)evolution of authentication While passwords have historically been the most common way to authenticate users, innovations over the past 15 years have yielded new authentication types that improve security and usability. Historically, the dominant choice for authenticating users has been to have them demonstrate possession of secret knowledge (think passwords and PINs). This is the something-you-know authentication factor, and it presents many security and UX challenges. Over the last decade, however, the rise of programmatic SMS/email, hardware keys, biometrics, and other authentication factors has created two new authentication categories: Something you have—authenticating by proving possession of something (e.g. a mobile phone, email inbox, or hardware key) Something you are—authenticating by proving a biological trait (e.g. a fingerprint or FaceID) As a result of these innovations, we’re seeing major shifts in how companies choose to onboard and log in users. In the 1990s, as the internet went mainstream, passwords were the dominant form of authentication. In the 2000s, as users opened more and more accounts, password managers—which encrypt and store online login information—were introduced to help them handle this something-you-have authentication methods increasingly complex landscape. In the 2010s, as online technologies advanced, alternative auth methods—often referred to as “two-factor authentication”—embedded low-friction, secure hardware (like biometrics and YubiKey) and software (like APIs for programmatic text and email) into the user experience. In the 2020s, as we begin to embrace passwordless authentication, resourceful companies like Revolut, Medium, and Square Cash are leading the charge. Others like Slack, Instagram, and Craigslist have also started incorporating passwordless options, even if they haven’t fully discarded passwords yet. Authentication types and tradeoffs These new factors open up new UX possibilities, but they can also be a challenge for teams as they consider how best to tailor each to users’ individual, situational needs without compromising on protection or usability. Each factor presents different tradeoffs. Let’s consider the relative advantages of each method of passwordless authentication, starting with those under the something-you-have umbrella. Something-you-have authentication methods SMS one-time passcodes Designed with mobile phone/device owners in mind, short-messaging service (SMS) passcodes allow users to log in to applications using their phone numbers. When a user requests access to an application or website, an authentication flow texts a one-time, numeric code to their device, which they can then enter—instead of a password—to log in. Thanks to the prepopulating, “autofill” feature on Android and iOS, users do not even need to enter the string manually. SMS passcodes: Help balance security and usability, because logins that tie users to a specific phone number are more secure than password-based authentication options. In fact, SMS messages are the most used second factor to access financial and personal websites. Feature built-in redundancy, meaning that if programmatic SMS provider fails in the delivery process, we dynamically fail over to back-ups that can pick up the slack and quickly get the job done. Allow flexible integration options, since Stytch’s flexible APIs make it simple to use this method as a primary factor or as a two-factor authentication choice to strengthen security. While SMS passcodes are a great fit for many applications, they do carry their own unique risks. For certain high value accounts such as cryptocurrency wallets, fraudsters will go to extensive lengths to try to convince cellular networks to allow them to steal a legitimate user’s phone number. While this is a real risk, the effort and cost involved for fraudsters to mount this attack is significant, involving careful curation of an individual’s sensitive personal information and sometimes even outright bribery -- the difficulty involved in this attack is why it’s primarily been targeted at very high-value accounts like Coinbase wallets. The response to this small risk should not be to discard SMS passcodes entirely. Instead, you should consider the value of the account you’re protecting and choose your passwordless options and any multi-factor authentication requirements accordingly. Large fintechs like Square Cash and Revolut effectively use SMS passcodes to protect even high value accounts by layering other 2FA methods alongside it such as biometrics or PINs. Email magic links Put simply, magic links let users log in to an application or website by entering a registered email address, clicking once on a submit button, and receiving a “magic” URL in their inbox, by clicking on the link they can instantly authenticate and log in. This action establishes that they have access to the email inbox. One click is all it takes to log in. Email magic links can: Reduce user friction by removing the hassle of remembering and storing passwords. It’s a simple, one-and-done login or authentication process, making it more likely that users will follow through with whatever they aim to do—whether that’s paying a bill, buying a product, or submitting a document. Protect your application and users by eliminating credential stuffing attacks on your login flow and preventing account takeovers. Authenticator app time-based passcodes By requiring users to prove they actually have the device they are using to access a website, applications like Google Authenticator provide an extra level of security for critical and highly sensitive services. Differing from SMS passcodes, this type of passwordless authentication asks users to confirm control of their device within a certain time frame rather than requesting a phone number to gain access, which avoids the sim swapping vulnerabilities present with SMS. Authenticator app passcodes: Help facilitate secure transactions by requiring users to demonstrate control of their devices to execute sensitive transactions. Offer the security features power users want -- if your application handles sensitive data, many sophisticated users will require authenticator apps in order to feel comfortable using your service. Push authentication Push authentication is a passwordless method that asks users to authenticate through notifications sent to an app on their mobile device. The one-tap feature enables users to quickly approve a notification, thereby gaining instant access to an application or website. They can just as easily reject a notification they do not recognize or one they did not initiate, which prevents unwanted parties from accessing secure content. Push authentications: Increase user retention by eliminating the need for users to remember or store passwords to access secure websites or applications. Facilitate secure transactions in a manner similar to authenticator apps. WhatsApp one-time passcodes Another authentication solution that lets users avoid the traditional password, WhatsApp passcodes enable users of the popular messaging app to log in to secure applications from anywhere, at anytime. By integrating your authentication flow with WhatsApp, you can leverage a network of more than three billion existing users. WhatsApp passcodes: Increase the difficulty and cost of attacks like account takeovers. Provide your users with a viable, alternative authentication option if regular text-message delivery is delayed or otherwise affected by a service outage. OAuth logins OAuth logins—which leverage industry standards like OAuth 2.0 and OpenID—help engineers easily integrate single sign-on options from popular social platforms and other third-party providers (e.g. Apple sign-in). OAuth logins: Help increase user sign-ups. In fact, most apps report a 20%+ conversion rise in sign-ups when popular OAuth options like Google, Facebook, Apple, Microsoft, and others are introduced. Newer OAuth features like Google’s One-Tap functionality offer even more eye-popping conversion boosts (Pinterest reported a ~50% improvement in web sign-ups and a ~125% improvement in mobile sign-ups when they incorporated this feature). Balance security and usability by preventing users from creating a new password for your site that they might reuse and repeat across many services—this minimizes your risk of account takeover and credential stuffing attacks. Flexible integration options -- Stytch allows you to integrate these options through either our front end SDK or our direct API if you’d like to fully own the UX. Something-you-are authentication methods The something-you-are category of authentication includes biometrics, including voice and facial recognition, and fingerprint scans. Native app biometrics You were likely first introduced to the concept of biometric authentication on your mobile devices when iOS and Android introduced the concept of fingerprint and facial recognition for native applications built on top of their operating systems. This method has become a popular way for banks, brokerages, and other sensitive applications to layer low-friction step-up authentication into user workflows. WebAuthn In the something-you-are category of authentication are biometrics, including voice and facial recognition, fingerprint impressions, and iris scans. WebAuthn (aka “Web Authentication”) falls partially under this umbrella, though it also supports something-you-have authentication methods like hardware keys as well. This passwordless authentication solution allows desktop and mobile browsers to verify users with built-in device biometrics as well as distinct, specialized hardware keys like YubiKey. WebAuthn: Can use biometrics to ensure a user demonstrates both possession of an original device and a unique biometric trait through face or fingerprint ID. Offers your users best-in-class security by doubling down on verification while also minimizing user friction. Allows you to easily integrate strong hardware authentication like YubiKey to protect sensitive applications and use cases. What happens after authentication? The above authentication methods detail how you can prove who a user is -- however, once a user has been successfully authenticated, you’ll likely want do a few things: Keep the user logged in as they navigate different parts of the app Occasionally escalate them up for additional verification (and friction) if they try to take a particularly sensitive action (like withdrawing funds or altering their account information) Continually check throughout the user’s interactions whether they have sufficient permissions to take the action they’re attempting Most of the above boils down to session management and how you manage your user’s logged-in experience. Session management regulates interactions between web-based applications and individual users. Stytch Sessions allow your users to easily implement sessions in a way that provides fine-grained control. Stytch Sessions: Offer countless advantages over JSON web tokens (JWTs) in terms of security and control. Make performing route-based authentication simple, allowing you to precisely control the level of authentication that any sensitive action requires Provide improved session security by allowing you to easily revoke sessions and protect against unauthorized access. What authentication is right for your project? Designing an authentication flow can seem overwhelming given the UX and security issues involved. When we help developers think through what's right for their authentication flow, there are three main questions we ask (you can always join our Slack community for more guidance): 1. What type of account data does your application protect? There's a big difference in the level of authentication you need if you're a fintech/healthtech app, for instance, versus a news digest app. For more sensitive applications like fintech + healthtech, we frequently recommend multi-factor passwordless authentication, which allows you to both balance UX and security. Square Cash, Monzo Bank, and Revolut are great examples of companies that weave together multiple passwordless options in order to protect their users. 2. Do users primarily engage your application via mobile, desktop, or both? Conversion rates vary across these channels. For instance, SMS one-time passcodes perform extremely well on mobile due to their autofill capabilities but create slightly more friction on desktop than email verification. Companies that Square Cash and Hippo Insurance provide users with the option to choose what’s most convenient for them. 3. What's your current reset password flow, if any? Some teams are hesitant about moving to passwordless authentication until we ask this question. Then they realize that they already allow users to log in without a password. The majority of reset password flows only require a user to demonstrate ownership of an email address or phone number—making them essentially passwordless. If you require a user to supply additional information during a password reset (e.g. some banks require the last 4 of your SSN), this can help in determining what level of user authentication you deem sufficient in allowing users to access your application. Interested in learning more? At Stytch, we worry about authentication so that you don't have to. If you want to discuss your specific authentication needs, sign up for a free account and chat with our team. If you’d like to dive deeper into the topic of authentication, you can join the Stytch Slack community here. --- # Engaging users with embedded authentication Source: https://stytch.com/blog/engaging-users-with-embedded-authentication/ Today, we’re launching a new product, Embeddable Magic Links, to give you the option to own even more of your login and user engagement experiences. Providing developers with the flexibility to build their own unique user experiences is fundamental to how we think about building products. Today, we’re launching a new product, Embeddable Magic Links, to give you the option to own even more of your login and user engagement experiences. Over the past year, we’ve introduced numerous features that make it easier to onboard and authenticate users, including SMS, email, and WhatsApp one-time passcodes as well as email magic links and OAuth logins. Embeddable Magic Links are a massive step forward in helping us achieve our mission of eliminating friction on the internet. This feature moves beyond the templated sign-up, login, and invitation magic link emails that we currently power for customers. Those existing templates allow us to abstract away a lot of complexity for customers when it comes to email deliverability, latency, and inbox placement. However, it also limits customers’ ability to craft new and inventive ways to take advantage of all magic links have to offer, including the ability to embed them into product experiences such as email and text communications with their users. What are magic links and what’s the value in making them embeddable? First, it’s helpful to align on what magic links are and what makes them special. At their core, magic links are high-entropy tokens that are appended to URLs to enable new authentication experiences. To use these tokens to power logged-in experiences, you generate a unique, temporary token for an individual user (e.g. exampleuser1@gmail.com) whenever they’re trying to access their account. The ingenuity of magic links comes from the fact that they offer significant security while also enabling “magical” user interactions where the end-user doesn’t need to take additional actions beyond clicking a link (or button). By embedding magic link authentication into existing user workflows, such as when a user casually navigates the messages within their email or SMS inbox, we have an opportunity to significantly improve the way we engage with users on the web. The value of embeddable magic links is best illustrated by considering the user experience that their absence creates today -- think about the many different emails your apps and accounts send you on a daily basis, including things like: A promotional email from your favorite clothing brand offering 10% off An email with a link to view your bank or credit card statement An email from an e-commerce store about your recently abandoned cart A reminder from a grocery delivery app to repeat your weekly purchase Today, if you click through the various examples like the above in your inbox, the vast majority of the time you’re likely to encounter a logged-out experience. You’ll be asked to sign in with a password you’ve likely forgotten, often forced to choose between abandoning completely or enduring a frustrating password reset process. This interaction similarly frustrates businesses because it leads to a high-intent user abandoning their funnel. We don’t have to live like this anymore. Today, we’re underutilizing the fact that whenever you click on one of these emails or texts, you’re entering the application from an authenticated inbox (e.g. your email or phone). Embeddable magic links offer a way to associate a user clicking a call-to-action button with an existing account -- with this context, you could either directly log the user into their account or simply use that information to determine the marketing persona of the user engaged within your application to power customized recommendations. Here's how this flow works with Stytch: Stitching it all together Embeddable magic links become even more powerful when used in conjunction with other Stytch products because it allows you to right-size the amount of authentication security depending on the level of access you’re providing to the user that has clicked through the embedded magic link. (Check out the guide in our docs to see how you can augment this product with our other features) In many cases, an embedded magic link alone should suffice for your use case. If the user is coming from a recognized device, you could provide them with full account access. Alternatively, regardless of where they’re coming from, you could instead choose to treat the user as a persona used for marketing purposes and customize general recommendations rather than directly grant account access. While embeddable magic links are great tools, they’re not invincible. Scenarios where you’ll want to be more careful involve situations where a user clicks an embeddable magic link from an unrecognized device. In these cases, there’s additional risk you’ll want to consider when determining the adequate account protection. It’s possible the user has forwarded their unique embedded magic link to a friend (or an attacker trying to phish them). To safeguard against these instances, you can consider the following options: Ask the user to complete another low-friction authentication method such as a SMS one-time passcode (on mobile, this is especially low-friction due to iOS and Android auto-fill capabilities) You can take a route-based approach to authentication where you distinguish insensitive read-access from more sensitive write-access capabilities. You could withhold two-factor authentication until the user attempts to take a more privileged action. For example, with Stytch’s sessions product, you can set a session when the user clicks the embedded magic link and then escalate them later in the session whenever you want to upgrade their session (for example, if the user tries to change their saved shipping address when checking out or view sensitive information). How to use it You can check out the new product here. When you’re ready to start testing it out, you can reach out to us at support@stytch.com to enable the feature. We’re always willing to provide guidance and input on best practices for implementing embedded authentication like magic links. --- # The ultimate guide to building user authentication into your Next.js application Source: https://stytch.com/blog/the-ultimate-guide-to-building-user-authentication-into-your-next-js-application/ Next.js is a popular React framework and we’re in the process of migrating our main stytch.com website to Next.js because of the developer experience and performance wins. Next.js is a popular React framework and we’re in the process of migrating our main stytch.com website to Next.js because of the developer experience and performance wins. We’re thankful to benefit from the Next.js ecosystem for our own product and wanted to open source that work. Building user signup and login can be a frustrating task, especially when you just want to focus on building your core product. Stytch makes it easy to build user authentication, we offer flexible SDKs and APIs so that you can own your UX and let us do the heavy lifting. In this tutorial, we’ll walk through building a Next.js app with Stytch for user authentication. We’ll be using this example app to show you how you can use our API integration to build user sign up and log in with SMS one-time passcodes. Create your Next.js app It’s simple to get an app up and running using create-next-app. You’ll need to have the Next.js cli installed if you don’t already, instructions on that here. Then you’ll want to run: Now you’ll want to run the following command to install all of your dependencies: Your app is now ready for you to get started. Follow the instructions printed in your terminal to cd into your app and then start it in development mode with: Setting up Stytch To start, you’ll need to have a Stytch account, you can sign up here. Next, you’ll need a .env.local file. You can copy our template here. For the purpose of this guide, you only need to fill out the STYTCH_PROJECT_ID and STYTCH_SECRET env variables, which you can find in the Stytch Dashboard API keys tab. Sending and authenticating SMS One-time Passcodes(OTP) One benefit of Next.js is that it supports creating backend API routes under the pages/api/ folder. These routes are made accessible at /api/. In this guide we will leverage Next.js API routes and the Stytch API by using the Stytch Node client library. Start by installing the client with: In order to use the Stytch Node client library, your app needs to instantiate a Stytch client. In our example project, we created a utility function to do this for you under lib/loadStytch.ts, as long as you created your .env.local file above, you don’t need to do anything else here. Next, we created an API route called send_otp under pages/api/. This endpoint will be available at /api/send_otp (e.g. http://localhost:3000/api/send_otp) and will take a phone number in +1XXXXXXXXXX format in the request body. Using the Stytch client, call the otps.sms.loginOrCreate method. This will send a text to the provided phone number with a OTP. The otps.sms.loginOrCreate method also returns a methodId; return and keep track of this methodId as it will be required for the authentication endpoint later. You can take a look at how we built our send_otp endpoint here. Finally, we created an authentication endpoint called authenticate_otp under pages/api/. This endpoint will be available at /api/authenticate_otp and takes the methodId from the prior send_otp response and the user supplied otpInput(the six digit OTP sent to the user’s phone). Using the Stytch client, call the otps.authenticate method, if the response status is 200, the user has successfully authenticated! You can take a look at how we built out our authenticate endpoint here. Now that you’ve set up your authentication API routes, it’s time to build a UI! Building your login page In addition to API routes, Next.js also automatically converts all remaining files under the /pages directory into page routes in your application. To add your login page, directly edit the pages/index.tsx file. For your login UI, you will want to create two separate forms. One for the user to enter their phone number (which will send them an OTP), and the other for the user to enter and verify their OTP. You can take a look at the examples we’ve built for both at SendOTPForm.tsx and VerifyOTPForm.tsx. Here’s an example of how you can tie these two forms together for your log in flow, see LoginWithSMS.tsx: Finally, you will want to create a logged-in page that the VerifyOTPForm can push to once a user has been successfully authenticated. You can see our logged-in view here and what it looks like below: Once you’ve created the login UI and your logged-in page, you are now ready to hook up your components to your API routes. Below is a diagram of what the user authentication flow should look like: Congratulations! You’ve successfully used the Stytch API in Next.js to build user sign up and log in with SMS OTP. What's next? Stytch is a platform for user infrastructure, we offer many more options when it comes to your user authentication. Explore more ways to authenticate, including email or embeddable magic links, email or WhatsApp OTP, and OAuth in our Docs! --- # Alex Zaldastani Source: https://stytch.com/blog/alex-zaldastani/ We’re so excited to celebrate another Stytch-iversary with our very own, chess-loving, Switch playing, book-club leading engineer, Alex Zaldastani! We’re so excited to celebrate another Stytch-iversary with our very own, chess-loving, Switch playing, book-club leading engineer, Alex Zaldastani! As our team continues to grow, we look forward to sharing more glimpses into our culture at Stytch through the eyes of the folks who help build it and know it best. Meet Alex! What do you love most about working at Stytch? My coworkers! Everyone is intelligent, considerate, and excited to shape Stytch's culture. They make it easy to collaborate and get unblocked. A close second – we have great lunch food. What does a typical day at Stytch look like for you? It really depends what stage of a project I'm working on. I've spent the last year building a lot of features from zero to one. So one day could be spent specing a solution by having lots of conversations with other engineers and getting feedback. Or it could be spent doing lots of heads down coding, bugbashing, and shipping. What’s been the most surprising thing about Stytch? Our growth! I've always felt confident about it, but didn't think it would be this fast. It's been rewarding recruiting and growing the company with hires who care about our work and social culture. What’s your favorite part of the Stytch culture? My favorite part of work culture is our communication. The team is great at speaking up or giving feedback. Our focus on communication has definitely helped us scale. Which Stytch value resonates most with you and why? Design for the future; build for the present. It's been at the forefront of my decision making while building out our MVPs the last year. How did you end up becoming a software engineer? I really like math and logic. Software Engineering seemed like a field where I can scratch my logical problem solving itch while working at cool, new, impactful companies. When’s the last time you did something for the first time and what was it? Rocked a middle part at a costume party. I went as Nick Dean from Jimmy Neutron. What song, hobby, or recipe got you through COVID? Definitely chess. I knew I liked turn based games and I'm surprised it took me so long to start playing chess. I love playing the Legal's Mate and the Fried Liver Attack. Also – I got into chess before Queen's Gambit, I promise. What’s your ideal weekend? A mix of dancing, games (board, video, or other), tennis, and food. Saturday mornings almost always include a breakfast sandwich from either Bandit or Devils Teeth. What’s something you’re passionate about that’s not on your resume? I really enjoy reading. My favorite authors include Haruki Murakami, Brandon Sanderson, and Cixin Liu (author of the Three Body Problem trilogy, a must). --- # Designing for dark mode Source: https://stytch.com/blog/designing-for-dark-mode/ How I designed the Stytch website with developer experience in mind. How I designed the Stytch website with developer experience in mind In November 2020, Stytch hired me to redesign their website and create a visual identity for the brand. It was crucial to the team that the website and the brand experience appeal to Stytch’s target audience of developers—which is how my journey into dark mode began. Simply put, designing for dark mode involves creating a dark background with light text and images (like white on black) rather than a light background with dark text and images (like black on white). For developers constantly viewing minuscule code, dark mode is not only easier on the eyes, it helps them concentrate for longer periods of time. That’s why some surveys have found that a majority of developers—about 70%—prefer dark themes to light ones. As an added benefit, dark mode drains less battery power over time, ultimately reducing a device’s energy consumption. As I revamped the Stytch website for dark mode, I worked closely with our lead product designer Bingrui Tang to ensure my designs worked equally well across Stytch’s products, so there would be a seamless transition from one platform to another. Here are a few things I learned—and a few tips I picked up—along the way. Designing in dark mode is less common than you might think (or hope). As I began my research, I couldn’t find any examples of other companies that cater to both light and dark mode on their website. While it’s common to encounter a dark mode setting among a company’s products, it’s rarely seen in their branding or on their homepage. I quickly pivoted to reading articles on dark mode instead. I found Google Design’s “How to design a dark theme using Material'' and Chethan KVS’s “The ultimate guide on designing a dark theme for your Android app” to be helpful entry points in understanding the basics of dark mode and learning to design within it effectively. Designing in dark mode first—and then in light—streamlines the process. It’s hard for designers to think about the same UI in different configurations, and designing in light and dark modes at the same time can be confusing. On the other hand, when an entire website is already set in light mode, reversing it to dark can take a lot of work—especially as a company grows and its pages and content proliferate. I found that it was easier to complete one mock-up at a time and that transitioning to light mode was much simpler and more intuitive than transitioning to dark. So I tackled each component—for example, the Stytch homepage—in dark mode and then translated it to light, ironing out the process as I went and saving myself a lot of time and effort. Drop shadows that work in light mode don’t necessarily work in dark mode—and vice versa. Because it’s difficult to discern shadows against dark backgrounds (as opposed to light), I had to create custom drop shadows as I designed for dark mode—and to add semi-transparent overlays on top of the images and behind the text. This layering added contrast between surfaces and their shadows, which resulted in more readable elements and allowed the UI to stand out. Exploring how your brand colors transition between light and dark mode helps create a cohesive and impactful design. Maintaining a distinctive, consistent color scheme is key to communicating your brand’s identity across UIs and mediums. That may mean tweaking your design standards to include one or two of your brand colors—instead of the whole palette—as you transition from light to dark mode. Keep in mind that traditional black and grey backgrounds can feel dark and heavy—but they’re not the only option. For Stytch, I chose a cool, deep blue for our dark mode theme to mix it up and try something a bit different. It’s worth experimenting with a variety of alternative background colors and configurations while staying true to your brand flavor to see which has the crispest definition and best showcases your content in dark mode. If designing for web, do an early accessibility and responsiveness test so you don’t have to rework your dark mode system before development. When selecting a dark mode color scheme, I was initially drawn toward white on black as an easy and accessible option. When I transitioned to blue, that meant going in and testing lighter shades of type to make sure they stood out—and occasionally picking darker or lighter hues on either side to ensure maximum readability. When it comes to dark mode, it’s also important to build out mocks in both desktop and mobile (known as responsive design) to see how dark your colors become at a smaller scale. Keep in mind, a color scheme can change dramatically depending on the amount of space it fills. Generally, the smaller the space, the darker the appearance. I found this tool to be very useful as I mastered these proportions. Key takeaways Designing in dark mode is a great way not only to delight developers but to communicate that you care about your users’ experience. I hope the lessons I took away from setting up Stytch’s website for dark mode can be a helpful resource for other designers in the field and set them up for success. Check out the website in both modes Mac users: System Preferences > General > Appearance PC users: Settings > Personalization > Colors Our design team is growing! Interested in bringing your skills to Stytch? Check out our open product design position. --- # Building an app with Stytch and PlanetScale Source: https://stytch.com/blog/stytch-planetscale-integration/ Building an app with Stytch and PlanetScale PlanetScale PlanetScale is a serverless database platform. PlanetScale was founded in 2018 by the co-creators of Vitess, the same database that has enabled products like Youtube to reach planet-scale. PlanetScale removes the complexities of manually scaling a database by providing a serverless DBaaS. The PlanetScale platform allows developers to branch their database, similar to what you would do with Git. Database branching enables developers to perform non-blocking schema changes, among other things. Stytch Building user signup and login can be a frustrating task, especially when you just want to focus on building your core product. Stytch makes it easy to create user authentication; we offer flexible SDKs and APIs so that you can own your UX and let us do the heavy lifting. What we’ll do in this post This tutorial will walk you through how to create a lightweight user dashboard that utilizes Stytch and PlanetScale for authentication. All of the code for this example app is hosted and maintained in our public GitHub. Getting started - Mise en place Building an app is easier when you’ve got everything you need already laid out and ready, so let’s get all of the requirements out of the way! We’ll walk through the following in this section: Gathering your PlanetScale and Stytch API keys Installing PlanetScale’s CLI This guide assumes you have Node.js and NPM installed on your system. You can find instructions on how to do so here. Retrieve API key from the respective dashboards Stytch API keys Create PlanetScale service token Installing PlanetScale’s CLI Check out the instructions here to install PlanetScale’s CLI, pscale, for your operating system. The pscale shell is an interactive shell for your database. Think of it as a MySQL shell that lets you directly operate on your PlanetScale database. Creating and configuring your PlanetScale database Create your PlanetScale database Create your first branch Think of your branch as an isolated copy of your database created with the current production schema. Branches can be used to develop features and test changes without impacting your production database. Connect to your branch and create your table This query will create your users table where you’ll store a record for each user that is created. Create a deploy request, deploy and merge Deploy requests enable teams to collaborate and review changes before deploying them. Create your backend If you’re not familiar with Next.js, this is a good companion blog post covering some of its features and benefits. Before getting started, make sure that you’ve set your environment variables inside your .env.local file. Setup the APIs to connect to PlanetScale Establish a connection to the PlanetScale main branch using the planetscale-node library, then inside of pages/api/ create the functions to add, remove, and get users from the DB. Setup Stytch Email Magic Links Instantiate the Stytch client via our stytch-node client library; you’ll use this client to make any calls to the Stytch API. We would like to be able to invite and add new users to our dashboard, we'll leverage our stytch-node client library to send Email Magic Links to users to do that. Next you’ll want a way to authenticate the magic links that are being sent by the Stytch SDK. Setup user sessions Now that we’ve got authentication in place, what happens when a user leaves and then comes back? We want that returning user to come back to an authenticated experience, so we will use Stytch’s Session Management API to make that happen. We will start by creating a session helper that will validate the tokens exchanged through the cookies. Add this session helper to each DB handler so we can prevent unauthenticated API calls. Now we’ll want to add logic to clear the client state once a session has expired. Doing so will allow us to gracefully re-prompt the user to log in when their session expires; when we initiated the session, we chose a session_duration_minutes of 10080 minutes, 7 days, so that users won’t be prompted to re-login if they return within that 7 day period. Backend complete You just finished all the critical backend components in our example. With the backend complete, your app can now login with Stytch Email Magic Links, manage sessions via Sessions Management, and maintain your user database via PlanetScale. Give our Stytch + Planetcale example app a try to see what the frontend experience is like as a user! We can’t wait to see what you build with Stytch! Get in touch with us and tell us what you’re building in our Slack community or via support@stytch.com. --- # A guide to passwordless authentication solutions by business vertical Source: https://stytch.com/blog/guide-to-passwordless-authentication-solutions-by-vertical/ You’ve just decided to go passwordless (an excellent choice), and now it’s time to figure out which passwordless authentication solution is right for your business. You’ve just decided to go passwordless (an excellent choice), and now it’s time to figure out which passwordless authentication solution is right for your business. There are many options on the table, including email magic links, SMS one-time passcodes, WebAuthn, OAuth, and multifactor flows using a combination of these methods. To help you navigate options, we’ve compiled years of experience and expertise building passwordless authentication solutions (at both Stytch and Plaid) into a simple guide. Essentially, which method you should choose comes down to two basic questions: What are the security requirements for your app given the sensitivity of the user data you work with? And, Who is your target audience, and how do they engage with your product? Below, we break these points down one by one and explore how they play out in different business scenarios and use cases. Keep in mind, while we use specific verticals we’ve worked with as examples—including e-commerce, fintech, healthcare, B2B SaaS, and B2C tech—our recommendations apply across industries and for a much wider swath of businesses. User data sensitivity and security requirements First, consider the following questions: Are you involved with storing or handling sensitive customer data? Are you in a heavily regulated industry? Do you consider your industry to be vulnerable when it comes to fraud and cybersecurity attacks? If you answered “yes” to any of the above, then you’re among companies like fintech, healthcare providers and government agencies that access sensitive user data such as bank account information and medical records. Industries like yours tend to be highly regulated and allow customers a wide range of activities, from facilitating mobile transfers and cryptocurrency trades to scheduling and accepting payments for medical procedures. Security is likely a top priority for your business, and you should opt for higher-friction methods of authentication (we’ll get into what that means later in the guide). If you answered “no” across the board, you’re likely operating in a highly competitive, crowded B2C market like e-commerce, media, entertainment, or edtech. You might face challenges related to rising customer acquisition costs, high cart abandonment rates, and low account creation and user engagement. But overall, you access less sensitive data, and—while security is still a priority—your primary focus is on maximizing customer conversion. You’re better off building a low-friction yet secure passwordless authentication experience, which can help move the needle when it comes to succeeding in competitive B2C markets. How your target audience engages with your product There are hundreds of ways you can segment your audience, but when it comes to authentication, there are two key factors to consider: Audience demographics (namely age) and Behavior related to mobile and desktop device usage These two data points are strong indicators of how your audience will interact with your application. They’re also often correlated. For example, research has shown that people below the age of 25 use their phones more frequently and are likely to have them in close proximity at all times. Depending on whether you offer a desktop- or mobile-first product—and whether your customers are likely to have their phones nearby while going through your onboarding flow—your path to building a great user experience and maximizing conversion can vary significantly. Toward that end, we’ve put together a helpful graph that plots common verticals along axes related to data sensitivity and audience reach. While this simplistic view won’t capture all edge cases, it’s a helpful starting point when evaluating your authentication needs: Taking this a step further, we’ve also plotted the most popular passwordless authentication methods using similar criteria: While passwordless authentication options are unquestionably more secure than password-based authentication (and thereby suitable for businesses that have access to all types of sensitive data), you can further distinguish them into remotely accessible (e.g. SMS, email) and device-tied factors (e.g. mobile biometrics). Remotely accessible passwordless factors are typically used for primary authentication, while device-tied factors are considered even more secure and are typically used for 2FA. Another thing to keep in mind when choosing one or several passwordless authentication solutions is that methods are often designed with specific users in mind. For example, as you can see in the above matrix, SMS and authenticator app passcodes are designed for mobile-friendly applications, while email magic links and WebAuthn make for great user experiences via desktop. You can read about each passwordless authentication option in detail in our comprehensive guide to authentication. Now that you have a sense of how both your business and popular passwordless auth methods measure up when it comes to security and audience, let’s explore our cheat sheet on the best passwordless authentication solutions for each vertical: We developed this data over more than two years of research and conversations with customers and leads, and we’re excited to share it publicly to help make your authentication journey easier. Before we dive into our specific recommendations, it’s worth reviewing a couple general tips that apply across verticals: While MFA is your friend, we recommend introducing friction only when truly necessary using just-in-time authentication. Don’t be afraid to let your audience choose how they want to be authenticated. Take Square’s Cash App as an example -- they let their users decide whether they want to sign-up/login with their email or phone number. In the following sections, we’ll go vertical by vertical and take a closer look at how we arrived at each recommendation. Fintech and digital healthcare Objective: Maximize security while maintaining higher conversion rates compared to password-based authentication For mobile-first, consumer-facing applications in fintech and healthcare, we recommend a low-friction yet secure authentication method as a primary factor and a much higher friction authentication method in an optimized 2FA flow. Specifically, we recommend SMS one-time passcodes as a primary authentication method—or WhatsApp passcodes if your target audience is outside North America. Using SMS/WhatsApp one-time passcodes for primary authentication will help you achieve a 50%+ increase in conversion versus password-based methods (due to the auto-fill capabilities of iOS and Android) while still offering the security benefits of preventing password re-use and the associated account takeover risk. OAuth login options like Sign in with Google + Apple can also be great primary authentication options given their ease of use and the ways users frequently secure those core accounts. For your secondary authentication method, we recommend using mobile biometrics or an authenticator app like Google Authenticator. For desktop-first applications in fintech and healthcare, we recommend a combination of low-friction yet secure passwordless sign-up or login flows. These could include email magic links or OAuth for primary authentication and authenticator apps or WebAuthn for 2FA. Note: The brands in the above and below tables use passwordless authentication methods for either primary authentication or 2FA. E-commerce and B2C tech Objective: Maximize customer conversion through a low-friction yet secure passwordless authentication experience Similar to fintech and healthcare, for mobile-first e-commerce and B2C tech applications, we recommend a low-friction yet secure authentication method such as SMS or WhatsApp one-time passcodes. Again, OAuth login options like Sign in with Google + Apple can also be great primary authentication options given their ease of use. If it’s necessary to add 2FA for your use case, use mobile biometrics or a relatively low-friction PIN verification method. For desktop-first applications, we recommend introducing a combination of low-friction, high-security passwordless user sign-up or login flows. These could include email magic links or OAuth for primary authentication and SMS or WhatsApp passcodes for 2FA. B2B SaaS Objective: Strike the perfect balance between protection and ease of use for B2B customers For desktop-first B2B SaaS applications—which comprise the majority of this industry—we recommend a combination of low-friction, high-security passwordless sign-up or login flows. This could include email magic links or OAuth for primary authentication and either authenticator apps or SMS passcodes plus WebAuthn for 2FA, depending on how much friction you want to introduce to your user onboarding flows. Continuing your authentication journey Once you’ve built your user onboarding flow, that doesn’t mean your authentication journey is over. In fact, authentication will underpin and impact all user interactions with your application moving forward—so why not get creative with your solutions? With embedded authentication methods, you can create smooth user experiences by weaving authentication solutions seamlessly into all interactions with your app. Stytch offers several options, including: Embeddable magic links which embed authentication into any customer communication channel—including SMS, email, and WhatsApp—to always provide a logged-in experience to your users Embeddable OAuth solutions which embed authentication methods like Google Sign-In directly into customer communications Learn more about our passwordless authentication solutions Looking for more information on the passwordless methods mentioned in this guide? Jump into Stytch’s API docs to get a closer look at our industry-leading products—or join our Slack community to chat with fellow engineers. --- # Announcing Stytch's $90M Series B at a $1B Valuation Source: https://stytch.com/blog/announcing-series-b/ Announcing Stytch's $90M Series B at a $1B Valuation We are thrilled to announce Stytch has raised a Series B valuing the company at $1 billion. The funding was led by Coatue, with participation from existing investors Benchmark, Thrive, and Index. When we were at Plaid, we witnessed the shortcomings of passwords first-hand, both from a security and usability perspective. We saw how often users gave up when the authentication process was too hard, and for all the friction passwords introduce, they still leave users vulnerable to account takeover attacks. User experience and security have both evolved over the past few decades, but authentication is stuck in the 1990s despite underpinning all of our online interactions. That’s why Stytch was born - to make the next generation of authentication passwordless. We believe in building tools and infrastructure that make it easier, faster, and safer to embed authentication into apps and websites. We’re making it easy to modernize your authentication flows and build great user experiences by adopting passwordless technologies. The traditional approach to authentication ignores the significant downsides of passwords. 66 percent of users reuse passwords across different accounts, posing a significant security threat and creating larger breach liabilities. It’s no surprise that 81 percent of all internet breaches stem from weak or stolen passwords. At the same time, we're constantly forgetting and resetting them. When users forget their password, about 75 percent give up and don’t complete the reset process. Similarly concerning, 46 percent of users report password authentication “frequently” or “very frequently” prevents them from completing an online transaction, costing businesses money and users. Passwords are a headache for companies and users alike, but it doesn’t need to be this way. As the web continues to evolve, there’s a future in sight where authentication is blended into product experiences in a way that introduces the right amount of friction at the right point in time. The future of authentication will be more consumer-friendly, providing users with the ability to seamlessly move their data and credentials across the web while choosing the privacy settings that fit their needs. The evolution of the wallet in Web3 presents a compelling initial concept here, but there’s still significant work to be done to make this usable en masse for both developers and users alike. Stytch is building the future of authentication, whether that be for traditional Web 2 applications or a new generation of Web 3 applications. Today, we have more than 3,500 developers building on the Stytch platform adding email magic links, SMS and WhatsApp passcodes, OAuth connections, one-click user invitations, and embeddable magic links into their user onboarding and login flows. In addition to these core passwordless features, we’ve seen companies of all sizes drawn to the simple developer experience and the flexibility offered by our API-first approach, including a few Fortune 500 companies that are using the product. It’s still early days for Stytch and passwordless authentication; with the new funding, we’re going to focus on growing our product suite to accelerate the transition to a passwordless future We’re creating new possibilities when it comes to user engagement by enabling companies to weave authentication into their product experiences with new products like Embeddable Magic Links. We are also excited to announce today our acquisition of Cotter, a leading no-code passwordless authentication platform backed by YC. We believe this combination can bring our vision of a passwordless world faster by making it even easier for developers to adopt passwordless technologies. The future of authentication is here, and you can get up and running with Stytch today. Sound like something you want to also get behind and want to build with us? Check out our open positions. Julianna and Reed --- # Improving conversion with Google One Tap Source: https://stytch.com/blog/improving-conversion-with-google-one-tap/ Today, we’re excited to launch support for Google One Tap, a passwordless technology that can significantly improve sign-up and login conversion for applications. Today, we’re excited to launch support for Google One Tap, a passwordless technology that can significantly improve sign-up and login conversion for applications. Google One Tap is a particularly powerful way to improve onboarding and login flows, and companies that have done the heavy lifting to integrate it have observed impressive results: Pinterest saw a 47% conversion increase in sign-ups on desktop and a 126% conversion increase in sign ups on Android Reddit was able to roughly double their new user sign-up and returning user conversion rates Combined with other improvements to their onboarding flow, Zapier was able to increase conversion by ~20% in a B2B context Tapping into better conversion rates With countless eye-popping conversion results, what is Google One Tap and how does it actually improve conversion? Google One Tap is a technology from Google that improves upon their traditional OAuth option for “Sign up with Google” -- instead of a user choosing to sign up with Google to initiate an OAuth login flow, Google One Tap is able to detect a user’s logged-in Chrome or Gmail session and present the option to continue with one of their recognized accounts. Google One Tap introduces two fundamental changes to the user experience: It actively primes the user to sign up, nudging them into the onboarding funnel by indicating how easy it is to get started. Often when a user lands on a website, they are still in the decision-making process of whether they want to use this product. If they’re convinced of the value of the product, they may choose to “sign up”, being redirected to an onboarding form. Google One Tap provides you with the ability to present a powerful nudge to the recognized user anywhere on the site and at any point. For example, you could display the One Tap option at a certain point in the scroll, on a time delay, or immediately upon the user landing on the site. In addition to making it more likely that a user chooses to initiate the onboarding process, the expedited One Tap process also cuts out an entire step in the sign-up process for the user. In this flow, the user won’t receive the traditional Google Sign In pop-up asking them to choose which Google account they want to connect. Zapier does a great job of illustrating the UX differences between regular “Sign In with Google” and Google One Tap in their blog post on the subject: How does Google One Tap work? Google One Tap is powered through an iframe that Google provides compared to the traditional OAuth flow of redirecting the user to a separate Google page. As a result, the available accounts are displayed within a developer’s application, and the user clicks their desired account to login or create an account. Hence, a “One Tap” experience. The Google iframe detects the available accounts by reading the Google sessions from cookies stored in the user’s browser. These sessions are set by Google when a user signs into Google or a Google service (i.e. Gmail or YouTube). Since Google allows users to sign into multiple accounts, each account gets its own session, and Google One Tap shows up to two as options. If a user has more than two accounts, Google One Tap hides the rest behind a dropdown button. When a user clicks their desired account, Google starts the authentication process. If the user is signing up for the first time, the One Tap iframe gets the consent of the user, otherwise signing them in immediately. Google returns a JWT representing that user, and the developer is responsible for verifying that the JWT is signed and valid. If the JWT is sent to a backend server, the developer is responsible for preventing CSRF attacks. Stytch offers Google One Tap through a streamlined integration with the JS SDK. This allows developers to focus on creating a delightful experience instead of worrying about authentication and security. The JS SDK allows developers to either embed the Google One Tap Iframe into the SDK like Zapier or have it as a floating window like Redfin (Make sure you aren’t logged in!). The JS SDK captures the login event and forwards the user to the Stytch API to verify the response. The API handles the CSRF protection and JWT verification for the developers as a part of the verification process before redirecting the user back to the login or sign-up redirect URL for that application. At that point, the developer verifies the Stytch request and can request a Stytch session. All of this work can be enabled through a single line of additional code and minimal configuration in the Stytch dashboard. Google One Tap is supported across all major browsers except Safari. Going Passwordless with Stytch Stytch is a platform for passwordless authentication that supports high security and low-friction authentication methods like Google One Tap. If you’re interested in integrating One Tap or other Stytch products like biometric authentication, email magic links, OAuth logins, or SMS passcodes, you can sign up for a developer account here to get started or reach out to support@stytch.com. --- # An introduction to WebAuthn Source: https://stytch.com/blog/an-introduction-to-webauthn/ “WebAuthn” is one of the most exciting passwordless technologies available to developers and users. An example of the WebAuthn user flow on mobile or desktop. WebAuthn makes it easy for users to authenticate with device biometrics (e.g. FaceID/TouchID) or a hardware key like a YubiKey. “WebAuthn” is one of the most exciting passwordless technologies available to developers and users. With WebAuthn, experiences like the below are now possible, allowing applications to authenticate users with the biometric capabilities built into the devices they use every day: Historically, integrating WebAuthn has been a complex and time-consuming activity for developers. Stytch now supports the WebAuthn protocol, so that developers can embed this feature in minutes rather than months. So, what is WebAuthn? Technically speaking, WebAuthn is a web standard that allows web-based applications to leverage public-key cryptography to authenticate users online. That’s a mouthful, so let’s break that down. In layman's terms, WebAuthn provides users with two highly secure yet low-friction options for authenticating themselves with mobile and desktop web applications -- when applications integrate WebAuthn, they can give users the option of using either of the following authentication methods for accessing their account: Built-in device biometrics such as TouchID or FaceID When using this authentication method, you’re both verifying possession of the user’s original device and biometric proof in the user’s facial ID or fingerprint. This is also referred to as a “platform authenticator” because it’s tied to the device. Hardware keys such as YubiKey This is referred to as a “cross-platform authenticator” because, unlike platform authenticators that are tied to a particular device, the hardware key can be moved from one device to another and retain your authentication method. What are WebAuthn’s advantages over existing authentication methods? Historically, when signing up for or logging into online accounts, users are asked to set up a username and password as their primary authentication method for accessing their account (of course, we’d contend there are much better primary authentication factors than passwords). Due to the prevalence of password re-use and how it contributes to stolen accounts, most applications will now also ask users to go through a two-factor authentication flow. Often, users get one or multiple of the following options for two-factor authentication: Security questions (e.g. what is your mom’s maiden name?) This is considered to be a low security form of 2FA because the information used to authenticate the user is often public information. SMS verification (e.g. receive a 6-digit one-time passcode over SMS) This is a medium security form of 2FA. A motivated attacker may try to steal a user’s phone number or trick the user into passing along their passcode to the attacker. While it’s much better than password-based authentication or security questions, it’s by no means invincible. Time-based one-time passcodes aka TOTP (e.g. enrolling with an app like Google Authenticator or Authy) This is a higher security form of 2FA. TOTP eliminates the risk of someone stealing your phone number because the authentication method is tied to a user’s device. However, a user could still be tricked into accidentally sharing their passcode with a bad actor. While TOTP is the safest 2FA method on the above list, many applications do not offer it as an option because of the friction it can create for users. Every user with a phone number can receive a SMS one-time passcode, but TOTP requires the user to download a dedicated app like Google Authenticator to enroll and use this 2FA method. As a result, many applications don’t support TOTP, and when they do support it, a large portion of users will still opt to use SMS passcodes for two-factor authentication. WebAuthn is an extremely compelling authentication method because it is both more secure and lower friction than the 2FA options listed above, encouraging users to adopt it over less secure methods. And unlike TOTP, users do not need to download anything or potentially use multiple devices to complete one login to use WebAuthn. They can simply use the TouchID on their computer or the FaceID on their mobile phone like they already do multiple times per day to log into their device. An additional benefit of WebAuthn is that it prevents the “phishing” of users because there are no passcodes for the user to expose to an attacker. This is why some refer to WebAuthn as “unphishable multi-factor authentication (MFA)”. Why aren’t we all using WebAuthn? So, if WebAuthn is so groundbreaking, why isn’t every website already using it? We expect a large number of apps will begin to integrate WebAuthn in 2022, but there are a couple contributing factors that explain why adoption has lagged so far: First, WebAuthn device support has only recently reached a critical mass, with ~90% of global users’ devices now supporting this authentication technology. Second, it’s historically been very difficult to integrate WebAuthn, so developers have reasonably chosen to focus on more product-related work rather than trying to integrate an opaque and complex web authentication standard. There are also certain poorly documented edge cases to consider when using WebAuthn, which can significantly complicate implementations if you’re not familiar with WebAuthn. In 2022, Stytch is focused on helping bring WebAuthn mainstream. Using WebAuthn with Stytch Seeing the immense benefits of WebAuthn but also the frustrations that developers had with integrating with it, we’ve built our product to be the simplest way for developers to support WebAuthn. We’ve also made it simple to offer other authentication methods alongside WebAuthn to easily support cross-device access and account recovery such as email magic links, OAuth logins, and more. If you’re interested in integrating our WebAuthn product, check out the API documentation here or sign up for a Stytch account here. --- # What is credential stuffing? How to prevent credential stuffing attacks Source: https://stytch.com/blog/what-is-credential-stuffing/ As more aspects of daily life go digital, we are increasingly grappling with threats to our cybersecurity and personal information. As more aspects of daily life go digital, the importance of defending against threats to our personal information continues to grow. And though you might be familiar with common ones like brute force attacks—also known as credential cracking—credential stuffing differs in a few key ways. This article will cover the basics of credential stuffing, its threat to businesses and individuals, and practical ways to deploy modern solutions against this particular attack vector. Forceful fraud: Brute force attacks, credential stuffing and password spraying It's important to distinguish between the methods behind traditional brute force attacks and their closely-related cousins, credential stuffing and password spraying, to know what to look for and how to defend against them. Brute force vs. credential stuffing While both brute force and credential stuffing attacks share a common goal of acquiring sensitive user information, the manner in which that information is obtained is fundamentally different. Credential stuffing uses previously stolen credentials, often obtained from large-scale data breaches, to gain unauthorized access to user accounts. Attackers automate the process of testing these credentials across multiple sites, banking on the unfortunate likelihood that users have reused passwords. This method can be highly targeted, focusing on specific user accounts or services, and is difficult to recognize because it involves valid login attempts that can easily trick security systems. Brute force attacks attempt to guess passwords indiscriminately by systematically trying different combinations of characters, numbers, and symbols until the correct password is found. Attackers use automated tools to generate and test thousands or even millions of potential passwords, often employing prescribed patterns or commonly used base password phrases. This method is less sophisticated than credential stuffing but can be equally effective against weak or poorly chosen passwords. Password spraying Password spraying is similarly indiscriminate: attackers will 'spray' stolen passwords from a database until they gain unauthorized access. Instead of targeting individual accounts with many password attempts, they attempt a small number of common passwords against a large number of accounts, thereby evading traditional lockout mechanisms and increasing the chances of compromising multiple accounts. This method often exploits weak password policies and user tendencies to use simple or common passwords across different platforms. How does credential stuffing work? As mentioned, credential stuffing is a type of cyberattack that takes advantage of compromised credentials such as usernames, email addresses, and passwords to access secure or sensitive information. Here's how fraudsters make a credential stuffing attack work: Attackers leverage stolen or breached credentials to set up automated attempts to log into multiple accounts, potentially gaining access to personal and financial information. They then use automation tools to simultaneously log into multiple accounts and check for access to secondary services or accounts. This highlights the potential consequences and the difficulty of detecting such activity. As noted, a credential stuffing attack differs from a brute force attack in that it doesn’t rely on random attempts to decode a password or username combination, instead relying on lists of username/password combinations acquired from data breaches. Lists can contain millions of these combinations, which hackers then attempt to “stuff” across different sites on a trial and error basis. Each successful combination can then be used to access lucrative information such as bank accounts, payment applications, credit card numbers, etc., leading to a cascade of fraudulent activity. How big of a threat is credential stuffing? Credential stuffing might seem laborious, cumbersome, or not very effective due to its indiscriminate approach. But the perpetrators behind these types of attacks employ sophisticated programs and applications to optimize their efforts. Unfortunately, AI and machine learning technologies have elevated the humble bots of the Eliza era to a superpower status never before witnessed in the realm of fraud. Now, using bots—which are software programs that specialize in performing repetitive, predefined tasks—malicious actors can try a multitude of password and username combinations against different services in rapid succession. The resulting large data breaches often yield millions of credentials. Attackers often use these stolen credentials on multiple sites, leveraging botnets to automate the process and increase their chances of success. So, while the success rate for the above tactics is fairly low, the sheer amount of compromised data means that thousands of users can be affected. For example, the Android Users Data Breach in May 2021 compromised the personal data of over 100 million users spanning 23 app databases. At the end of the day, digital account fraud is a numbers game that increasingly favors the hacker, with the majority of people reusing the same password and username combination across multiple services—up to 65 percent, in fact. Combine this with the reality that data breaches are becoming more common, and the threat of users’ personal data being compromised increases exponentially. Bots: Stuffing's secret weapon So what to do about it? To defend against potential credential stuffing attacks, users and developers alike first need to understand more about the bots that are essential to the process. If you’ve ever been “timed out” or briefly locked out of a website or service after a series of incorrect logins, you’ll have some idea of the basic security in place to safeguard user data. These measures are designed to prevent excessive failed login attempts by identifying suspicious login attempts. This helps differentiate between types of attacks like brute force and credential stuffing. However, bots can easily get around these countermeasures. They are capable of making multiple login attempts simultaneously and can mask these attempts so that they appear to come from different devices. In short, the system doesn’t flag the behavior as suspicious, and the bots are free to continue trying for viable username and password combinations. The humble IP address is a common tool used by bots that deploy fake IP addresses to mask their login attempts, making it harder for security systems to detect malicious activity. Blocking or sandboxing these IP addresses can be an effective defense. How to prevent credential stuffing attacks with Stytch Because bots can target multiple accounts swiftly, it's crucial to implement robust security measures that span a business' application ecosystem. To work towards this, many services are now implementing more complex cybersecurity measures, such as those outlined below. Breach-resistant passwords As hackers develop more sophisticated social engineering techniques, breach-resistant passwords offer a crucial defense. Breach-resistant passwords are strong and secure, making them difficult for bots and attackers to guess. Stytch's solution incorporates the zxcvbn strength assessment tool, which ensures that passwords created adhere to NIST password guidelines, focusing on both length and complexity to enhance security. Additionally, Stytch integrates with HaveIBeenPwned to monitor for compromised credentials, automatically prompting users to reset their passwords if a breach is detected. This ensures that user passwords remain resilient and up-to-date, significantly reducing the risk of account takeovers. CAPTCHAs CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. These tests, like identifying buses or crosswalks in images, are simple for humans but challenging for bots, which struggle with image interpretation and human-like responses. Developing bots to solve CAPTCHAs is time-consuming and expensive, and since CAPTCHAs can't be reused, bots must solve them repeatedly, slowing down credential stuffing attacks. Stytch Strong CAPTCHA offers a modern take on traditional CAPTCHA that thwarts bots and CAPTCHA farms by using proprietary device intelligence to proxy and encrypt the CAPTCHA. Visit our product page or contact an auth expert to learn more. Two-factor and multi-factor authentication Often abbreviated as 2FA, two-factor authentication is becoming an increasingly popular cybersecurity measure. A subset of multi-factor authentication (MFA), 2FA gets its name because it uses two factors to verify a user’s identity. This can be any combination of single factors such as password and username, answering a security question, or entering a one-time code delivered via text message to the user’s personal device to verify a user’s identity. More complex methods like biometric authentication (fingerprint scanning) can also be incorporated and stacked, providing two or more layers of extra security in the event that a user’s credentials are compromised. This makes multi factor authentication (MFA) a more effective countermeasure against credential stuffing attacks and a go-to for industries that deal with sensitive data, like finance and government. Device fingerprinting Stytch Device Fingerprinting analyzes and identifies unique device attributes such as browser configurations, IP addresses, and hardware characteristics to detect and block suspicious activities from non-human actors like bots. This precise identification method ensures that only legitimate users gain access while thwarting bots attempting to exploit stolen credentials. To strengthen your security and protect against credential stuffing, explore Stytch's advanced device fingerprinting solution. Going passwordless It's essential to distinguish between legitimate users and attackers to ensure that security measures do not hinder the user experience for genuine users. While there are a plethora of password generators out there that provide users with usernames and passwords specifically designed to be hard to crack, many users still rely on simple passwords reused across multiple apps and services for their user accounts. This is an inherent flaw of password authentication, one that is difficult to correct because of how ingrained and widespread it is, and it's one of the leading causes of stolen login credentials. To get around this issue, many developers are choosing to go passwordless using methods like biometric authentication and multi-factor authentication (MFA) Stytch Passwordless Authentication uses a suite of modern authentication methods designed for seamless, secure user logins, such as email magic links, SMS passcodes, WebAuthn, OAuth, and biometric authentication. This approach effectively prevents credential stuffing attacks delivered by bots, as there are no passwords to steal or reuse in a login attempt. To explore how Stytch can enhance your security strategy to prevent a credential stuffing attack and related bot attacks, get in touch with an auth expert orget started today. --- # Managing your users at Stytch Source: https://stytch.com/blog/managing-your-users-at-stytch/ Managing your users at Stytch So you integrated with Stytch, you have a buttery smooth onboarding experience for new users, and best of all…you had a ton of users sign up for your app! Awesome, you’re done! Wait, exactly how many users signed up for your app? Were they using your SMS passcode flow on mobile or using Email magic links on desktop? Good news! We just released User management in the Stytch Dashboard and our Search users endpoint in our API to help give you complete visibility into all of your users at Stytch so you can answer questions like the above. User management in the Dashboard With User management in the Dashboard we wanted to give our developers an out of the box way to view all of their users at Stytch and filter or search across them. We allow filtering your users based on their status, i.e. active or pending, and you can search across your users on name, user_id, email address, and phone number. You can also click on any user's row and see detailed information about that specific user. Search users endpoint A lot of customers have reached out to us asking for an API endpoint that would let them search and filter their users for a variety of use cases; huge thanks to those developers, we love hearing your feedback! Our Search users endpoint allows you to leverage seventeen different filters to pinpoint any slice of your users in Stytch. Check out our Docs to see all of the available filters and multiple example requests. We also released this endpoint in our Node and Go client libraries, both have helper functions to make pagination super easy! We'd love feedback Both of these features were born out of direct feedback from developers using Stytch, we love hearing about what you want and how you use our API. If you have any feedback or feature requests (or spy any bugs ???? ), please reach out to us on our community Slack, Discord, or support@stytch.com! --- # What is MFA (Multi-Factor Authentication) and how does it work? Source: https://stytch.com/blog/what-is-mfa/ In this article, we'll cover what multi-factor authentication is, how it works, and some of the most common ways it's used today to protect online accounts. Today, there is scarcely an area of life that is not touched by or managed online. From our bank accounts to our health records, to our family photo albums, everything we do depends on an online account of some kind. This means the stakes for protecting those online accounts has never been higher. One of the most important protections companies can leverage to protect their company and their customers is multi-factor authentication. In this article, we'll cover what multi-factor authentication is, how it works, and some of the most common ways it's used today to protect online accounts. Let's dive in! So, what is multi-factor authentication? MFA stands for multi-factor authentication. It's a layered approach to confirming a user's identity to ensure they have permission to access a protected website, application, network, or other digital system or perform a protected task within a digital system. As its name suggests, MFA requires users to successfully present relies on multiple authentication factors, instead of just one. This often (but not always) occurs at initial login; sometimes, the authentication factor prompts are dispersed throughout a digital experience. Why is multi-factor authentication important? As time passes, hackers only grow more sophisticated. They now have at their disposal advanced tools that allow them to generate and test username and password combinations until they arrive at the correct permutation and gain access to the system they are trying to breach. Compounding the issue is the fact that users often select weak, obvious passwords and repeat them across multiple accounts, making it possible for hackers to breach multiple systems with one set of credentials. As a result, passwords alone have been rendered insufficient as a means of protecting sensitive online data. In fact, 81% of all data breaches can be traced to weak or stolen passwords, and the Open Web Application Security Standard (OWASP) now encourages all authentication flows to treat passwords as “pre-breached.” MFA makes online systems more secure in light of this threat. By requiring users to verify their identity through multiple factors—not just a single password or password alternative—MFA makes unauthorized logins and fraudulent transactions less likely to occur. In turn, it has become a pillar of cybersecurity. How does multi-factor authentication work? MFA works according to a principle of layered security. By asking users to provide additional forms of identification, it increases the likelihood that the user is who they claim to be, reducing overall risk. Often, a user is prompted to present all of their credentials at initial login. A typical security protocol might have them submit their username and password (factor 1) and answer a security question (factor 2) before asking them to enter a one-time passcode sent to them by text or email (factor 3). Once the user completes all steps, they have access to the entire application. The advantage of MFA isn't just that it asks for more than one piece of identification; it's that it also asks for identification of different types. The most common types of authentication factors employed by MFA are: Knowledge-based (things a user knows) Possession-based (things a user has) Inherence-based (things a user is) Knowledge-based factors Knowledge-based factors include information that ideally only the user will know. These include factors like: Passwords are the de-facto authentication factor most people think of. Unfortunately, while passwords are designed to be information that only the user knows, hackers have a lot of ways of learning this information. Usernames are also knowledge-based factors. While we sometimes think of passwords as the main authentication factor, it's really the combination of the username with the password that identifies them exclusively as a factor. Pins are very similar to passwords, except they typically draw from a smaller character-base (like numbers only) and are typically a shorter string. Security question answers like “What street did you grow up on?” or “What was the name of your first pet?” are also knowledge-based authentication factors. Unlike pins, usernames and passwords, though, these are usually a second factor and not a primary. Of the categories of authentication factors, knowledge-based authentication factors are generally the least secure, particularly when not paired with second or tertiary factors. Possession-based factors Possession-based factors refer to something the user has or has access to instead of knows. These include factors like: Magic links Also called email magic links, this type of authentication method lets users instantly log in via a URL sent to a pre-registered email address. One-time passcodes SMS one-time passcodes (OTPs), which ask users to enter a unique numeric or alphanumeric sequence sent by text to a recognized mobile phone number Time-based one-time passcodes Time-based one-time passcodes (TOTPs), which ask users to confirm control of their device within a certain time frame via a passcode generated by a smartphone app like Google Authenticator. Push authentication Push authentication, which sends notifications to an app on users' devices, asking them to approve or reject a login attempt WebAuthn WebAuthn can take a few different forms, but generally combines public key cryptography with on-device biometrics or external security-key hardware – often referred to as a physical key, a hard token or physical token. Most people are familiar with these keys as a USB key called a YubiKey. Inherence-based factors Inherence-based factors rely on biological traits unique to the user. You may also hear these referred to as biometrics or factors based on what you are. Examples of biometric factors include fingerprints, hand geometry, iris or retina recognition, voice recognition, and facial recognition. Biometrics Biometric authentication is typically built into a device and is designed to scan, analyze, and recognize distinctive, measurable features — like a user’s fingerprint, facial contours, iris/retina patterns, and voice qualities. Many biometric solutions are also equipped with liveness detection tools, so they can distinguish between a legitimate user and a reproduction (like a photograph or voice recording) in order to prevent fraud. WebAuthn Wait WebAuthn is both an inherence and possession-based factor? Yes! Because WebAuthn often combines biometrics with public-key cryptography, the biometrics portion of the WebAuthn flow both confirms the user's identity (inherence) along with ownership of their device (possession). Passkeys Passkeys are a new evolution built on WebAuthn, with some key improvements. While WebAuthn pioneered the concept of a single-device passkey (i.e. a single hardware key or a biometric validation tied to your mobile device or laptop), “passkeys” as we’re discussing here refer to multi-device passkeys that can be synced to the cloud and used across devices – even across operating systems! This makes them a drop-in replacement for passwords as well as an excellent additional authentication factor for MFA flows. In customer-facing authentication, biometrics are typically paired with additional cryptographic technology. Good examples of these include WebAuthn, passkeys, and other technological standards that have come out of the FIDO alliance. What are the benefits and drawbacks of multi-factor authentication? Benefits of MFA The main benefit of MFA is security – multi-factor authentication process makes it considerably more difficult for hackers to breach a system than single-factor authentication. That's a huge advantage, especially when you consider the exorbitant costs incurred by organizations and individuals affected by security violations. Drawbacks of MFA One of the biggest drawbacks to MFA is in its effects on the user experience: in the process of making systems more secure, MFA can add some amount of friction to the system's user experience. The good news is that can be mitigated by smart authentication design. Improving MFA user experience One way to avoid undue hassle and frustration is to employ a route-based approach, in which MFA is only introduced for certain actions or transactions online. Another is to eliminate passwords as a verification factor entirely, since remembering and entering passwords are their own source of friction. Passwordless authentication methods are simpler and faster than passwords, making user retention more likely. And because they can easily be layered in a multi-factor approach and avoid the security risks posed by weak and compromised passwords, they are inherently more secure. Multi-factor authentication FAQs What's the difference between multi-factor authentication and two-factor authentication (2FA) MFA and 2FA are not fundamentally different. Two-factor authentication is just a subset of multi-factor authentication, which is an umbrella term for any authentication process that uses more than one verification factor. In other words, all 2FA is MFA, but not all MFA is 2FA, because some applications of MFA use three or more factors. What is adaptive multi-factor authentication? This is a great question. But to understand adaptive MFA, it can be helpful to understand a few different types of auth that often get mixed up: Route-based authentication refers to any incremental security method, where a user must only undergo extra checks—like a second or multi-factor authentication—to carry out more sensitive tasks within an app. Just-in-time (JIT) authentication or risk-based authentication is another, less technical term for route-based authentication, deriving its name from the fact that users are only asked to authenticate with additional factors at the moment the more sensitive tasks are being attempted. This is also sometimes referred to risk-based authentication, because users are only prompted with additional authentication factors when their behavior is flagged as suspicious or potentially fraudulent. Step-up or adaptive authentication refer to a specific type of just-in-time authentication that requires an additional authentication level specifically when trying to perform high-risk operations on an IT system. Unlike JIT, adaptive authentication is invoked based on the type of transaction, not based on user behavior or flags. All three of these terms are important because they offer ways for companies to remove friction from MFA flows without compromising security – a key to driving conversion, adoption, and user engagement for any business model. Does MFA make accounts un-hackable or unphishable? In short, no. There is virtually no authentication method or combination of methods that can guarantee 100% impenetrability from outside attacks. Just as authentication companies like Stytch are constantly innovating to improve our product, hackers are also constantly innovating to find new ways to compromise cybersecurity. MFA is no exception: while more secure than single-factor authentication processes, secondary factors like one-time passcodes and email magic links can be phished or stolen by attackers who are willing to put in the time. If phishing is a big concern for your product, it might be good to consider integrating “unphishable” authentication methods into your MFA flow – biometrics, Yubikeys, and passkeys are all much more difficult to phish or steal because they rely on inherence factors, rather than possession or knowledge. To learn more, you can check our our article about unphishable MFA. Is MFA the same thing as “zero trust”? Not exactly, though they are often mentioned together: Zero trust refers to an approach to cybersecurity in which no user nor device is trusted until their identity and access is verified. Every single device or user must be authenticated to gain access to a given network application, or server. Multi-factor authentication has become a popular approach to zero trust because it adds a few additional layers of verification to the zero trust model. Put another way, zero trust is a guideline or model for how often or in what cases you authenticate, while multi-factor authentication refers to how that authentication is performed. Which MFA is right for my business? At Stytch, we highly advocate for designing your authentication flows around what introduces the least amount of friction to your users, while still keeping them secure. Determining that usually varies from business to business. While we provide a more in-depth rundown how to choose the right MFA flow in another article, any company can start by considering three main decisions: Will you make MFA optional or require it for all users? Will you offer multiple MFA options so that users can choose what best fits their needs? How many and which options will you provide? Will you layer on? Remember, when answering these, think about what kind of information is most at-risk or valuable that hackers might want to access, how much friction your users will tolerate, and at which junctures in their signup or login flow they're most likely to tolerate that friction. Explore Stytch's multi-factor authentication solutions Looking for additional information on implementing secure, user-friendly, multi-factor authentication methods? Stytch has you covered. Sign up for a free account to get started, or talk to an auth expert today to discuss what MFA looks like for your product. --- # Bingrui Tang Source: https://stytch.com/blog/bingrui-tang/ Bing joined us one year ago and we couldn't be more excited to celebrate her and her contributions to building Stytch's product and culture. Today is the one year anniversary of the official creation of our Design team! Bing joined us one year ago and we couldn't be more excited to celebrate her and her contributions to building Stytch's product and culture. Meet Bing! What do you love most about working at Stytch? Autonomy, growth, and working with great people. What does a typical day at Stytch look like for you? A "typical" day has evolved a lot since I started managing the [design] team. I usually structure my time on a weekly basis: Mondays and Wednesdays are for independent work; Tuesday 1:1s; Thursday team review and cross-functional collaborations; Friday following-ups and relationship-building. What’s been the most surprising thing about Stytch? We have surprising numbers of pet owners! Other than that, the speed of growth is still much faster than what I imagined. Stytch has gone from 0-1 in the last year, what have been some of your biggest learnings about joining an early stage company? There are so many! And I am still very inspired by the people I work with everyday. To list a few: establishing scalable structures even as a team of 1; asking for help before feeling the pinch; and, as we're still often communicating virtually, a little extra kindness and curiosity goes a long way. What’s your favorite part of the Stytch culture? I really enjoy how the team built a direct and kind communication style. I feel like I could rely on everyone for constructive feedback, while also trusting us move through challenging situations with space and grace. Which Stytch value resonates most with you and why? "Think exceptionally", which, in Stytch context means "avoiding the assumption that existing norms are the right path." We've heard great feedback on our website design, for example, and it is a "look and feel" that we deliberately established that feels right and true to us, v.s. something we rushed through following the trend. What’s the most interesting project you’ve worked on at Stytch? Designing the Design team! I enjoy puzzle games, but this is certainly far more challenging than the box of Frank Stella geometric painting puzzles I've been procrastinating on. How did you end up becoming a product designer? I worked in film prior to Product Design, and the idea of working on something forward, challenging, creative, yet still being able to go home at a reasonable time seemed more than perfect to me. When’s the last time you did something for the first time and what was it? I went ice-skating for the first time when visiting Seattle this past December, and it was so much fun! Also fascinating to watch young kids learn: some of them didn't even finish crying before they started all over again! What song, hobby, or recipe got you through COVID? I've been taking boxing and ballet classes. Also got quite into sewing and cooking everything at home in the past few months. What’s your ideal weekend? A night by the Oregon Coast, and an evening with homemade dinner, books, and tea. What’s something you’re passionate about that’s not on your resume? Writing, dance choreography, and apparel design. Maybe one day! Interested in joining the design team at Stytch? Learn more about open roles, here! --- # 10 common cyber attacks Source: https://stytch.com/blog/10-common-cyber-attacks/ Learn which types of cyber attacks are most likely to target your platform — and what you can do to prevent them. Learn which types of cyber attacks are most likely to target your platform — and what you can do to prevent them. Cybersecurity can often seem like a game of cat and mouse. No sooner do security experts get wise to the latest threats than attackers modify their tactics, discover fresh vulnerabilities, and develop new lines of offense. Still, most cyber attacks fall into a known set of categories and follow a predictable pattern. In this post, we review ten of the most frequently carried out cyber attacks, how they work, and what developers and users can do to protect their sensitive data. What is a cyber attack? A cyber attack is any attempt by malicious actors (often called cyber criminals or hackers) to breach a computer system, network, or database. A cyber attack can be launched against a single user or device or against a larger group — like a corporation or a governmental organization. In recent years, there have been several instances of successful, high-profile cyber attacks against major global companies like Uber, Twilio, Okta, Microsoft, Samsung, and Cisco, to name just a few. And, alarmingly, some studies suggest that the overall number of cyber attacks is on the rise. What's at risk in a cyber attack? What do hackers want? Generally, hackers carrying out a cyber attack want to intercept, destroy, or otherwise tamper with online assets. They may be out to steal sensitive data like account credentials, personal or financial information, or valuable intellectual property, or to install malicious software into a computer program to disrupt its operations. They may be doing this for monetary gain, for an ideological or political cause, or even just for fun. All in all, it's a highly lucrative (and highly damaging) business, with each cyber attack carrying an average price tag of $4.35 million for the impacted company. What are the most common types of cyber attacks? There are ten popular types of cyber attacks that show up time and again in security circles. Below, we share what they entail, how to spot them, and which of the latest security methods can help keep them at bay. 1. MALWARE ATTACKS Malware, short for malicious software, is an umbrella term for any invasive file, program, or malicious code introduced to a computer through a corrupt email attachment, malicious link, or fraudulent ad. In a malware attack, an unsuspecting user loads one of these programs when visiting a website, leading them to unknowingly install malware on their system. There are many different types of cyber attacks that use malware, including: Viruses that attach themselves to legitimate files or programs a user employs, then replicate and spread across different platforms, software, and devices Ransomware attacks that encrypt data or files on a device and block a user's access until they pay a certain price (ransom) or meet a specified condition Spyware that secretly monitors a user's online activity, gathers data, and then relays it to a malicious third party Trojans that (like a Trojan horse) are disguised as harmless or desirable programs and trick a user into downloading a corrupt file Bots (short for robots) that are programmed to quickly and automatically carry out attacks, with the potential to infect and control many different computers at once A classic example of a malware attack (in trojan form) is pop-up advertising for fake antivirus software. This corrupt "software" promises to rid a computer of viruses but actually introduces one to the system, as it gets a user to unwittingly install malware instead. Recently, there's also been a growing trend of malware as a service (MaaS) products. In the MaaS market, cybercriminals can buy or lease pre-made software or hardware that they can use right away, increasing the efficiency and frequency with which they can carry out their malware attacks. 2. PHISHING ATTACKS Phishing attacks are a form of social engineering. In a typical phishing attack, a hacker sends a message via email, SMS, social media, or another online channel, hoping to trick the recipient into disclosing restricted or sensitive data. Phishing attempts are often carried out en masse and at random to ensnare the largest possible number of victims. But they can also be part of a more targeted campaign, in what's known as a spear phishing attack. Spear phishing attacks are tailored to a particular individual or organization to make the message and desired action seem more intimate and trustworthy. When this technique targets high-ranking executives, specifically, it's called a whale phishing attack. One of the most well-known tropes used in phishing attacks involves an email scam where the author poses as foreign royalty, offering the recipient a share in a vast fortune if they help move the funds out of another country. As the story goes, the recipient must provide their bank account information, so the money can be transferred to them for safekeeping. Of course, an obliging reader will quickly find their account balance drained. Many protective measures have emerged in recent years to prevent phishing attacks and spear phishing attacks, including unphishable multi-factor authentication (MFA) flows, which avoid commonly intercepted credentials like passwords and email or SMS one-time passcodes. 3. MAN IN THE MIDDLE (MITM) ATTACKS In man-in-the-middle (MitM) attacks, a hacker eavesdrops on or otherwise gets hold of sensitive communications between a user/application and another platform. Think of it like a hidden, silent third party listening in on a confidential phone conversation. MitM attacks can occur as either active or passive eavesdropping attacks: Active eavesdropping attacks could take the form of session hijacking, where a hacker observes the web traffic occurring over a given network, locates an active session ID, and then uses the related session token to gain unauthorized access to a user's account. In a passive eavesdropping attack, a hacker might create a free, public WiFi hotspot — like at a park or cafe — and get a full view of all the activities and data exchanges an unsuspecting user is participating in over that wireless network. 4. DENIAL OF SERVICE (DoS) ATTACKS AND DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACKS A denial of service attack (DoS attack) occurs when a hacker floods a website or network with pointless or unnecessary requests — often from fraudulent accounts — overloading the system until it crashes or is shut down. This disruption means that legitimate users and user requests cannot access the site or service, thus thwarting its regular operations or business. Think of a D0S attack like a prank caller continuously phoning a pizza shop during peak hours, tying up the line so real customers can't dial in with actual orders. In a conventional DoS attack, this congestion is caused by a single source. In a distributed denial of service (DDoS) attack, however, it comes from many different sources at once. In the pizza shop analogy, a DDoS attack would look like this: Imagine the prank caller has help from a dozen of his closest friends, each calling from a different phone. It would be next to impossible to trace and block each of these numbers to free up the pizza shop's line — which is why DDoS attacks can be more difficult to stop. Given the bandwidth necessary to execute them, DDoS attacks are almost always carried out by programmed botnets, so taking bot-preventing measures like monitoring web traffic and rerouting or blocking malicious bot activity can help protect your system from a DDoS attack. 5. CROSS-SITE SCRIPTING (XSS) ATTACKS Cross-site scripting attacks (XSS attacks) rely on code injections, where hackers insert malicious code — typically client-side, malicious JavaScript code — into a trusted app or website. In other words, an attacker targets a user by hiding harmful code behind seemingly harmless content, which they load into their browser. Cross-site scripting attacks can occur when the data a user submits — like entering their name into a contact form — is not properly validated or escaped, allowing hackers to substitute the user's input with malicious JavaScript code that the browser executes automatically. Alternatively, an XSS attack can take the form of shortened or disguised URLs in a phishing email — like a fake message from a user's bank that asks them to “click here” to resolve a problem — with the included link really just running a malicious script. Following a successful XSS attack, a hacker can gain access to a user's credentials or hijack their account, control their browser remotely, or even spread worms and other malware across their entire system. 6. SQL INJECTION ATTACKS Similar to an XSS attack, an SQL injection attack occurs when a hacker inserts structured query language (SQL) code into a standard request in order to breach or manipulate a vulnerable database. One example of an SQL injection attack is when an app or website provides a form for users to enter their login information (like a username and password), which is then checked against the app's database to verify the user's credentials and grant them access. A hacker might use that form to insert SQL code instead — a programming language that allows them to communicate directly with the app's database and thus carry out their own requests. The best way to prevent SQL injection attacks is to use input validation and parameterized queries, rather than inserting user inputs directly into SQL statements, but different cybersecurity experts will have different approaches to this issue. 7. DOMAIN NAME SYSTEM (DNS) SPOOFING Domain name system (DNS) spoofing attacks are sometimes referred to by the names of their constituent parts — DNS cache poisoning and DNS tunneling attacks. A hacker first impersonates a DNS server, which is responsible for translating the domain name a user enters (like google.com) into an IP address that a computer can understand and route to. Having intercepted a user's request, the hacker instead alters (or poisons) the information in the cache of the DNS server and reroutes (or tunnels) the user to their own fake IP address, which hosts a forged version of the desired website. For example, a user may think they're heading to the Facebook login page — via facebook.com — but be redirected to a different domain hosting the hacker's fraudulent Facebook page. Any username and password the user enters there can, of course, be seen and stolen by the hacker and leveraged to breach the user's actual Facebook account. 8. BIRTHDAY ATTACKS Birthday attacks are named after the birthday paradox in mathematics — which states that, for there to be a 50% chance someone at a party shares your birthday, you need 253 people at the event. But for a 50% chance that any two people there share a birthday, you only need 23 at the event, because you're not already tying one end of the pair to a specific date. In cryptography, a birthday attack follows this same principle. It's much more challenging to find a collision or match with a specific hash function — a one-way algorithm responsible for encrypting, converting, and validating data like passwords — than it is with randomized attempts. When successful, these more dispersed attacks can then be used to crack encrypted values like digital signatures. 9. DRIVE-BY ATTACKS In a drive-by attack, the user doesn't actually have to download, open, or click on anything at all to install a hacker's program on their device. Instead, drive-by malware can piggyback on a legitimate, authorized download and deliver a hidden, harmful payload along with it. In other cases, it can exploit security flaws on a legitimate website to transfer a malicious program onto a user's device. Essentially, as the name implies, all a user has to do is visit or “drive by” a certain website to be affected. 10. PASSWORD ATTACKS A password attack is really any attack that attempts to steal a user's password, and the term encompasses many of the above strategies. Still, there are a few unique terms and techniques that are used when hackers target traditional passwords specifically, including: BRUTE FORCE ATTACKS In a brute force attack, a hacker attempts to gain access to a secure account through trial and error, repeatedly entering random credentials like username and password pairs until one works. CREDENTIAL STUFFING ATTACKS In a credential stuffing attack, a hacker uses the correct credentials — which they've intercepted or stolen using one of the above attack vectors — to sign into a legitimate user's account and break into a secure system. PASSWORD SPRAYING Password spraying is a type of brute force password attack where hackers use the same common password across numerous user accounts before moving on and trying another, allowing them to bypass simple protections like login lockouts. The good news is that it's relatively easy to prevent password attacks. It's as simple as not using traditional passwords in your sign up and log in flows — and instead relying on any of the secure, passwordless authentication options on the market to safeguard your app. AND ON AND ON… Unfortunately, this list is by no means comprehensive. Hackers are always adapting and refining their methods to bypass the newest security software, circumvent the latest cryptographic techniques, and come up with new cyber attack vectors that keep cybersecurity experts (and all internet users) on their toes. That means there's a constantly growing arsenal of cyber threats, with others including zero-day exploits, internet of things (IoT) attacks, rootkits, and cryptojacking. How to protect against cyber attacks While we could write a whole post on the best ways to guard your business or personal data against cyber attacks — and, in fact, we did — there are a few simple measures you can take right off the bat: Know your sources. This may seem basic, but verify that each file you download is coming from a known and trustworthy source, avoiding exposure to malware. Keep your software up to date. You may be annoyed by pesky update reminders, or you may not have time to install the latest version of a program or app, but not following through can leave your device open to a cyber attack that the software company or operating system has already worked hard to solve. Implement multi-factor authentication (MFA). By taking a layered approach to authentication, requiring two or more credentials to verify a user's identity, multi-factor authentication (or MFA) is one of the best and simplest ways to secure your app or website against many different types of cyber attacks. Better still, implement unphishable MFA, which uses end-to-end cryptography and key-based authentication to combat more sophisticated cyber attack methods like SIM swapping, which can compromise secure SMS-based one-time passcodes. Get rid of traditional passwords. As a company specializing in passwordless solutions, we'd be remiss if we didn't remind you that traditional passwords are the weakest link in the authentication game — whether they're easily forgotten, repeated across multiple accounts, or just downright easy to guess — and removing them from your auth equation is the only foolproof way to prevent a costly password attack. Remember: The vast majority of data breaches (81% or more) can be traced to compromised credentials, which is why industry experts at the Open Worldwide Application Security Project (OWASP) advise that all traditional passwords should now be considered "pre-breached." It's just not worth putting your data at risk when there are plenty of secure, alternative auth solutions at your fingertips. And if you must use passwords, use a next-level, modern version that eliminates conventional UX flaws and vulnerabilities. What Stytch is doing to prevent cyber attacks In the fight against cyber attacks, we're equipping developers with the latest, strongest passwordless products, from email magic links to SMS one-time passcodes to WebAuthn built-in biometrics and specialized hardware keys. To get started, sign up for a free account, and try our solutions out in a sandbox environment to see what they can do for you. --- # Introducing TOTP Authentication for Next-Level Security Source: https://stytch.com/blog/introducing-totp-authentication/ Today, we’re excited to introduce TOTP (time-based one-time passcodes), an important passwordless two-factor authentication option that can be used in situations where you need high security assurance. Today, we’re excited to introduce TOTP (time-based one-time passcodes), an important passwordless two-factor authentication option that can be used in situations where you need high security assurance. TOTP authentication solutions are ideal for particularly sensitive use cases that are also highly attractive to attackers in terms of the potential payoff they offer–think money movement in fintech or cryptocurrency spaces or access to a company’s HR or payroll information. With Stytch, developers can now embed TOTP into their authentication flows in minutes rather than months. How TOTP authentication works When integrated as a second authentication factor, TOTP serves as an additional safeguard by requiring users to prove possession of their device. It works by generating a one-time passcode that’s based on the current time and a shared secret between an authenticator app like Google Authenticator and the server (in this case, Stytch). Users, who must have an authenticator app downloaded on their device, are asked to input the unique passcode within a certain period of time, usually 30 seconds, as evidence of their identity. Once the user supplies the TOTP code, developers can use Stytch’s /totps/authenticate endpoint to verify that passcodes are valid and, ultimately, grant users access. TOTP vs. SMS passcodes If you’re familiar with SMS one-time passcodes (another great passwordless solution for most use cases), you may be wondering why you would opt for TOTP instead. It’s true that SMS passcodes are very convenient, and many users are familiar with them. Anyone who has placed an online order with a business that uses Square as its point of sale system, for example, has interacted with SMS passcodes. In this instance, users receive a text with a unique code that unlocks access to the payment information associated with their Square account, allowing them to complete a purchase. iOS and Android devices even auto-fill passcodes with a simple permissioning click. There’s nothing for users to remember, and friction is minimal; they just need to be in possession of a device linked to their phone number. While it’s possible that a hacker could steal a user’s phone number (called “SIM swapping” or “porting”), the significant effort and resources required to successfully pull off such an attack usually makes it a nonstarter. In other words, for low-to-moderate risk use cases, the cost generally outweighs the relatively modest potential reward. When elevated risk requires elevated security If, however, there’s a potential for a lucrative payoff, such as use cases involving large volumes of money movement or sensitive HR records, a hacker’s cost-benefit analysis may tip in the other direction. In 2021, for example, hackers carried out sophisticated phishing attacks against Coinbase users. By tricking them into sharing their phone numbers and other personal credentials, hackers were able to intercept SMS passcodes and access users’ accounts. TOTP evades the threat of SIM swapping by removing users’ phone numbers from the equation, tying authentication to an app on their local devices instead. By welding the one-time passcodes being generated to your local device, it no longer matters whether a phone number is stolen as the device remains with the user. This is why cryptocurrency custodians like Gemini and other applications with high-risk interests leverage the TOTP standard. As an added benefit of this design, TOTP can function offline, which may be important for users in areas of poor or no connectivity like airplanes. Meanwhile, SMS passcodes remain a great authentication option for low- to moderate-risk use cases given how convenient they are for users. Time for Stytch Stytch makes building a TOTP authentication flow fast and easy, so you can focus on your core competencies. Our product works out-of-the-box with any authenticator app that follows the TOTP protocol (e.g., Google Authenticator, Authy, Microsoft Authenticator, etc.), giving your users the freedom of choice without any additional development on your part. If you’re interested in integrating TOTPs into your apps, you can sign up for a developer account here to get started or contact support@stytch.com. --- # SDK vs. API: What's the difference? Source: https://stytch.com/blog/what-is-an-api-what-is-an-sdk-and-whats-the-difference/ Modern software development kits (SDKs) and application programming interfaces (APIs) make it easier for developers to integrate key features and functionalities into their apps. Modern software development kits (SDKs) and application programming interfaces (APIs) make it easier for developers to integrate key features and functionalities into their apps. Instead of requiring teams to build all software components in-house from scratch, SDKs and APIs allow them to connect to other platforms and leverage existing services and technologies, providing them with all the tools and resources they need to get up and running quickly. These two building blocks are often discussed interchangeably and comparatively — as in, SDK vs. API — but they can actually work together or separately to serve a variety of use cases. In this post, we explain what SDKs and APIs are, the key differences between them, and how their respective benefits can help accelerate app development. Let's start with APIs. What are application programming interfaces (APIs)? API stands for "application programming interface," with the key word being “interface.” That's because APIs essentially work as messengers or mediators that allow different apps and platforms to communicate with each other. More specifically, APIs are responsible for relaying an app user's request to a separate operating system and, once the information is processed, relaying the system's response back to the app and user. How APIs work APIs are often explained through customer service analogies. For instance, if you're working with a travel agent to plan a trip, the agent is tasked with taking your information (travel dates, passport information, etc.), reaching out to airlines, and booking you a suitable flight. But the travel agent and the airline — say, Delta — are two different entities. The agent isn't supplying the plane or flying it, but you trust them to interpret your needs and book you the ticket you want through the Delta system. In this scenario, the travel agent is the API. They're saving you the time and hassle of researching and booking a reservation yourself by coordinating with an outside service, and they're probably getting you a better deal to boot. API examples and use cases In our growing world of “headless” CMS development — where backend content is increasingly decoupled from a front-end UI that changes from channel to channel — APIs are what connect the two and maintain a seamless, consistent user experience. Most modern apps use some form of API to allow users to accomplish specific tasks without ever leaving a given platform. For example, APIs are working behind the scenes whenever users: Reserve a flight through a booking website To expand on the analogy above, online booking sites like Expedia and Travelocity use airline APIs to aggregate flight data (like schedules and pricing) and present all available options. Make an online payment When someone makes a purchase online, they're prompted to select a payment method at checkout. Whether they choose a credit card or PayPal, the e-commerce app uses that processor's payment APIs to send order information and complete the transaction. Log in to an app through a third party Many websites offer OAuth logins, where users can enter existing credentials from a Google, Facebook, Twitter, or other social media account and be authenticated through that platform's API. Add a newly scheduled appointment to a calendar app If a user books a dentist appointment online, the dentist's website might use an API to add the appointment to the user's iCal or Google Calendar. Search for the nearest storefront Many retail sites use APIs to connect to platforms like Google Maps and embed location services into their app, so users can find and get directions to the nearest shop. The benefits of APIs By facilitating interactions between different systems, APIs make it quicker and easier for developers to integrate and innovate on critical services — and for users to access them. In the above examples, for instance, the online transactions are optimized for everyone involved: App developers can provide advanced, specialized features without having to spend extra time and effort on programming. Users gain access to new services within the apps they're already using, without being bounced around to third-party platforms and presented with extra friction. API providers are able to tap into new use cases and find new sources of revenue for their products and services. It's a win-win-win, and it means everyone enjoys a more seamless digital experience. APIs and security Because APIs play such an important role in digital transformation, and because they transmit sensitive user data like payment and account information between different apps, they've become a key target for common cyber attacks, which are growing more sophisticated by the day. When integrating with APIs, it's important for developers to make security a top priority. That means keeping up with best practices and following the proper protocols — like encrypting traffic to prevent man-in-the-middle (MitM) attacks, using multi-factor authentication (MFA) to protect against credential stuffing attacks, and using just-in-time (JiT) authentication to monitor what data users can access and when. By ensuring their security practices are up to snuff, developers allow users not only to harness the connective power of APIs, but to do so safely. What are software development kits (SDKs)? SDK stands for "software development kit." As the name suggests, SDKs work as a sort of “kit” or preassembled package that gives developers all the tools and programs they'll need during the software development process. This often includes at least one API with pre-built integrations, simplifying (or even eliminating) the implementation steps involved. To continue our analogy, if an API is like a travel agent — a mediator that identifies and interfaces with other providers, but one that requires a set of instructions to operate — then an SDK is like an all-inclusive cruise. In other words, everything from the itinerary to the menu to the activities is already arranged, and all a traveler has to do is show up. For that reason, SDKs can be valuable development tools for teams that want to expend minimal effort when planning and developing software. What does an SDK include? As part of the “kit,” an SDK will typically include a compiler for translating code, a debugger to test and locate errors within the program, and the API itself. It may also include elements such as: Code samples and/or code libraries to teach developers how to create basic programs Documentation on how to use and integrate the API Guides and/or tutorials to walk them through the process Licensing by the provider that regulates the use of the SDK material Navigating SDK terminology Developers use a number of different terms and concepts throughout the development process to refer to SDKs working on the front and back end. Some, for instance, refer to client libraries (for backend code) as “admin” SDKs, and some call frontend SDKs “browser-side” or “client-side” SDKs to specify their positioning and function. SDK examples and use cases There are many ways app developers might use pre-built, ready-to-go SDKs. These include: Developing for a specific platform When teams want to develop applications for a specific platform, they must use that platform's SDK. One prominent example is the iOS SDK developers use to build targeted apps for the iPhone and iPad. Developing for a specific programming language When developers need to standardize a build around a given programming language, they might require a specific tool like a Python, Ruby, or Java development kit. running Mobile advertising Apps may need to connect to publishers and/or ad networks via an SDK to adapt ads to a specific platform and generate revenue. Running analytics tools Developers can integrate useful tools like the Google Analytics SDK with their app to collect data about users, usage, and behavioral patterns. The SDK vs. API debate Comparing APIs and SDKs as development tools is not as straightforward as it may seem. The two cover similar ground and overlap in significant ways, especially since APIs often form part of the SDK toolkit. Still, there are key differences between them, and there may be times when a developer must choose one over the other. While both APIs and SDKs can be used to build innovative features into an app, APIs are a bit more complex than out-of-the-box SDKs, and they require a bit more time, knowledge, and effort to implement correctly. That said, the right set of docs can guide any developer through the process — and, at the other end, they'll find a bit more room for creativity and customization. Going back to our travel analogy, the API of setting your own itinerary means you can choose which sights you see, but you may miscalculate the travel time, pricing, or opening hours. On the other hand, with an all-inclusive cruise, the choices are out of your hands. Keep in mind, SDKs aren't just for beginners, and they definitely don't limit what a developer can build. Rather, SDKs are useful whenever a team needs to launch a program or feature efficiently and effortlessly — especially if it's for a non-core, add-on service — so they can focus on mission-critical tasks. What's more, the best SDKs on the market today are flexible and allow for extensive customizations, so developers can enjoy the same range they'd get with an API but with significantly fewer headaches. In short: it's not SDK vs. API, but both Instead of SDK vs. API, it's really SDK and API. Together, these tools make it easier for software developers to innovate on products quickly and confidently — while leaning on expert third-party platforms to abstract away the details. Learn more about Stytch's SDKs and APIs Stytch offers both easy-to-integrate APIs and fully customizable SDKs to build your authentication flows the way you want. You can jump into our docs for a full tour of our product suite — or sign up for a free account to try it out for yourself. --- # What is the purpose of a refresh token? Source: https://stytch.com/blog/what-are-refresh-tokens/ A look at refresh tokens in authentication flows – when to use them, security risks to look out for, and best practices for implementation. When it comes to authorization, developers must carefully-balance security with user experience. On the one hand, if protocols are too stringent, a user can become frustrated. On the other, if authorization is too lax, a security breach is all but inevitable. Fortunately, there’s a solution that fulfills both needs—refresh tokens. In this post, we’ll explain how refresh tokens work, the benefits they offer for session management, and advanced security measures to consider as you implement them. What are refresh tokens? How do you use them? Used within the OAuth 2.0 authorization framework, refresh tokens are a sophisticated method for controlling the length of user sessions within native, web-based, or single-page applications. Essentially, refresh tokens allow a user to stay logged in for a longer period of time without having to repeat the authentication process, such as by entering their password. This creates a better user experience and provides an extra security layer for sensitive information. Understanding different types of tokens A token is a data artifact that can be used to verify a user’s identity. You can think of tokens as digital signatures. There are two main types of tokens that developers can use for authorization: ID tokens ID tokens are especially relevant in OAuth 2.0 and its close relative Open ID Connect (OIDC) (common in single sign on authentication flows). We won't go into those in-depth here, but in these transactions the ID token is issued whenever a user logs in. It contains information like a user's name, email, or other factors that may be important. In SSO authentication processes, the ID token confirms the user’s identity is genuine. Access tokens Access tokens are credentials for the user to access protected resources such as secured APIs. These tokens are issued by an authorization server and typically have a short lifespan (minutes or hours). Once the access token expires, the user will need to re-authenticate to receive a new access token. Refresh tokens Refresh tokens have a longer lifespan (weeks, months, years, even infinite) and are used to automatically request a new access token from the authorization server when the current access token expires. It’s important to note that refresh tokens on their own do not provide the user with any access. Benefits of refresh tokens Incorporating refresh tokens can help developers strike the optimal balance between a seamless UX and stepped-up security measures to protect sensitive data. The three main benefits of refresh tokens include: Uninterrupted user experience Refresh tokens extend session duration to prevent unnecessary reauthentication. For example, if an access token is only valid for 10 minutes, but the user is on the application for 15 minutes, the session may abruptly terminate. Clearly, this is not ideal and can lead to poor customer retention. A better approach is to use a refresh token, which enables new access tokens to be issued without a delay or additional user effort. Seamless background activity Refresh tokens can also be used to make API calls on behalf of the user. The app can receive access tokens in the background without the user intervening or even being present. Improved security The use of refresh tokens makes it feasible to shorten the lifespan of access tokens. Since an access token is a bearer token, any user (legitimate or malicious) that possesses it is considered authenticated without any additional identification. The longer the access token remains valid, the higher the risk of it becoming compromised or stolen. Pairing long-duration refresh tokens with short-duration access tokens enhances security without compromising the user experience. How is a refresh token generated and used? Refresh tokens are generated by the authorization server at the same time that access tokens are issued. When a user logs in to the application, the following sequence is initiated between the user, authorization serve, and resource server: The user successfully completes the authorization process. The authorization server gives an access token and refresh token to the user. The user provides the access token to the resource server. The resource server validates the access token, then provides the user with access to the protected resource. When the access token expires, the user presents the refresh token to the authorization server. The authorization server validates the refresh token, then provides the user with a new access token. The user provides the resource server with the new access token to maintain access without restarting the authorization process. This process of replacing asset tokens continues until one of the following occurs: The refresh token expires The user logs out to end the session The refresh token is revoked or invalidated by the authorization server The developer institutes a new authentication policy Improving security with refresh token rotation and automatic reuse detection Since refresh tokens are intended for long-time use, it’s imperative that they don’t fall into the wrong hands. When a hacker possesses an active refresh token, they have free reign to issue access token requests until the refresh token expires or is revoked. Allowing illegitimate access to your environment can have devastating consequences. Fortunately, developers can add two additional security measures to their refresh tokens: Refresh token rotation (RTR) Also called RTR, refresh token rotation turns a refresh token into a one-time-use token. When a refresh token is used, the authentication server provides a new access token as well as a new refresh token. For the duration of the session, refresh tokens are continually exchanged instead of the same token being used repeatedly. Automatic reuse detection With RTR, automatic reuse detection is designed to cut off access when a refresh token is deemed compromised. If a hacker gains possession of a refresh token, there’s a good chance the genuine user will use it before the hacker attempts to get a new access token. When the authentication server recognizes that a refresh token was returned for a second time, that token is flagged. In response, the unauthorized user is denied access, and the entire refresh token family is invalidated. Alternative methods for session management (besides refresh tokens) Refresh tokens aren’t the only option that developers have for extending user sessions. However, each alternative comes with a concerning drawback: Silent authenticating (also called continuous authentication) retrieves a new access token if the user still has a valid session, but requires an embedded iframe, which are largely considered an outdated approach. Cookies can be blocked by modern browser privacy settings such as Intelligent Tracking Prevention (ITP). Sender constrained tokens require the user to answer a secret security question, interrupting the UX. Considerations for building and using refresh tokens When building refresh tokens for your application, several factors can impact their utility and security: When does the access token expire? As previously mentioned, the inclusion of a refresh token allows you to shorten the life of an access token without impacting the user experience. The sooner the access token expires, the more refresh flows you may need—but that is often a small price to pay for additional security. Does the refresh token expire? A refresh token can remain active indefinitely, or you can set expiry terms based on when the token is issued or the level of inactivity (when it was last used to obtain a new access token). What safeguards are in place for XSS attacks? Refresh tokens can be vulnerable to cross-site scripting (XSS). Be sure to follow best practices for testing and preventing these types of cyber attacks. Where is the token being stored? Storing refresh tokens in the backend provides the highest level of security. Using the browser’s local storage offers the added benefit of maintaining sessions after a page refresh or a closed browser tab—however, this approach is more vulnerable to XSS and should only be considered when RTR and automatic reuse detection are implemented. A refreshing approach to refresh tokens and session management With Stytch’s session management, you can use refresh tokens to provide a seamless and secure user experience. To get started, sign up for a free account or reach out to support@stytch.com. --- # Derek St. Onge Source: https://stytch.com/blog/derek-st-onge/ We're celebrating the one year anniversary of the creation of our recruiting team with the hiring of Derek St. Onge! We're celebrating the one year anniversary of the creation of our recruiting team with the hiring of Derek St. Onge! Building a highly ambitious and empathetic team has been one of our top goals from the start (and we knew we couldn't do that alone). Derek has been instrumental in helping us build out today's team of talented constytchuents! Meet Derek! What do you love most about working at Stytch? I love my coworkers! What does a typical day at Stytch look like for you? Email and applicant review in the morning, meetings and sourcing in the afternoon What’s been the most surprising thing about Stytch? How excited candidates are about our mission Stytch has gone from 0-1 in the last year, what have been some of your biggest learnings about joining an early stage company? The constant challenge and open-ended nature of the work requires much more rapid personal and professional growth than a larger company. What’s your favorite part of the Stytch culture? Everyone who works here is eager to help each other, and theres a strong sense of empathy in every interaction. Which Stytch value resonates most with you and why? "Constytchuents make each other and Stytch better" Recruiting has been a highly collaborative operation since I've joined, and everyone has done a great job pitching in to help grow the team. What’s the most interesting project you’ve worked on at Stytch? Migrating from Lever to Ashby. Ashby is a powerful ATS that requires a lot of configuration to maximize its effectiveness. It's been a fun challenge getting it set up to maximize efficiency and data tracking. How did you end up becoming a recruiter? I fell into it - followed a college friend into an entry level recruiting position at Google. When’s the last time you did something for the first time and what was it? I stuffed a turkey for the first time this past Thanksgiving. What song, hobby, or recipe got you through COVID? NY style homemade pizza! What’s your ideal weekend? 12 hours of sleep a night, a scenic hike in Marin, a Little Star deep dish pepperoni pizza. What’s something you’re passionate about that’s not on your resume? Playing basketball --- # We've moved! Source: https://stytch.com/blog/weve-moved/ Today, the Stytch team in SF officially moves into its new home at 555 Montgomery Street. A new hire chats with Stytch's Head of People Operations about the making of the office move. Today, the Stytch team in SF officially moves into its new home at 555 Montgomery Street. It’s an exciting moment for Stytch, as a company born during the pandemic and experiencing rapid growth. As a new hire, I sat down and across the screen with our very own Cass Roulund, Head of People Operations, to learn more about the making of the move, what went into finding a new space and what she’s most excited about now that the doors are opening. Please, come on in… ALI: Ok Cass, let’s warm up. Introduce yourself and tell us what you do at Stytch. CASS: Sounds good. So I joined Stytch in May 2021, as the first people hire. Back then, there were only 15 of us and since then, we’ve grown like crazy. I manage everything people-related, from HR software, perks and benefits, to happy hours, performance reviews and office moves. ALI: Nice. You clearly wear many hats here…when did you put on the office move hat? CASS: The topic of a move started out as a joke between me, Julianna and Reed [Co-founders of Stytch] because there was only ever 5 people in the office at any given time. It quickly turned into a real thing when we hosted Stytch’s first hackathon (in July 2021). There was close to 20 people in the office and we realized that we’re quite big and growing, and that we might need to seriously think about finding more space. It was a weird “should we or shouldn’t we?” moment, what with Covid. We wanted people to feel comfortable enough to come in, but it was also during the Delta wave and pre-booster shots. We weren’t sure if it was silly to go bigger when we didn’t know what was going to come next. We started thinking through the timeline and realized we were hiring at such a fast pace, given our size, that it’s going to need to happen and we should get moving now. ALI: Where was Stytch located back then? CASS: In the South Park neighborhood. We moved into an office there in March 2021. Julianna and Reed wanted an office with enough space to mitigate Covid concerns, something accessible without an elevator, away from FiDi (because it was so empty), with great light. It served us really well as a first office place but we definitely outgrew it quickly. ALI: What were some of the key things you were looking for in a new office? CASS: Logistically, we were looking for a central location, close to public transportation, with space for calls, conference rooms, something that was move-in ready and had lots of light. We wanted an all hands space to gather. And we wanted a place that we’d be excited and proud to share with our employees and customers and that would let us really invest in community building. That ties back to our perks and benefits philosophy, which is anchored in three pillars: community, productivity and growth. Having a nice office helps you build for those things. We want people to feel good being at Stytch. We want them to be able to do their best work. Physical environments are so important and having a nice place to work from can make you happier and more productive. ALI: So true. Now that a lot of companies have gone fully remote, do you think about having an in-person office as being a competitive advantage? CASS: Having an office is a huge recruiting advantage. We are hearing from a lot of our candidates that that’s something they’re looking for––work-life (physical) separation and socializing. A lot of younger people and new grads who I’ve spoken to are looking to build their community and build new connections and that often happens through work. You spend so much of your time there. And having a fully virtual company can really stifle that. But just because we have an office doesn't mean that we're a 5-days-in-the-office kind of place. We're definitely hybrid and office-centric but we want to do it in a way that allows for flexibility. In a post-Covid world, working remotely might not be the right choice or fit for some people. We don't want to exclude those folks, but in line with our "community building" perks philosophy we do want to encourage and provide resources for in-person gatherings and an office (we think) is an important part of that. ALI: I totally agree. I’m a remote hire and I really appreciated that when I was interviewing, Reed and Julianna made it clear that I could travel to SF as much or as little as I wanted to. It really made an impact on me. I also love that they made office accommodations for those of us in and around the NYC area. It is so nice to have as an option. But enough about me, back to the office move–– tell us more about your journey to find 555 Montgomery. CASS: We were really specific about what we wanted. We worked with JLL Reality and sent in our specs, so everything was in line with what we wanted. We saw 15-20 spaces over 2-3 big days of viewing, over the course of a few weeks. It was exhausting but also really fun. We saw a range of startup spaces and more commercial spaces (think popcorn ceilings, fluorescent lights, more corporate). We looked at a lot of historic buildings in SF, so it was cool to get that fresh perspective. One thing that we knew for sure, was that we wanted the space to feel good when the lights were off–like you could still do work. ALI: Ok, so how did you know 555 Montgomery was “the one?” Did balloons come down from the ceiling? CASS: Hah–no, but we did feel like the elevator doors opened and all of our eyes kind of lit up. 555 Montgomery just felt move-in ready. ALI: Tell me more. CASS: It’s 14,500 square feet–pretty big–on the 17th floor. It’s fully furnished. It has room for 150 desks. There are 12 conference rooms plus phone booths. A big all hands space. Windows all around. Picturesque views of Chinatown and North Beach. You can see the bay. ALI: What are you most excited about? CASS: The views! It just feels like a place I want to be. I could see myself staying here all night (not that that would be healthy). I’m excited for everyone else to see it today. I think they’ll be blown away. It’s surreal to look for a space as a 20 person company and imagine we’d have that many people. And now––we’re already at 40. I’m excited for it to fill up. ALI: Shifting to the practical, any venders you’d recommend? Might be helpful to share. CASS: We’re still in the process of settling into the new office, but totally. Here are the top vendors that come to mind: JLL: our broker - they helped us streamline the process, made helpful recommendations, and walked us through the entire process, from start to move-in day Zoom: we upgraded to the biz plan which allowed us to better manage our zoom network and gave our employees more capabilities InGenius Solutions: partnered with us and Zoom to figure out hardware needed and will help us set everything up in the space for video conferencing and all-hands space Meter: it’s a startup in SF that we worked with to manage our Wifi networks. Meter covers installation and scheduling. They handled the entire ISP install and will now manage our network. Office Libations: for snacks and drinks. They have an online portal and you can order what you want. They come in to clean up the kitchen, and do refreshes. Tinkering monkey: they’re doing our signage. They have cool designs on their website (neon signs, etc.) and might do some mural-like wall work. Poppin: we didn’t have to do furniture but I’ve used Poppin in the past to do furniture. Nor-Cal Movers: they were recommended to us by our building and efficiently helped us move across the city while dealing with the specific needs of each of our buildings. Phin Bar: to help us celebrate the new office move today. I love Phin Bar! They come to your office and make Vietnamese Iced coffees for everyone. The coffee is delicious and strong (beware) and the staff is beyond friendly. ALI: What’s next? Cass: I hope to make it feel more like our space. I want to loop in the design team and add our own touch, look and feel. Make it feel like Stytch. Other than that, while growing, I hope to not have to do another office move again for at least another couple of years! Maybe just an expansion to another floor… Like what you hear? Good news––we’re hiring! --- # Spotlight on Dennis Huang Source: https://stytch.com/blog/spotlight-dennis-huang/ Spotlight on Dennis Huang What do you love most about working at Stytch? The people! And the sheer variety of things I get to work on. What does a typical day at Stytch look like for you? I feel like my days can be all over the place sometimes, but if I had to summarize, it would be a mix of meetings, ideally a few hours of focus time to work on some of my longer-term projects, and handling any one-off requests that come up during the day. I would say my work is a 50/50 split between dashboards/reporting and special projects. What’s been the most surprising thing about Stytch? Our culture, and I mean this in the best way possible! I think it's extremely rare to find the blend of kindness and competence we have, and it's really a testament to the whole team that our culture has continued to scale alongside our headcount. Working here is a lot of fun! Stytch has gone from 0-1 in the last year, what have been some of your biggest learnings about joining an early stage company? This may sound obvious, but just how quickly things move at an early stage startup. We're such a different company now from where we were when I first joined, and I have no doubt that we'll be a completely different company in just a few months, if not sooner. Working at an early stage company definitely requires a level of personal and professional agility/flexibility, but it's also so exciting to see how the company evolves and grows. What’s your favorite part of the Stytch culture? I hope I'm not beating a dead horse here, but our team! My co-workers are such wonderful people, and I oftentimes find myself taking a longer than expected lunch break because I'm enjoying the conversations we're having so much. Which Stytch value resonates most with you and why? “Own it” I feel like working in BizOps means supporting the team, and I'm only successful when I can help others be successful. This value resonates with me the most because I'm always trying to find ways to help and unblock others and doing things behind the scenes to reduce friction for everyone else. What’s the most interesting project you’ve worked on at Stytch? Building out our internal dashboards. There's nothing quite like that "aha!" moment when you're able to surface and visualize data. It puts everything into focus, and gives everyone else the necessary context to make the next strategic decision. There's a saying that goes, "if you can't measure it, you can't improve it", and it's been very rewarding to play a part in unlocking some insights for the team. How did you end up working in Business Operations? ¯\_(ツ)_/¯ In all seriousness, I don't have a great answer here. I started my career in I-banking, and then was a VC for a while. I knew I wanted to transition from finance to be an operator, but I really wasn't sure what functional role would make the most sense for me. Fortunately, BizOps at Stytch is more of a generalist role, and that's given me the opportunity to touch on a really broad range of things. When’s the last time you did something for the first time and what was it? I traveled to Africa (South Africa and Mozambique) for the first time for my honeymoon a few weeks ago! I'm still dreaming about that trip. What song, hobby, or recipe got you through COVID? I'm not sure if getting a dog counts as a "hobby", but we adopted Dumpling right before lockdowns and she's been a godsend. She gave us an excuse to go for long walks and explore the city, which definitely helped keep us sane! Plus she is very cute :) What’s your ideal weekend? A nice hike with the dog, getting some delicious food with friends, and watching an unhealthy amount of football What’s something you’re passionate about that’s not on your resume? Fashion. I have way too many pairs of sneakers --- # 5 Lessons for founding designers: what I’ve learned in my first year at Stytch Source: https://stytch.com/blog/5-lessons-for-founding-designers/ I lead a seven-member design team that’s split across product design, brand design, and research and partners with just about every other department. When I joined Stytch as the founding designer in January 2021, the entire company consisted of less than 10 people. One year later, it’s grown to over 40, and I lead a seven-member design team that’s split across product design, brand design, and research and partners with just about every other department. Looking back, I’ve learned so much. As I chat with others on a similar career path, a few familiar questions keep popping up. Here, I share the five greatest lessons I’ve taken away from this first year and offer some helpful tips for designers facing similar challenges. 1. Defining your role: be honest about your strengths and weaknesses The best and hardest thing about being a founding designer is that the sky is your only limit. It’s great, because there are so many ways and directions in which to grow. But it’s difficult, too, because there are only 24 hours in a day. If your company is doing well and moving fast, you may feel like you’re constantly playing catch-up in order to make any ground. I was able to define my role more clearly by creating an organizational structure through which to make key decisions. To begin, I carefully evaluated my skills as a designer, identified my core strengths and weaknesses, and determined where I would have the most impact. I decided to position myself as the design lead on developer-facing products, as a consultant on consumer-facing products, and as the creative director on branding work. This has given me a good sense of my priorities and greater clarity whenever a project needs additional support. For the design team, having a transparent understanding of what I’m good at and not so good at also makes conversations about hiring and recruiting a lot easier as we grow our team. My tip: conduct a thorough self-assessment of your skills as a designer, and don’t pull any punches. You can create your own rubric based on your specific needs or use an existing resource—like this tool from thoughtbot. My skills assessment 2. Preparing for growth: set up processes ahead of team growth When your team is small, it’s easy to say, “just ping me on Slack if you need anything.” But as your organization grows, the number of notifications and requests can quickly become unmanageable. It helped to establish design processes and communication channels as if we were already a larger team, which allowed everyone to develop muscle memory around submitting tickets for requests, leaving feedback before a review, and so on. In the past year, we’ve set up Linear ticket templates, status pad templates in Figma, formal standards for creating and providing feedback, and a one-pager for aligning on the scope of each project. We also encourage people to ask #team-design whenever they don’t know where to start as a way of spotting gaps in our current structure. This gives us a chance to reinforce our points of contact and quickly iterate on our processes so that they’re scaling along with the company. At Stytch, we created notepad templates in Figma to collect stakeholder feedback and keep track of status. Additionally, when we first started documenting visual components in Figma, we began with a rough outline and let it sit untouched for a few months. As more designers joined the team, we decided to use a components audit as the standard onboarding project for every new hire—encouraging them to go in, nit-pick the missing pieces and inconsistencies, and take liberties to improve them. It’s been great seeing the motivation and enlightenment that comes from doing such foundational work with little guidance—and it’s enabled the further expansion of our team. My tip: let go of perfectionism, and embrace change. As your team scales, be proactive about making necessary updates to your processes, and motivate everyone to step in and help. 3. Expanding your team: start early, and be prepared to pivot Your team may have breathed a sigh of relief after bringing you onboard as the first designer, but the second hire can be even trickier. My first phone screening with a potential product design hire was in March, two months after I joined Stytch, and our actual second hire signed in October—half a year later. In between, we adjusted our strategy several times, tweaking everything from our ideal candidate profile to how we structured the hiring process. We replaced the take-home project with a working session—sharing live prompts and having a two-way conversation around what to do next—to ensure we’re giving the candidate and our team a collaborative experience that’s true to life. With some practice, we were able to get a candidate through the entire hiring process from screening to offer letter within two weeks, which put us in a much better position in this competitive market. My tip: reduce friction before and during the interview stage. You can use your founders’ and investors’ influence and networks to build credibility while your company is still new and small to offload some of your hard-selling work as the hiring manager. You should also be mindful of potential biases in your hiring process—like take-home projects that assess candidates based on how much free time they can carve out around other jobs and responsibilities. As Stytch scales, we want to be extra judicious around our recruiting efforts, thinking through how our team is orchestrated instead of remaining in hyper-hiring mode. We want to take time for new hires to settle in and give the existing team a chance to define the next areas of growth before ramping up to the next round of hiring. This will set us up for success in the long run. 4. Optimizing for impact: establish viable work rhythms, priorities, and expectations I’m often asked, “how do you manage your time?” But I like to rephrase the question and ask myself, “how can I land the most impact within a set amount of time?” By focusing on impact instead of time, I get a more fluid framework to check in with myself and my team. That way, I can evaluate the goals, timeline, and expectations for my work and feel empowered to make the necessary call—whether it’s investing more in an initiative or letting go. My tip: define the specific role you’ll play and outcome you expect for every project. A design role can have very different implications depending on the scope or situation. By identifying your ideal contribution to each task, you’ll be able to quickly and clearly lay out priorities, so you can get things done without burning yourself out. Before we had dedicated support from other departments (e.g. Product), I broke down my role and expectations according to the impact I wanted to have on each project. 5. Managing energy: practice mindful scheduling and self-care as a favor to yourself and others Working at a startup is a marathon with frequent sprints, and your performance is evaluated at each stretch and across the race as a whole. Over the past year, I’ve learned how to pace myself with appropriate cross-training so that I’m constantly gaining strength without overexerting myself. For instance, I began managing my energy by auditing and updating my calendar, so the variety of my work can motivate me throughout the week. Kicking off relatively quietly on Monday gives me the bandwidth I need to wrap my head around all that’s been going on, and builds up excitement to connect with my team through one-on-ones on Tuesday. After a long Tuesday of meetings, spending Wednesday diving into meaty topics often feels refreshing and fulfilling. On Thursday, I often schedule updates and demos across the team, which is energizing. And I set aside a chunk of time each Friday to review the pain points and opportunities that emerge situationally as the company grows. Taking some moments to look through the haze can turn that chaos into an afternoon of fun, adventure, and fresh ideas. I rearranged my calendar to better balance my energy and keep a sustainable work rhythm across each week. My tip: arrange your schedule intentionally with a rhythm that works for you, set strict boundaries around your off-hours, and actively plan vacations. In addition, allow yourself small breaks like short walks between tasks. A breather usually only takes 15 to 30 minutes, but making a decision in the wrong headspace can cause hours or even days of damage. Key takeaways Here are the steps I found most helpful as I learned the ropes as a founding designer: Capacity: complete an honest self-evaluation of your design skills and shortcomings so you can better define the role you’ll play in each type of project. Organization: set up working processes early, even if that means they’re initially unpolished. There will always be room and time for improvements later. Hiring: make the process easy on your candidates and your team by keeping interviews and assessments collaborative and true-to-life. Productivity: identify the impact you want to have on every project rather than the time you want to spend, so you can easily map out and manage your priorities. Self-care: schedule your time and tasks in a way that balances your energy and gives you space to take breaks and restore your focus. Reflecting on this past year, I’m fascinated by how my time at Stytch has helped me to evolve both personally and professionally. I’ve not only become a better leader and collaborator but also, I’ve defined critical areas where I can continue to grow. I’m very excited to see where this journey will lead us next. --- # Build vs. buy: what to consider when setting up an auth flow Source: https://stytch.com/blog/build-vs-buy/ Deciding whether to build new software and features in-house or buy an API or SDK solution from a third-party vendor is a question engineers face on a regular basis. Deciding whether to build new software and features in-house or buy an API or SDK solution from a third-party vendor is a question engineers face on a regular basis. When it comes to your authentication flow, that choice can have major implications for security—not to mention your user and developer experience and the resources you’ll dedicate to implementation and maintenance. Below, we review the criteria product and engineering teams should keep in mind when putting an authentication flow in place—and examine why turnkey solutions are becoming a popular way to boost efficiency, enhance security, and optimize user engagement and conversion. The pros and cons of build vs. buy There are many factors your engineering team might consider when weighing whether to build an authentication flow in house or turn to third-party specialists, but here are the top four: Opportunity Cost Rolling your own auth means you control the process and can custom-build to your app’s needs. But you’re also going to spend a lot of time and effort doing it. While buying a readymade solution may seem like a high upfront cost, creating that same solution in-house—along with a robust sandbox environment to support and secure it—is more expensive than you might think. In addition to the initial build, you’ll have to factor in engineering costs around maintenance and upgrades as bugs emerge and industry trends evolve. On top of that, engineering projects often go over time and budget. An early study found the average overrun to be 27%, with one in six companies overshooting estimates by 200% or more. That is valuable time that could be spent focusing on building your roadmap. Complexity Any authentication solution introduces unique challenges and takes significant effort to architect and implement, which can take focus away from building your core product. This is especially true of novel solutions such as session management, biometrics like WebAuthn, and high-converting flows like Google One Tap. In other posts, we lay out the many steps that go into building auth solutions like SMS one-time passcodes and email magic links—and that’s if you only implement one. You’ll need to repeat the process if you want to leverage the significant security benefits of multi-factor authentication (MFA). Authentication providers can save you time, resources and headaches by ensuring you get a secure solution right out of the box. Edge cases with provider integrations can be costly over time. But some providers, like Stytch, also wrap in access to particularly tricky (but valuable) options like route-based (or just-in-time) authentication, which lets you stagger verification factors according to the sensitivity of a user’s actions, introducing extra friction only when it matters most. Security Dealing with app security can be a burden for engineers and open your site to potential risks and threats. To assess your appetite for taking on this risk and security management in house, ask yourself: How sensitive is the user data your app handles? What are the possible consequences of a data breach? Does your team have the time and capacity to respond in real time and troubleshoot as security vulnerabilities arise? Depending on your answers, you may want to partner with a company dedicated to handling these very issues. Top authentication providers—who are used to managing high-stakes flows, including for large-scale financial institutions—are SOC 2 Type II certified, run frequent security audits, and take proactive steps to keep up with the latest threats. Auth expertise Tech moves fast—really fast. Building innovative user experiences and authentication flows often requires inside knowledge across a variety of verticals, each with its own endpoints and edge cases. It also takes staying current to new innovations and technologies in the auth space. You can designate a member of your team to keep up with shifting industry best practices and continually update your auth. Or, you can turn to a third-party provider that’s steeped in these details and navigates the ins and outs of key edge cases for you. How a turnkey auth solution can boost your business In recent years, and with rising numbers of reliable, easy-to-integrate APIs and SDKs on the market, many engineering teams have decided to buy auth solutions instead of build them from scratch. Some of the reasons your company might choose to partner with a third-party authentication partner include: Efficiency Opting for a pre-built solution takes the heavy lifting off your engineering team, gets your auth up and running quickly, and allows you to focus on optimizing your core product. Savings Authentication providers are often able to consolidate their resources and offer solid solutions at lower cost due to increasing economies of scale. Simplicity With an auth provider, your team gets a quality solution right out of the box. You can even choose between APIs and SDKs depending on how far in the weeds you want to get with integration and customizations. Security Partnering with experts means your team can offload the anxiety of safeguarding your data and let your authentication partner worry about the details. Support Auth providers are tuned in to the latest industry best practices and keep their products up to date to drive better performance and conversion rates for partnering apps. Stytch tops the list Once you’ve decided to go with a third-party solution, the question then becomes, what is the best authentication provider for your app? There are a few reasons Stytch stands out and offers the best auth solutions on the market: Flexibility Because of the way we’ve structured our direct APIs and customizable SDKs, Stytch works entirely in the background to secure your app. Your team owns everything with the UI and UX, so users get an experience that’s 100% on-brand. Easy integration We don’t need to tell you that clear, accurate docs can make or break an integration. Stytch is built by developers for developers. We get our partners fully integrated in a matter of days, and our team is always available to jump on a call or chat. Built-in redundancy With service-based auth flows via email and SMS, communication providers can be a point of failure, effectively shutting down your login flows and user acquisition with any downtime. Stytch monitors uptime and latency, routing to multiple providers to ensure your users always have a high quality experience. Better UX and conversion As a passwordless solution, Stytch doesn’t sacrifice user experience for security. We keep friction low and track performance metrics with our SDKs, so we can identify where users might be falling off your auth flow and work with you to boost conversion. Scalability As your app expands, more users will demand more flexible authentication options. Stytch takes a one-stop approach to auth, with a variety of solutions wrapped into a single cost. Key takeaways While the buy or build debate is never simple, some careful consideration can easily tip the scale when it comes to authentication. Ultimately, you may decide that it’s worth letting a third-party auth provider own the costs and hassles of managing your flow, so you can focus your time and resources on your business. Learn more Our passwordless solutions make authentication simple, with easy-to-integrate APIs and SDKs that are fully customizable to your brand. Get started for free today. --- # Password reuse is a cybersecurity threat Source: https://stytch.com/blog/password-reuse-is-a-cybersecurity-threat/ Good password hygiene has always been the top security measure to avoid data breaches. However, with so many websites, e-stores, and social media sites each requiring strong but unique passwords, it becomes hard to remember them. A CyberNews interview with Stytch co-founder Reed McGinley-Stempel Good password hygiene has always been the top security measure to avoid data breaches. However, with so many websites, e-stores, and social media sites each requiring strong but unique passwords, it becomes hard to remember them. Having to continuously make up long and difficult-to-guess passwords results in users compromising security for sanity––they are resorting to password reuse, which can lead to countless breaches. While there are known and convenient solutions that users can adopt, such as password management tools, organizations implementing measures such as passwordless authentication on their platforms could dramatically improve security. For this reason, we invited Reed McGinley-Stempel, the CEO and Co-Founder of Stytch, a company that specializes in passwordless authentication, to discuss the relevance of authentication methods and cybersecurity issues. How did Stytch come about? What has the journey been like so far? Authentication is a frustrating experience for both developers and users. Julianna Lamb and I recognized the problem and set out to solve it. While working together at Plaid, we witnessed the security and user experience shortcomings of password-based authentication and founded Stytch to create the developer platform for passwordless authentication that enables software teams to easily build experiences that delight their users. It’s been an incredible journey so far. We believed passwordless adoption was inevitable, but it has accelerated much faster than we honestly expected, with even major organizations like Microsoft moving to a passwordless framework last year. The trend is growing even faster in 2022, and we’re excited to be building the tools that make it easy for developers to quickly and safely adopt passwordless authentication in a way that works for their users. Can you tell us a little bit about what you do? What challenges do you help navigate? As the internet has matured, it’s removed numerous points of friction, but authentication continues to pose significant security, privacy, and usability challenges. For many reasons, the old standard of a password and username simply doesn’t cut it anymore. But requiring users to create complex password and username combinations for each service they want to access can be cumbersome and inefficient. It increases user drop-off rates at both sign-up and login, directly contributing to higher customer acquisition costs (CACs) and lower lifetime values of users (LTVs). Our platform enables developers – who normally face tremendous time and effort hurdles in building authentication workflows – to build great applications that provide both safe, secure authentication and great user experiences. How do you manage to ensure secure authentication without compromising the user experience? A great user experience and secure authentication are not mutually exclusive. In fact, just the opposite. Friction on the Internet can be eliminated while improving security. 81% of all data breaches online stem from insecure passwords. And the friction of passwords primarily contributes to these security issues – when users are asked to create countless, complex passwords every day, it’s no surprise that users instead choose to reuse the same password that they use on many different sites. This creates a chain of risk when one of those services is breached. Our customers experience major conversion increases and fewer security risks simultaneously every day. How we do it is by providing a wide variety of passwordless authentication solutions for different business needs. There are many options on the table, including email magic links, SMS one-time passcodes, WebAuthn (TouchID/FaceID and YubiKey support), OAuth, and multifactor flows using a combination of these methods. We’re building solutions that reimagine user infrastructure, starting with out-of-the-box and customizable passwordless authentication products that are easy for engineering teams to integrate. With our flexible APIs and SDKs, our customers can improve user conversion, retention, and security – all while saving valuable time. Have you noticed any new cyberthreats arise during the pandemic? Cybersecurity can seem like a game of whack-a-mole. No sooner do security experts get wise to the latest threats than attackers modify their tactics, discover fresh vulnerabilities, and develop new lines of offense. We’re seeing a rise in all forms of cyberattacks, from malware to phishing and denial of service (DoS) attacks. There’s also a constantly growing arsenal of cybersecurity threats, with others including zero-day exploits, Internet of Things (IoT) attacks, rootkits, and cryptojacking. In the fight against cyberattacks, we’re equipping developers with the latest, strongest passwordless products, from email magic links and SMS one-time passcodes to WebAuthn built-in biometrics and specialized hardware keys. What are the main issues associated with password-based authentication? Password overload is a ballooning issue. Surveys have found that the number of password-protected accounts per user has increased exponentially in recent years, in response to an explosion of new apps and online services. One study found that between 2019 and 2020 alone – with people likely spending more time online due to the COVID-19 pandemic – the number of passwords per user jumped 25%, from an average of 70-80 to 100. ​​A recent poll also showed that most users don’t take advantage of existing password managers. As a result, 37% forget a password at least once a week, increasing the likelihood they’ll abandon a commercial account or leave a purchase incomplete. A seemingly logical solution to password vulnerability – mandating more complex and therefore more secure passwords – is not viable. The variety of password requirements proliferating across platforms poses major usability challenges, as Internet users confront byzantine protocols to set and reset convoluted passwords that prompt many to abandon the desired task in the first place. Moreover, experts argue that despite the oft-noted trade-off between security and usability, other efforts to improve password security are self-defeating. Requiring frequent password changes or preventing paste functionality simply leads people to adopt weaker passwords and repeat them across accounts, threatening a cascade of breaches. In your opinion, why do certain organizations fail to recognize the need for quality authentication solutions? Given the shortcomings of passwords, the shift to passwordless authentication feels inevitable. Still, skeptical companies may be reluctant to abandon authentication solutions they’re familiar with. A common mistake in recent years has been treating alternative authentication methods as second-factor, rather than primary-factor, candidates. Most companies are unaware that they already have passwordless flows in place, and they’ve needlessly complicated these processes for users. Whenever a customer passes through a site’s password reset protocol, they’re essentially experiencing passwordless authentication. One of the main problems in moving to passwordless authentication: for developers building out authentication flows, it’s a time-consuming and error-filled process that can involve multiple engineers and many months of maintenance annually. That’s what Stytch’s platform helps them overcome. Besides quality authentication methods, what other cybersecurity measures do you think companies should have in place to protect both their workload and customer data? Strong encryption for sensitive data at rest and data in motion is always recommended. Additionally, taking advantage of modern vulnerability scanning tools like Snyk is understandably a popular defense mechanism. Overall, embedding security engineering training into all engineering functions regardless of whether they are on the security engineering team is critical to building a culture of security. Talking about the future, do you think biometric authentication is going to surpass other authentication methods any time soon? We think biometric authentication is poised to see a huge uptick of adoption in the next couple of years. Historically, we’ve only been able to use biometrics with native iOS and Android applications. They haven’t been available in web-based experiences – however, with the introduction of the WebAuthn protocol, that’s finally becoming possible. This provides biometrics their best chance to become ubiquitous. While WebAuthn is really promising, it’s also complex to integrate, which is why we offer it through simple API integration with Stytch. Would you like to share what’s next for Stytch? We have more biometric authentication products coming out soon, and we’re also releasing a number of products in the Web3 authentication space. Web3 authentication has some definite UX shortcomings today, but if those are overcome, there are some really compelling fundamental shifts to how users authenticate in Web3 that we’re quite excited about. READ THE FULL ORIGINAL ARTICLE>> by Kristina Jarusevičiūtė, Cybernews --- # It's a Stytchiversary! Meet Nikhil Dilip, software engineer Source: https://stytch.com/blog/stytch-spotlight-nikhil-dilip/ It's a Stytchiversary! Meet Nikhil Dilip, software engineer What do you love most about working at Stytch? We're working on a problem that affects both developers and end users in every aspect of their daily lives. Struggles with passwords, login experiences, and breaches are frustrating and ubiquitous -- solving a problem space that large is very motivating. Our new SF office is pretty sweet too. What does a typical day at Stytch look like for you? It depends! Tuesdays and Thursdays tend to be more meeting-heavy, meaning that I'll spend time syncing with my teammates about their projects, pairing on more complicated tasks, interviewing candidates, or meeting new coworkers. The other days I'll have more deep focus time; depending on what phase of a project I'm in, that'll either be working on a design doc, writing code, or reviewing my teammates' docs/code. What’s been the most surprising thing about Stytch? Stytch is the first early-stage startup I've worked at, and I expected it to be chaotic. I learned that wasn't the case on the very first day. From a streamlined onboarding experience to a very intentional and methodical quarterly planning process, I've found Stytch to be the perfect blend of fast-moving excitement and focused execution. Stytch has gone from 0-1 in the last year, what have been some of your biggest learnings about joining an early stage company? Communication is really important! The decisions we make now set the foundation for our future -- this is true for building both a product and a culture. Clear communication, especially at our remote-friendly company, is paramount at the early stages. What’s your favorite part of the Stytch culture? My coworkers! Working with a group that is both intelligent and empathetic is rare and enjoyable. I learn something new from my teammates every day and have a great time building new products with them. At such an early stage, I'm able to interact with every employee, which has taught me so much about building a business and a brand beyond just the technical aspects of our product. Which Stytch value resonates most with you and why? “Constytchuents make each other and Stytch better.” It's amazing to work at a company where everyone is focused on improving themselves and those around them. Everyone is motivated by solving the same set of problems and is willing to jump in to help when you need it. This also means that we're all entrusted to do what we can to improve the company. Our culture gives every employee the freedom and responsibility to construct a positive work environment. What’s the most interesting project you’ve worked on at Stytch? I really enjoyed building our TOTP Authenticator App product for two reasons. First, security and flexibility are very important to us at Stytch, so it was fun to work on a product that allows developers to easily integrate a secure mode of authentication. Second, it demonstrates the value of our API-first approach. TOTPs are a perfect example of a just-in-time authentication use case that gives end users a secure yet simple user experience. How did you end up working in software engineering? I grew up in the Bay Area, where it's hard to not hear about tech! I was able to learn enough computer science in high school to know that I wanted to major in it in college, and I've been a software engineer ever since. When’s the last time you did something for the first time and what was it? I went snorkeling with manta rays last week when I was in Hawaii! Highly recommend it, they're much larger than I thought but still very gentle. What song, hobby, or recipe got you through COVID? I picked up both running and cycling during the pandemic, which really helped me stay sane. SF has so many trails and roads I'm still exploring. What’s your ideal weekend? Usually meeting up with friends at fun restaurants, bars, or parks around the city. I watch too much sports, particularly Bay Area teams: Warriors, 49ers, Cal. I like to to squeeze in a long run through Golden Gate Park and/or a bike ride in Marin as well. What’s something you’re passionate about that’s not on your resume? I love doing most kinds of puzzles. Crossword puzzles, trivia nights around the city, watching Jeopardy, all of that. --- # What is WebAuthn? Source: https://stytch.com/blog/what-is-webauthn/ In our latest post, we go a level deeper on WebAuthn to share what it is, why it’s so exciting, and what are considerations for implementing it. We’ve said it before and we’ll say it again, WebAuthn is one of the most exciting passwordless technologies available for both engineers and for users. In our latest post, we go a level deeper on WebAuthn to share what it is, why it’s so exciting, and what are considerations for implementing it. WebAuthn, MFA, and U2F The Web Authentication API (WebAuthn) is a specification that allows web applications on supported browsers to authenticate a user via authenticator types such as built-in device biometrics (e.g. facial recognition on mobile and fingerprint readers on desktop) or secure hardware keys (e.g. YubiKeys). To understand WebAuthn, we need to understand its relationship with MFA and U2F. Multi-factor authentication (MFA) is quickly becoming standard practice for security-minded organizations and individuals. It consists of multiple layers of security that range from one-time passcodes to voice authentication. Universal second-factor authentication (U2F) ties two-factor authentication to a physical component, verifying a user’s identity by leveraging a USB or NFC (near-field communication)-based piece of hardware that sends a unique private key to the server. WebAuthn allows MFA and U2F protocols to be easily integrated into web-based services or applications. By streamlining the integration process and creating an open standard for engineers to build on, WebAuthn makes secure passwordless authentication accessible and compatible with a variety of authentication factors. How WebAuthn works WebAuthn uses public-key cryptography to authenticate users and protect against even the most serious cyber attacks. Public key cryptography is an encryption scheme built around the relationship between two unique keys—a public key and a private key. These keys play an important role in securing data, with the public key being used to encrypt the data and the private key being used to decrypt it. This is why public-key cryptography is sometimes referred to as asymmetric cryptography—as opposed to symmetric cryptography, which uses one key for both decryption and encryption. The public key is stored on the server, while the private key can be stored either on the local operating system or on a hardware security module like a USB or biometric scanner. When a user authenticates, the private key sends a message with a unique signature to the public key, which then decrypts access to the server. Using this scheme as its foundation, WebAuthn establishes a uniform interface for implementing passwordless authentication across web-based services. First published in 2016 by the World Wide Web Consortium (W3C), it has quickly become one of the fastest growing new standards for passwordless authentication. The benefits of WebAuthn The benefits of using WebAuthn for passwordless authentication are as follows: Reduced friction: integrating WebAuthn into your application means reduced friction for your users. It’s a seamless experience to authenticate with your registered device or hardware key. Enhanced security: based on public-key cryptography, WebAuthn’s reliance on hardware security modules or biometrics for passwordless authentication provides unparalleled security. With cyber attacks becoming more complex and data breaches becoming more frequent, WebAuthn is a trustworthy choice as an "unphishable” authentication factor. WebAuthn-supported authentication factors WebAuthn enables you to support a multitude of hardware-based authentication factors to verify a user’s identity: Biometrics: biometric authenticators are devices that use fingerprints or facial, voice, or retinal scans to authenticate users. These authenticators can be connected to a variety of devices via USB port, Bluetooth, or NFC technology. Connecting a biometric authenticator to a specific device ties it to that device's physical location or domain. To authenticate, a user needs to verify not only their biometrics but also their location, effectively preventing phishing scams. Device-based biometrics: many devices today, including most Macs, iPhones and Androids, support device-based biometrics such as FaceID, TouchID, or similar. Security keys: similar to biometric scanners, security keys can be connected either via USB port, Bluetooth, or NFC. Where biometric devices ascribe to the principle of “something you are,” security keys work off the “something you have” principle. Similarly, being tied to a physical location or device makes them an effective way to prevent phishing. They are also more widely supported than biometric scanners when it comes to U2F/WebAuthn-enabled applications. YubiKeys: while similar in functionality to a security key, a YubiKey comes with the added security measure of being able to store time-sensitive one-time passwords (OTPs). This means that on top of WebAuthn-powered U2F, YubiKeys have their own proprietary authentication method. When a YubiKey connects to a device, it generates an OTP with an individual timestamp to authenticate access. Pros and cons of WebAuthn While WebAuthn has reduced friction when it comes to implementing passwordless authentication, it is not without its challenges. Browser support is a factor that should be taken into consideration when developing a WebAuthn app. Though WebAuthn supports Chrome, Windows 10, and Safari, support is not yet uniform in regard to feature parity. While it’s early in adoption, WebAuthn continues to evolve. As it does, the number of supported browsers and devices that support it will continue to grow, providing companies and end users alike with unparalleled security and versatility. While WebAuthn has many benefits, engineers and product teams need to understand the API to implement it securely. Stytch's WebAuthn product simplifies the process by abstracting the implementation details of WebAuthn so that integration is as quick and secure as possible. Find the right WebAuthn solutions with Stytch At Stytch, we know how important it is to find the right fit. That’s why our flexible APIs make it simple to use WebAuthn as a standalone authentication option or second factor to strengthen security. --- # Auth0 pricing (and four other reasons to choose Stytch) Source: https://stytch.com/blog/why-stytch-over-auth0/ One of the most common questions we're asked by developers is: "Why should we choose Stytch vs. Auth0?" One of the most common questions we're asked by developers is: "Why should we choose Stytch vs. Auth0?" It's a fair question. Auth0 has been around for nearly a decade, while Stytch is relatively new to the authentication space (founded in 2020). That said, age isn't everything, and it may even be holding Auth0 back. More on that below. So, if this is the first time you're learning about Stytch (a special shoutout to readers who got here by searching "Auth0 alternative") we've prepared a list of the key ways in which we outperform the competition — starting with Auth0 pricing and working our way through the flexibility, reliability, and usability of our respective platforms. Looking for a point-by-point comparison of Stytch vs. Auth0? Check out our complete buyer's guide here. Let's summarize our five key advantages before diving into the details and exploring why many Auth0 customers are switching to Stytch. Cost: Auth0 pricing jumps when you need auth and access management tools beyond the bare minimum, while Stytch offers pay-as-you-go rates that decrease as you scale. Flexibility: Stytch solutions can be fully tailored to the look, feel, and flow of your app and brand, while Auth0 limits edits to widget-based customizations. Reliability: Stytch offers built-in redundancy and failover logic to mitigate vendor downtime, but Auth0 requires you to BYO integrations with no redundancy allowances. Integration: Stytch's docs are easy to read and implement for a quick integration. Meanwhile, Auth0's docs are extremely complex. Innovation: Stytch offers a range of frictionless auth solutions through a single platform in addition to breach-resistant passwords, while Auth0 continues to focus on a more traditional password approach. Now, let's take a closer look. 1. COST Simply put, Auth0 pricing models and calculators hide the true cost of their services. The more volume you handle and the more features you need, the more you pay, which can make it difficult to forecast costs at scale. Typically, Auth0 pricing works out to be two to three times higher per user than Stytch. Their free plan offers only limited features, and you're forced to upgrade to enterprise pricing to add even basic passwordless solutions — like OAuth, multi-factor authentication (MFA), one-time passcodes (OTPs), and WebAuthn — or to turn on advanced user role management options like admin roles and consolidated user stores. With Auth0, higher user tiers mean more expensive paid plans, which may require contracts with external marketplace vendors at an additional cost. Stytch, on the other hand, offers simple, flexible pricing through our partnership model. With Stytch, pricing starts at a transparent 5 cents per active user with unlimited logins, and it quickly decreases as you scale. That means no monthly commitment and no enterprise plan. Our pricing model aligns with your business model, and we only make money when you authenticate users — so you never pay for anything other than usage. Don't just take our word for it. You can see our full pricing structure here, including the details of our free plan. 2. FLEXIBILITY Whether you're a startup or an enterprise, you shouldn't have to compromise the look and feel of your product (or your brand's unique personality and style) for any vendor — even for a service as important as authentication. In most cases, your first "write" interaction is the user signup flow, which means it's the first chance a user has to form an opinion about your app and how it works. Most drop-off occurs at this stage, so it's critical for the experience to leave users with a positive impression. That's why flexible solutions are core to Stytch's offerings. Stytch offers both a direct API, which allows you to own your UI and UX from end to end, and highly customizable SDKs for Javascript, React, iOS and Android. Unlike most SDKs, Stytch gives you complete control and enables you to call the Stytch API directly from your browser. The result is a wide range of sign up and log in options, enabling organizations to build on-brand auth and access management flows. In fact, Stytch's customizable frontend components work seamlessly within custom domains with no hosted redirect page required. This delivers an auth experience that's fine-tuned to your brand and to your users' expectations. Our adaptability to different auth and access management scenarios is why Gather chose us over the competition. "When we started thinking about building our auth, I looked at three solutions: Auth0, Magic Link, and Stytch. It became clear playing with each that Stytch was going to be the most flexible." — Ryan Rosztocy, Founding Engineer, Gather In comparison, Auth0 stymies their customers' creativity because they prioritize passwords. This requires them to maintain strict control over forms and domains and limits their flexibility to widget-based customizations. 3. RELIABILITY When it comes to authentication, it's important to provide end users with a seamless experience not just the first time, but every time. That's why Stytch strives to build passwordless authentication solutions you can rely on and simpler yet more secure password-based flows. Our customers depend on us for critical infrastructure, so we invest heavily in ensuring we can maintain exceptional uptime percentages. You can see the results for yourself on our status page. Stytch builds redundancy into every communication-based auth product, monitoring uptime and using dynamic failover logic to route across multiple providers. This ensures vendor downtime doesn't impact your platform and that your users can enjoy a high-quality, uninterrupted experience with no single point of failure. In contrast, Auth0 compels you to provide your own integration for communication APIs, which are required for service-based auth via email and SMS. What's more, the Auth0 platform doesn't allow for any redundancy. While this isn't always front-of-mind for developers choosing an auth provider, we've learned through experience that it's vitally important. Case in point: at a previous company, our service provider experienced two days of downtime, during which we couldn't authenticate any user visiting our platform. This was extremely painful. It felt like we'd just poured our heart and soul into opening a new restaurant and then had to turn customers away at the door due to a broken stove. It took us over two months to solve the issue by building out a backup provider. Ultimately, our poor decision not to plan for redundancy negatively impacted not only our business but our productivity, since development teams had to be pulled away from core projects they were working on. Take it from us: Users won't be able to access your services (or give you their money) if you can't reliably authenticate them. And if they detect a dip in service, they're much more likely to churn. It's important to maintain gold-standard uptimes, avoid interruptions, and offer timely service and enterprise support to resolve any issues. “We experimented with several auth providers, but Stytch was the easiest to use by far. We also saw that Stytch had a number of handy features in the works, and we’d get access to a whole system of integrated, innovative products through one simple integration.” – Omar Torres, Co-Founder, Chessly 4. EASE OF INTEGRATION Your time is valuable. Developer to developer, we know that you don't want to spend it implementing auth. You'd rather focus on your core product. That's why Stytch is designed to get you up and running in minutes, whether you're building an auth solution from scratch or migrating from another platform. It all starts with our clear, easy-to-implement documentation. "Our product team was blown away by Stytch's ease of use. The integration was effortless compared to other tools, because we had so much support. Partnering with Stytch really eliminated the pain of having to manage and maintain an immense authentication system." – Paul Bergamo, Product Lead, Bitcoin.com Auth0's documentation, on the other hand, is incredibly difficult and time-consuming to decipher, adding unnecessary complexity to the integration process. This is largely a byproduct of their various builds and migrations — and the issue is only amplified when you attempt to level up and go passwordless. Auth0 doesn’t make it easy for you as a customer–with docs that are overly complex and don’t include copy/paste examples for their client libraries. Authentication is a crucial part of your app, but you shouldn't have to spend days reviewing docs or weeks implementing them. Standard Metrics (formerly Quaestor), chose Stytch for our intuitive docs and our laser focus on the developer experience. Full implementation took their one engineer less than a day — and, within a few months, around 35% of their monthly active users were logging in passwordlessly through Stytch. 5. INNOVATION The most fundamental difference between Stytch and Auth0 is also the most important. In addition to conventional auth methods like passwords, Stytch offers many more modern options like passwordless authentication, while Auth0's architecture is primarily password-based. That means Stytch is keeping up with the most innovative and forward-thinking auth solutions to provide secure access. When Auth0 first started out, password-based auth was the norm. Unfortunately, while they've since started exploring passwordless solutions, they've largely maintained the status quo and their passwordless offerings are relatively shallow. In stark contrast, Stytch was founded on the belief that passwordless authentication is the way of the future. Passwords are a dated auth method that causes needless friction, frustrated users, and lower conversion rates. They're also much less secure. As internet use has exploded, password reuse has become a ballooning issue. In fact,81% of recent online data breaches involve a weak or stolen password, and the latest industry standards consider all traditional passwords to be "pre-breached." Luckily, auth technology has evolved to meet this challenge, and passwordless-native platforms like Stytch are leading the way. With Stytch, you can boost both security and UX with intuitive, low-friction solutions like OAuth and OpenID. They're part of an integrated, all-in-one platform, with an evolving product suite that includes the newest, highest-converting passwordless auth methods, like Google One Tap and embeddable magic links. Google One Tap is a particularly powerful way to improve onboarding and login transactions, and companies that have implemented it have seen impressive results. For example, Pinterest achieved a 47% increase in signups on desktop and a 126% increase in signups on Android. Great user experiences translate to real business impact. Consider our partners at Lighthouse, an innovative rental platform. Lighthouse originally partnered with Auth0, but they felt hemmed in by the platform's rigidity. After switching to Stytch, they were able to offer more flexible auth and access management experiences to their users — and saw a 62% jump in conversions after they did. The bottom line Stytch not only offers more affordable authentication solutions than Auth0, but more flexible, reliable, and frictionless experiences for app developers and their customers. Discover a modern approach to authentication So, what does migrating to Stytch entail? Glad you asked. It's actually pretty easy to switch your users to Stytch by following the steps and tips in our handy migration guide. If you want to learn more about the differences between Stytch and Auth0, visit our Stytch vs. Auth0 comparison page — or reach out to our team to get your questions answered. --- # Making research an integral part of your product strategy Source: https://stytch.com/blog/leading-with-user-centered-design-at-stytch/ Making research an integral part of your product strategy When you’re developing a product or service, step one is understanding the needs of the people who will use it. Still, many startups wait to hire research roles, because the benefits seem soft and tenuous when compared with the instant payoffs of launching something quickly. Everyone knows the story of the three little pigs, but not enough startups take its message to heart. While building something quickly has its place, the company that best understands its purpose tends to win out in the end. To put that in tangible terms, the 1-10-100 “cost of quality” rule states that it costs 10x as much to correct a product’s design and 100x as much to fix its development than it does to prevent an issue in the first place through proper research. And it holds up. One Forrester report shows that, on average, every $1 businesses invest in user-centered research yields $100 in returns. I joined the Stytch design team as the first research hire in the summer of 2021, after a decade at other startups. Across that experience, I’d noticed a common trend. When product teams embraced research as part of the development process, they felt more confident in their focus, more aligned on their use cases, and more efficient in meeting their goals. I brought those lessons with me to Stytch, used them to establish research as a pivotal aspect of our product design, and saw immediate results. Below, I share some ways you can take advantage of research to help your team gain foundational knowledge, use time and resources effectively, and expose blind spots in the discovery and onboarding process, so you can optimize both your product and your productivity. Lean on evidence, not guesswork When you’re at an early-stage startup, there’s no shortage of ideas. Between brainstorms and feature requests, thoughts are always coming your way. It can be tough to cut through the noise and identify the actions your business needs to take to thrive. But if you base key business decisions on your immediate assumptions or reactions, they’ll reflect the biases of your team, not the desires of your users. This is known as the false consensus effect, or the tendency to overestimate the extent to which your preferences are shared by others. Conducting a bit of customer research upfront can help you avoid wasting efforts on a product that doesn’t actually solve your users’ problems. At Stytch, I ask my team to list their assumptions about how our users behave, make decisions, and think about a certain product early in the design process. That helps us build studies, validate or disprove theories using objective data, and learn more about our customer base. For instance, we initially assumed engineers were the ones choosing an authentication platform based on what they thought were the best security features on the market. Instead, we found decisioning power varied from C-level executives to product managers to entire development teams and often rested on unique end-user needs. A health startup, that is, may require certain levels of HIPAA compliance baked into their authentication. This sort of insight only comes from posing the right questions—and then answering them through the right level of research. Uncover your blind spots As you develop or update a product, you’ll find yourself in situations you never saw coming—often due to factors that weren’t considered at the outset but emerge as major takeaways from research. I call these blind spots, and it’s critical to bring them into focus before starting a project, so you can make effective use of your time and resources. For example, at Stytch, we realized we hadn’t considered how long it might take developers to evaluate and select an authentication provider. Through research, we found they tend to rely heavily on their familiarity with a given tool and then make a quick choice. Trust is incredibly powerful when implementing a critical service like authentication, and establishing a sense of familiarity can go a long way toward building it. With that in mind, we were able to redirect design and marketing efforts to make our products more familiar and accessible to developers before they even needed an authentication solution, ultimately giving Stytch a leg up during the decision making process. Now, we keep a diagram of the “decision sandwich” on hand to remind our team how important familiarity and customer needs are to our product development. The “decision sandwich” helps the Stytch team keep customer needs and product familiarity front of mind. Understand your use cases For startups, it can be hard to zero in on the right user experience. There are many competing factors to consider, from what competitors are doing to how industry trends are evolving to what reviewers are saying. It’s easy to forget that the only experience that matters is the one that helps your customers and your business meet their primary goals. Prioritizing research at the outset of a project helps you set a benchmark for success. You can always come back to your roadmap later to ensure you’re still on the right track and addressing the right problems (and adjust your approach if you’re not). After working to understand our customers’ decision-making process, the next logical step at Stytch was to make sure our onboarding was up to scratch. So, we did some foundational research to learn what happened after developers chose us as their authentication provider. We found that they often dove immediately into our docs and explored the possibilities before selecting and setting up a specific product like email magic links. That helped our product designers focus their efforts, make swift and practical decisions, and put together a revamped onboarding experience that would truly delight our users. Empower your team It’s common for small startup teams to lean on sales or partner conversations as informal user interviews. This can be an easy way to gather feedback and quickly assess your next steps—but it’s no substitute for formal research. I’ve found teams are less likely to pursue research if they think they’ll run into a bottleneck that will hold up their project. That’s why I empower my team with a self-service guide that helps them implement research early and often. Before, team members would have to wait anywhere from two to four weeks to book time with me and discuss their research process. With the self-service guide, they can lean on quick templates to get started and consult best practices to ensure they’re talking to the right people and asking the right questions. Now, they can create solid research plans on their own within one to two days. Key takeaways Making research an early and integral part of a user-centered design process can help your team build confidence and clarity around the customer needs you’re looking to meet. It’s an upfront investment, but one that—if made carefully and intentionally—will yield countless results for your users and your business. Our team is growing Interested in bringing your research and design skills to Stytch? Check out our available positions, and get a feel for some of the projects we’re working on. Learn more. --- # Introducing Log in with Ethereum Source: https://stytch.com/blog/introducing-log-in-with-ethereum/ Unlock Web3 via Stytch without having to touch a blockchain. Unlock Web3 via Stytch without having to touch a blockchain. Stytch is on a mission to eliminate friction from the internet and we’re thrilled to launch our first passwordless authentication solution for Web3—Log in with Ethereum. Log in with Ethereum makes crypto wallet authentication seamless, for both engineers and end users, and supports passwordless authentication for all Ethereum-based wallets (Metamask, Coinbase Wallet, etc.). What we’re solving for One of the major developments that has occurred over the past two years has been the meteoric rise of cryptocurrencies, such as Ethereum (ETH), and decentralized Web3 applications. To use price as a proxy for this growth, in March 2020, the price of 1 ETH was worth roughly $112.35. Two years later, the price of 1 ETH is now worth $2,574.75, a staggering increase of nearly 23x. And that’s with ETH’s drop from its all-time high of nearly $5K back in November 2021. In March 2020, the price of 1 ETH was worth roughly $112.35. Two years later, the price of 1 ETH is now worth $2,574.75, a staggering increase of nearly 23x. Ethereum today remains the market leader in Web3 and has the greatest share in the fast-growing non-fungible token (NFT) and decentralized finance (DeFi) markets. But despite the rapid growth of cryptocurrencies and decentralized applications, crypto wallets—the tools that house digital assets such as cryptocurrencies and NFTs—remain inaccessible and complicated for end users and developers alike. For end users, just figuring out how to create and fund a crypto wallet is daunting, and can feel as confusing and punishing as trying to decipher poorly thought out street parking signs. There are too many steps involved in sign up and it is common for people to lose access to their credentials when using private keys to determine wallet ownership. For developers, the proliferation of different wallets has led to generic and bloated user authentication experiences. And once a user logs in, developers are still faced with challenges like managing sessions for their users. Connecting a wallet is just the beginning of managing your users in Web3 applications. Our solution: Log in with Ethereum We’re introducing Log in with Ethereum to help solve for this friction. With just two calls to our API, you can allow users to log in to your app via any Ethereum-based crypto wallet. MetaMask, Coinbase, Rainbow, and any other Ethereum-based wallet can now be linked via our API in a single, smooth authentication flow alongside your existing Web2-based options. Email magic links and crypto wallets? You got it. Crypto with SMS based OTP as a second factor? No problem. Our documentation shows you, step-by-step, how to build a Log in with Ethereum flow and how to deal with the authentication logic. Via our direct API, we clearly outline what steps are necessary on the client side. Our integration guide is a one-stop shop for how to get the Log in with Ethereum flow working, end-to-end. Using Log in with Ethereum Although Log in with Ethereum can be used in a standalone fashion for connecting crypto wallets, it becomes much more powerful when you combine it with the other features and ergonomics of the Stytch platform: For session management: when you authenticate a crypto wallet, you can start a session to securely keep the user logged in. Both session tokens and JWTs are fully supported for session management. For user management: similarly, you can use the Stytch API to easily manage your users. With additional authentication factors: beyond crypto wallet auth, Stytch offers a full suite of authentication methods such as email magic links, OAuth, biometrics, SMS passcodes, and WhatsApp passcodes. With Stytch, you can build secure, low-friction authentication flows for both Web2 and Web3 users with a single authentication provider. Whether a user wants to log in with Apple, Google, their FaceID, or a MetaMask account, you can fully support all users with a single integration. What’s coming next Log in with Ethereum marks Stytch’s first foray into the Web3 space, and there is plenty more to come. Web3 is increasingly going multi-chain, with compelling new projects being built on blockchains outside of Ethereum, and so are we. We’re excited to continue to build out support for other popular blockchains like Solana so that more Web3 use cases can use Stytch for their authentication needs. At Stytch, we pride ourselves on both providing great developer experiences but also great end user experiences. We’ll be launching SDK support for our crypto wallet log in products so that we can continue to do more of the heavy lifting when it comes to building delightful user experiences, and you can focus on building your core product. Web3 user authentication is a multifaceted issue, and we’re also excited to unveil something for end consumers in the near future. Stay tuned! Getting Started Are you building a Web3 application, or are interested in enabling your users to authenticate via their Ethereum wallets? You can check out our documentation and sign up for a developer account here to get started! If you have any questions, please feel free to contact us at support@stytch.com. --- # Build a custom client portal on Airtable using Sequin, Stytch and Next.js Source: https://stytch.com/blog/build-custom-client-portal-on-airtable-using-sequin-with-next-js/ Build a custom client portal on Airtable using Sequin, Stytch and Next.js Sequin syncs APIs like Airtable to your database in real time. Stytch makes authentication easy. We’re thrilled to join forces and host one of Sequin's most popular tutorials on our blog. Read on to learn how to build a custom client portal on Airtable that uses Stytch for user authentication... In this tutorial, you’ll see how to build a scalable, secure, and flexible client portal on Airtable using Sequin, Stytch, and Next.js. You’ll set up a custom application that allows your clients to log in securely and access only the data you want them to access. Finally, you’ll see how to make this application interactive so that your clients can sign off on projects directly from the portal. Each step will be outlined in this tutorial, but if you’d like to get a working copy of the final code, you can find it on GitHub. Setting up the Airtable base This demo project will start with the Airtable Project Tracker template. Copy this template to your Airtable account and open up the base. This base includes three tables: Design projects, Tasks, and Clients. Tasks are for internal use only, so in this tutorial, you’ll focus on the projects and clients. You’ll use Stytch to authenticate users by their email address, but this template doesn’t come with a client email field. So, you need to add a new column to the Clients table called Email. Add some dummy data to each of the fields, but use your own email address for one of them. This will be your test client account so you can verify that the web app works. Connecting Sequin to Airtable While you could build a client portal that queries the Airtable API directly, this has some major drawbacks, including the following: Airtable’s API limits you to just five requests per second, so it won’t scale well. Querying related records using the Airtable API is cumbersome and often involves multiple API calls. This can significantly reduce your app’s performance, especially when coupled with the API limit mentioned above. Finding, sorting and filtering via Airtable’s API isn't easy. If you haven’t already, sign up for a Sequin account. Once you’re logged in, click the Add Base button in the top right corner. Add your Airtable API key, select the base you want to replicate (it’s called Project tracker by default), select Sync all tables in this base, and make the destination for the replica New Sequin database. When you’re done, hit Create, and within a few seconds you’ll have a Postgres replica of your Airtable data. Be sure to save the Postgres connection string shown, as you’ll need it for your web application. Creating a new Next.js application Next.js is a React-based web development framework designed to run seamlessly on Vercel. While you could set up a new React application with a backend, Next.js makes the setup and configuration process much simpler, so it’s a great starting point for building simple frontend applications like this one. Assuming you’ve got a recent version of Node.js installed (version 10+ is recommended), use `npx` to create a new application from your terminal: Enter a name when prompted (project-tracker in this example), and the required base packages will be installed. This project includes several API endpoints and one frontend route, which you’ll modify later in this tutorial. For now, navigate into the new project folder: And open the project in your text editor or IDE of choice. Setting up Stytch for authentication To allow clients secure access to your portal, you need a way to authenticate them via their email address. While you could build this feature yourself, you can also use Stytch to set this up with very little custom code. Setting up Stytch is pretty straightforward, but here is a tutorial for setting up Stytch authentication if you'd like to see how it works. This tutorial makes use of Stytch's Email Magic Links product. First, sign up for Stytch and get your project ID, secret, and public token from the Dashboard. Next, from your terminal, you need to install Stytch and a few other required dependencies. In this demo application, Stytch is being coupled with the next-iron-session utility to help with managing user sessions and data. Next, create a `.env.local` file in the root directory of your project. This will allow you to securely store your environment variables without checking them into version control. Replace each `...` with the corresponding environment variable from each of the services used in this tutorial. As a reminder, `PG_CONNECTION_STRING` is the Postgres connection string for your project from your Sequin account. Note that the Stytch public token must be prefixed with `NEXT_PUBLIC_`. This signals to Next.js that the variable should be made available in the browser, while the other environment variables will be kept securely on the server only. Now, add in the necessary elements to implement Stytch authentication, starting with a library folder containing two components: one that allows you to load the Stytch client, and another that will be used in managing session data. To do so, create a new `lib` directory containing a file: `loadStytch.js`. Here, you are initializing the Stytch client by retrieving the project_id, secret, and environment variables from your `.env.local` file. Now, add another file to the `lib` directory called `withSession.js`. This file will contain a helper function to create a session stored in your browser's cookies via a signed and encrypted seal. Next, you will create a Stytch login component in `pages/components/LoginWithMagicLinks.js`, which includes all the UI to send users a Magic Link for login. Now you can build the two Stytch API endpoints to be used for user authentication - you'll need one for authenticating Magic Links sent to users, and a second for handling logging out of the app. Conveniently, Next.js API routes allow you to build these server-side API routes in the same repository as your frontend application by adding serverless functions to your `./pages/api` folder. Create your first API endpoint by adding a file called `authenticate_magic_link.js` to the `api` directory. Then add the code below to authenticate the user from a magic link and create a long-living session: Once that's done, you'll add `api/logout.js` to delete the user session and effectively log the user out: Note that both of the `handler` functions in these authentication endpoints are wrapped in the `withSession()` helper function to help secure and manage the user's sessions. Finally, update the `pages/index.js` file to display the Stytch login form when a user is not logged in. If you’d like to test the login functionality at this point, you can run your Next.js application from your terminal. Now, visit localhost:3000. Because you did not arrive at the page through a Magic Link, you don't have an active authenticated session and should instead see a Login / Sign Up form like this: After entering your email address on the form, you will receive an email with the Magic Link. Clicking the link from the email will send you to your authentication endpoint, where you undergo Stytch's authentication process based on the data passed through from your environment file, including the Stytch token. Upon verification, a session is established and you are routed back to your app's home page. The session data is passed from the backend to the frontend using Props and the `withSession` helper function, and you are now successfully logged in! You’re now ready to integrate the frontend with Sequin to retrieve data for each client. Querying data stored by Sequin Now that your clients are authenticated with Stytch, you can use the email address of each authenticated user to make a PostgreSQL query that retrieves only the projects belonging to that client. In order to accomplish this, you’ll create another API endpoint that queries your Sequin database. First, install the node-postgres package using NPM. Since you don’t want to expose your Postgres connection string in the browser, you need to connect to Postgres from a server-side application. Create a new file at `pages/api/projects/index.js`, import the Stytch client for authorization, and connect to your Postgres database: Next, you need to export a function that Next.js will call when the `/api/projects` route is called. To check whether the the current user is authorized, you can use Stytch session authentication and make a call to the Stytch authentication endpoint using the Stytch client, wrapped in a 'try/catch' block. Add the following to your exported function: Once the user is authenticated, you can access their email from the request body. If the user doesn’t have an email or the token is invalid, this code will throw an error, so wrap it in another try/catch block. Finally, you can use the following code to get all this client’s projects. Because Airtable (and therefore, Sequin) stores the relationship between clients and projects as an array of IDs, you can use Postgres’ `ANY` clause to join clients and projects. This endpoint is now able to query directly from Sequin, so you can avoid Airtable’s rate limits. Having your data in Postgres also allows you to create more dynamic and efficient queries to get your data from Airtable. Calling the project’s endpoint Now that you’ve got an endpoint set up, you need to call it from your frontend, but only after a user logs in. You'll need to include the user's email and Stytch session token in the request body for authentication. In the `Home` class you created in `pages/index.js`, add the following: If you restart your Next.js application and log in again with your browser’s inspector open, you can see that a call is being made to `/api/projects`. In the next step, you’ll use the results from that API call to populate your client portal. Displaying projects in the portal Now that you’re able to authenticate a user and retrieve their projects from Sequin’s Postgres replica, you’re ready to display the results in the UI. Next.js already includes some basic styling, but don’t feel limited by it. One of the big advantages of building a custom portal like this is that you have complete control over the user interface and experience. Open your `pages/index.js` file again and add the following within the code that checks whether a user is logged in: Start the app again and log in, making sure to use your email address that you attached to one of the client accounts in Airtable. You should see a list of all this client’s projects like this: You now have a working client portal that will allow your clients to securely access limited data about their projects only. But what if you want to allow clients to interact with the projects in the portal? In the last section of this tutorial, you’ll see how to allow clients to save data to Airtable using Sequin’s documentation on writes. Writing data with Sequin Your clients will probably need to sign off on each project as it’s completed. To let them do this in your new portal, you can add a checkbox on each project that lets clients mark projects as complete. Sequin gives you a read-only Postgres replica of your Airtable base. This ensures that you have a single source of truth for your data, but it means that you can’t use typical Postgres `UPDATE` queries to make changes in Airtable. Fortunately, Sequin has a solution to this limitation. By using their proxy server instead of the standard Airtable API server, your updates will be instantly saved to both Airtable and your Postgres database. To use the Sequin proxy in JavaScript, install the Airtable NPM package: Next, create a new endpoint in your Next.js application that will handle update requests. Make a new file at `pages/api/projects/[projectId].js` and add the following: Similar to when you pulled the user's projects, this endpoint validates the user’s authentication using Stytch to ensure that unauthenticated users cannot access this endpoint, and then uses the Airtable API library to update the Complete field to true. Also notice that at the top, the Sequin proxy URL was specified as the API’s `endpointUrl`. This routes requests through Sequin to keep your Postgres database up-to-date at the same time as the Airtable base. Next, you need a checkbox in your template and a method to call the new endpoint from the frontend. Add this method to your `Home` component before the `return` statement: Finally, add this paragraph just below your due date inside the loop that displays all your clients’ projects in the same file: Start your Next.js application again and log in at localhost:3000. This time you’ll see a checkbox next to each project. Check one of the records, and you’ll see that the checkbox will be disabled. This prevents clients from approving the same project multiple times, but of course, you can modify this behavior to fit your use case. To make sure the synchronization works, go to your Airtable base to see if the record has been synced yet. If you’re fast, you can see Airtable marking the project complete in the base. Next steps In this tutorial, you’ve seen how to build a flexible, scalable client portal on top of Airtable. You used Sequin to replicate your data to Postgres, Stytch to authenticate users via email, and Next.js to build a frontend with two serverless endpoints. As you adapt this demo to your use case, you might consider adding pages for each project so that clients can see more details about each of them. Or you might connect multiple emails to each client to allow different stakeholders to get access to their portal. You could even integrate Stripe to allow clients to make payments directly in your custom portal. Any questions? Please contact Stytch at support@stytch.com, or visit sequin.io for any questions related to Sequin. --- # Log in with username Source: https://stytch.com/blog/log-in-with-username/ Log in with username Introducing Log in with username Today, we’re excited to introduce an important passwordless single-factor authentication (SFA) option that can be used in multiple verticals. Log in with username authentication solutions are ideal for use cases where your customers want to quickly log in without a password. Logins can’t get any easier than this, making this the most desired product to date – surpassing even account recovery by NFT. With Stytch, developers can implement Log in with username into their authentication flows in seconds rather than minutes. How Log in with username works When integrated, a user proves knowledge of their username granting access to their account. It works by proving ownership of a username because the user knows their username. Once the user supplies a username as evidence of their identity, they are either logged into an existing account or given a new one. Log in with username vs. log in with Password At Stytch, we’re committed to killing the password. We’ve released products to combat this dangerous concept before, but this is our passwordless take on an old classic. We’ve determined that a secret, complicated password isn’t needed. Why use password when username do trick? Exactly. How to integrate To log in a user with their username, integrate with these easy steps: Ask the user for their username. Hit /v1/users/authenticate with the username. Log the user in. If you have an existing project, migrate with these easy steps: Delete the password column from your users table. Security concerns Here we’ll cover several recommendations for how to deal with your users’ usernames. First, we recommend complicated, hard-to-read usernames. A common pattern we’ve been seeing is to require the following: 1 uppercase letter 1 lowercase letter 1 symbol 1 emoji (we recommend the ???? emoji because it counts toward the symbol requirement) 3 numbers that mean a lot to you If your users are struggling to come up with good usernames, consider adding a username strength check. Even better, create usernames for them, e.g., using a secure random string generator. Remember to run the username strength check after randomizing to prevent usernames like “username”, “root”, “MyspaceTom”, or “DozensOfOvals.” Second, we’ve seen success requiring users to rotate their usernames periodically, maybe thrice a year. We’re not sure if this is a proven method. Third, remind your users to not share their usernames with anyone they don’t trust online. Closing remarks As you’ve seen, the Log in with username product creates a quick and painless way to get access to a username’s account. If this product doesn’t seem safe enough for you, remember that half of your users are already sharing their passwords across many of their different online accounts, with loved ones, people who ask nicely, or their ex-co-worker Hunter the 2nd. If you still require stronger security, consider upgrading to multi-factor authentication (MFA) with one of our future products such as Log in with your Favorite Digit. --- # Stytch’s new Javascript SDK Source: https://stytch.com/blog/stytchs-new-javascript-sdk/ Today, we’re launching our updated JavaScript SDK, a flexible and friendly way to get up and running with Stytch that dramatically reduces the amount of backend code you need to write. At Stytch, we’ve been working a lot to build the “what”: low-friction, passwordless authentication that seamlessly connects your users to your product. But any good “what” needs an equally strong “how”: straightforward and helpful ways to implement Stytch. Today, we’re launching our updated JavaScript SDK, a flexible and friendly way to get up and running with Stytch that dramatically reduces the amount of backend code you need to write. The release includes the vanilla JavaScript library, stytch.js, as well as the stytch-react package for React-built applications. Whether you’re looking for a product to handle the entire user auth journey, or simply give some programmatic assists along the way, the Stytch SDK is there to be your partner for a smooth setup experience. Two halves to the whole You can think of the JavaScript SDK as two distinct pieces: Customizable UI flows for Stytch’s various auth products that you can embed directly in your product, as opposed to directing users to a new window or widget. SDK methods to call the core Stytch API directly from the browser so you can use Stytch without needing to build your own internal API that routes authentication requests from your client to your servers, and still maintain full control over the UI. A flexibility-first Stytch In talking to our customers, one thing is clear: everyone’s authentication needs are different. Where some teams appreciate all-in-one experiences that “just work”, others may feel stifled by that loss of control. In designing our new SDK we put your feedback front and center by decoupling drop-in UIs from helper functions, which is why there are two distinct ways you can utilize the library: SDK with UI components: configure and place Stytch’s UI components as you see fit in your product. Whether it’s users selecting an SMS country code or authenticating the resulting one-time passcode, Stytch takes care of the auth flow. Headless SDK methods: design your own authentication flows, and attach SDK method calls to your own components. Use Stytch to power your authentication and session management while bringing a user experience unique to your product. Our customers’ authentication needs can also vary within their product, which is why the SDK can be used in tandem with the core Stytch API based on what’s needed at a given moment. For example, you may opt to dynamically generate embedded Magic links via the API, while providing Google OAuth and Google One-Tap as a sign-in option to your users via the SDK. Client-side Stytch and session automation In addition to the availability of customizable UI flows for your product, loading the SDK on your front-end also unlocks the ability to automatically connect Stytch’s sessions product to the browser cookie. By inserting user session data directly into the cookie, we reduce the effort required for your team to not only authenticate users, but also verify on return visits that your application can persist the same session your user had prior. This client-side interaction pairs naturally with familiar front-end practices like event listening and React hooks, letting you respond easily to updates as users authenticate and provide additional factors: Reference the Stytch session object alongside other state data to keep your app renders responsive to user updates, whether that’s the change from anonymous to signed-in or something more dynamic like conditional links or feature access. You can also use these hooks and handlers to perform actions like syncing session updates across multiple browser tabs. With the recent addition of JWTs to our sessions product, developers can seamlessly route a variety of minted tokens into browser storage and process user sessions as they see fit. Getting started The Stytch docs contain the full SDK reference and associated guides on how to get up and running with this new implementation route. If you’re looking for a low-friction way to get up and running with password-free auth, you can register a developer account here or contact support@stytch.com. --- # Introducing Log in with Solana Source: https://stytch.com/blog/introducing-log-in-with-solana/ Today, we’re excited to announce our second Web3 product: Log in with Solana, allowing seamless, secure authentication across any Solana crypto wallet (Phantom, Glow Wallet, etc.). A few weeks ago, we launched our first passwordless authentication product for Web3: Log in with Ethereum. Today, we’re excited to announce our second Web3 product: Log in with Solana, allowing seamless, secure authentication across any Solana crypto wallet (Phantom, Glow Wallet, etc.). Log in with Solana works for both Web2 and Web3 applications that want to offer Web3 wallet authentication, as well as with all of the rest of the ergonomics of the Stytch authentication platform (session management, magic links, reCAPTCHA, biometrics, 2FA, etc.). Overview: what is Solana? Solana is a Layer 1 blockchain, similar to Ethereum. And like Ethereum, Solana is a major player in the burgeoning Web3 ecosystem. Web3 is defined by having applications that are built on an open and decentralized database and compute layer. In contrast to Web2 companies and their infrastructure (Google, Meta, etc.) where all user data lives on a centralized server, with Web3 applications that data is recorded on a shared, decentralized, and publicly accessible ledger. Although there’s no denying Ethereum’s continued and dominant popularity among Web3 developers, Solana has been rapidly gaining market share. The main driver of that growth, and what makes Solana stand apart from other popular blockchains, is its speed and cost. Solana’s innovation is Proof of History (PoH). PoH is a consensus mechanism that allows transactions to be logged as they enter the network at a specific moment in time, as opposed to being batched by block. Although Solana still technically uses Proof of Stake (PoS) as their consensus mechanism, PoH balances the speed vs. centralization tradeoff by instantly timestamping each transaction as it comes through. By having this agreed upon timeline, Solana can have a vast amount of validators to ensure decentralization without sacrificing speed. In practice, this means that Solana’s transactions per second (TPS) and cost per transaction are much more favorable to rival blockchains. Smart contract platforms comparison. Source: Solwealth [Cointelegraph.com] Rapid growth, growing friction Solana saw incredible growth in 2021. The Solana team put together some highlights in their Solana Solstice 2021 report that are truly staggering. From January to December 2021: 360 global validators -> 1,331 global validators 70 projects in the Solana ecosystem -> 5,145 projects 0 Solana NFTs -> 5 million NFTs $100 million in Total Value Locked (TVL, sum value of crypto assets deposited in a decentralized finance (DeFi) protocol) -> $11.4 billion TVL 10 billion total transactions -> Over 45.5 billion total transactions Perhaps nothing sums up Solana’s banner year better than this chart from Phantom, the leading Solana wallet. There is clearly rabid interest in the Web3 ecosystem Solana is powering, and developers and users alike are flocking to it. However, similar to the Ethereum ecosystem, all of this growth has come in spite of the fact that the user experience for both end users and developers is convoluted at best. For end users, not only does Web3 introduce a completely new paradigm for user accounts and authentication, they now have to juggle multiple wallets, one for each blockchain they want to interact with. For developers, not only are there now multiple wallets for each blockchain, there are now multiple blockchains they need to consider as well. And once a user logs in, developers still have to deal with standard user challenges like managing their users’ sessions. Stytch’s solution User authentication in Web3 is multidimensional, and Stytch is addressing another wrinkle with our second Web3 product, Log in with Solana. Log in with Solana supports seamless, passwordless authentication for all Solana-based wallets (Phantom, Solflare, Sollet, etc.) There are two primary benefits in working with Stytch: Ease of use Our documentation will show you, step by step, how to build a Log in with Solana flow and how to navigate the authentication logic. Via our API docs and integration guides, we clearly outline how to get the Log in with Solana flow working, end-to-end. Stytch ecosystem With Stytch, you can build secure, low-friction authentication flows for both Web2 and Web3 users with a single authentication provider. Whether a user wants to log in with Apple, Google, their FaceID, or a Phantom account, you can fully support all users with a single integration. So while our crypto wallet authentication products can be used in a standalone fashion, they become much more powerful when you combine them with the other features and ergonomics of the Stytch ecosystem and platform: Additional authentication factors: Beyond crypto wallet auth, Stytch offers a full suite of authentication methods such as email magic links, OAuth, biometrics, SMS passcodes, and WhatsApp passcodes. Multi-chain support: With Stytch, you can now support both Ethereum and Solana wallets in the same user authentication flow. Session management: When you authenticate a crypto wallet, you can start a session to securely keep the user logged in. Both session tokens and JWTs are fully supported for session management. User management: Similarly, you can use the Stytch API to easily manage your users. Announcing javascript SDK support for log in with crypto We’re excited to also be launching support for both log in with Ethereum and log in with Solana in our javascript SDK. Explore our docs to quickly get up and running to enable your users to log in with their wallets. The SDK seamlessly integrates with additional Stytch features like session management, to save you more time so that you can focus on building your core product. What’s coming next The Web3 ecosystem is constantly evolving, with new protocols and projects constantly being announced. We are excited to continue building out support for other blockchains so any Web3 developer can use Stytch for their authentication needs. We’ll be launching SDK support for our sign in with crypto wallet products so that we can do more of the heavy lifting when it comes to building delightful user experiences, and you can focus on building your core product. Finally, we’re excited to be announcing something for end consumers in the coming weeks. The lines between our different worlds are getting blurry, with Web3 going increasingly multi-chain and Web2 companies continuing to explore what is possible for them in Web3. End users are caught in the middle of these currents, and we hope we can provide them a vessel to better navigate these changing waters. Getting started Are you building a Web3 application, or are interested in enabling your users to authenticate via their Solana wallets? You can check out our documentation and sign up for a developer account here to get started! If you have any questions, please feel free to contact us at support@stytch.com. --- # It's a Stytchiversary with Jeremy Kaplan! Source: https://stytch.com/blog/its-a-stytchiversary-with-jeremy-kaplan/ It's a Stytchiversary with Jeremy Kaplan! What do you love most about working at Stytch? I learn so much all the time! I'm constantly trying new things to see how they'll work, and that's always fun. Sometimes the things are even useful! What does a typical day at Stytch look like for you? I try to consolidate meetings onto Tuesday and Thursday, so I do lots of focused work on the other days. That could be solving bugs, building out a new feature, or writing a spec for a future feature. Collaboration is mostly async, so I do a lot of writing and reading. What’s been the most surprising thing about Stytch? We've done so much with such a small team! Stytch has gone from 0-1 in the last year, what have been some of your biggest learnings about joining an early stage company? When doing something truly new, the best way to refine a good idea really is to just ship it and see where it goes. I knew this in theory because I've heard it tons of times, but it's different to feel it myself. What’s your favorite part of the Stytch culture? I like our emphasis on open, async, written communication by default. I've learned so much by passively consuming conversations that other people are having, and it's really easy to look back and learn why a particular decision was made. Which Stytch hiring value resonates most with you and why? Both of them! But I really like "be ambitious" because I believe that we can have (and make!) nice things if we try hard enough. What’s the most interesting project you’ve worked on at Stytch? You probably won't get to see it (unless you join us ????), but I had a lot of fun building out our `apitest` library to make it easier to read and write end-to-end tests for the API. How did you end up working in engineering? My first year in college (when I thought I would go into bioengineering), a friend of mine challenged me to learn Python and compete with him in [Project Euler]. I ended up spending more time exploring Python than doing my organic chemistry homework, so I changed tracks and followed that through into software engineering. When’s the last time you did something for the first time and what was it? Biked to a wetlands preserve to watch birds through binoculars. I saw a heron pluck a fish out of a stream! What’s your ideal weekend? Video games, good food, and trying to build something in a programming language I've never used before. What’s something you’re passionate about that’s not on your resume? Linguistics! I'm fascinated by the way language evolves over time. Ask me how I feel about emoji reactions! --- # Save time, save the planet–go passwordless! Source: https://stytch.com/blog/save-time-save-the-planet/ In honor of Earth Day, Stytch conducted a thought experiment to determine how much time (and energy!) you can save by eliminating passwords. In honor of Earth Day, Stytch conducted a thought experiment to determine how much time (and energy!) you can save by eliminating passwords. Think about it. How often do you find yourself stuck on the login page, trying to remember which iteration of your go-to password did you use? Or have you given up and reset your password for the umpteenth time? Or even worse, gotten stuck in a reCAPTCHA loop, desperately trying to prove you’re not a robot? Ever think about how much screen time you’re wasting on passwords? Ever wonder the environmental impact of all this screen-time wasted on passwords? Let's break it down... How much time are you wasting? Starting with some assumptions: Under these assumptions, we can conclude that the average human spends about 1.5 hours typing in their passwords and 10 hours resetting their passwords, each year. This does not even include the time spent setting up their accounts and a new password! A study has shown that the average human has about 100 passwords (and therefore 100 different accounts or so). In recent years, the number of passwords is also increasing rapidly due to the spike in online shopping and entertainment from the pandemic. Assuming these accounts do not use OAuth logins, embeddable magic links, or any other passwordless solution, setting up all these accounts may take as long as 30 minutes. This means, in a lifetime, the average human can spend up to 27.5 days on passwords. (That’s practically the whole month of February!) And since it's Earth Day, let’s consider the carbon footprint of 27.5 days of screen time. How much energy are you wasting? Assuming all password usage is on the laptop, a single person’s password usage results in 0.01-0.03 metric tons of CO2, the equivalent of 3.2 gallons of gasoline consumed. This may not seem like much, but this is just for one human. If we step back a bit and just consider the carbon impact across all adult Americans, this number increases to 4.1M metric tons of CO2! This is the equivalent of the greenhouse gas emissions from 877,415 gasoline-powered passenger cars in one year and would take 4.8 million acres of US forests to sequester the carbon for one year. For context, that’s all the forests within the state of New Hampshire. (We have references! See below.) Turns out, we spend a lot of screen-time on passwords and as a by-product, produce a non-negligible amount of CO2. What would you do with a whole month saved? Life doesn’t have to be this way - learn how Stytch can help lead us to a passwordless future! Get started with Stytch Whether you’re looking to save more time, to ship more features, plant a tree, or have more quality time, learn how to go passwordless with Stytch. See here for all of our product offerings and to find the best solution for you and subscribe to our Changelog to keep up with all the things we’re shipping! You can register for a developer account here or contact support@stytch.com. Notes & References: *This is a thought exercise; assumptions were made based off research and the following resources: Average length of passwords: 9.6 characters. Source: Infosec. Average typing speed: 190 - 200 characters per minute (assumes upper end). Source: Livechat. Average log-in times: assume 5x a day based on user research. Included in assumptions: health advisors recommend taking a 5 min break, every hour working at a laptop, and social media trends. Source: Quora. Password resets: at least 5x a month, at least 10min each time. Source: Study Finds, The National News. Digital lifespan: Current life expectancy (2022): 72.98 years. Source: Macrotrends. First email usage: 10 - 15 years old (assumes upper end) Source: MarketingCharts. Average person has 100 passwords. Source: Tech.co. Setting up an account: Average full name: 13.6 characters. Source: Researchgate. Assumes username is an email. Average email length: 25 characters. Source: Baymard. Assumes process consists of typing in a full name, an username, a password twice. American adults who own a laptop: ~190M. 256.6 million adults (2020). Source: Datacenter. 74% adults own laptops (2019). Source: Statistica. Carbon Emissions: Laptop uses between 50 - 100W/hour (assumes average to high end). Source: Energuide. Greenhouse gas equivalencies calculator. Source: EPA. New Hampshire has 4.8 million acres of forest. Source: Stacker. --- # FinanceNow demo app - powered by Argyle, Unit, and Stytch Source: https://stytch.com/blog/financenow-app-powered-by-argyle-unit-and-stytch/ When Argyle, a startup building amazing tooling for developers around employment and income data, reached out to Stytch with some login flow questions for a new demo app they were working on, we knew we had to partner with them. When Argyle, a startup building amazing tooling for developers around employment and income data, reached out to Stytch with some login flow questions for a new demo app they were working on, we knew we had to partner with them. FinanceNow just launched today, it is now available in Argyle’s pre-built template library, check it out here! In the demo app you can see a super smooth login flow powered by our SMS passcodes product, incredible banking features powered by Unit, all wrapped together by Argyle’s powerful product. FinanceNow offers an amazing foundation on which you can build better, stronger financial solutions; we’re super excited to see what y’all build. Check out Argyle’s full blog post here! About Argyle Argyle is building the leading user-consent-based platform for employment data, helping people avoid situations where their personal information is sold or used without their consent or knowledge. With Argyle, any business can process income and work verifications, gain real-time transparency into earnings, as well as view and update worker profile details. By removing the barriers between a worker, the companies they make money from, and the business they buy services and products from, Argyle has reimagined how employment data can be leveraged to benefit both institutions and individuals. About Unit Unit is the leading banking-as-a-service platform that empowers companies to embed financial services into their product. Unit's platform accelerates time to market and enables companies to build and launch bank accounts, cards, payment, and lending products. Unit is headquartered in New York and Tel Aviv and is backed by Accel, Better Tomorrow Ventures, Aleph, Flourish Ventures, TLV Partners, Operator Partners, and more. --- # Web3 and the future of data portability: rethinking user experiences and incentives on the internet Source: https://stytch.com/blog/web3-and-the-future-of-data-portability/ Web3’s fundamental improvements to data portability and user authentication enable new, exciting experiences, but solvable shortcomings remain. Web3’s fundamental improvements to data portability and user authentication enable new, exciting experiences, but solvable shortcomings remain. Tech conversations are now peppered with a new, contentious buzzword: Web3, and we’re all likely to hear a lot more of it in the coming years. It's an umbrella term for disparate ideas all pointing in the direction of making the internet more decentralized using blockchain-based applications. If Web3 fully materializes, which we believe will happen once a few acute shortcomings are addressed, it is going to have profound implications. Web3 optimists point to decentralized technology’s ability to challenge the power of big internet middlemen like Facebook, Google, and Twitter, while Web3 skeptics understandably struggle to connect the dots on how the current state of Web3 applications could ever truly rival the user experiences and network effects that Web2’s most successful tech companies have built. Given the current state of Web3 applications (nascent but improving quickly), you won’t need to squint much longer to see the potential of this technological paradigm shift. Web3 means many things to people, but our team finds the most important characteristics of the shift from Web2 to Web3 to be the following: Data portability was an afterthought in Web2, but it’s a first-class citizen in Web3. There’s nearly no end-user friction involved in porting your data from one service to another in Web3. We shouldn’t underestimate the impact of improved data portability—users’ aversion to friction influences most of our online actions today, so changing the friction involved in switching services or trying new apps is powerful. Web3 is rewiring incentive structures on the web, unleashing user behaviors that directly challenge the advantages incumbents have long enjoyed in Web2 When the friction of porting user data from one service to another service approaches zero, companies will need to radically rethink how much value they extract from users without offering comparable incentives to that user. By making data portability virtually frictionless, Web3 has provided the technological foundation to chip away at the moats many large internet businesses rely on today to fend off upstarts. While Web3 has the potential to reimagine how we use the internet, it also raises thorny issues around privacy, user experience, and how much control users truly want. We believe many of the underpinnings of Web3 are here to stay, but we’re likely to see major shifts in the user experience of Web3 as it goes mainstream. An Open Sea of opportunities Web3’s technological merits are best understood when using tangible examples of how it is already reinventing what’s possible in our digital lives. On December 25, 2021, many participants in the crypto economy woke up to an unexpected gift. The cryptocurrency market’s blistering performance in the past year owed part of its success to the growth of non-fungible tokens, or “NFTs." (NFTs are unique, digital items that are represented on a blockchain, which have recently found popularity in use cases such as giving ownership rights to digital art and video game items.) As the NFT craze took off, a marketplace enabling peer-to-peer NFT sales called OpenSea became one of the most popular Web3 applications. For hundreds of thousands of users exploring NFTs for the first time, OpenSea became the gateway into this new asset class. When users buy or sell NFTs through the OpenSea platform, they are actually interacting with OpenSea’s smart contracts. These smart contracts run on the Ethereum blockchain, which introduces a notable difference in how most of our digital interactions in Web2 occur. In Web2, unless we’re publishing something to a public newsfeed (e.g. Twitter), data about our interactions is known only to the specific application we’re interacting with. When I buy tickets to a concert, only TicketMaster knows of that transaction. However, when interacting with a Web3 application (e.g. OpenSea), the smart contracts fueling the application live on a public ledger (e.g. Ethereum) and our interactions are captured as publicly-available data tied to our pseudonymous blockchain accounts. This poses real privacy concerns (which need to be addressed for Web3 to truly flourish), but it also introduces significant opportunities. OpenSea users have been lobbying the company to perform an “airdrop” for years, asking the company to issue their own token to reward loyal users of the platform. Many OpenSea users feel that their usage of the platform (and the fees they have paid) have helped the marketplace to reach its current market position, and they want to share in that upside. In a situation like this, Web3’s technical architecture becomes very interesting. One of the unique traits of tracking interaction data on a public ledger is that OpenSea’s user base and activity is publicly available on the blockchain by their wallet addresses. If you have a bit of know-how, you have the ability to pull a list of every pseudonymous user of OpenSea and can calculate their usage (and the associated fees) on the platform. In Web2, achieving this level of competitive intelligence is likely impossible without committing a crime to leak that information from a private ledger like a centralized database. Which brings us to Christmas Day 2021 when an organization named The OpenDAO emerged with a savvy use case built on top of this public user intelligence. The OpenDAO issued a new token with the ticker $SOS to proportionally divide across OpenSea’s users based on their usage of the marketplace. This practice of issuing a new token and allocating it to users based on certain criteria is called an “airdrop” in the crypto world—it’s a fairly frequent occurrence, but the $SOS airdrop is the first successful, large-scale example of an organization choosing to airdrop a token to users based on their interaction with a third-party product that it doesn't have a formal relationship with. We can only begin to imagine how this ability to invent new incentive structures based on third-party application usage might reshape modern competitive dynamics. However, rather than using this airdrop as an incentive to convince users to jump ship from OpenSea to a competitive platform, The OpenDAO's initial focus has instead been to provide valuable features to OpenSea’s user base that are not available from OpenSea today. For example, a proportion of the new tokens created are allocated towards compensating scam victims on OpenSea (like elsewhere in the crypto ecosystem, scams remain common): Nearly 200,000 OpenSea users claimed the $SOS token by connecting their crypto wallet to prove they own the blockchain address that had used the OpenSea product, allowing them to claim these tokens. The OpenDAO airdrop of the $SOS token exemplifies many magical pieces of Web3 technology: Recording data on a public ledger means that this data can be used in inventive ways by companies that aren’t the first-party application where the user generates that data. When incentivized, users can verify their ownership over this data with virtually zero friction. All you need to do is click a button to connect your crypto wallet. With these building blocks, Web3 makes it easy to rewrite user incentives on the web. The OpenDAO project provides insights into what’s possible when users own their data and can easily port it to other services. In the future, this could allow users to control how they share their own data and bounce around, say, from social media to a finance app to shopping using a single personalized account, creating a public record on the blockchain of the core parts of that app’s activity. This level of data portability that Web3 enables will challenge many of the expectations we have of how applications work on the internet. Historically, most applications have built either closed or tightly permissioned gardens, which limit users’ data portability. As a result, we’ve ended up with companies that have built mammoth network effects that are nearly impossible for a truly competitive market to unseat. The 1-2-3 of the Web One thing is certain: in a Web3 world, users will navigate the Internet and gain access to its services in very different ways. First, it helps to understand how the Web has evolved. The early days of the Internet in the 1990s were Web 1.0. The web then was composed mostly of static sites that you could read, but there wasn’t much interaction. It was a little disorganized and difficult to navigate. In a world of static sites, there’s not much need for authenticated user accounts. As an example, a static site serving blog posts would serve the same content regardless of whom the reader was. Then came Web 2.0 in the mid-2000s. Sites became dynamic, and there was an explosion of apps that allowed users to do more than simply read data. Platforms like Google, Amazon, Facebook, and Twitter made it possible to connect and transact online. These applications required the ability to store user data on their servers and then reproduce it in the future. As Web 2.0 proliferated, users collected hundreds of different accounts siloed across different applications. The common authentication method that proliferated (the password) has become one of the shortcomings of navigating the web, due to user difficulties and security shortcomings. Web 3.0 (Web3), based on blockchain technology that already underpins things like Bitcoin and Ethereum, uses an open, decentralized database and compute layer rather than each application reproducing the database and compute layers on their own siloed application. As users cruise the internet and use applications, the data from those interactions no longer solely lives on that single application’s server. It’s recorded on a shared and publicly accessible ledger. Authentication doesn’t live on the application’s server either. Rather than storing a memorized secret like a password, users can apply public key cryptography to sign up, access sites, and take sensitive actions by using private keys to deterministically prove ownership of a represented account on a shared ledger. It may sound like voodoo to the average person, but it is a bit like electricity. Flip a switch, and it comes on—without the need to understand what’s happening behind the scenes. Pros and cons of Web3 Web3 offers many advantages. Namely, data flows freely and is publicly verifiable. Companies no longer need to build user authentication using things like passwords into their applications. Instead, users can have a single account for the internet in their Web3 wallet: think of this as a “bring-your-own-account” architecture where the user verifies their account as they browse different websites, without the need to create a unique username and password for every site. Because authentication is based on public-key cryptography, certain security gaps with the Web2 approach to authentication (e.g. weak passwords and password reuse) are nonexistent. Users don’t have to remember passwords or fill out multiple screens when they sign up for an application. As with everything in tech, there are disadvantages too. Web3 eliminates the password, but it introduces other weaknesses. Anybody who has tried to set up a Web3 wallet like MetaMask knows that the user experience (UX) can be foreign and unfriendly. It requires introducing users to a completely novel concept of secret “seed” phrases, which are 12-to-24 words long and required for users to be able to recover their account when they switch devices. The UX burden for users that are new to Web3 can be overwhelming. A new user is introduced to this strange concept of seed phrases and told that failing to properly store their seed phrase will result in the irreversible loss of everything in their Web3 wallet. Additionally, wallets like MetaMask ask users to also create a password for their wallet, and users’ confusion only compounds when they learn that this password cannot be used in any way to recover or access their account from another device. Instead, the password only works to unlock the “local” copy of the wallet on their device, which runs counter to everything users have been taught about the portability of passwords since the web’s early days. The UX burden of seed phrases and non-portable passwords presents a number of risks for users. These confusing and foreign authentication concepts can lead to users being more easily scammed. Unwittingly, users might provide their seed phrase to a phishing site because they want to take a shortcut when confronted with a clunky, mentally taxing UX flow. Users might also lose or misplace a seed phrase and therefore forgo any chance of recovering an account. Traditional account recovery (“reset your password”) does not exist in Web3 wallets. There’s also no 2-factor authentication today for users to retain additional control over authentication. Whether the transaction is $1 or $1 billion, wallets by default only require private key signing. Data is transparent. That also means it’s public. While accounts are pseudonymous, users may take actions that accidentally leak their identities when they don’t intend to. Adding to the challenge, transactions are irreversible, which puts even more burden on the user to not make mistakes. In the Web3 world, users can’t call their credit card company to reverse a fraudulent charge. Making Web3 the best it can be To make Web3 work, users will need to reorient their thinking, from creating a new account for every app to a “bring-you-own-account” structure with one wallet, or passport, for navigating the web. It will be a big positive change, because Web3 accounts can be authenticated with cryptography, without the dreaded password, and with a lot less friction. Companies will need to build Web3 experiences that passively detect identities and accounts. If a user provides consent, then authentication and data provisioning can happen in one click. This is one way companies can reduce friction and drop off in their funnels. Another way to reduce friction is to blend identity and payments—something that’s relatively easy to do with Web3—and seamlessly prove and provide both to applications that users trust. There are still unknowns with where Web3 will go, but its momentum is undeniable and its advantages outweigh the disadvantages. The best thing to do is to build the best possible version of Web3, one that’s safe and easier to navigate for internet travelers. For that, everyone is going to need a passport to the internet, and companies will need to make it safe, secure, and easy for everyone to navigate. --- # It's a Stytchiversary with Cass Roulund! Source: https://stytch.com/blog/its-a-stytchiversary-with-cass-roulund/ It's a Stytchiversary with Cass Roulund! What do you love most about working at Stytch? The people! (duh!) Stytch is a group of uniquely empathetic and ambitious folks. We all really enjoy working together and working hard to make Stytch not only a successful product but a really great place to work, too. What does a typical day at Stytch look like for you? Depends on the day! I'm usually in the middle of a cycle for something People-related. For example, we're currently in the middle of our 360 reviews, so I'm preparing a presentation for a manager meeting on how to write reviews and how to avoid bias, also putting together calibration sheets for our managers (to review performance and compensation), and pulling benchmarking comp data to make sure our bands are up to date. I also just got back from a recruiting event in New York, we're throwing a launch party for some exciting Stytch web3 developments this Thursday (DM for details), and planning for our company offsite in July! (Never a dull moment on the People team.) On the Recruiting side of the house, we're hiring for a lot of roles (come join us!). Usually we start the week with a sourcing sync to ensure our priorities are aligned and that we're allocating our time in the right ways. We have an end of the week sync with some hiring managers to review pipelines and the rest of the week is spent looking for and chatting with potential Constytchuents to join the team. But regardless of what I'm doing, the day is usually sprinkled with coffee chats with coworkers, lunch together (or trying to snag a lunch from someone who actually remembered to order before the deadline), and trying not to snack too much. What’s been the most surprising thing about Stytch? How much we love hot sauce here... (sort of kidding). In reality, I was super surprised to receive a recruiting email from a 15-person company looking for a People hire. I thought it was extremely rare (and cool!) that a company of that size was seriously interested in building out People processes and foundations from such an early stage. Reed and Julianna have since continually proven that our Constytchuents are a priority and I could not be more thrilled to work for such empathetic founders. Stytch has gone from 0-1 in the last year, what have been some of your biggest learnings about joining an early stage company? Not everything needs to be a process, sometimes you just need to get things done. Coming from a slightly larger company, I often felt like there needed to be a process or a policy in place for every ask, when more often than not, I was dealing with a one off issue or something that could be solved by just getting something done. Process is good (and often needed) but usually done is better than perfect. What’s your favorite part of the Stytch culture? The people and empathy :) Which Stytch value resonates most with you and why? Own it. My favorite thing about working at a startup is how many "hats" you get to wear and how many areas you get to flex into. At this size, every person has a significant impact on the company and "owning it" isn't just an exciting part of the job but an essential part. What’s the most interesting project you’ve worked on at Stytch? So many things (like rolling out levels and comp bands and recruiting metrics) but we’re currently planning our full company offsite (which is a first for me) and I’m both excited and nervous to see how it turns out! (But most of this is being handled by our amazing OM & People Ops person (Zack) who is an absolute gem and born to plan great events.) How did you end up working in People and Talent? I serendipitously fell into it. I started my career in TV production and decided to move to SF on a whim (a room opened up in my best friends' house). I texted everyone I knew asking for a job and one of my friend's from college was hiring a recruiter. I loved that my job involved interacting with people all day and I loved learning more about the tech world via the recruiting role. I eventually moved into a hybrid People Ops role and then fully into an HRBP role and now I'm back doing a little bit of everything I love. In the People world you face a lot of hard, ambiguous problems in a space where metrics are harder to come by (but finally emerging!!) but you get so much value in helping people and enabling them to be a tiny bit better at their job or a tiny bit happier in their role (which compounds!). Whereas on the recruiting side, success is a little bit more obvious and metrics are easier to come by (and act on) but the thing that often differentiates a great recruiting team from an average one is the candidate experience and people skills. When’s the last time you did something for the first time and what was it? I went to Washington DC and ran a 5k all in one trip! Be careful who you date, it might be a Turkey Trot kind of family. What hobby got you through COVID? Rollerskating and water coloring. I learned how to spin on my skates and how to paint poppies and jellyfish. What’s your ideal weekend? Coffee, yoga, more coffee, then spending the day eating my way through SF with friends. (Or a hike in North Bay!) What’s something you’re passionate about that’s not on your resume? Balkan history! I studied a bit in Croatia and then worked a bit in Bosnia and absolutely fell in love with the people and countries of former Yugoslavia. If you're thinking about visiting, reach out! I might have some good recs :) I definitely have enough enthusiasm to at least convince you to go! --- # Introducing Vessel, powered by Stytch Source: https://stytch.com/blog/introducing-vessel-powered-by-stytch/ Today we’re proud to launch our first consumer-facing authentication solution: Vessel, powered by Stytch. Imagine never having to create another user login again. Never having to reset another password. If the frustration of private keys and seed phrases went away. Since Stych’s founding, our core mission has been to eliminate friction from the internet, and authentication remains one of the biggest points of friction on the modern web. Over the past two years, Stytch has been building out the authentication platform for developers, making it easy and seamless to integrate passwordless authentication into websites and applications. Today we’re proud to launch our first consumer-facing authentication solution: Vessel, powered by Stytch. Your passport for the internet Forget about remembering hundreds of passwords, seed phrases and creating siloed, disparate accounts as you travel Web2 and Web3. Vessel allows you to create a singular account and wallet that travels with you and gives you 1-click entry to connected sites. Technically speaking, Vessel is a fully non-custodial, multi-chain crypto wallet and identity vault. In plainer terms, you can think of Vessel as your digital wallet and your digital identity rolled into one. It’s a single, portable identity and account that travels with you online and opens access to Web2 and Web3. A tool that allows you to manage your online identity in one place, have control over what data you share, and the power to revoke access to it at any time and from one central location. That’s the vision behind Vessel. To create Vessel, we combined the best of Web2 authentication innovations to simplify account creation and data provisioning with the power of Web3 wallet architectures to condense authentication, identity (e.g. NFTs), and payments into a single secure browser extension. In doing so, we’ve built much more than a Web3 wallet—we’ve built a passport for the internet. Connect safely and seamlessly For Web2 user experiences, Vessel removes the need to create passwords for every site you visit or verify your email + phone number for every account you sign up for. Vessel helps you explore the internet through connected sites (sites that are enabled to detect the Vessel browser extension). You always have control over what sites you add to your connected site list and you can always add or remove sites. Once you download the Vessel browser extension, a private Web3 ID is created that allows you to be anonymously authenticated as you land on connected sites. With your anonymous Web3 ID, you have the ability to manage both your Web2 digital identity (today, that’s your verified email and phone number) and your crypto wallets. You’re also in complete control of your data and can choose to share it, or not, with sites you trust that require this data. Crypto made accessible Creating a crypto wallet requires you to create a private key. The typical way this private key is derived today is that a wallet presents users with a seed phrase, a collection of 12-24 words, that you must remember or else your account is lost forever, adding stress to an already new and confusing authentication experience. To enable a simpler onboarding to Web3, Vessel is a fully non-custodial wallet (meaning a wallet controlled by you rather than a third party) that eliminates the need for seed phrases. Vessel currently supports both Ethereum and Solana, allowing you to explore and use apps in both of these rich Web3 ecosystems. Vessel uses common Web2 patterns (a password & a PIN), in lieu of seed phrases, to generate a non-custodial private key, so you can manage your crypto assets without headache. Under the hood, Vessel introduces new security approaches to make this type of Web2 simplicity possible––incorporating data from public data breaches and running the Vessel account credentials through 3 million rounds of computationally expensive PBKDF2 cryptographic hashing, we provide significant security while simplifying the Web3 wallet onboarding experience. Get started with Vessel We’re proud to release Vessel as a first of its kind innovation that will help to eliminate friction and help to make Web3 accessible to more people online. Learn more about Vessel here and if you’d like to dive right in, download the extension for free at the Chrome web store. To enable your site and become part of the Vessel connected network, check out the Vessel GitHub repositories to quickly add support. It’s simple. So is sharing feedback—we can’t wait to hear what you think of Vessel. --- # Behind the scenes with Vessel: designing a brand for the first-ever passport for the internet Source: https://stytch.com/blog/designing-the-vessel-brand/ Vessel is a secure browser extension that works as a digital identity and multi-chain wallet rolled into one. Vessel is a secure browser extension that works as a digital identity and multi-chain wallet rolled into one. In simpler terms, that means instead of users having to set up and enter credentials (like a username and password) for each app or website they open, they’re logged in once through Vessel and can then “bring their own account” as they surf the web. That’s why we refer to it as a passport for the internet. As an exciting new entry into Web3, we knew we needed to differentiate Vessel from Stytch’s core brand and platform of passwordless authentication solutions for developers. And that presented new challenges for our design team. For one thing, Web3 is a complex space. Many new users find the concept of decentralized auth difficult to understand, and it’s a design team’s job to make the process look and feel as welcoming as possible. For another, designing for Stytch means designing for businesses—usually a specialized team of engineers. Vessel, on the other hand, is a consumer product intended for a broad audience. In this post, we share how we navigated this new terrain to develop an approachable, accessible brand in a particularly intimidating space—and introduce the dynamic brand assets we created. Picking the perfect name Stytch’s founders, Reed and Julianna, picked the name Vessel from hundreds of possibilities brainstormed by a cross-functional team of product managers, designers, engineers, and marketing specialists. Snapshot of names brainstormed As a word, “vessel” evokes something that transports passengers across different environments and—like a passport—provides them with secure access to new experiences. Having a powerful name in place at the outset of our branding initiative gave us a clear sense of direction and helped us organize our efforts around a cohesive theme that could guide the rest of our designs. Setting the mood As with most branding projects, the story behind Vessel’s visual style begins with a mood board—a collage of the different images, typefaces, and other design elements that shape a brand’s color palette, logo, and wordmark. As a tech-forward market, Web3 products tend to use developer-friendly “dark mode” tones, 3D illustrations, and ultramodern imagery. But we wanted Vessel to appeal to seasoned Web3 users and newcomers alike. That meant balancing innovative, futuristic elements with more recognizable, everyday aesthetics. Accordingly, we put together three visual spreads, which we titled Professional Futurism, Vaporwave Chic, and Bold Brutalism. In each batch, we worked to set fun, sci-fi inspired images against the professionalism, reliability, and security expected of an authentication platform. From left to right: Professional Futurism, Vaporwave Chic, Bold Brutalism Final mood board Finally, we combined these collections into a final, multidimensional mood board that would serve as a north star to guide the rest of Vessel’s branding. When it comes to a final mood board, our philosophy is that it's okay to deviate a bit and let the brand’s look and feel come together organically. To us, mood boards are a jumping off point—helpful guidelines, rather than strict rules. Adding a touch of color A color palette is one of the primary ways a brand sets a visual tone, elicits emotional responses, and engages its audience. The three initial palettes we came up with for Vessel took inspiration from our mood board, each pulling in unique color combinations to test their compatibility. We also applied these colors to a number of assets so we could see how they would look and feel in practice. Exploring color palettes Actually seeing the colors in true-to-life examples helped us to zero in on the middle option for Vessel’s palette. In a Web3 landscape typically dominated by darker blues, blacks, and purples, these colors felt fresh and playful—happy tones that remind viewers of a sunrise or sunset while staying true to the cool, modern tech foundations of the brand. Landing on a logo The name Vessel can have many different interpretations and lead in many different directions, from nautical voyages to aerospace exploration to circuitry and circulation. We wanted the logo to convey both travel and communication, speaking to an industry and audience that are between two worlds—that is, between Web2 and Web3, the known and the unknown—while staying firmly grounded in familiar, comfortable graphics. We played with many possible logos, including a space helmet, rocketship, and satellite, before ultimately deciding on a curvy sketch of a submarine using echolocation. We liked the idea of using deep sea navigation as a metaphor for discovery in the strange new realm of Web3—with the sonar helping explorers (like internet users) easily find their way. For Vessel’s wordmark, we paired this logo with a strong, crisp font that adds a bit of gravity and a sharp, contemporary edge to the playfulness of the submarine. Exploring logos and wordmarks Three final directions Putting it all together With these design elements in place, the entire Stytch team could align around a vision for Vessel and begin building out the wireframes, user flows and experiences, and brand assets that would truly bring our product to life. Final brand look and feel Applying the brand look and feel to the product Working in the uncharted, unconventional space of Web3 and tackling new creative challenges allowed us as designers to think outside the box and develop a pioneering, tech-forward brand that’s still simple and accessible for beginners to grasp. Get onboard with Vessel We’re proud to release Vessel as a first-of-its-kind solution that will help eliminate friction on the internet and make Web3 accessible to more people online. You can learn more about Vessel here. Or, if you’re ready to dive right in, you can download the extension for free at the Chrome web store and check out Vessel’s GitHub repositories to get quick support, enable your site, and become part of the Vessel connected network. Don’t forget to share your feedback through our Vessel research survey—we’re excited to hear what you think and keep building toward a better, stronger online experience. Get started for free today. --- # Vessel + Ratio: making crypto accessible Source: https://stytch.com/blog/vessel-ratio-making-crypto-accessible/ Ratio is on a mission to make crypto as accessible as possible, by making adding money to your crypto wallet as easy as adding money to Venmo or Cash App. Ratio is on a mission to make crypto as accessible as possible, by making adding money to your crypto wallet as easy as adding money to Venmo or Cash App. That means giving crypto wallet users familiar “add money” options, like payroll direct deposit and instant transfers from a bank account. All without the funding fees, processing fees, and wait times associated with traditional crypto exchanges. This mission was something that really resonated with us, as crypto accessibility is one of the core reasons why we embarked on our journey to build Vessel, our reimagined take on what a more approachable and inclusive crypto wallet could look like. Vessel eschews confusing seed phrases, and instead, uses known Web2 patterns (a password & a PIN) to generate a non-custodial private key. This lowers the barrier to entry for many users, without sacrificing the security and data portability that Web3 offers. Starting today, you can use Vessel to sign up and sign in to Ratio. When you sign up for Ratio using Vessel, your Vessel wallet addresses become the default for both Ethereum and Solana payouts. Because Vessel is multi-chain by design, you don’t have to juggle separate wallets for Ethereum and Solana. We’re so excited to be partnering with Ratio on their mission to make crypto more accessible for everyone, and we’re incredibly proud to see them officially launch and take the covers off of their product! You can sign up for Ratio today here to start saving crypto, fee-free, or learn more about Ratio at their blog. You can also download the Vessel Chrome extension here. --- # Introducing JWTs for session management Source: https://stytch.com/blog/introducing-jwts-for-session-management/ We’re excited to launch support for JSON web tokens (JWTs) as part of our session management product! Now, developers can choose between JWTs, session tokens, or a hybrid approach. We’re excited to launch support for JSON web tokens (JWTs) as part of our session management product! Now, developers can choose between JWTs, session tokens, or a hybrid approach. Stytch’s JWT support allows you to mint JWTs that can be verified without needing to hit Stytch’s API. This allows for highly performant authorization for your product when you need it, while also providing the control to revoke access when and where you want it. JWTs vs session tokens To authenticate a user, developers can either implement a JWT or session token-based solution. A JSON Web Token (or JWT) is an open standard that allows clients and servers to communicate and share critical information. It’s a form of stateless authentication as all user data is stored client-side within the token itself. This makes JWTs a popular session management solution among developers looking to reduce their server load and improve latency — it makes managing sessions faster and scaling architecture easier. JWTs offer numerous benefits, but one downside is that session revocation can be more difficult because the validation happens client-side rather than server-side. Conversely, session tokens are a session management solution that stores the token on the server-side, along with user data. Session tokens are verified against the server’s database with every user request, and a single token can be easily revoked at any time. This results in higher latency than JWTs. However, when control over session revocation is critical, this solution can be beneficial since it guarantees instant session revocation when needed. Get the best of both worlds Developers often have to decide which session management solution is best to implement and make the tradeoff between security and latency. Here at Stytch, we provide flexibility to strike the right balance for your application. With Stytch session JWTs, the JWT can be validated locally within your app or remotely with the Stytch API. The JWT will expire every 5 minutes in order to ensure that any session revocations are honored in a reasonable time frame, but you will be able to retrieve a new JWT through the Stytch API so long as the underlying session is still valid. You can also customize how frequently you check in with the Stytch servers by setting a lower max_token_age threshold in our client libraries or by triggering a refresh request before allowing particularly sensitive actions. JWTs for session management are a great solution if: Your performance needs require that your app needs to be able to validate sessions without an external network request on every call. You’re using Stytch session management to authorize actions outside of your app and that authorization works via JWTs. How Stytch session JWTs works Utilize session JWTs exactly the same way as opaque session tokens, by substituting session_token with session_jwt. Every response in our sessions product that contains a session_id and session_token will now also contain a session_jwt. The session_jwt value can be used to attach new factors to existing sessions to enable step up authentication, extend the lifetime of an existing session as well as authenticate and revoke sessions. A session JWT is a signed snapshot of the session at the time it was issued, and that signature is valid even after the session is revoked in the Stytch API. This means that the JWT is still locally valid even after the session is revoked. In order to ensure that there is a limit to how long a stale JWT could continue to be locally valid despite the underlying session being revoked, the JWT has a 5 minute expiry that is distinct from the configurable session expiry. The Stytch API will return a 404 error if the JWT passed is associated with an invalid session. To authenticate locally, use your client library’s version of authenticate_jwt. Stytch signs all JWTs for your project with project-specific signing keys. The verification keys for those signatures are available at a project-specific URL. The URL is publicly accessible, so any other JWT consumers outside of your app can also use it to verify JWTs from your project. We also offer support for custom claims in JWTs and allow you to store custom user data. Subscribe to our Changelog to find out about new products we ship and be alerted when we add additional features to existing products. Getting started If you’re interested in using JWTs, check out our Docs and sign up for a developer account here to get started! If you have any questions, please feel free to contact us at support@stytch.com. --- # Painting the town Stytch: the making of an OOH campaign Source: https://stytch.com/blog/the-making-of-an-ooh-campaign/ We decided to take our passwordless revolution to the streets and billboards of San Francisco. We built Stytch on a single, fundamental truth: passwords should become a thing of the past. They’re hard to remember, easy to hack, and all too tempting to reuse across internet accounts. That’s why we make it simple for developers to add passwordless authentication to their apps and websites — unlocking better security, a better user experience, and ultimately better conversion. It’s also why we decided to take our passwordless revolution to the streets of San Francisco. After seeing great early feedback from customers in 2021, heading into 2022 we were ready to raise brand awareness and celebrate Stytch as a solution to the password problem. Why not launch an epic out-of-home ad campaign spanning our native city? Below, we share how we put it all together with some amazing partners by our side — along with thousands upon thousands of handwritten sticky notes. Go big or go home Stytch’s OOH campaign wouldn’t have gotten off the ground without our partners at Brex. Brex’s core focus is on corporate cards and cash management, but their greater mission is to help growing companies achieve their full potential. That means offering value-added services — like their Billboard Rewards program — that help ambitious young startups amplify their message. With Brex’s Billboard Rewards program, we put the points we earned through regular spending toward this valuable media placement and one-on-one consultations around it. Among other perks, that included the expertise of Brex’s dedicated out-of-home media strategist, Kasper Koczab. Having launched a striking, city-wide OOH campaign for Brex, Koczab knew how to push the envelope and truly capture the public’s attention. “We adopted a philosophy of, hey, we want to be noticed by everybody — not just decision makers, but the people they talk to,” he said. “We look at it almost as performance art. We’re out to buy a spectacle. We’re out to buy the city. Out-of-home is a channel where, if you do it right, you can make a splash that’s impossible to miss. With this campaign, it wasn’t just about billboards — it was about, let’s paint San Francisco Stytch.” Koczab put together a bold, sweeping plan that included dozens of billboards, five transit shelter takeovers with first-in-market custom shadow boxes to accommodate our 3D sticky notes creative, 150 standard transit shelters, and buses that travel deep into residential areas. He advised on how to negotiate with city officials, make profitable investments, maximize the impact of every unit, and create visuals that work for pedestrians and highway drivers — in short, practices that can make or break an OOH campaign. Best of all, Kasper connected us with a dynamic, creative agency that instantly plugged into our vision and delivered just what we were looking for. It’s all in the design To develop the ad content, we turned to Division of Labor, an award-winning San Francisco agency with plenty of OOH experience and a firm grasp of the local market. It didn’t take them long to land on a compelling direction for our campaign. “Chemistry is everything, and it felt like our working styles were very much aligned,” said Rebecca Reid, account director at Division of Labor. “When that happens, it’s like magic. Stytch’s founders have such conviction and clarity on what Stytch is as a brand and what they want to communicate, and it made our work together fly.” “Stytch sent over a blog post titled Kill the Password — and that was really all we needed to see,” said Josh Denberg, Division of Labor’s founder and creative director. “No matter who you are or what you do for a living, you experience the same frustration with passwords. With other clients, we may have to search for a common enemy. But with passwords, it’s universal.” Denberg and his team got right to work. With many units to play with, they weren’t afraid to push the limits, try new approaches, and strike a balance between playful and pragmatic messaging. “There was a lot of collaborative back-and-forth,” said Denberg. “Stytch was really open to humor, so there’s a line about how the average person resets a password more often than they have sex. But then, there’s another that speaks to how passwordless auth can increase conversions by 60%.” Overall, we wanted to explore a mix of creative copy that would speak to the pain of the password in different ways and resonate with different audiences. All told, Division of Labor came up with four dynamic themes to fit distinct media types. Billboards featured memorable statements and statistics, while buses had long, cryptic password strings — like d0nTUh8pA55w0rD5L1kETh15? — stretched along their backs for drivers to puzzle over. Most impressively, they covered a handful of bus shelters with tiny, handwritten sticky notes — the kind people use to write down and remember their proliferating passwords. Brand messaging that sticks Needless to say, the sticky note project took a huge effort, involving custom glass cases for each shelter, loads of note pads and work hours to fill them, and multiple tests to get it all right. Division of Labor estimated they’d need a thousand sticky notes across five shelters, amounting to a grand total of 5,000 individual notes. “No problem, right? We brought in 15 people for an afternoon session and had them design each sticky note as a little canvas,” said Denberg. “At the end, we weren't even close. So we did it again, then again, and we were still a thousand short.” Finally, they held a Friday evening charity session, where friends could donate $400 per finished sticky note pad to the relief efforts in Ukraine, and Stytch sent a goodie basket of food and drinks to cheer them on and fuel their creativity. By the end of the night, Division of Labor had the last batch of sticky notes they needed — and had raised over $5,000 to boot. Koczab happened to know artist and metal worker Ron Lester from Iron Maverick, who took on the monumental task of assembling the shelter boards, layering note over note into an aesthetic, 3D sticky note sculpture. And the rest is advertising history. Approximately 1,000 hand-written sticky notes cover each of five transit shelter installations. Keeping the campaign rolling Through the OOH ads, we established a fun, unique presence in San Francisco and beyond — and we have an incredible story behind us to propel the Stytch brand forward. “This is a team that cares about the work they’re doing, and that was clear on day one,” said Denberg. “You don’t get that very often. After the campaign launched, everyone at Stytch embraced it and took photos with their dogs in front of it. It’s been great to see that organic push.” As the ads were unveiled, we hired videographer Michael Shainblum to document the experience, as well as the context and culture of the surrounding neighborhoods. With a three-man crew, he shot 10 hours of footage in just three days, including using a drone to capture the Stytch team in our offices, with sticky notes spelling “Stytch” across the windows. He edited it all down into the lively, minute-long sizzle reel featured earlier — you can also check it out here. (In case you’re wondering, the super catchy song is Sonny Cleveland’s “Don’t Stop.” You’re welcome.) While he filmed in slow motion, Shainblum sped up his footage for the final reel, giving a sense of the fast-moving pace of the city and the sheer scale of our campaign. “We see so much signage day after day, and frankly most people don’t pay any attention. But this was something different, something intriguing,” he said. “When so many people work on a project — not just the people devising and designing the campaign, but also the people actually putting up the signs — it’s incredible to have a visual record that brings it all together and spreads the word far and wide.” Measuring the impact So far, we’ve seen incredible feedback, and we’re excited to see interest in our campaign and our company grow with each passing day. The ad campaign’s success — and the greater public awareness of Stytch’s solutions — has resulted not only in an organic increase to our web traffic, branded searches, and recruiting efforts, but in a palpable boost to our team’s morale and enthusiasm. In the end, it’s not just the dislike of passwords that connects us, but the power and promise of a passwordless future. Go passwordless Want to see for yourself what all the hype’s about? Jump into our Docs to check out Stytch’s flexible, frictionless, and fully passwordless authentication solutions — or open a free account, and try them out for yourself. Get started for free today. --- # Launching Drop-in UI support for Web3 Logins with Ethereum and Solana in the Stytch SDK Source: https://stytch.com/blog/drop-in-ui-support-for-web3-logins-in-the-stytch-sdk/ Launching Drop-in UI support for Web3 Logins with Ethereum and Solana in the Stytch SDK Today, the Stytch JavaScript SDK is launching UI support for Web3 authentication for all wallets built on the Ethereum or Solana blockchains. As the future of online identity and experiences take shape, our goal is to equip your product with straightforward tools to interact with these new means of authentication. Web3 login support in the Stytch SDK is the simplest way to build crypto wallet authentication into any Web2 or Web3 application. This product update includes headless SDK methods you can attach to your auth flows for crypto wallet auth as well as customizable UX flows we’ve designed to easily guide your end users through the process. Supporting crypto wallet auth could mean you aim to incorporate blockchain elements into your core product or simply want to provide login routes for early technology adopters — whatever your Web3 appetite, the JavaScript SDK can help assist. Building for user-owned identity A focal point of Web3 is shifting the ownership of data that defines our online selves from companies back to the individual, as opposed to the many accounts and credentials that we hand off to sites and apps. Digital wallets running on protocols like Ethereum and Solana have paved a path to moving around the internet in a new way. For products supporting these Web3 logins, one’s wallet acts as the single touchpoint they need to provide for various authentication, identity, and payment actions required throughout your UX. By the numbers, popular wallets like Coinbase, Metamask, and Phantom account for over 13 million users on Chrome browsers alone, with an even broader base of wallet extensions and mobile apps beyond that. As consumers develop more opinions on who has access to their data and when, supplying a wallet auth option can help users log in on their own terms. Designing wallet detection for Web3 logins Connecting to apps via a wallet also presents a new frontier in auth UX, as users might own one of any number of the crypto wallets in circulation. With lightweight, high-converting experiences as our design focus at Stytch, we’ve built automatic wallet detection that will present only Web3 logins that are relevant to each individual user, rather than imposing an exhaustive wallet catalog. https://youtu.be/dFqidd6LAcg Knowing that your end users will vary widely in terms of what wallets they carry — and whether they’re yet involved enough with Web3 to have a wallet at all — we’ve designed flows that account for a diverse set of scenarios while preventing clutter. Putting it all together Let’s look at an example of combining crypto wallet logins with the SDK’s user management functions to determine whether we render a login experience or present the logged in user’s wallet address: Use the all-in-one Stytch component for a UX flow you can modify and insert directly into your application, or attach the SDK methods to UI elements you’ve designed to create your own experience. Getting Started The Stytch docs contain the full SDK reference and associated guides on how to get up and running with this new implementation route. If you’re looking for a low-friction way to get up and running with password-free auth, you can register a developer account here or contact support@stytch.com. --- # It’s a Stytchiversary! Meet Allison Chuang! Source: https://stytch.com/blog/meet-allison-chuang/ It’s a Stytchiversary! Meet Allison Chuang! What do you love most about working at Stytch? Most definitely the people! I’ve had so much fun working at Stytch because of the people I work with. I also love that at this size of a company you have the opportunity to get to know everyone and are constantly meeting new people as they join. Grateful to have been able to make so many friends here. What does a typical day at Stytch look like for you? It really depends on what I'm working on for the month. I like to be around people, so I go into the office most days. I would say I generally spend around 65% of my time doing technical work and my remaining time syncing with teammates, interviewing, etc. What’s been the most surprising thing about Stytch? Just how many features / products I’ve had the opportunity to collaborate on and build out this year! Stytch has gone from 0-1 in the last year, what have been some of your biggest learnings about joining an early stage company? I knew that early stage companies evolve quickly, but I didn’t realize how fast things would change. Every 3 months I feel like I am at a totally different company from the previous 3 and I’ve really enjoyed seeing the team grow. It’s so important to be able to adapt to all the changes that come with a startup and I’ve learned a ton along the way. What’s your favorite part of the Stytch culture? I love how collaborative everyone here is at Stytch. I feel like I can go to anyone to get more context on something and they’ll happily take time out of their day to get me up to speed. At this point I’ve worked on projects that spanned across both eng and non-eng and it’s always been a really rewarding experience being able to collaborate together. Which Stytch value resonates most with you and why? “Own it” It's exciting to own a full product from start to end and to see the amount of impact it creates. It also promotes a level of accountability within the company in a way that I know everyone I work with is putting in their best effort. What’s the most interesting project you’ve worked on at Stytch? I was part of the core team that launched Vessel a few weeks back. It was definitely a wild ride jumping into a consumer product for the first time, but I had a ton of fun building out the UI from scratch and thinking through all the different user interactions for the extension. How did you end up working in Software Engineering? I actually went into college thinking I would major in English or Psychology. I took an introductory CS course to fulfill an education requirement and realized how much I enjoyed the logic of it / the ability to create something out of nothing. And I was also pretty good at it! When’s the last time you did something for the first time and what was it? I started taking long walks around the city not too long ago. It’s been a nice way to reset my brain and to appreciate everything around me. And not to mention SF has some incredible views. What song, hobby, or recipe got you through COVID? I got really into pickleball during COVID and have been playing around 1-2 times a week since. If you’re looking to get into the sport — hit me up. It’s super fun, I promise! What’s your ideal weekend? Friends, authentic Chinese food in Outer Sunset, a long walk through Golden Gate Park. What’s something you’re passionate about that’s not on your resume? Human behavior and organizational psychology. One of my favorite newsletters is Psyche, which covers topics on psychology and philosophy. Give it a try if you’re interested! --- # 4 Ways to use Stytch's Embeddable Magic Links Source: https://stytch.com/blog/4-ways-to-use-stytchs-embeddable-magic-links/ An Embedded Magic Link contains a piece of information attached to the link that can execute an additional action. Online authentication is continually evolving. Initially, authentication required only a username and password. Today, measures like two-factor authentication via SMS or authenticator applications have become standard practice. While these methods enhance security, they can be inconvenient due to the number of steps required. Installing an application, accessing a mobile phone to copy and paste a code, and remembering passwords turn what was once a single action into an unnecessarily frustrating user experience. Fortunately, another means of authentication is gaining popularity: magic links. Magic links provide frictionless and passwordless authentication to end users without compromising account security. Magic links are typically single-use and expire quickly. Each magic link contains a token that’s used to verify the user. These tokens are embedded in communications sent to a user’s email or phone number, requiring the user to prove they have access to the email or phone account to access the application. Stytch’s Embeddable Magic Links add even greater function and flexibility. An Embedded Magic Link contains a piece of information attached to the link that can execute an additional action. For example, an email offering a 10 percent discount can embed a magic link that opens the website, logs in the user, and automatically applies the coupon code. Previously, a secure promotional email would entail providing a general website link and a copyable discount code. The user would then need to log in and manually paste the code. However, an Embeddable Magic Link already contains the secure authentication token and the instructions to apply the coupon code. The customer only needs to click the link. This user experience is frictionless and offers unparalleled ease. In this article, we’ll explore several uses for Stytch's Embeddable Magic Links and how they can help your organization meet its business needs in new and creative ways. Marketing emails and SMS messages A primary example of the power of Embeddable Magic Links is the ability to send “smart” marketing emails and text messages that greatly improve user experience and eliminate friction. Consider the example mentioned earlier: emailing customers links that automatically log them in and apply a coupon code. A marketing email can feature several product links, each an embedded magic link that brings the customer directly to the product page and automatically applies the discount. Alternatively, SMS messages can contain the same types of links. Both of these options ease the user experience. A user doesn’t need to remember — or even provide — a username and password to access their account. This makes for one less barrier between a customer and the targeted website. As well, pre-applying the discount code reminds the customer of possible savings and speeds up the checkout process. By allowing users to make purchases with fewer clicks, the business can boost conversion rates and improve overall user experience. Account updates Currently, the digital banking sector is transforming at a rapid pace. Most customers who use online banking can view their statements, transaction updates, e-transfer notifications, and history using their bank’s website or smartphone app. However, accessing these items typically involves logging in and providing additional security credentials. Moreover, increasingly stringent password requirements make them harder to remember, resulting in countless modes of insecure password storage. In these scenarios, an Embeddable Magic Link can be instrumental in altering the user experience. With embedded authentication, the user can then log in with magic links sent to the associated email or phone number. The token serves as proof of user authentication without the need for entering complex passwords that have been stored with suboptimal security. Text reminders Despite arguments to the contrary, email isn’t yet an obsolete technology. However, the accessibility and flexibility of text messages provide a considerable opportunity for sending timely reminders and notification updates. As you’ve likely experienced, many retail companies and couriers like Amazon, FedEx, and UPS already use text-based services to keep users updated on their items’ delivery status. However, these SMS messages typically contain basic links. Personalized updates often require users to log in to their accounts before viewing the linked content. More frustrating still is the fact that the login process doesn’t always redirect to where the original link intended. This leaves the user manually navigating through an account or returning to the SMS notification to retry the link. Embeddable Magic Links can eliminate this hassle. They can immediately bring the customer to the target web page and automatically log them in. Last leg signup Cart abandonment rates today are over 69%, with mobile abandonment over 85%. An estimated 26% of users will respond to retargeted ads following an abandoned signup flow. But too often these targeted follow-ups will require users to begin the sign up process from the very beginning. Fortunately, Embeddable Magic Links removes friction from this process by returning users where they left off in the sign up flow, rather than requiring them to start all over. No re-entering of basic fields like name, email, etc. Embeddable Magic Links help customers skip the line, cut through the red tape, and get back to their cart or complete their sign up registration as quickly as possible. This helps you maximize conversions without minimizing security. Combining Embeddable Magic Links with multi-factor authentication Using Embeddable Magic Links doesn’t completely remove multi-factor authentication (MFA) from the security picture. For delicate or sensitive information, you can combine these technologies by first providing the securely authenticated magic links and then using an MFA or one-time password (OTP) solution. This extra authentication step is especially beneficial when there’s a chance that an email account or cell phone may be compromised. During such scenarios, the extra layer of security is both functional and reinforces to the user that the safety of their personal information is a priority. Conclusion As our information security demands evolve to address more sophisticated threats, magic links can provide an intelligent solution for secure authentication without the hassle of multiple login steps. Furthermore, Embeddable Magic Links can elevate your organization’s security protocol to a level of enhancing the user experience and generating more profitable web traffic. One of the greatest parts of using Embeddable Magic Links is that they don’t have to be a drain on your internal resources. Stytch provides simple and secure passwordless authentication solutions, so that you can stay focused on your core product. To learn more about Stytch’s solutions, check out our documentation and experience Embeddable Magic Links for yourself. --- # It's a Stytchiversary! Meet Spyri Karasavva! Source: https://stytch.com/blog/its-a-stytchiversary-meet-spyri-karasavva/ It's a Stytchiversary! Meet Spyri Karasavva! What do you love most about working at Stytch? The people! But because everyone says that, here's my second favorite thing about Stytch: the opportunity to have direct impact on the company's trajectory, user experience, and culture. What does a typical day at Stytch look like for you? It changes a ton — I feel like I've switched three jobs since I joined Stytch. At the moment, I spend a lot of time thinking about user acquisition and activation strategies. What’s been the most surprising thing about Stytch? How open everyone is to learning from each other, as well as giving and receiving feedback. Stytch has gone from 0-1 in the last year, what have been some of your biggest learnings about joining an early stage company? What got you to 1 won't get you to 100, and at an early stage company every single person can have an outsized impact. What’s your favorite part of the Stytch culture? The openness and transparency when it comes to decision making. Which Stytch value resonates most with you and why? Are we thinking big enough yet? I love pushing each to do better for our customers and end-users, while having a ton of fun in the process. What’s the most interesting project you’ve worked on at Stytch? Starting and scaling our startup partnerships! I found it extremely rewarding to lead this initiative from ideation, to scale and optimization. How did you end up working in growth marketing? I like working on complex problems, making data-driven decisions and being able to measure the impact of my work. Growth marketing felt like a no-brainer! When’s the last time you did something for the first time and what was it? I went bowling a few weeks ago, and discovered that I actually have a decent aim. Growing up in Greece, bowling was definitely not something we did for fun! What song, hobby, or recipe got you through COVID? I roadtripped across the US for a year. Favorite stop: Sedona, AZ What’s your ideal weekend? Looking for the perfect chocolate croissant (The Mill is still my #1), movie night at the Roxie, and park hangouts with friends. What’s something you’re passionate about that’s not on your resume? See above ^ --- # Landing Email Magic Links in your user's inbox Source: https://stytch.com/blog/landing-email-magic-links/ Stytch Email Magic Links (EMLs) enable one-click email login to sites and applications. As one of Stytch’s most popular products, much of what makes EMLs “magic” for users is the seamless authentication experience of a simple click-through from their inbox. Stytch Email Magic Links (EMLs) enable one-click email login to sites and applications. As one of Stytch’s most popular products, much of what makes EMLs “magic” for users is the seamless authentication experience of a simple click-through from their inbox. Behind the scenes, we’ve put a lot of thought and effort into the whole packaging of Email Magic Links and how we send them out to your users. In creating that truly streamlined user flow, we ensure that EMLs always land in your user’s inbox — and the ‘Primary’ tab, too. Email clients and inbox providers like Gmail and Apple Mail all have different rules for how they classify emails as spam, what fonts they support, how they render dark mode, etc. Here at Stytch, we design and test our emails specifically to address all of the complex and changing rules, preventing emails from landing in users’ promotions tab or their spam folder. In this post, we’ll take a deeper dive into three ways that Stytch works in the background to ensure email deliverability for your users: 1. Reliability and domain reputation Stytch uses multiple email delivery services to achieve the highest deliverability success rate for your end-users. Knowing that even the most reliable services can experience outages, our built-in logic will automatically failover to another service provider if one service is down. We keep our email address and domain (login@stytch.com) reputation in tip-top shape, which ensures they won’t be marked as spam in your user’s inbox. The domain and address we use is kept separate from the one you send out changelogs and promotional emails from. We intentionally keep a separate domain for sending out Stytch changelogs and product announcements, so that the “login@stytch.com” address remains reserved for EMLs. We also have published SPF and DMARC records for our domain that authenticate all of our messages, which prevents email spoofing. 2. Design and copy Our emails are designed with your end user’s experience in mind, from the raw HTML formatting to the text copy itself. The simplistic layout is intentional in making it as easy as possible for users to authenticate with their Email Magic Link, unlocking that frictionless experience. In addition, being selective about the number and placement of graphics in our HTML helps minimize the chance of the email landing in a ‘Promotions’ tab. When it comes to the copy, even seemingly harmless words can land your email in the ‘Promotions’ tab of your user’s email client. For example, we discovered that omitting just one word can make a world of difference. In a recent round of testing, we ran over 20 permutations on an email's subject line and found a huge variation in email delivery. For instance, “You’re invited to Stytch” had a much lower success rate of landing in a user’s primary inbox than“You’re invited to join Stytch.” 3. Email customization Stytch provides you with the flexibility to create emails that align with your branding on your Stytch Dashboard without impacting your email deliverability: upload your logo, select your preferred font, customize your button colors, etc. We’ve researched and tested our list of font offerings across the top email clients and platforms (desktop, mobile, WebMail) to make sure that they’re supported and will render correctly for your users. Stytch holds accessibility as a core design principle and offers guidance on best accessibility practices in our Dashboard, automatically detecting and showing you the contrast ratios of the colors you choose, and displaying previews of dark mode so you can easily optimize for your users’ preferences. Though accessibility doesn’t always directly impact email deliverability, it is crucial for creating a frictionless EML experience that includes all of your users. Your Stytch Dashboard allows you to test and preview different customizations on your emails. At Stytch, we’re on a mission to eliminate friction from the internet. Though the complex rules from email clients add friction to email deliverability, Stytch helps take that load off, so you can focus on your core product. We’re always looking for ways to go beyond the status quo, and elevate authentication by making turnkey and human-centric experiences for developers and end-users. Try customizing your emails on our Dashboard, and read our Docs to see how easy it is to get started with Email Magic Links. With our out-of-the-box EML product, Stytch is able to fully handle the frustrating and complex pieces of email deliverability, latency, and inbox placement. If you’re looking for a more flexible way to use Magic Links such as sending them from your own domain, check out our Embeddable Magic Links here. --- # It's a Stytchiversary! Meet Shane O'Neill! Source: https://stytch.com/blog/its-a-stytchiversary-meet-shane-oneill/ It's a Stytchiversary! Meet Shane O'Neill! What do you love most about working at Stytch? Our customers. I’ve had the opportunity to work with many of our earliest customers, and everyone we’ve partnered with has been an absolute joy to work with — and they are solving exciting problems across a myriad of verticals. What does a typical day at Stytch look like for you? Next question? Every day is something new — which makes working at Stytch so enjoyable. What’s been the most surprising thing about Stytch? The most surprising thing about Stytch is the speed at which we ship. Our product and engineering teams move very fast, and I’m always blown away by how many updates are included in the changelog each week. It takes a lot of focus (I enjoy it) to ensure I'm up-to-speed on our products! Stytch has gone from 0-1 in the last year, what have been some of your biggest learnings about joining an early stage company? Cherish the small wins and commit to the journey. There are ups and downs in every early-stage company. So celebrate the small wins throughout your early-stage voyage, and enjoy it! Too often I hear of people wanting a result without the requisite effort. Most of the fun at an early-stage company is rolling up your sleeves and committing. And long as you progress (albeit gradual at times) towards your north star, everything else will work itself out. What’s your favorite part of the Stytch culture? We don't take ourselves too seriously, yet at the same time, we are seriously ambitious. It's a tricky balance to strike, and we've nailed it. Which Stytch value resonates most with you and why? Fail Fast. It encourages us to explore while also quickly identifying something that might fail so that we can make it a success. What’s the most interesting project you’ve worked on at Stytch? No one project comes to mind but working with our earliest customers was was very interesting and fun. How did you end up working in Sales? I went to school and studied Political Science, thinking I wanted to become a diplomat. But I was always interested in technology so I decided to make the leap after a stint in Financial Services. And I haven't looked back. What song, hobby, or recipe got you through COVID? I was living in a small flat in London when COVID hit. And Maison Bleue, a shop right around the corner, got me through COVID. They have delicious coffee, food, and provisions. Check out their Insta! https://www.instagram.com/maisonbleue19/?hl=en What’s your ideal weekend? Sipping a coffee while reading the Financial Times weekend. Then off into the outdoors. What’s something you’re passionate about that’s not on your resume? Sunday Roasts. I fell in love with Sunday Roasts after spending two years in the UK. If you know of any pubs/restaurants in the Bay Area with a proper Sunday Roast, hit me up! --- # How Apple’s passkeys just brought us one step closer to a passwordless internet Source: https://stytch.com/blog/what-apple-passkeys-mean-for-passwordless/ Apple announced their new passkeys feature, a next-gen approach to authentication that’s set to launch with iOS 16 and macOS Ventura this fall. Stytch was founded with the mission of eliminating friction on the internet. The first major source of friction we’ve tackled? Password-based authentication. We’ve consistently highlighted the many ways passwords contribute to database hacks and account breaches — not to mention the friction and frustration they cause for users, who are forced to memorize dozens (if not hundreds) of passwords and often end up abandoning login flows because of forgotten or mistaken credentials. Now, we’ve picked up a major ally in our push for a passwordless, frictionless internet. Last month, Apple announced their new passkeys feature, a next-gen approach to authentication that’s set to launch with iOS 16 and macOS Ventura this fall. Apple’s passkeys log users in via biometric factors like Touch ID and Face ID rather than through conventional passwords, and they’re a major leap forward when it comes to making fully biometrics-based (that is to say, fully passwordless) auth not only familiar but mainstream. In this post, we explain where passkeys fit in Apple’s wider trajectory of innovation, how they work, and why they’re a big deal for the future of authentication. A brief history of Apple’s innovations in authentication Over the past decade or so, Apple has consistently been at the vanguard of passwordless authentication across web and mobile devices. Among other groundbreaking moves: In 2013, Apple released the first widely available biometric login with Touch ID, allowing users to authenticate into the iPhone 5 via fingerprint. In 2016, Apple expanded biometric auth options from mobile devices to laptops, building Touch ID logins into the MacBook Pro. In 2017, Apple introduced Face ID, a biometric auth factor allowing users to scan their facial features to log in to iPhones and iOS applications. In 2022, it’s all about passkeys, building biometrics like Touch ID and Face ID into every online interaction and across every device. What’s new? From the above timeline, it’s clear biometrics have been around for a while — so you may be wondering why they haven’t already become the default for authentication. The main reason has to do with UX shortcomings of current solutions on the market. Historically, biometric solutions like Touch ID and Face ID have been stored locally on a mobile device or laptop, making it impossible to transfer their login data across platforms. For example, if a user signed up for an app on their iPhone but then wanted to log in to the same app on a different phone — or on their MacBook — they’d need to undergo a separate verification method (like a username and password or an email magic link) to gain access. That’s why, even though biometrics are instant, easy, and totally secure, they’ve typically been relegated to serving as a secondary factor in a two-factor authentication flow (2FA). In an ideal auth world, biometrics would be transferable across devices. A user would be able to sign up for an app on their phone using Face ID, log in on their laptop using Touch ID, and have each system recognize them as the same user. Well, that’s where passkeys come in. How passkeys work Passkeys back up the cryptographic key containing a user’s biometric data to their iCloud account, which is already logged in on each connected device. It may feel like the biometric readers inspecting a user’s fingerprints or facial features have been magically replicated on their phone, tablet, and computer — but really, their iCloud account is simply syncing the cryptographic keys that power those device-level biometric attestations. Part of the magic of this approach to leveraging synced cryptographic keys is that biometric data is never actually stored in iCloud. So, users can verify their identity and log in without having to worry about who has access to their biometric data. In short, passkeys make biometrics more practical and portable by rendering them interoperable. That is, passkeys still rely on a “something you are” authentication factor — but they recognize that you’re still you no matter where you go or what device you pick up. Where does Stytch come in? We’re thrilled Apple is adding an original, sophisticated passwordless auth method to the market, and we’re excited to offer passkeys through our platform as an integral part of our product suite. Stytch is all about giving developers and end users (great) options and making them quick and easy to integrate. Apple passkeys are a huge step forward for our mission of eliminating friction on the internet — and doing it in a way that’s intuitive, effortless, and secure. While passkeys will have a significant impact on how users authenticate online — similar to how Apple Pay impacted online payments — they alone won’t solve all of our authentication needs. For instance, even though Apple Pay improved the user experience for online payments, businesses still need to provide multiple payment options at checkout to allow users to choose their preferred method. Passkeys’ impact on authentication will be similar — it will improve the authentication experience for most users, but other methods (like email verification, OAuth logins, and passwords) and tooling (like session and user management and 2FA) will persist. That’s where Stytch comes in. Stytch helps companies support compelling new technologies like passkeys — while also meeting the rest of your users where they are through our full suite of authentication solutions. Learn more Stytch’s auth experts are always on hand to walk you through our modern, passwordless solutions and help you embed them seamlessly into your product. If you’re ready to get up and running, sign up for a free account today to explore our product suite and get in touch with a member of our team. Get started. --- # Stytch introduces a modern upgrade to Passwords Source: https://stytch.com/blog/introducing-passwords/ Today, we’re introducing a password-based authentication solution, rebooted for the modern era. Today, we’re introducing a password-based authentication solution, rebooted for the modern era. Stytch was founded with the mission of eliminating friction on the internet. Authentication today is a frustrating experience for both developers and users and we set out to fix that. We’ve reimagined what password-based authentication can look like and believe that introducing Passwords will bring us closer to a passwordless future. In this post, we share more on why we’re launching support for Passwords and how we’ve innovated from the ground up to uplevel security and user experience. Bridging to a passwordless future The first major source of friction we've attacked at Stytch is password-based authentication, given the UX hurdles involved as well as the security issues it can create. Over the past two years, we’ve created a suite of passwordless authentication solutions to serve as the infrastructure layer for a passwordless future. Passwordless authentication is more secure, more seamless, and it drives better conversion. We strongly believe that building an all-in-one authentication platform that is passwordless-first is the best path towards our vision of a frictionless internet for both developers and end users. At the same time, we’ve also spoken with hundreds of companies of varying sizes and at different stages of growth — we’ve come to realize that not every company and customer base is ready to flip the switch and go 100% passwordless today. The username/password paradigm is still heavily entrenched in the way many end users currently engage with applications. Research shows that while a full 92% of businesses believe going passwordless is the future for their organization, many are not ready to make the leap to a fully-passwordless authentication flow. A full 85% of IT and security professionals don’t think passwords are going away completely. As a leader in authentication, Stytch’s job isn’t just to point the way forward but to acknowledge barriers to entry and help resolve them. That’s why we’re launching a password-based solution to meet more customers and end users where they are now and help ease them into a passwordless future. Instead of ignoring the present state, Stytch believes that the best path forward is to meet companies and people where they are and guide them along the adoption curve towards passwordless. Modernizing passwords The design of password authentication really hasn’t changed much over the past few decades. We knew that if Stytch was going to take the plunge into passwords, we’d need to design a fresh and modern solution to elevate both security and user experience. To support our customers and ensure users are given a low-friction yet secure experience, we've completely reimagined password-based authentication from the ground up. Stytch has built four key innovations into our Passwords solution: Breach detection: password reuse opens the possibility of credential stuffing attacks. Stytch integrates with HaveIBeenPwnd and prevents users from setting passwords that are present in their dataset of nearly 12 billion compromised credentials. Every time someone logs in with a password, Stytch checks HaveIBeenPwnd to see if those credentials have been compromised since last authentication and triggers a password reset if a breach is detected. Strength assessment: in the face of password overload, users default to using easy-to-guess passwords. Stytch uses Dropbox’s zxcvbn password strength estimator, which provides a flexible strength assessment based on how resistant a password is to modern password guessing techniques. This feature is designed to make picking a strong password easy for humans to generate and hard for robots to guess. Safe account de-duplicating: Stytch de-duplicates accounts by email regardless of the authentication method. This allows users to change which authentication option they are using to log in to an app without accidentally creating a new account (e.g. a password user can switch to sign in via Google OAuth) or being forced to re-authenticate with the same method originally used. More human-centric password reset: when an end user triggers a password reset, most of the time they really just want to access their account, not change their password. With Stytch, customers have the option to integrate a traditional password-reset email OR integrate a password reset powered by Email Magic Links for a more seamless experience. We’re building our password-reset email template to be more human-centric, focusing more on UX and conversions than traditional password-reset flows. Get started with Stytch Stytch is committed to helping your company on its journey to passwordless authentication, no matter what stage of the adoption curve you’re in today. Our platform is modularly designed, which means it's easy to get started with low-effort, high-impact products that layer on to password-based flows and build holistically and sequentially from there. You can learn more about our Passwords solution and discover our full suite of authentication products at Stytch.com. You can also read more about why passwordless authentication matters — or sign up for a free account and jump straight into our docs. --- # Protect against password spraying Source: https://stytch.com/blog/protect-against-password-spraying/ Password spraying is one of the most effective, threatening approaches. While sometimes confused with credential stuffing, password spraying represents a different attack vector targeted at passwords’ weaknesses. Businesses operating in cloud-native environments can be especially susceptible to certain types of attacks, with both their company’s and their customers’ sensitive data at risk. Password spraying, also known as a password spray attack, has proven to be one of the most effective attack methods in the digital era. While sometimes confused with credential stuffing, password spraying represents a different attack vector targeted at the weaknesses of the traditional password. In this article, we’ll explain how to prevent password spraying attacks and how they're different from credential stuffing, with recommendations on how you can protect against them. What is a password spraying attack? Password spraying is a type of brute force attack: A cyberattack where a hacker tries to access a secure account of verified account users through trial and error by repeatedly entering random credentials like passwords with 'brute force' until one works. With password spraying, instead of trying a large number of passwords against a targeted account, the same password is used, or 'sprayed,' at many accounts simultaneously. The vulnerability of passwords and account lockouts Most authentication systems are programmed to both prevent password spraying and brute force attacks by locking out the account after entering the wrong password three times, known as account lockouts. Many organizations set a default password for new users, which can be easily exploited in password spraying attacks. Password spraying tries to bypass this defense technique by only using common passwords and spraying them across a wide range of different user accounts, avoiding account lockouts and minimizing failed login attempts. Plenty of password data exists in the public realm for attackers to glean from. For example, Nordpass publishes an annual list of the 200 most commonly used passwords for educational purposes that can be used by attackers in their password spraying attempts. Other common targets of password spraying attacks are passwords based on easy-to-guess personal information, such as birthdays or names. Weak passwords, combined with a lack of account lockout policies and password complexity requirements, make it harder for organizations to detect password spraying attacks and render them more vulnerable. How do attackers choose their targets? Password spraying attacks typically target cloud-based services such as Microsoft Office 365 or other popular email providers. Attackers usually look for login pages where the username/email field is publicly visible, as this simplifies the process of finding valid usernames and complex passwords to spray against. They may also look for login portals that do not have multi-factor authentication (MFA) enabled, making it easier to gain access using just a password. As a result, organizations using cloud-based services are particularly vulnerable to password spraying attacks if they do not have adequate security measures like MFA in place. Password spraying vs. credential stuffing While password spraying is often used interchangeably with credential stuffing, there’s a key difference. In a credential stuffing attack, attackers use known compromised usernames and passwords (often exposed in large data leaks), to gain access to a user's password accounts by testing these known credentials on different services to see if passwords have been re-used. This enables attackers to access multiple accounts belonging to the same user. Password spraying, on the other hand, does not assume to know a particular users’ compromised credentials. Instead, it targets the fact that humans are predictable, commonly using passwords like “Password123” or “P@assword1” or “Qwerty123.” The goal of password spraying is not to gain access to a specific account, but rather any account with a weak password. This is why it’s important for users to have strong passwords and unique passwords for each of their accounts - and why it's equally important for businesses to implement additional security for when this is not the case. Aside: Both credential stuffing and brute force attacks seek to gain access to sensitive information by compromising a user’s login credentials. While organizations can prevent traditional brute force attacks by configuring authentication systems to limit the number of password attempts, the best method for preventing password spraying and credential stuffing is to move to more modern password solutions or passwordless solutions. Stytch passwordless authentication employs alternative methods such as biometrics, SMS one-time passcodes, or email magic links to verify a user’s identity, eliminating the need for credentials to be stored in a database that can be breached. Learn more. The ripple effects of a password spraying attack As mentioned, in a password spray attack, attackers typically start by obtaining a list of usernames and then use common passwords to attempt access. Once the hackers have identified a valid username and password combination, they can gain unauthorized access to the account without immediately alerting security systems. With access to even a single account, attackers can escalate their privileges by exploiting security vulnerabilities or by using social engineering techniques to gather more sensitive information from compromised accounts (otherwise known as ‘phishing’). Aside: Stytch's "unphishable" Multi-Factor Authentication (MFA) leverages advanced public-key cryptography along with security keys and biometric login features to provide robust protection against phishing. Unlike traditional MFA methods, Stytch uses a two-key mechanism: a public key stored on the server and a private key only the user can access. This setup ensures that capturing public data doesn’t compromise security. Learn more. Far-reaching consequences The damage of password spraying attacks can have ripple effects, going far beyond the point of access to the account. For example, if an attacker obtains access to one password for an email account, they can reset passwords for other linked services, further compromising the user's digital security. Advanced attackers may use this foothold to spread laterally within a network, targeting higher-privilege accounts and extracting or encrypting valuable data for ransom. As a result, the initial stages of a password spraying attack, although seemingly benign, can have far-reaching and devastating consequences for individuals and organizations alike. Practical prevention measures Historically, the most effective prevention measure against password spraying attacks has been to ensure that strong, unique passwords are used (no easy feat). This makes it harder for attackers to guess or spray passwords across multiple accounts. But given that many humans will always opt for memorable (read: vulnerable) passwords, a strong fraud prevention and authentication protocol is now table stakes for any modern organization's security roadmap, including measures like multi-factor authentication (MFA). Additionally, organizations can implement security tools like intrusion detection systems (IDS) and intrusion prevention systems (IPS) to detect and prevent suspicious patterns of activity on their network. These systems use advanced algorithms to analyze network traffic and identify potential attacks, including password spraying attempts. How Stytch can prevent password spraying attacks Stytch offers cutting-edge authentication solutions to help modern organizations combat password spraying attacks. By anticipating our human tendency towards password reuse, Stytch offers a breach-resistant Password solution that protects users against using weak and compromised credentials to avoid data breaches. Stytch Device Fingerprinting identifies unique characteristics of a user's device, such as the operating system, browser version, screen resolution, and even unique identifiers like IP address, helping distinguish between human and machine to safeguard against brute force attacks like password spraying. This reduces the likelihood of unauthorized access, as suspicious devices can be flagged and blocked. Stytch ‘unphishable’ Multi-Factor Authentication (MFA) adds an extra step in the authentication process, requiring users to provide a one-time code or use biometric authentication before gaining access. This ensures that even if passwords are compromised through password spraying attacks, there is an additional layer of protection in place. In addition to these features, Stytch also offers secure and easy-to-use single sign-on (SSO) solutions. With SSO, users can log in once and gain access to multiple applications without having to remember multiple passwords, reducing the risk of password spraying attacks but also improving user experience by simplifying the login process. By working with Stytch, developers and businesses can greatly reduce the risk of password spraying attacks and other common forms of cyber threats. Learn more about our flexible, modular authentication solutions and get started with Stytch today. --- # What is password hashing? Source: https://stytch.com/blog/what-is-password-hashing/ Password hashing is a strategy to ensure that passwords are stored securely. In this blog post, we’ll explain what password hashing is, why it’s important, and how Stytch's hashing process helps make our Passwords product as modern and secure as possible. Building a product that requires passwords for user authentication means that you need to implement a method to verify your users’ passwords. However, storing plaintext passwords in your database comes with significant security risks. Holding this data opens your app up to risk if your database gets breached. Hackers — who can be rogue employees that have access to the database — benefit from these attacks because of the prevalence of users re-using the same password across different websites. Even if your application isn’t particularly security sensitive, attackers hope your users have used those passwords at higher value accounts like their bank accounts. Securely storing passwords is essential to mitigate these risks. Password hashing is a strategy to ensure that passwords are stored securely. In this blog post, we’ll explain what password hashing is, why it’s important, and how Stytch's hashing process helps make our Passwords product as modern and secure as possible. The basics of password hashing Password hashing is the practice of algorithmically turning a password into ciphertext, or an irreversibly obfuscated version of itself, as a means of blocking against the threat of password breaches. Essentially, one string of characters in a password is transformed into a completely different string using a mathematical hashing function. Once a string (password) has been hashed, there’s no way to reverse the process and each time a user logs in, their hashed password is compared with a recorded hashed value. That might sound a bit technical, so let’s put hashing into human terms — say you have two users, Alice and Bob, who create an account on your website or platform. When they finish registering with a username/email and password, you store their passwords in a database. When you’re storing these passwords, the worst thing you could do is store them in plain text. Storing in plain text means you’re directly tying your user’s identity to their password in a readable data format, as seen in the image below: Even if the database is itself secured by authentication, this password storage mechanism remains highly vulnerable. If a hacker is able to break into the server, they’ll have access to all of the application’s password credentials without clearing any additional hurdles. This endangers both the hacked application and any applications where that user has re-used the password. With this information in tow, bad actors can take these login credentials and use them across websites other than your own. Although it’s a poor practice to use the same password for multiple accounts and across multiple platforms, over half of us still do. And if user passwords are exposed and continuously exploited from a data breach stemming from your website or platform, your users could ultimately hold your organization responsible, which can have reputational, financial, and legal consequences. It would be a mistake to believe that the remedy to storing passwords in plain text is to simply use encryption. There’s no doubt that compared to plain text, encrypting the passwords is an improvement. If a hacker gets access to the encrypted passwords, they won’t be able to use them immediately, as the encrypted passwords are harder to crack and represent a randomized alphanumeric string, as in the image below. You might be safe from hackers for a while using encryption, but there’s a caveat: encryption is a two-way street, meaning that the encryption key can be used to decrypt the passwords back to plain text. If hackers infiltrate your database, they could potentially break into other parts of your network and discover your encryption keys. Storing encrypted passwords also makes them vulnerable to any malicious employee with privileged access to the keys. How is hashing different from encryption? Unlike encryption, hashing is a one-way street. When you run a user’s passwords against a one-way hashing algorithm, the result is a random string of text that cannot be reverse engineered or traced back to the original plain text password value. How does it work? When a user creates a password, the application runs it through a hashing algorithm and stores that random string value in their database (vs. storing a plain text password or an encrypted value). Any time a user logs in, the application runs the same hash function against the user’s submitted plain text value to check if the resulting random string is the same random string stored in its database. The irreversibility of this hashing function is what makes it such a powerful way to securely store secrets like passwords. It removes the most susceptible attack vectors. Consequently, even if your hacker discovers the keys used to generate the hash, they won’t be able to convert the hashed values back into the original passwords. However, this doesn’t mean it’s impossible to crack hashed passwords. Some cyber attacks, such as brute force attacks, dictionary attacks, and rainbow tables can help malicious individuals steal passwords. In a brute force attack, a huge number of character combinations are used in the password guesses. In the dictionary attack, only words from a long dictionary are tested. Dictionary and brute force attacks have low memory requirements but are computationally expensive because they have to hash the entire list every time. Rainbow tables are a more computationally efficient (but also more space intensive) way that hashed passwords can be cracked. In this approach, a rainbow table is created that stores a series of chained hashes for common passwords. The hacker can then use the table as a lookup, to see if the compromised database password hash exists in the table and then trace that hash chain backwards to identify the original plaintext password. Adding salt to hashing As you can see, hashing alone isn’t secure enough. To better protect passwords from attacks, you add something called a salt. A salt is a sequence of additional characters that we combine with the original password. This combination goes through the hash algorithm to create the password key, as demonstrated below: While salting is a helpful step in securing hashed passwords, it has limitations. For instance, this salt is often placed in front of each password, creating a trend that’s easy for hackers to identify. Moreover, some organizations will use the same salt for every password, which inherently undercuts the security that password salting offers. The fast hashing problem While being “fast” is almost always a desired quality in technology, fast execution is a big problem in hashing algorithms because hackers can use speed to their advantage. Some hash algorithms, including MD5 and SHA1, are quite fast. And while those algorithms have been used for hashing passwords and can be helpful for some everyday tasks, like database partitioning or computing checksums, security advisors now strongly disapprove of them — especially for password hashing. Modern hardware, such as GPUs, have hundreds of cores that enable massively parallel computing and allow hackers to compute billions of hashes per second when attacking fast hashes. You need slower hash algorithms to protect users from hackers using ultra-fast GPUs. Examples of these include Argon2, bcrypt and Scrypt. In the next sections we’ll dive deeper into the latter two, which we explored for Stytch’s Passwords solution. bcrypt bcrypt is a round-based, adaptive hash algorithm to store a one-way hash of the password. It improves on regular salting by generating a random salt for each password. With powerful hardware, a hacker can create an attack dictionary against fast hashing algorithms like md5 in a few seconds. But since bcrypt is a slow algorithm, creating this dictionary will take a long time. Additionally, you can increase the iteration count to make it even slower, which helps protect you against brute force attacks. This is a typical bcrypt hash: The default cost (rounds) of bcrypt is 10. When this algorithm was conceived, the cost of 10 was secure enough. However, depending on the hardware, this now can take milliseconds. So, you can increase the cost of rounds to 15 or more to make the hashing process take several seconds instead. Scrypt Scrypt, also known as Scrypt PBKDF2, was initially developed for Tarsnap, an online backup service with Amazon as one of its clients. Scrypt is a password-based key derivation function (PBKDF) — a memory-intensive algorithm that makes it costly to perform large-scale hardware attacks. Unlike other PBKDFs, Scrypt’s parallelization factor enables you to finetune the relative CPU cost. The desired key length (dkLen) allows you to define the output size and the CPU and memory cost, further bolstering its security profile. The first step when using Scrypt is to create a hashed message authentication code (HMAC). Then, Scrypt performs the PBKDF2 function. A memory-hard function called SMIX is executed in a loop, and finally, a PBKDF2 function is executed again. The SMIX function depends on three functions: ROMix, BlockMix, and Salsa20. Scrypt follows the steps outlined below to hash passwords: First, Scrypt generates an expensive salt using the block size factor (the r parameter in Nrp) to create “blocks.” PBKDF2 generates a large array whose size depends on the block size factor (r) and parallelization (p). Scrypt uses the cost factor (N) as the number of times that each block is mixed using a function called ROMix. Scrypt then generates a new expensive salt by concatenating all mixed blocks. Finally, PBKDF2 uses the password and the calculated salt, trimming the output to the desired number of bytes (dkLen). Stytch’s Passwords solution There are some security considerations to think through whenever you’re storing a secret value like a password. Although a hashed value can’t be directly translated into a password, its formatting is susceptible to different forms of security breaches, like brute force attacks, where bad actors can continuously generate hashes from random passwords until they find one that matches. One approach to avoid these headaches altogether is to pursue a passwordless-first approach, but we understand that not everyone is ready to drop passwords entirely. For some user demographics, passwords remain the preferred way to authenticate. That’s why in addition to our suite of passwordless authentication methods, Stytch offers customers a modern approach to securely allowing users to authenticate with Passwords. Stytch salts and hashes all passwords using Scrypt, before storing in an encrypted database that we manage. We wanted to ensure our Passwords solution is secure and built for performance — we decided on Scrypt in order to strike that balance. Stytch’s Passwords also introduces novel security features like breach detection (powered by tools like HaveIBeenPwned) and a better strength assessment called zxcvbn (pronounced lower qwerty), which makes it easy for humans to generate passwords but hard for robots to crack them. We’re committed to making secure authentication that’s as frictionless as possible, so we leverage our Email Magic Link technology to reduce the steps from a traditional password reset. Get started with Stytch Not all companies are ready to go passwordless, but when ready, they can easily migrate from password-based to passwordless with Stytch. In the meantime, they can rely on our solutions to enjoy the best of both worlds. Learn more about our Passwords solution and check out our hashing.dev microsite to easily generate or validate your own password hashes, and learn more about how this cool process works! --- # Stytch vs. Amazon Cognito Source: https://stytch.com/blog/stytch-vs-amazon-cognito/ But unlike Stytch, Amazon Cognito is limited in its flexibility, reliability and customization — critical factors when it comes to user experience and conversion rates — not to mention its pricing models and tech support. As a GTM lead at Stytch, I see many customers migrating to our platform from AWS Amazon Cognito — and many more potential customers thinking about making the switch. It’s not hard to see why. Much like Stytch, Amazon Cognito provides authentication, authorization, and user management solutions for web and mobile applications. But unlike Stytch, Amazon Cognito is limited in its flexibility, reliability and customization — critical factors when it comes to user experience and conversion rates — not to mention its pricing models and tech support. In this post, I break down each of these categories one by one to demonstrate why companies consistently choose Stytch over Amazon Cognito. How Stytch tops Amazon Cognito when it comes to flexibility, reliability, pricing, and support Customers choose Stytch over Amazon Cognito due to: Greater flexibility: Amazon Cognito imposes rigid authentication flows and limited options for customization, while Stytch lets customers choose from a range of auth solutions and tailor flows to their brand. Reliability: Amazon Cognito defaults to a single messaging service — Amazon SNS — that doesn’t support failover redundancy and impacts deliverability for email and SMS. Stytch builds redundancy into every communication-based auth product. Hands-on support: simply put, Amazon Cognito is a behemoth, and customers might spend hours on hold before they talk to an actual human and get their problems solved. Stytch’s responsive team jumps in quickly to handle any issues via support ticket or Slack. Practical pricing: Amazon Cognito charges customers per click — even for failed or duplicated requests — while Stytch extends customers a per-user pricing model that scales along with their business. Rigidity vs. flexibility The main difference between Stytch and Amazon Cognito has to do with each platform’s flexibility (or lack thereof). Amazon Cognito’s rigidity is all-encompassing, making it difficult for users to have a smooth sign-up and log in experience. Here are some of the ways that rigidity manifests across features and functions — and how Stytch offers comparatively agile, versatile solutions. Customization: Amazon Cognito can host a sign-in screen, but it doesn’t offer much in the way of front-end customization. If a developer wants anything other than the generic UI that comes out of the box, they have to build the entire flow with few resources to guide them. Take our partners at Bitcoin.com, a multi-chain crypto wallet, marketplace, and news outlet. They needed a flexible auth flow that could support a wide variety of products and services across their platform and show off their brand’s unique personality — something Amazon Cognito couldn’t do. “With a bigger company like Auth0 or Cognito, you’re one of many clients. You can’t really ask for additional or customized features — you just have to use what they give you. When we reached out to Stytch, it was a totally different experience” –Andrei Terentiev, Head of Engineering at Bitcoin.com With Stytch, Bitcoin.com gets a suite of auth products that are both secure and highly modular for end-to-end customization. Stytch also offers speedy integration options, from direct API to fully customizable SDKs that adapt to the look, feel, and flow of their platform. Amazon Cognito offers limited opportunity for branding and customization of your user login flow. In contrast, Stytch’s solutions are designed for you to be able to make them your own. Note that you can choose to use “Powered by Stytch” or remove it. MFA and sessions Amazon Cognito supports multi-factor authentication (MFA) — but they front-load friction for users, who are required to complete multi-step auth flows each time they engage with an app, regardless of the level of risk. This approach isn’t just tedious and unnecessary, it can negatively impact UX and tank conversion rates. Stytch uses smart, route-based (or “just-in-time”) authentication, which introduces additional factors only when they’re warranted for higher-risk tasks — like moving money, editing financial details, or accessing sensitive personal data. All other, read-only actions can be met with scaled-down security for a smoother experience. User management Amazon Cognito has two frustrating practices when it comes to user management. First, if you want to offer popular OAuth login options through platforms like Google or Facebook, you’re forced to use Cognito’s hosted UI — meaning you can’t use your own front end or control the UI/UX. Second, once a user pool is created in Amazon Cognito, it can’t be changed. That means developers must decide which attributes they want to collect from a user during sign-up at the outset of a project. They can’t make edits later as their app grows and evolves (and most do). With Stytch, apps can attach multiple authentication factors (like phone and email) to a user and change which options are implemented across the user life cycle. Password exports Amazon Cognito doesn’t allow password exports, making it very difficult for apps to switch auth providers. Their end users would be burdened with resetting their credentials for the new flow — which could lead to substantial dropoff. There may be some security logic to this choice, but it unfairly locks businesses into a single vendor. If Stytch doesn’t live up to an app’s expectations, we think they should be free to switch. That’s why we allow for seamless imports and exports, providing an easy API to transfer all user data at once. Fortunately, our authentication products like Email Magic Links, OAuth Logins, and streamlined password resets are well architected to make migrations simple even if you’re using Amazon Cognito’s passwords product. Documentation and time to value We’ve heard from former Amazon Cognito customers that the company's docs and guides are hard to find and even harder to follow, leading to drawn-out and painful integrations. Developer to developer, we know that no app wants to spend much time implementing their auth flow. They want to spend time focusing on their core product. That’s why Stytch provides clear, easy-to-understand docs designed to get apps up and running in minutes, whether they’re building an auth solution from scratch or migrating from another platform. Reliability / performance Beyond their rigid authentication flows and limited customization options, Amazon Cognito’s reliability and performance is also hampered by their sole reliance on Amazon’s SNS service for messaging. This single point of failure brings about increased errors, meaning more customer support issues that you and your team have to deal with. Consider Pronti, a smart wardrobe app that helps users plan their outfits and sustainably expand their closets. Pronti initially turned to Amazon Cognito for a simple passcode users could enter to log in, but they soon started seeing failed authentication attempts, mounting complaints, and rising costs. “With Cognito, we’d get so many user complaints that it would affect our ratings in the App Store. We’d also get about 200 direct messages a week reporting authentication errors that we’d have to deal with. Now, we’re not getting any at all.” –Andrea Veintimilla, Founding Designer and Marketer at Pronti With Stytch, Pronti went from 200 auth errors to zero — giving them back the time and resources they need to focus on and perfect their core product. As mentioned in my Stytch vs. Auth0 blog post, Stytch builds redundancy into every communication-based auth product, monitoring uptime and using dynamic failover logic to route across multiple providers. This ensures vendor downtime doesn’t impact your platform and that your users always have a high-quality, uninterrupted experience, with no single point of failure. Radio silence vs. an attentive team When it comes to authentication, having a reliable, expert team at your back isn’t just important during the integration process, but on an ongoing basis — should issues arise. Amazon Cognito has a notoriously bad response time, sometimes letting known bugs linger for years. This can have devastating consequences for companies, like Pronti, which have to spend valuable work hours cleaning up the mess and often suffer reputational damage as a result. With Amazon Cognito, Pronti struggled to get the tech support they needed but with Stytch, they’ve gotten hands-on-support every step of the way. “With Stytch, it was a collaborative process — zero friction. Whenever an issue arose or something didn’t make sense, their team responded right away and jumped in to fix the docs.” –Mila Banerjee, Founder and CEO at Pronti Stytch puts a priority on customer support and we have multiple channels to reach us so that you can get a quick and timely response whenever you have a question. I’m proud to say that our customer responsiveness truly stands out. Per-click vs. per-user pricing Beyond rigidity, reliability issues and lack of customer support, Cognito’s pricing is not designed to scale. For instance, Amazon Cognito charges for every SMS message sent as part of an MFA flow — which can quickly add up as users repeatedly try to access their account. “If users grew impatient, they would keep clicking the resend-code button. Since Cognito priced us on a per-code basis, we were charged for every click. As we went viral and traffic increased, our authentication costs went through the roof.” –Mila Banerjee, Founder and CEO at Pronti Stytch helped Pronti cut down their massive auth bill with a sensible, user-based pricing model that scales with their business. That means Pronti is charged only once per active user — no matter how many times they sign in. The bottom line As we’ve heard time and again from our customers, Amazon Cognito can hold applications back when it comes to UI and UX customization, reliability, support, and fair pricing. That’s why many businesses make the switch to Stytch — and use our flexible, scalable, and hands-on approach to drive better user experiences and conversion rates. Ready for a change? Learn why Stytch is the top choice for developers who value security, flexibility and reliability. Jump into our docs to check out the details behind our customizable, easy-to-integrate authentication solutions — or sign up for a free account to try them out for yourself! --- # It's a (double) Stytchiversary! Meet Aiden Forrest & Ovadia Harary Source: https://stytch.com/blog/meet-aiden-forrest-ovadia-harary/ Get the inside scoop on what it's like to work at Stytch. What do you love most about working at Stytch? Aiden (AF): As the first brand designer, I love that I helped build the brand and that I get to continue to grow and evolve it — basically I get to do what I love every day! I also love that at Stytch, we have built a company culture in which everyone has a seat at the table and all ideas are welcomed. Ovadia (OH): I'm a big fan of the team. The team comes from a range of experiences and backgrounds, and I've learned a lot from everyone at the company, and most importantly everyone is fun and enjoyable to work with. What does a typical day at Stytch look like for you? AF: I don't think a typical day really exists for me but during the week I am usually heads down on a design project, reviewing design work and providing feedback or in meetings. OH: I work on east coast hours, so while the rest of the team is snoozing, I get most of my code writing, code reviews and other heads-down work done in the morning. The afternoons are a mix of pairing with the team, writing technical specs and once in a while a meeting. What’s been the most surprising thing about Stytch? AF: The rate at which we've scaled! It's been really amazing to watch the team grow from 10 people to 50+ in little over a year. OH: The pace and progress we’re able to make as a company. Everyone is heads down working and it is impressive what we are able to achieve. Stytch has gone from 0-1 in the last year, what have been some of your biggest learnings about joining an early stage company? AF: It is rewarding and fun to be apart of an early stage company but you have to be ready for a lot of change and pivots along the way. It's been important for me to stay adaptable and flexible. OH: It's incredible what you learn from your early customers — you really can't build in a vacuum. You need to always be talking to your customers and having them use your product. What’s your favorite part of the Stytch culture? AF: Everyone is a team player and always happy to jump in and help one another out! OH:The passion everyone brings to work. What Stytch value resonates the most with you and why? AF: Fail fast. As a designer I find myself moving quickly on projects so I can iterate multiple times to get to the best solution. This should be a part of every designer's DNA. What’s the most interesting project you’ve worked on at Stytch? AF: There have been so many already, but my favorite projects have been creating brand systems for the core Stytch brand and our Web3 consumer brand Vessel. I love the branding process and find that it's my happy place. It's also very rewarding to start out with just a name on a piece of paper and turn it into a whole visual system. OH: We migrated our infrastructure we run our core services on and it reduced our deploy time by ~75%. How did you end up becoming a Brand Designer? AF: I went to school for graphic design! After graduating from college I moved to San Francisco where I started in advertising but soon pivoted to a small music tech company where I fell in love with in-house design and the impact you can have working with just one brand. When’s the last time you did something for the first time and what was it? AF: I've been working and living in Portugal for the summer! I've never been to Portugal or tried working remotely from another time zone. It's been a great experience and I'm so grateful the Stytch team has been so supportive. OH: A couple months ago I was visiting Stytch HQ and I learned how to do my first somersault (at least as an adult). It was riveting. What song, hobby, or receipe got you through COVID? AF: None of the above. It was reality TV LOL! I watched a lot of Bachelor and Love Island. What’s your ideal weekend? AF: Going on a long walk and ending up a craft brewery. OH: Beach. Eat. Sleep. Repeat. What’s something that’s not on your resume that you’re passionate about? AF: Thrift and vintage shopping! Anytime I travel I always make a point to find the best thrift stores and flea markets. Wanna work with great people like Aiden and Ovadia? We're hiring! Check out the Stytch Careers page to see what fits. --- # How the API economy can radically transform your business Source: https://stytch.com/blog/the-api-economy-can-transform-your-business/ learn about the API economy and how API companies can benefit your business. On June 22nd, 2022 Stytch co-founder Julianna Lamb presented on the API economy at Collision, one of North America’s largest tech conferences. Her presentation inspired this article — watch it here. Stytch is an API-first company. That means we build and perfect turnkey, easy-to-integrate authentication solutions — so you don’t have to. But we’re just one part of a much larger API economy that’s radically transforming the way organizations approach their digital roadmaps. When we say API economy, we’re referring to a global network of API companies, each providing the technical infrastructure to unlock a specific function or capability for growing companies and enabling them to scale faster. Today, API companies command hundreds of billions in market cap, and they’re fundamentally changing the way your company can ideate and build products. In this post, we explain what an API is, how different API companies make up the API economy, and how this new landscape can supercharge your team to ship better products and features more quickly. What is an API — and why does it matter? API stands for application programming interface. APIs essentially work as mediators or messengers that allow different applications to communicate. More specifically, APIs are responsible for exchanging data and performing actions across services. But beyond the technical, why do APIs matter for your company, for your product and for your business? Because by facilitating interactions between systems, APIs make it easier and faster for developers to integrate and innovate around essential services needed for a business to succeed (e.g. the ability to communicate, to authenticate users, and receive payments). Simply put, APIs allow you to focus on what you do best, and outsource the rest. At earlier stages of web development (pre-API), you had to build a team of experts skilled at building an SMTP server, integrating with telecoms, authenticating users, processing payments, and so on. Building each of these essential app components could easily require an engineering team of dozens, if not more. But today, you can get all of these functionalities out of the box with a simple API – now, more than ever, you don’t have to worry about building it yourself because there are best-in-breed API companies to rely on for each of these application functionalities. Understanding the different pieces of the API economy The best part of API companies is that they have one sole focus. That means they invest all their engineering and product resources in building the best-in-class solution for a specific problem. By leaning on API companies with a niche area of expertise, you’re able to embed all that knowledge directly into your product — without having to invest significant time and resources in the process. There are a myriad of different types of API companies that make up the API economy. Some major functions they can serve include: Performing a specific action: for example, Twilio helps you send an SMS; Mailchimp helps you send an email; Checkr helps you perform a background check. Providing a specific piece of a product’s functionality: for instance, Stripe helps companies facilitate and process payments for their goods and services, while Stytch authenticates users into an app or website. Enabling data connectivity (APIs for APIs): companies like Plaid and Merge are universal APIs, which help companies aggregate data from dozens of different APIs, platforms, and accounts through a single integration. Powering the API economy: companies like Postman make it easier for companies to use and manage APIs, while MuleSoft makes it easier to build APIs. A modern tech stack including functional components like an SMS verification API, a search API, and a multi factor verification API enables rapid development. So, how does all this help you achieve real results? Business benefits of the API economy APIs can yield several important and immediate benefits for a partnering business. Among other advantages, they help you: Increase efficiency: APIs abstract away the application layer, so you can focus on the unique and innovative parts of your products and rely on API companies for everything else. Improve UX: a specialized API company lives and breathes a specific solution and will be able to provide a much better user experience than the fractional attention your team can spend on a non-differential feature. Scale effortlessly: you can leverage an API to quickly test and validate your product roadmap and add additional solutions from the API platform as you grow and discover new needs. What's more, APIs will scale with you. API companies have built-in infrastructure to support your growth and handle any potential scale issues. Future-proof your business: finally, API companies are continuously investing in cutting-edge technology in their domain of expertise. As they discover and implement new technology, you get instant access through your existing partnership and integration. Embrace the API economy with Stytch The main message here? Don’t reinvent the wheel. Take full advantage of third-party API companies’ expertise to fuel and accelerate your product development. Just as it would seem outrageous to build your own data centers in 2022, it will soon feel just as outrageous to build undifferentiated pieces of your product — like login or search capabilities — when you could be investing that development time and effort in building a stellar, differentiated product. If you want to learn more about Stytch’s API — and how you can build simple, out-of-the-box authentication flows directly into your product in minutes — reach out to our team, and get your questions answered. Or — sign up, and explore our easy-to-integrate authentication solutions for yourself. --- # A founder’s guide to raising your seed round Source: https://stytch.com/blog/a-founders-guide-to-raising-your-seed-round/ Stytch co-founder and CEO Reed McGinley-Stempel shares his advice on raising your seed round I’m often asked by other founders about Stytch’s seed fundraising experience and what advice I’d give to other early-stage founders navigating the process today. While the overall fundraising environment has shifted in recent months, I think my advice for approaching a seed fundraise still fundamentally applies in the current market. I wanted to take a moment to put in writing what I’ve shared with many founders one-on-one, with the hope of ultimately being helpful to a wider audience. There are many things you can’t control when entering the fundraising process: an investor’s predisposition (or lack thereof) to your idea and space, your team’s background, the market environment, or even a VC’s relative mood on pitch day. But there are two concrete things you do have control over: How you craft your pitch deck How you structure the fundraise process and timeline These likely sound obvious, but there are some tactical learnings we had during our seed fundraise (both through the helpful advice of others and through our own initial mistakes) that I share with every early-stage founder who asks for advice on raising capital. 1. Craft a pitch that hits the right notes You likely have a pretty good idea of what a pitch deck should look like, and there are lots of other great materials out there on what to include in your deck (founding backstory, market sizing, etc.). To avoid being repetitive, I’ll focus on two very specific learnings that helped elevate the conversations we were having with VCs and ultimately led to a competitive fundraise for Stytch’s seed round. Anecdotal Data is underrated – use it to show expertise and make the problem more tangible to VCs Quantitative data is great, but at the earliest stages, you often don’t have that much of it. During your pre-seed or seed fundraise, qualitative data will play an outsized role in convincing VCs (a) whether the problem you’re tackling is worth solving, (b) how acute the pain is for potential customers, and (c) whether there is founder-market fit with your startup (i.e. are you the right person to build this idea?). Early stage VCs tend to be storytellers, so rather than dismissing anecdotal data, they actually embrace it – if you’re able to provide insightful anecdata (whether it’s user quotes, interviews, etc.), they can often be what VCs remember most vividly from the pitch. My recommendation is to find ways to weave in qualitative data throughout the presentation. This will be more effective than just dedicating one slide at the end to customer quotes. As an example, we included ten detailed quotes from interested customers on three different slides to help highlight the point we were making on each one. The other advantage of weaving the right anecdata into your pitch is that it allows you to show your expertise on the topic and the extensive research that you’ve put into the space. That, in itself, is a superpower – you should know 10 to 100 times more about your subject than everyone else in the room. Demonstrating that level of expertise is powerful, and while it can be hard to show this in a 30-minute conversation with a VC, things like prospect or customer quotes help reveal how deeply you’ve investigated the space. Lean heavily into the deep conversations you’ve had with users and customers to craft a compelling pitch that demonstrates your familiarity with the pain you’re looking to address. Here are a couple examples of how we weaved prospect quotes into our seed deck: Make sure you have 1-2 slides at the end of the deck that help answer the following question: how could this ultimately be a $50B or $100B company? As mentioned above, showing your expertise in the immediate problem to be solved is important. That said, it’s often easy to get too deep into the weeds, and it’s important to also take a step back and recognize your VC audience and their ultimate goal - returning the fund. One of the most helpful pieces of advice we received when preparing our deck was to explicitly outline how Stytch could become a $100B company. You’ll want to illustrate how your company can reach that scale in the next decade to truly excite VCs about your potential given the power law curve governing venture capital’s investment strategy. It’s helpful to understand the psychology of how VCs approach investment bets. Venture capital performance follows a power law curve rather than a normal distribution: Source Effectively, this means that a few great outlier performances will be responsible for determining whether a venture fund is successful. VCs need extremely high payouts on the few bets that perform well in order to justify the illiquidity of the asset class (without the potential of such outsized returns, LPs would be better served allocating their funds into a more liquid asset). And while VCs know they need to find a few massive winners, they also understand that most investments in the fund will be underperformers. VCs are much more worried about missing an incredible positive outlier than they are about investing in a company that returns little to none of their investment. When you consider the psychology of how VCs invest, it becomes clear why you’ll want to argue how your company could be one of the few hyper performers in their portfolio if things go well. Very rarely is it obvious how a startup could become a $50B or $100B company – it’s much safer to explicitly outline how your startup could achieve this rather than expecting a VC to craft this narrative for you. When we raised Stytch’s seed round, the most comparable company in our market (Auth0) had recently been valued at $1.9B. That’s obviously an impressive sum, but it’s not an extraordinary valuation since even surpassing Auth0 wouldn’t necessarily return the fund for many of the VCs we were pitching to. While my co-founder and I had a firm idea for what could potentially enable us to build Stytch into an eye-popping valuation if the early years went well, I initially struggled to convey this in our pitch deck. Admittedly, it can feel absurd – even arrogant – to be thinking on such a large scale when you’re still pre-revenue, but VCs want to know that you’re thinking about the 10-year+ vision. Chances are you won’t build a $100B+ company (exceptionally few people will), but given the type of founder mindset VCs want to bet on, you need to clearly articulate how this initial idea could grow into something much larger. Note: If you’d like a copy of our seed pitch deck, feel free to reach out to us at startups@stytch.com and we’ll be happy to share it and answer any questions you have about the fundraising process. 2. Run a tight fundraising process Just as important as the pitch deck is how you actually run the fundraise process itself. Being intentional and streamlined in your approach can help elicit more bids under better terms. Being unintentional often leads to fundraising rounds that drag on and suboptimal terms. One small piece of advice when starting out is to maintain a simple spreadsheet of every firm you want to meet, your potential point of introduction, and notes from your meetings with those investors. This spreadsheet is most helpful at the beginning of your process when you’ll want to kick off your introductions to each of those firms in as compressed of a timeline as possible. Make your own copy of this template Keep timing tight and maintain leverage Running a fundraising process can very quickly turn into an all-consuming effort that ends up distracting you from what you need to be focusing on, which is building your product. With that in mind, you’ll want to be intentional about keeping timelines as tight as possible, which means condensing everything into 2-4 weeks if you can. Treat it as your full-time job during this period. Moreover, as a part of this tight process, you’ll want to kick off as many VC conversations as possible simultaneously in order to keep them on similar timelines. This will reduce the likelihood of VCs sharing information amongst themselves, which means you can maintain more of an advantage in your pricing negotiations. And finally, don’t underestimate the power of FOMO – keeping the process short means competing VCs are less likely to hear about funds that may have passed on you, ultimately keeping VC interest as high as possible. There are many other important elements to a fundraise, but the above considerations for crafting your pitch deck and being intentional with your timeline are the most helpful learnings I had during Stytch’s seed raise. If you have any questions, feel free to reach out to startups@stytch.com to ask for anything – we’re happy to provide input on your seed deck and fundraising strategy! --- # What is password salting? Source: https://stytch.com/blog/what-is-password-salting/ Learn what password salting is, why it is important, best practices and how Stytch solutions create enhanced security. Passwords remain the most common method of user authentication. Yet, they’re not the most secure. One solution to certain security concerns with password authentication involves hashing, a form of one-way encryption that transforms one string of characters in a password into a completely different string using a mathematical hashing function. To improve the safety of your hashing algorithm, you can also use security techniques such as salting, where you add a “salt value,” or a set of random characters, to the password before hashing it. Using techniques like salting exponentially increase the computational cost for attackers to decipher the hash if your system is ever breached. In this article, we will discuss what salting is, how it improves the strength of a hash, and what the differences are between salting and peppering. Then, we’ll discuss some best practices for salting a hash and highlight how Stytch’s Passwords solution uses salting to enhance security and protect against hackers. What is salting? Salting is the process of modifying the password string that is to be hashed by adding a salt value to that initial string. A salt is a string of characters that could either be a legible word or, preferably, a set of random characters. For example, you might have a password like Pa$$word, with a salt value of Df)0!2. Instead of storing the hashed password as-is, the system will add the salt somewhere to the string — usually before the password, though it can also be after. The string that will be hashed will be the salt plus the password: Df)0!2Pa$$word, in this example. This new string will then get hashed and saved into the database. So, even if there were to be a data breach and the hashed passwords were to be leaked, the added salt would make even common passwords tough to crack. The value of salting in addition to hashing passwords becomes clearer when you consider how attackers will attempt to crack hashed passwords that are exposed in a data breach. While storing passwords in plaintext is the worst password storage hygiene, rainbow table attacks make the sole act of hashing passwords inadequate when it comes to securing your users. “Rainbow table attacks” leverage pre-computed lists of password hashes to infer the plaintext value of a leaked hash value. By adding a salt to your password hashing process, you remove the ability for hackers to leverage these pre-computed lists. Salting versus peppering Salting and peppering, at the core, have the same goal. Both involve altering the initial string by adding a random value to it before being hashed. The key difference between them is where they are stored. Peppering also describes the adding of a pepper (a random value) to a password during hashing, but unlike salting, the value isn’t kept with the password in the database — instead, it’s saved separately in a different location and form, like in the application code or a Hardware Security Module. One peppering technique is to randomly select a pepper from a list of strings. The pepper used isn’t saved, so each login attempt means the application needs to try each pepper in the list until it finds a matching hash. This is very effective against attacks but places a huge load on the software doing the authentication as you will essentially create multiple log-in attempts while cycling through the list of peppers. Another notable difference is that salting is usually unique per password, whereas peppering would use the same value, or one value of a list of peppers, for each password. The salt would be saved with the hashed password in the database, and the pepper would be in the codebase, in a secure key vault type of service. Unfortunately, this causes peppering to be more hardware intensive than salting, and the computational cost exponentially increases the more users you have. It also causes the login process to be much slower than salting due to the calculation processes. Salting best practices When implementing salting as part of a password storage and hashing process, there are some best practices to follow: Use unique salts: Each unique salt will exponentially increase the computational load to crack the hashed passwords because cracking one password has no bearing on the rest of the passwords. Ideally, there is a unique salt per password, so when a user changes their password, that user-password combination would receive a new salt. This means you shouldn’t: Use usernames as the salt value Use actual words as salts Instead, you use randomly generated strings that draws from upper- and lower-case characters, symbols, and numbers. Use longer salts: The more characters a hash has, the more computational cost is involved in breaking the hash. Since each hash algorithm outputs a consistent hash length, it’s wise to have a salt of the same character length as what the hash would be. Add extra security to your hashes: Add a key to the hash, which should be kept off-site on a separate server. That way, if a hacker were to access a database containing the hashed passwords, they would need to gain access to this separate server as well to get the key. You can also run the password through the hash algorithm multiple times. Salting with Stytch Instead of trying to implement salting yourself, you can turn to Stytch to ensure your salting technique is thorough, advanced, and secure. Our new Passwords solution implements all of the best practices outlined above, offering the most secure, properly salted hash available. We wanted to ensure this password solution used the most efficient and secure hashing algorithm, so we’ve used Scrypt to support our salting and hashing algorithm. Stytch also provides breach detection, helping to prevent the use of credentials that have been compromised, and password strength detection, which makes sure that each link in the chain is as strong and secure as possible. This helps dramatically reduce account takeover risk. Since new ways are constantly being developed to hack passwords, one solution is to move away from passwords entirely. Stytch offers passwordless authentication, meaning users can use things like biometrics, OAuth, Magic Links, SMS and WhatsApp Passcodes, and other passwordless forms of authentication that keep your users — and your systems — secure. But if you’re not quite ready for passwordless, that’s okay! Stytch’s password solution is the most secure option available and will help keep your sensitive information safe. Protect your passwords with Stytch Salting is a necessity when storing passwords, as it protects yourself as well as your users. It provides that extra set of uniqueness to a password and, in turn, makes the password exponentially more secure — on top of the base level of security that password hashing offers. Stytch uses best practices to ensure that the salts used are unique and that each password is properly hashed and secure. To see Stytch’s salting strengths in action for yourself, get started with Stytch today. --- # How to prevent account takeover (ATO) and improve user authentication Source: https://stytch.com/blog/improve-user-authentication-to-prevent-data-breaches/ Learn how poor user authentication can lead to account takeover, and steps you can take to ensure your security and identity are protected and not at risk. Poor user experiences are directly responsible for most instances of online fraud and account takeover (ATO). Today, 82% of all successful data breaches can be traced to the human element in online security — specifically, weak or reused passwords that can be easily used by hackers to mount credential stuffing attacks or brute-force attacks and take over a user's account. But users aren't really to blame for putting their data at risk. Instead, the fault lies in the burdensome password experiences many applications put them through whenever they want to create or safeguard a new account. In this post, we review how account takeover attacks work — and how modern auth solutions with better user experiences can help prevent them. Playing whack-a-mole with account security Weak passwords have introduced major security threats that nearly every app developer finds themselves scrambling to prevent: Credential stuffing attacks and brute-force attacks Both of these strategies involve using compromised or stolen credentials to carry out an account takeover and data breach. In a credential stuffing attack, a hacker intercepts account details — typically, username and password pairs — through a data breach. Since most users reuse the same credentials across multiple websites, the hacker can then use bot traffic to "stuff" these login details into different apps and websites on a trial-and-error basis to gain access to several of a user's accounts at once. In a brute-force attack, on the other hand, these attempts are less targeted, with hackers trying popular password combinations (think "12345") at random across different accounts to gain access. Account takeover In an account takeover, hackers execute the final step to actually take control of a user's account(s). Account takeover attacks typically have a financial motive, with the hacker using stolen accounts to directly defraud users (e.g., draining funds from their bank account) or businesses (e.g., making an e-commerce purchase that the retailer will ultimately be forced to refund). Adding friction to the user experience Today, companies spend significant resources and place multiple points of friction in front of good users to reduce the risk of credential stuffing, brute-force, and account takeover attacks. For instance, many apps integrate reCAPTCHA or hCAPTCHA technologies to detect and prevent bot activity. They may also add two-factor authentication (2FA) or multi-factor authentication (MFA) in the form of SMS one-time passcodes or TOTP to protect against account takeover once a user's password is compromised. The anatomy of a successful account takeover attack To understand how applications can optimize their account takeover prevention, it's helpful to understand how account takeover attacks work. These attacks are attractive to fraudsters because they're 1) very lucrative and 2) easily scalable. Paths to a successful account takeover For one thing, account takeover attacks are often highly coordinated operations and fueled by an entire cottage industry of fraud. Different hacker teams may each conduct one of three different steps involved in account takeover attempts. Let's explore these three steps in greater detail: 1. Hackers find a way to break into an app or website's user database to extract login credentials like emails, usernames, and passwords. The applications most frequently targeted for these types of hacks tend to share two key traits: They have a large user base. They are not a security-centric company. Of course, not being “security-centric” doesn't mean an app doesn't care about security. It simply means that security is not the primary consideration for their product or its value proposition. For example, banking apps and custodial crypto accounts are only valuable if they can safeguard a user's funds, so they typically invest heavily in security and are generally considered more difficult to breach. That said, hackers don't actually need to breach the Coinbase or Chase app to steal a user's bank account; they can just as easily get in via LinkedIn or DoorDash. More on that later. 2. Once hackers have successfully breached a database, they'll determine where else a user may have reused the same credentials, so they can gain access to multiple accounts. Hackers realize that stealing a user's LinkedIn account holds some value, but the path to monetization is much more difficult and much less rewarding than stealing that same user's financial accounts. That's why, at this point, they'll either sell the list of breached credentials to the highest bidder or invest in software that allows them to programmatically send login requests (via bots) to other apps and user accounts they're more interested in breaching. This is one of the main reasons users are often asked to confirm they're not a robot when signing in. 3. Once hackers have validated where else a user's stolen credentials can be used, they progress to exploitation, inflicting as much financial damage as possible. The exact method of fraud and monetization may differ at this stage, depending on the type of account that's been stolen. For instance, a hacker can directly drain a financial account of the money within, but they may only seek to leverage a social media account to launch phishing attacks on a user's contacts or promote specific products for a kickback. Scaling account takeover attacks What makes these attacks so common and dangerous is the sheer scalability of the attack vector. If a hacker can breach 10 million passwords, validate that 20% of them were also used at a major bank through programmatic means, and then drain those accounts without ever incurring the risk of walking into a bank branch, they've essentially found a modern, remote, and relatively low-risk way to become a bank robber. It's no surprise that account takeover and online identity theft lead to massive financial losses every year. In 2021 alone, $12 billion was lost to account takeover fraud, representing a 3x increase from 2018. For context, that amount is roughly 25x higher than the worldwide fraud loss from bank robberies when last measured in 2019. How better user experiences can prevent account takeover fraud Tools like Google's Password Checkup can be a great way to audit the security posture of a user's online accounts. But the results of these audits can reveal just how risky a poor user experience can be and how overwhelming we've made it to actually remedy cybersecurity issues. For example, the user in the screenshot above has: 15 known compromised passwords, meaning they've likely been exposed in data breaches like those suffered by Yahoo, Target, LinkedIn, and so on 107 re-used passwords across multiple accounts 109 weak passwords that can be easily guessed by hackers or bots How did we end up in a world where a normal user has 200+ insecure online accounts? And why are we putting the onus on users to fix these vulnerabilities, when they ultimately come down to suboptimal sign up and log in flows? There are two critical shortcomings apps introduce to the user experience when users attempt to create an account and/or improve their account security: 1. They make it easy for users to shoot themselves in the foot when creating passwords. Today's users are asked to manage hundreds of online accounts, and each new password they create is required to include a complex mix of letters, digits, and symbols. It's no wonder they look for shortcuts and re-use the same password across multiple sites, ultimately putting themselves at risk when one or more of those sites is hacked. Most users don't intuit the interconnectedness of online security, nor realize that an insecure password on their streaming service could actually imperil their bank account. And, given the decades of failed education on the topic, we may have to admit that they never will. 2. While tools like Password Checkup are extremely valuable, it's easy to see why users give up when presented with a multi-step process to fix their online security. Simply put, we're never going to convince the average user to undergo this much friction to prevent account takeover fraud. Instead, this issue needs to be solved at the application level, so users are not asked to be their own security experts. Currently, the user experience is broken when it comes to helping users create safer passwords and making it easy to remedy cybersecurity issues. Fortunately, there are modern authentication tools available that allow apps to protect their users (and themselves) with minimal engineering effort. Using modern authentication tools for account takeover prevention Over the past few years, the tools to prevent account takeover have dramatically improved, offering a great opportunity for apps to upgrade the UX and the security posture of their sign up and log in flows. Here are some of the key strategies app developers should consider adopting to prevent account takeover attacks and ward off popular tactics like credential stuffing: 1. Improve the security of users' passwords. There are two simple but concrete ways to do this right away. Don't allow users to enter compromised credentials in your sign up and log in flows. There are endless data breaches exposing users' passwords, but there are also great resources developers can plug into to detect compromised credentials. Apps and websites can turn to tools like HaveIBeenPwned (supported by Stytch's password check API), which prevent users from re-using credentials that are known to have been stolen in a previous hack. Or, if a user already has an existing password, apps can check whether it's been leaked when that user tries to log in again — and force a password-reset flow if it has. Doing so compels would-be hackers to also breach a user's email inbox, which is much more difficult given the prevalence of multi-factor authentication (MFA) on email accounts. Move away from friction-heavy and security-light password strength estimators, and use more modern ways to improve users' passwords. Traditional password strength estimators follow the LUDS formula, requiring users to include at least one lower-case and upper-case letter, digit, and symbol in a new password. Unfortunately, humans are predictable, and we often end up with insecure passwords that satisfy these conditions but are exceedingly easy for machines to crack — think, P@ssword1, Password1!, etc. Instead, Stytch uses Dropbox's zxcvbn password strength estimator, which offers a more flexible assessment based on how resistant a password is to the latest password-guessing techniques. This feature is designed to make strong passwords easy for humans to generate and hard for robots to guess. 2. Integrate better bot prevention technologies. Every app and website should integrate some form of bot detection and prevention. Google reCAPTCHA remains the standard option, but there are also more advanced products on the market, like hCaptcha and Arkose Labs. Any type of bot prevention is better than nothing, but if an app is still suffering from attacks on sensitive user routes, it's likely due to the increasing availability (and relatively low cost) of CAPTCHA-solving services like Anti CAPTCHA, which make it easy for bots to bypass a CAPTCHA system if the hacker is willing to pay a minimal sum. To make CAPTCHA solution un-bot-able, Stytch has developed a proprietary CAPTCHA solution that offers stronger protection against CAPTCHA-solving services. 3. Consider using passwordless auth, which is more difficult and more expensive for hackers to attack. Passwordless technologies are particularly powerful because they can either be layered on in a multi-factor authentication flow or used as the primary auth method while reducing user friction. Most passwordless methods are used as secondary factors, asking users to verify “something they have” (e.g., a specific device, access to a registered email address or phone number, a YubiKey, etc.) or “something they are” (via biometrics like facial recognition or fingerprint scans) once they've already presented "something they know" in the form of a password. The two major benefits of passwordless auth are its ease of use — which can improve conversion rates, lower customer acquisition costs, and increase lifetime value — and the higher cost of an attack. Unlike traditional passwords, passwordless methods are not well-suited for scaled attacks, because hackers cannot steal phone numbers, on-device biometrics, or email accounts in bulk. This considerably increases the cost of each individual hack, which is why fraudsters focus their efforts on password reuse today. While there are attack vectors focused on certain passwordless technologies (for instance, some users' phone numbers are targeted when attackers want to take control of their SMS inbox), these attacks are rarer, given the cost involved. They're also easily mitigated by using the appropriate authentication method. For instance, if an app protects financial assets, its developers may choose not to offer SMS-based auth as an option, instead gravitating toward biometrics or device-based methods like TOTP and WebAuthn. Another simple way to improve both security and the user experience is to take a hybrid approach to password-based and passwordless auth with a streamlined password reset flow. Adding a simple magic link login option (instead of requiring users to change their password entirely) gives them the option to avoid the friction of a reset and log back in with a single click. The bottom line There's no one silver bullet that will eliminate the risk of account takeovers and data breaches — but thanks to modern auth tools, there are simple, straightforward ways that apps can enhance their sign up and log in flows while keeping their users safe. Defend against account takeovers with Stytch Stytch offers a range of robust passwordless and password-based auth solutions as part of our flexible product suite. To learn more about how they work, reach out to a member of our team—or sign up for a free account to try them out for yourself. --- # Stytch’s guide to adding passwordless options for password-based auth flows Source: https://stytch.com/blog/adding-passwordless-to-passwords/ Learn how you can boost your app’s UX and security by adding passwordless auth options to your password-based flow. Adding passwordless options to your password-based auth flow is a quick, seamless way to boost security and user engagement. At Stytch, we’re passionate about the power of frictionless, passwordless authentication, and we believe it’s the way of the future. But we also realize that each application and user base is unique, and not everyone is ready to ditch passwords for good. For that reason, we offer a full suite of Customer and Identity Access Management (CIAM) solutions including both password-based and passwordless options to help you provide the most secure and high-converting auth flows to your customers. Luckily, adopting passwordless auth isn’t an either/or proposition. You can easily add passwordless options to your existing password-based flow — whether as one option among many or as a primary or secondary factor in a multi-factor authentication (MFA) flow — and still enjoy all of the associated UX and security benefits. As an added bonus, if or when you do decide to go fully passwordless, you’ll already have all the right pieces in place. In this guide, we navigate the first step forward on the authentication adoption curve and share how you can shift from an exclusively password-based flow to a hybrid password/passwordless flow, with a glimpse into some of the most common transitional auth models in use today. Finding the right path to passwordless No two journeys on the authentication adoption curve are alike. You may be eager to implement a passwordless solution as your primary authentication factor, or you may merely want to include one as a parallel or secondary factor. For those early in the passwordless adoption curve (or just starting to consider a change), we offer a modern Passwords product that enhances the security and UX of your current password-based flow. Among other innovations, our API scans the web for breached credentials and bakes smooth, passwordless Email Magic Links into the password reset template. If you are ready to try passwordless, there are many passwordless solutions on the market. Each comes with its own distinguishing features, and identifying which method is right for your app often depends on your specific industry, audience, and target user experience. Below, we explore some of the ways you can position a passwordless method within your flow — and which methods would be a good fit — to help you determine the best path forward. Passwordless as a parallel option In some cases, you may want to offer several primary authentication options, covering many bases at once and increasing the likelihood users will sign up for and engage with your app. For instance, you could consider presenting high-converting, passwordless auth methods side-by-side with your current password-based flow: OAuth (aka Social Logins) OAuth logins allow users with accounts on platforms like Google and Facebook to sign up for and log in to your app using those existing credentials. Spotify, for instance, gives users the choice of entering a classic username-and-password combination or using OAuth to sign in through their Facebook, Apple, or Google account. OAuth offers several UX and security benefits, including: Leveraging trust and credibility by authenticating users through popular, established platforms they’re already familiar with. Removing the friction and risk of making users create and recall another set of credentials — or, worse, re-use existing passwords. Giving users flexibility and control over their authentication experience. OAuth is a good choice for apps that want to provide maximum flexibility with minimal risk. Make sure to look for account deduplication measures, which top providers like Stytch will build into their solutions to avoid vulnerabilities arising from multiple access points. It’s worth noting that 70% of our new customers sign up for an account via OAuth versus other available flows, making it one of the highest converting methods we’ve seen. Email Magic Links While Email Magic Links work well as a primary auth factor, they’re often used as part of a password-reset flow. That’s because, in many cases, conventional password-based logins already include a user’s email address — so it’s a quick, painless process to send a link they can click to instantly verify their identity and log back in. For example, companies like Instagram still put passwords first — but they rely on Email Magic Links to remove friction from their critical reset flow. Of course, by using magic links as a reset measure, you’re embedding a passwordless auth flow into your app — so why not just offer it outright as a parallel primary option? Some of the advantages of Email Magic Links include: Higher conversion rates, since all users have to do is click on a link to log in. Stepped-up security, since the added verification layer prevents cyber attacks from bots and other bad actors. Smoother reset flows, since users don’t have to come up with (and remember) yet another convoluted password to re-engage with your app. Magic links are a good option for apps with high email penetration among their user base. Stytch even offers Embeddable Magic Links that weave the authentication process seamlessly into your marketing campaigns and other customer communications, boosting conversion and engagement rates even further. One-Time Passcodes Like Email Magic Links, One-Time Passcodes (OTPs) can be used as a primary auth factor or as part of an MFA flow. Users are sent a unique passcode via SMS, email, or WhatsApp, which they then enter in-app to access their account. ESPN, for instance, uses an email-based OTP flow as part of its password-reset process: Passcodes share many of the benefits of Email Magic Links — and, for mobile apps, they may even be faster, since they make use of a device users already have in their hands. Now, iOS and Android phones also have auto-fill capabilities for incoming passcodes, so users can onboard and log in with a single tap (and without ever leaving your platform). Passwordless as a secondary factor Including a passwordless solution as a secondary factor (2FA) means you can keep your current password-based approach as is. Adding a step to your initial login flow — or later in your user access journey to protect higher-risk actions — just means you offer an added layer of security. In addition to those listed above and below, there are several passwordless methods you can use as a secondary or supplementary factor, including: Time-based one-time passcodes (TOTP) TOTP works well as a two-factor auth option in circumstances where you need added reassurance of ironclad security — like moving large volumes of money or handling personal payroll records. It requires users to establish they’re holding a particular device, generating a passcode that’s based on the current time, as well as a shared secret between the server and an authenticator app like Google Authenticator. That means TOTP allows you to: Avoid common phishing attacks by removing users’ phone numbers from the equation, using an app on their local device instead. Limit auth windows to a narrow window of time, usually about 30 seconds. Authenticate offline, which may be significant for users in areas with poor or limited connectivity (like an airplane) who still need immediate access. Inserting a secondary, passwordless factor like TOTP into your authentication flow means you can provide extra security — without the extra friction. Passwordless as a primary factor Going passwordless-first is as simple as making any of the above passwordless flows your primary (or even your only) authentication measure. In fact, virtually all of the passwordless auth products we offer through Stytch’s platform — including Email Magic Links, SMS and Email Passcodes, and OAuth Logins — can be mobilized as your sole factor. Forward-thinking companies are also finding ways to innovate on frictionless, biometrics-based methods and make them the only auth solution apps will ever need: Biometrics Biometrics are an element of WebAuthn — a cutting-edge web standard that authenticates users through desktop and mobile browsers using built-in biometric scanners (like fingerprint, face, and iris IDs) or specialized hardware keys like YubiKeys. Historically, biometric data has been stored locally on a mobile device or laptop, making it impossible to access across platforms, relegating it to supplementary-factor status. But now, groundbreaking solutions like Apple’s new passkeys can back up the cryptographic keys that contain biometric data to the cloud — making them interoperable across devices (and viable for primary auth). Biometrics are considered next-level auth for good reason: They’re pretty much unhackable, since a user has to prove possession of an original device and a unique biometric trait. They introduce zero friction, since all a user has to do is touch or look at their device to be verified. They fit neatly into any part of your auth flow, since they don’t require users to navigate away from your platform or app. As cross-platform biometrics become increasingly available, our prediction is they will quickly become the gold standard for easy, high-converting authentication. How will you go passwordless? There are many creative ways you can add passwordless solutions to your app’s current authentication flow — and we love sharing them. Stay tuned for more content that covers the second half of the adoption curve and demonstrates how you can easily make the switch to fully passwordless auth. To learn more about the ins and outs of passwordless auth — and find the method that’s right for you — join Stytch’s Slack channel or sign up to get started! --- # Step-up versus multi-factor authentication (MFA) Source: https://stytch.com/blog/step-up-auth-vs-mfa/ Learn how businesses strive to protect user data with two primary forms of authentication, step-up and multi-factor, and the differences of each. Over the past decade, digital transformation has touched every part of our lives. Even companies that have historically provided analog services to users (e.g. shipping) have had to adjust to this digital transformation – that’s because consumers expect to be able to access and act upon information with the digital devices in their pockets and on their desks. On average, users now hold over one hundred online accounts for every type of service that you can imagine. This shift has required virtually all companies to create digital solutions to support their core business functions and store sensitive data such as customer and vendor information. Keeping confidential data secure needs to be a top priority for all organizations, and this is exactly what digital authentication tries to achieve. Digital authentication verifies identity when accessing sensitive data, applications, or other services. An entity could be a user (a human), an Internet of things device, a process, application, or service. Authentication is the backbone of IT security. Without it, no one could safely use digital technology as we do today. Various authentication methods protect digital assets and govern access to them. Some are more secure than others, and some require more than one authentication method to achieve their desired security level. This article compares two popular authentication strategies, step-up authentication and multi-factor authentication (MFA), and discusses where each fits best according to an organization’s security needs. Defining multi-factor authentication (MFA) As data breaches become common, the need to strengthen current authentication systems that still only use usernames and passwords to protect sensitive resources becomes paramount. According to the Verizon Data Breach Investigations Report, 82% of all breaches involve weak or stolen credentials. Most of these breaches would not have happened if an MFA mechanism had been in place. MFA (also often called two-factor authentication or 2FA) is a mechanism that requires users to provide two or more authentication factors to verify their identity. There are three major types of authentication factors, and each one requires different authentication methods to satisfy its conditions. The “something-you-know” authentication factor This factor is something a user knows, such as a username and a password or the answer to a secret security question. This is the most common form of authentication online today where a user must re-supply some shared secret with the application (e.g. their password) in order to prove themselves. The “something-you-have” factor This factor is something the user has possession of, such as a smartphone to receive an SMS message containing a secret code or a hardware security device to generate a one-time passcode (OTP). The “something-you-are” factor This factor is something strictly unique about the user, such as a biometrics characteristic. Biometric authentication involves verifying users’ biological or behavioral characteristics, such as voice and facial recognition, fingerprints, or DNA matching. The benefits and challenges of MFA MFA provides numerous benefits for organizations: It increases security by providing additional layers of authentication. If cybercriminals steal a user’s password, they must still give a second authentication factor. It has become mandatory for many organizations working in high-value industries to comply with the relevant data protection requirements. An MFA system that uses biometric and passwordless authentication streamlines the authentication process and makes employees and users happier by removing the need to remember traditional passwords. Despite its benefits, MFA also comes with challenges: Deploying an MFA system is costly compared with traditional password-only systems, especially in the initiation phase. Implementing MFA to secure applications, data, and systems in hybrid environments is technically challenging. For example, some applications could be local while others are cloud-based. Implementing the same authentication system across hybrid environments requires continual monitoring and maintenance to remain operational. Some users find it daunting to use MFA authentication, which makes them abandon the service in favor of the traditional username and password combination. Defining step-up authentication As mentioned above, organizations use various digital authentication methods to protect their sensitive assets. Multi-factor authentication describes the process of combining multiple authentication factors to increase the security of users’ accounts. Step-up authentication is a specific type of multi-factor authentication where the application implements an authentication strategy that requires an additional authentication level specifically when trying to perform high-risk operations on an IT system. For example, customers can use the banking applications installed on their smartphones to view their profiles and check their latest account transactions. Of course, they must log in to their account using, for example, a username and password. However, suppose the customer tries to perform a risky operation, such as transferring a large sum of money to another account. In that case, the banking app requires an additional authentication method. Another method might be providing a one-time passcode (OTP) sent through email or text messaging, an authentication app, or biometrics. As the previous example shows, step-up authentication requests additional identification information to verify a user’s identity when trying to accomplish sensitive actions. Requesting further information enables IT administrators to use different authentication levels based on the sensitivity of the resources. You can contrast step-up authentication with another type of MFA called adaptive MFA – step-up authentication is a MFA strategy where particularly sensitive routes in an application require MFA while adaptive MFA is a strategy where only certain types of user characteristics (e.g. a suspicious IP address) require MFA. Both are individually helpful, but they become even more powerful when combined together into a comprehensive authentication strategy. You can use step-up authentication to secure access to critical resources, such as updating payment information, transferring funds, and changing payment settings in an account to enable withdrawing funds to other accounts. You can also use the adaptive MFA scheme to verify users’ identities when: They fail to log into their account several times — for example, by providing an incorrect username and password. They access an online service from an unusual location, such as a foreign country, for the first time. Step-up versus multi-factor authentication In general, most authentication systems to date still use usernames and passwords as the first authentication factor. However, many organizations have strengthened their authentication systems by adding additional authentication factors like possession or biometrics. For instance, if the traditional password is the first authentication factor, the second one could be the following: Hardware tokens that mimic USB dongles and generate a temporary code. Software tokens generated by programs on computers or smartphones. Magic links sent by the system to email addresses enabling users to log in by clicking the link. See the screen capture below for a sample magic link sent using Slack: OTPs sent to a user’s registered mobile phone number by SMS that contain a temporary passcode. Push notifications sent using an authentication application installed on users’ smartphones. An example of such an application is Microsoft Authenticator. Biometric authentication using unique biological traits for verification, such as voice recognition, facial recognition, retina and iris recognition, fingerprint scanning, hand geometry, and vein recognition. You can use step-up authentication with MFA to add additional layers of authentication when accessing critical resources. The system authenticates users with MFA. However, when they want to perform risky operations, the system requests additional authentication using a different factor to confirm their real identity. In this context, step-up authentication is a system that uses MFA techniques to provide a sequence of authentication chains when users want to access critical resources. Organizations often use step-up authentication to follow their security policies and compliance requirements. This allows them to strengthen the security of their system while allowing the right amount of friction based on the different security needs of other parts of the application. It’s worth noting that route-based authentication and just-in-time authentication are other terms used synonymously with step-up authentication. Managing the burden of MFA systems and incorporating the step-up approach within them requires investing in a solution that can handle this process. Stytch provides a rich authentication solution that uses a suite of authentication factors. We believe the best approach to MFA is to introduce friction when needed, using incremental security for higher-risk actions within an app. This approach allows you to restrict specific actions within an app that require higher security and allow lower security, read-only actions to occur easily. In terms of the effort required to implement step-up versus MFA, any system that uses MFA can use step-up without much additional effort. As previously mentioned, you can consider step-up a subtype of MFA in terms of using different authentication factors when trying to access sensitive resources. Authentication in practice High-risk industries, such as finance, health care, e-commerce, and government, should use MFA to secure their digital assets. However, they should also deploy step-up authentication to protect access to the most critical areas within their IT systems. For example, in the health care sector, patients could use MFA authentication, such as a traditional password and an OTP sent by SMS, to access their medical profile held by a health institution. However, when a patient wants to access the area containing information about their diseases, medical treatment, or the type of medicine they take, they must submit an additional authentication factor, which is where step-up authentication can be used. In finance, most people already use two-factor authentication (considered a type of MFA) when withdrawing funds from ATMs. For example, customers must provide their credit card and a memorized PIN code when withdrawing money from an ATM. Developing MFA authentication that includes step-up authentication is a challenging task that most organizations can’t achieve alone. Stytch provides an authentication platform that handles the entire auth process for customers. It includes the following key features: Magic Links to send password-free links for registration and login. One-time passcode sent by SMS to registered mobile phone numbers. One-time passcode sent to registered email addresses. One-time passcode sent by WhatsApp, allowing users to sign in from any place worldwide. OAuth 2.0 and OpenID to provide a low-friction authentication option. Support for just-in-time authentication that allows for selecting the level of authentication based on the sensitivity of the accessed resources. Support for built-in biometrics authentication and hardware token authentication. Ability for crypto wallets to register and log in to any web2 or web3 app or service Various additional security measures, such as breach detection for password authentication. Bot prevention technologies. Traditional password-only authentication systems are insufficient to stop the ever-growing number of data breaches. Deploying an MFA system has become necessary to protect the most sensitive digital assets. Step-up authentication adds extra security for logged-in users attempting to access sensitive information. Despite numerous cyberattacks, organizations may still find it challenging to deploy modern authentication systems that use step-up authentication and MFA because of the technical complexity of developing and maintaining such solutions. Stytch provides a comprehensive authentication solution that includes today's most popular authentication factors to provide frictionless authentication solutions for both MFA and step-up approaches. Talk to an auth expert to learn more about the authentication options that Stytch offers. --- # Multi-factor authentication: how to choose the right approach for your business Source: https://stytch.com/blog/which-mfa-is-right-for-your-business/ Understand what multi-factor authentication is, how it enhances the security of your users’ accounts and which MFA is right for your business. Multi-factor authentication (MFA) is a key tool for companies looking to elevate users’ account security, helping to mitigate credential stuffing attacks and prevent account takeover fraud. Sometimes used interchangeably with the term two-factor authentication (or 2FA), MFA involves a layered approach to confirming a user’s identity to ensure they have permission to access a protected digital system (e.g. a website, application, network, etc.) or perform a specific protected task within that system. As its name suggests, MFA requires users to successfully present two or more identity credentials, called authentication factors, in order to gain clearance. Implementing MFA is now a critical step for any company serious about their Customer Identity and Access Management (CIAM) program. MFA often (but not always) occurs at initial login. Sometimes, however, the authentication factor prompts are dispersed throughout a user’s digital experience, only requiring 2FA when the user attempts to take a particularly sensitive action such as change their payment details. This latter implementation, where authentication friction is only introduced at the appropriate time in the user’s session, is referred to as “just-in-time” or step-up authentication. Finally, there’s also a type of step-up authentication called “adaptive MFA”, which requires users to go through a MFA step when a specific behavioral change on the account suggests a higher risk of account takeover (for instance, if it’s a new device or a suspicious IP address). Typically, the user's credentials – whether a password, username, or some other type of secret key – will serve as the "something you know" factor, while a second factor of authentication that is unique to that individual, such as a fingerprint, retina scan, or one-time passcode generated by an authentication app, will serve as the "something you have" factor. The combined use of these two factors makes it much more difficult for an unauthorized user to gain access to an account, as they would need to have both the user's credentials and the second factor of authentication. There are a number of different ways to implement MFA, and the specific method(s) used will depend on the type of system being accessed and the level of security required. For example, systems that require a high level of security, such as financial or healthcare applications, may use MFA that combines multiple factors, such as something you know, something you have, and something you are. In this case, the "something you are" factor would typically be a biometric, such as a fingerprint or iris scan. The growing importance of secure multi-factor authentication Today, supporting multi-factor authentication is necessary for most applications that safeguard even remotely sensitive data due to the prevalence of credential stuffing and account takeover attacks. Account takeover risk stems from the greatest weakness in online security: the human element. A Verizon Data Breach Report found that 82% of all data breaches can be traced back to the human element involved in online security – specifically, the weak and inadequate passwords that users often re-use across multiple sites. Weak passwords have introduced two major security threats that nearly every application finds themselves playing whack-a-mole to prevent: 1) credential stuffing attacks and 2) account takeover. Credential stuffing involves fraudsters trying to validate whether a username or email and password pair are valid for a particular site and involves sending significant bot activity to applications’ login forms. Account takeover is an attack vector where hackers execute the final step to actually take control over online accounts that belong to another user. Account takeover attacks typically have a financial motive where the attackers intend to use the stolen account to defraud the user directly (e.g. draining funds from a bank account) or the business (e.g. making an e-commerce purchase that the business will ultimately need to refund to the original user). One method for reducing account takeover risk is to require users to create passwords on your site that haven’t previously been exposed in a data breach (this is made possible by built-in breach detection in Stytch’s Passwords product), but another popular way to protect user accounts involves layering on additional security with multi-factor authentication. Fortunately, there are numerous secure options to choose from that can help you eliminate the vast majority of account takeover risk in your application. When deciding to integrate MFA into your application, there are a few questions to ask yourself: Will you make MFA optional or require it for all users? Will you offer multiple MFA options so that users can choose what best fits their needs? How many and which options will you provide? Will you layer on? What MFA is right for you? While you can theoretically use any authentication method for two-factor authentication, there are strengths and weaknesses associated with each one. Unless you require it for your application, it can be difficult to convince users to enroll in two-factor authentication after they’ve already created an account. While there are versions of multi-factor authentication (e.g. Yubikeys and biometrics) that are more secure than common methods like phone number verification, our recommendation is to pursue a MFA strategy that allows you to enroll the highest percentage possible of your user base. This typically entails offering multiple options to users when enrolling in MFA. Balancing security and user friction: step-up authentication Organizations use various digital authentication methods to protect their sensitive assets. Multi-factor authentication describes the process of combining multiple authentication factors to increase the security of users’ accounts. Step-up authentication is a specific type of multi-factor authentication where the application implements an authentication strategy that requires an additional authentication level specifically when trying to perform high-risk operations on an IT system. For example, customers can use the banking applications installed on their smartphones to view their profiles and check their latest account transactions. Of course, they must log in to their account using, for example, a username and password. However, suppose the customer tries to perform a risky operation, such as transferring a large sum of money to another account. In that case, the banking app requires an additional authentication method. Another method might be providing a one-time password (OTP) sent through email or text messaging, an authentication app, or biometrics. As the previous example shows, step-up authentication requests additional identification information to verify a user’s identity when trying to accomplish sensitive actions. Requesting further information enables IT administrators to use different authentication levels based on the sensitivity of the resources. You can contrast step-up authentication with another type of MFA called adaptive MFA – step-up authentication is a MFA strategy where particularly sensitive routes in an application require MFA while adaptive MFA is a strategy where only certain types of user characteristics (e.g. a suspicious IP address) require MFA. Both are individually helpful, but they become even more powerful when combined together into a comprehensive authentication strategy. You can use step-up authentication to secure access to critical resources, such as updating payment information, transferring funds, and changing payment settings in an account to enable withdrawing funds to other accounts. You can also use the adaptive MFA scheme to verify users’ identities when: They fail to log into their account several times — for example, by providing an incorrect username and password. They access an online service from an unusual location, such as a foreign country, for the first time. Removing the hassle of MFA with Stytch Stytch offers a suite of different MFA options that are easy to integrate, so that you can provide the right level of optionality to your user base. From SMS to TOTP to biometrics and hardware keys, we offer every conceivable 2FA option that you and your users could need. Additionally, we make it easy to minimize MFA friction by only introducing these requirements when a user is accessing sensitive information (step-up auth) or when suspicious behavior is detected (adaptive MFA). To get started, you can sign up for Stytch or request to talk to an expert to chat through your organizations’ specific needs. --- # Eliminate bot attacks from the CAPTCHA equation Source: https://stytch.com/blog/protect-against-captcha-fraud/ Understand how CAPTCHA fraud works and how you can protect against it with Stytch’s stronger CAPTCHA solutions. Today, humans only make up 38.5% of internet traffic. The other 61.5% is non-human (bots, hacking tools, etc). When you consider how pervasive non-human traffic is on the web and the potential threat this bot activity can pose to companies (brute forcing users’ passwords to steal their accounts, executing scripts to buy out concert tickets in order to profit on the secondary market, etc.), it’s not surprising that we’re often asked as users to prove our personhood when browsing the web. This incessant bot activity defrauds both users and businesses – when a user’s bank account is stolen, it’s typically the victim of a bot-powered credential stuffing attack. And all of this non-human traffic leads to both fraud losses for companies in addition to the increased compute costs it generates. To combat this bot traffic over the past two decades, companies have been relying on the use of CAPTCHAs to distinguish between humans and bots. CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. Most people are familiar with the nature of these tests — having to pick things like buses and crosswalks out of a lineup of images — but they pose a problem for most bots. The narrowly-defined nature of the tasks that bots perform prevents them from being able to interpret images or replicate the human responses that CAPTCHAs are based on. And while a bot could be developed with these capabilities, it would be both incredibly time-consuming and expensive. Furthermore, a solved CAPTCHA cannot be reused. So, even if a bot does correctly decipher one, it must repeat the process thousands of times, which negatively impacts the speed that makes credential stuffing so viable. So, if we’re constantly bombarded with tests asking us to prove that we’re not bots, why are bot-based attacks (stolen accounts, spam, scalped tickets, etc.) still such familiar issues on the web? The answer is CAPTCHA fraud, a cottage industry in which humans play the role of Mechanical Turks to power the bot ecosystem. Understanding CAPTCHA fraud Bots’ ability to consistently trick CAPTCHA stems from a key design flaw in the architecture –– the public key problem. Every major CAPTCHA system exposes its public key, making it easy for bots to scrape and submit the public key to a ‘CAPTCHA-solving-as-a-service’ company. At CAPTCHA-solving companies, commonly referred to as CAPTCHA farms, people manually solve CAPTCHA tests for bots for a living. As mentioned, this involves a Mechanical Turk approach that utilizes low-cost labor to solve the challenges remotely and send the solved CAPTCHA back to the owner of the bot program. This is only possible because CAPTCHA does not require the solver of the challenge to be in the same browser used to submit the challenge’s solution. If you google how to beat CAPTCHA challenges, you’ll find that dozens of companies fall into this cottage industry of CAPTCHA fraud. You’ll find many sites like https://anti-captcha.com/. And its website has many of the hallmarks of any good SaaS company! 1. A compelling landing page and detailed value proposition. This is the landing page of one of the largest CAPTCHA solving services. Its website highlights why you should choose it over competitors: it’s cheap and reliable. 2. A detailed overview on how the service works. The steps are made clear to the customer. A bot uploads the CAPTCHA to the website, it's solved by a worker, and sent back in an average of 11.3 seconds. 3. An up-to-date status page on how they’re performing and the pricing for their different products. This is a snapshot of a live feed on a CAPTCHA farm website – it details what types and how many CAPTCHAs are being solved per minute and the price per type of CAPTCHA. CAPTCHA farms are in a position to solve every type of CAPTCHA at a mass scale. 4. A final demonstration of their expertise to drive it home. The simple nature of the task is clear. All a bot has to do is scrape the public key and the CAPTCHA farm will do the rest. 5. Support for 15+ payment methods (necessary for such a global product)! These services take a wide variety of payments. The economics make sense for attackers, it is really cheap (and easy to pay) to solve CAPTCHAs. Protect against CAPTCHA fraud with Stytch CAPTCHA solving services help bots dominate the internet today and impose real friction and cost on both users and business in the form of fraud, wasted resources and time. The exposed public key architecture has created scalable attack vectors for bots and the best solution for protecting against them is to remove this loophole altogether. With our Strong CAPTCHA solution, we've done exactly that. As an example of the lengths companies need to go to today in order to counter this weakness in the existing CAPTCHA ecosystem, certain companies like Binance are forced to build their own custom version of CAPTCHA to reduce the risk of being aggregated by a CAPTCHA farm. At Stytch, we’re on a mission to eliminate unnecessary friction on the internet, and today, CAPTCHA fraud is one of the greatest offenders. We’re excited about new methods for stopping bots without putting undue friction on good users. If you’re interested in learning more, check out our Strong CAPTCHA product page, or talk to an auth expert to learn more about how Stytch can help you stop bots on your application. --- # The definitive guide to choosing a Customer and Identity Access Management (CIAM) solution Source: https://stytch.com/blog/guide-to-choosing-ciam/ When it comes to customer identity and access management (CIAM), there are a lot of decisions to make. Learn how to think about building or buying a CIAM solution that best fits your business needs. When it comes to customer identity and access management (CIAM), there are a lot of decisions to make. What features do you need? How will you integrate the solution into your existing infrastructure? Do you want to build or buy a CIAM platform? These are all important questions, but they can be difficult to answer without first understanding the landscape of CIAM. In this blog post, we’ll introduce CIAM and provide a guide for your business on how to think about building or buying a CIAM solution that best fits your needs. What is Customer Identity and Access Management (CIAM)? Customer Identity and Access Management (CIAM) is a system that manages the identities of a company's customers and provides them with access to the company's digital resources. It includes features such as customer registration, login, password management, and single sign-on. CIAM also provides a way for companies to collect and manage customer data. Every application that needs to authenticate their customers must build or buy a CIAM system to manage their users. You can build a CIAM system in-house, but it's recommended to use a trusted provider due to the added risk and cost of rolling your own system. If you’re looking to buy a CIAM solution, there are a number of companies that offer CIAM services, including Stytch, Auth0, Okta, Ping Identity, and OneLogin. The build vs. buy decision To solve for your company's CIAM needs, there are two main approaches: build or buy. There are pros and cons to each approach, and the decision ultimately comes down to your specific situation. Building a CIAM solution from scratch can be a daunting task. Not only do you need to have the right team in place to develop the solution, but you also need to have the necessary budget and resources. Additionally, it can be difficult to keep up with the rapidly changing trends in CIAM if you're not dedicating a team specifically to this area. Outsourcing CIAM to a third-party authentication provider (like Stytch) can be a more cost-effective and time-efficient solution. With a reliable platform for CIAM, businesses can quickly and securely get all of their authentication needs handled out-of-the-box. When considering whether to build or buy a CIAM solution, there are a few key considerations to keep in mind: The size of your company: If you're a small or mid-sized company, it may not make sense to invest the time and resources into building a CIAM solution from scratch. In this case, outsourcing CIAM to a third-party provider like Stytch can be a more efficient solution. Your company's core competencies: Does your company have the necessary expertise to build a CIAM solution? If not, it may be more beneficial to outsource this function to a company that specializes in authentication. The cost: Building a CIAM solution from scratch can be a costly endeavor. Not only do you need to invest in the development of the solution, but you also need to factor in the cost of maintaining and upgrading the solution over time. Outsourcing CIAM to a third-party provider can help reduce these costs. Complexity of authentication needs: Some of the more complex authentication solutions include multi-factor authentication (MFA) and single sign-on (SSO). Both MFA and SSO are important security measures that businesses should consider when implementing a CIAM solution. However, these solutions require a much heavier lift than simply building passwords. If your company is not familiar with or does not have the resources to implement MFA or SSO, it may be more beneficial to outsource this function to a company that specializes in authentication. When considering the build versus buy decision for CIAM, we sometimes hear a hesitancy to outsource authentication to a third-party provider given the critical nature of sign-up and login plays for all applications. One thing that many tend to overlook is that, as your authentication needs grow more complex, you'll inevitably outsource at least some portion of your auth stack. For instance, whether you're building support for email verification (e.g. for password resets or sign-up), SMS two-factor authentication, or single sign-on (e.g. OneLogin), every road in your company's authentication journey eventually leads towards outsourcing some portion of your IAM needs to a programmatic email provider, or a programmatic SMS provider, or a SSO provider. Even if you have the in-house expertise to build these authentication capabilities, it's typically more efficient (both in terms of time-to-market and cost) to outsource them. Thus, when making the build versus buy decision for CIAM, we recommend that companies consider their core competencies, the costs associated with building and maintaining a CIAM solution, and the benefits of outsourcing authentication to a specialized provider. If you have the in-house expertise and the resources to build a comprehensive CIAM solution, then by all means, go for it. However, if you're like most companies, it makes more sense to outsource your CIAM needs to a specialized provider like Stytch. Purchasing a CIAM solution Once you've decided whether to build or buy a CIAM solution, the next step is to assess the competition. When evaluating CIAM providers, there are a few key factors to keep in mind: Ease of use: The platform should be easy to use for developers, administrators, and end users. Security: The platform should offer robust security features to protect your customer's data. It’s recommended to require the vendor to provide a SOC 2 Type II report showing the controls they operate to keep you and your customers safe. Integration: The platform should be able to seamlessly integrate with your existing infrastructure. Support: The provider should offer excellent customer support in case you run into any problems. Scale: The system should be able to scale to support a large number of users. Considering your CIAM provider protects the front door of your application, you’ll also want to ensure the provider has best-in-class uptime. Recommended questions to ask potential CIAM providers When determining which CIAM solution to use, here are some helpful questions to guide your investigation: How do you scale your system reliably to manage large volumes of users? What’s your track record on uptime? Can I see your SOC2 Type II compliance report to understand how you secure customer data? Are you compliant with privacy laws like GDPR and CCPA? How flexible is your offering? Can I access a direct API in my integration for full control of the UX? Is there vendor lock-in if I choose you? How would I export users if I decide to switch systems? Are there any hidden fees if I expand my use of different authentication methods (e.g. multi-factor authentication) over time? Consider using Stytch for your CIAM needs Stytch is a customer and identity access management platform that provides a single, unified view of customer identity and activity across all channels and devices. It enables organizations to quickly and securely authenticate customers, authorize access to applications and data, and track and manage customer activity. With our simple API and flexible SDKs, you get secure and high-converting authentication out-of-the-box but retain the ability to own the UX of your application. One of the key advantages of Stytch is its simplicity. Our platform is easy to use for both administrators and end users and offers a comprehensive product suite that includes MFA and SSO capabilities. --- # Making auth your growth lever Source: https://stytch.com/blog/making-auth-your-growth-lever/ Making auth your growth lever If you’re spending time figuring out why it’s costing you more to acquire new users, or why user retention rates aren’t where you’d like them to be, consider tackling your sign-up and login flows. It’s more than just a way to securely let in a user - the sign-up and login experiences can, in fact, be delightfully seamless for users, serving to both let your product stand out and increase your overall conversion and retention rates. It’s not a surprise to most that customer acquisition cost (CAC) has been going up across the board for some time now, whether it’s due to increasingly ad-weary users or major changes like Apple’s introduction of App Tracking Transparency on iOS. This makes it all the more important that you convert as many visitors as possible to keep CAC low - after all, you’ve already spent significant resources on growing your top-of-funnel through things like content, organic search, and paid ads, the worst that could happen is for it to all be in vain when a user drops off upon encountering a cumbersome sign-up flow. Below, we discuss ways to make your customer authentication experiences a core growth lever to increase immediate top-line revenue and improve the lifetime value (LTV) of your users. Even prior to Apple’s new App Tracking changes, CAC had risen sharply (~70%) in the previous 6 years. Most forecast another sharp increase with Apple’s new policy. (Source) Boosting conversion Authentication isn’t just something that your security team should care about. If you own your product’s growth metrics, auth is critically relevant to you as well. The user experience that you deliver to customers at sign-up and login directly impacts key business metrics, including top-line revenue, # of net new customers, CAC, and user retention figures like LTV. To help illustrate this more concretely, consider the fact that typical website bounce rates average around 41 to 55%, meaning these potential new users and customers are abandoning your site without ever interacting, let alone signing up. Anything you can do at the margins to recover bounced users can be meaningful. Let’s assume your website has 1M monthly visitors, 30% of whom are eligible new users, and you have a bounce rate of 50%. You can quickly see that recovering even just a small portion of bounced users can add up to material monetary impact. Many innovative companies are already waking up to this and have endeavored to reduce friction as much as possible. Consider Slack, Cash App, or Monzo, who have all adopted passwordless flows through auth methods like email magic links and SMS passcodes. Or consider Pinterest, Zapier, and Doordash, who have all adopted Google One Tap to enable what is effectively one-click signup. These companies have homed in on a few key principles around boosting signup conversion by using auth as a lever: 1. Optimizing the homepage. A common theme across these apps is a singular focus on nudging new visitors toward account creation. Consider how Monzo aims to make their call-to-action clear (front and center) and frictionless (on mobile, the CTA is deeplinked to the App Store, whereas on desktop a QR code allows the user to jump devices with minimal effort). Monzo login with QR codes And consider how Cash App removes all distractions and allows the user to focus on a single field and call-to-action (no password required). CashApp login screen – no distractions, no notes! 2. Organically nudging visitors to sign up. These apps have also realized that there’s no better way to demonstrate your value prop than to get your user in the product ASAP, so they continue to nudge new visitors toward signup throughout their site. For example, Pinterest and Doordash leverage Google One Tap to ensure visitors are always one click away from signup wherever they are. Note the sticky login modal for both Pinterest and DoorDash Boosting retention As much as customer identity and access management (CIAM) is about getting users in the door, it’s also critical to keep users returning and engaged to fully realize their potential LTV. Many of us are likely familiar with the experience of pulling up an app we’d downloaded weeks ago, only to have to go through an arduous password reset process just to get back into our account - many users give up halfway through this byzantine process and abandon the app completely. With thoughtful tooling around how you build auth, you can make it as easy as possible for your users to return and re-engage with your product. 1. Take advantage of password resets. Users don’t actually want to reset their password - they just want to get back in. This is a perfect opportunity to offer a passwordless option and ensure they never encounter a forgotten password again. For example, The Washington Post provides an “Email a sign in link” option: Alternatively, you could provide a passwordless option in the password reset flow itself: 2. Embed auth into CTAs. Imagine receiving an email from your favorite brand about an on-sale item you’ve had your eye on - you click through, ready to buy, but are prompted with a login screen instead. Companies frequently leave money on the table by throwing up these types of barriers, which you could easily avoid by embedding auth into the hyperlink itself. The user has already proven access to their email or phone, so you can quickly drop them into a logged-in state without disrupting the flow. 3. Use step up authentication to layer on extra security only when it’s needed. Lastly, it’s important to remember that not all authentication is created equal. Many apps (banking in particular) require multi-factor authentication each and every time a user opens their app, but often this is a heavy-handed experience built in the name of security at the expense of user experience. Instead, consider only stepping up users to a second factor when their action warrants it (e.g., making a financial transaction, updating personal information, etc.). This type of “just-in-time” auth ensures you only introduce friction as needed, rather than subjecting your entire user base to unnecessary re-engagement barriers. How will you boost growth? Customer identity and access management is often overlooked as something that can be optimized for growth, but some of the most innovative companies out there are already leading the way by ensuring their authentication experiences are finely tuned for maximum conversion and retention. Here at Stytch, we have a front-row seat to how companies are modernizing their auth flows, and we’d love to chat with you about how you can as well. Feel free to reach out to us to book a quick UX consultation - we’re excited to review your UX and offer our tips and best practices around where you can optimize for continued growth. --- # What is TOTP and why does it matter? Source: https://stytch.com/blog/what-is-totp/ TOTP stands for time-based one-time passcodes. Learn about why it’s an important two-factor authentication option to uplevel your app’s security. Time-based one-time passcodes (TOTP) are a type of multi-factor authentication (MFA) that leverages software authenticator apps (e.g. Google Authenticator, Authy, Microsoft Authenticator) to verify your identity. These authenticator apps supply a randomly generated code that changes every 30 seconds. Time-based One-time Passcodes are generated using a shared secret (a random string of characters) and the current time. The TOTP algorithm uses that shared secret to generate a 6-digit time-based code that expires every 30 seconds. The shared secret is used to generate the code on the user’s device as well as stored securely on the server. When a user needs to authenticate to an application, the user enters their code from their device and the server validates the code against its stored secret. If the code matches, the user is authenticated. When you want to log into a site or service that uses TOTP, you complete your first method of authentication (e.g. password, sign in with Google, magic links, etc.) as usual. Then, you open your authenticator app and enter the code that is displayed. This proves that you have possession of your device and gives the application strong evidence that you are who you say you are. SMS OTP vs. TOTP: What problems does TOTP solve? While SMS one-time passcodes (OTPs) are the most common form of multi-factor authentication today, TOTP (time-based one-time passcodes) are an important two-factor authentication option that can be used in situations where you need higher security assurance than SMS verification can provide. SMS OTP is familiar and convenient for users, but there are certain security weaknesses. SMS OTP is more vulnerable to SIM swapping attacks, where a fraudster who has stolen a user's phone number can route messages to their own device and intercept the code. TOTP is not vulnerable to this type of attack, as the authenticator app is tied to the user’s device rather than their phone number. SIM swapping attacks are relatively rare (compared to other account attacks like credential stuffing) due to the effort and cost involved in executing it successfully – it typically involves either bribing employees at a telecommunication company or fabricating identity documents to impersonate the true owner of the phone number at a live branch. TOTP authentication solutions are ideal for particularly sensitive use cases that are also highly attractive to attackers in terms of the potential payoff they offer – think money movement in fintech or cryptocurrency spaces or access to a company’s HR or payroll information. But even if a company’s use case isn’t particularly sensitive, TOTP can be a good option for organizations that prefer a higher assurance level for their MFA and 2FA. Many tech-savvy users also prefer TOTP over SMS OTP for MFA for important accounts due the heightened security. Offering flexible and secure MFA options with Stytch Ultimately, the best type of security is security that users will actually use, which is why it's important to offer multiple MFA options to increase the likelihood that a user enrolls in MFA. There are many different MFA options you can offer users with SMS, TOTP, biometrics, and hardware keys being the most popular ones. Each of these methods has its own advantages and disadvantages, which is another reason it's important to offer multiple forms of MFA to your users. You can read more about these individual authentication options in our guide to passwordless authentication. With Stytch, developers can embed MFA, including TOTP, into their authentication flows in minutes rather than months.Stytch's TOTP solution is designed to be used with any mobile authenticator app such as Google Authenticator, Microsoft Authenticator, or Authy. Check out our TOTP integration guide to get started. --- # How compromised passwords lead to data breaches Source: https://stytch.com/blog/how-compromised-passwords-lead-to-data-breaches/ Compromised passwords can lead to data breaches and hackers accessing personal information. Here are solutions to create strong passwords and authenticate users. Data breaches have been in the headlines for several years, representing a rational fear for many organizations. A data breach is when someone — typically a hacker — gains unauthorized access to sensitive or confidential information. Hackers may do this for numerous reasons, including damaging the organization or its reputation, selling the retrieved data, or making a social or political statement. Most data breaches seek personally identifiable information (PII), such as Social Security numbers or other official identity information, bank or credit card details, and passwords that they can use to either monetize the attack directly or indirectly by compromising adjacent financial accounts that rely on those stolen credentials. Additionally, there are two significant aspects that most breaches share: Often, organizations only detect them months after they’ve occurred. Compromised passwords are the primary cause. In this post, we’ll examine how easily compromised passwords can lead to data breaches, go over some common password vulnerabilities, and ultimately review some best practices to keep your passwords and other sensitive data as secure as possible. Data breaches from compromised passwords Compromised passwords are a top contributor to many recent large-scale breaches. This is unsurprising, as a password is often all it takes to authenticate into a system, application, or data store. Once a user authenticates successfully, there is little recourse. That’s not to discount recent cybersecurity advancements that seek to improve how we protect electronic data. Traditional data center security includes some key security architecture, including network connectivity firewalls, virtual private network (VPN) connections, and encrypted tunnels for remote access. However, weak user authentication renders these measures all but useless. As such, password-based authentication methodologies become a prime target for hackers. How often are passwords compromised? So, how often do passwords become compromised? In brief, all the time. Below are just a few of the more well-known breaches whose common thread is a known password: The 2021 TicketMaster breach is a remarkable example of how substandard practices (and illegal behavior) can breach corporate security. An employee who saved credentials from their former employer — a competitor — provided access to TicketMaster executives with these credentials, enabling them to retrieve confidential financial and operational information from the rival company. The root cause of the 2021 SolarWinds breach was a weak password on their prime software tooling: solarwinds123. The New York City Law Enforcement Department was also a data breach victim. Attackers stole personal data from thousands of employees. This was possible after attackers stole one employee’s email account credentials. The above examples represent only a few of the more well-known security breaches, but there are countless undetected or unreported security incidents for each known occurrence. How do passwords become compromised? There are many ways that bad actors can steal passwords. Moreover, they often use multiple strategies simultaneously. Brute force Brute force is the technique by which an attacker uses a “guessing” approach to determine a password for a system or user account. Cybercriminals often use robust scanning or password-cracking tools that enable looping through many possible password combinations. These tools address the common tendency to include birthdays, family members’ names, and pets’ names in created passwords. Social engineering The more a hacker can find out about their target, the greater the amount of helpful information there is to attempt to gain access. Consider the security questions you must answer when setting up a new account. Usually, answering these questions can help prove your identity to reset a lost or forgotten password. Most questions relate to your likes or hobbies (favorite car brands, travel destinations, visited cities) and family or pet names. The “silly” games we play on social media are a way to obtain such data. Even games that don’t directly ask for this type of information understand what types of prompts will most efficiently garner responses. In addition to falling victim to social media schemes, people tend to reuse passwords in multiple apps and accounts. This means that if one site’s credentials leak, malicious actors can use the same credentials to access several accounts belonging to each individual. Password theft Password theft is an umbrella term that takes many forms, including some of the previously mentioned scenarios. Complex passwords are more secure but challenging to remember but saving them in a sticky note or plain text file opens the possibility of password theft. Another common type of password theft occurs through spam and junk phishing emails, which involves deceiving users into clicking a link that leads to a phony but often realistic-looking version of a legitimate website. The fake website is typically just a form to capture the user’s credentials when they believe they are logging in to the site or resetting their passwords. How to prevent compromised passwords Fortunately, there are plenty of ways to reduce the risks associated with compromised passwords. Strengthening passwords with hashing and salting In an ideal scenario, the password characters that a user enters are hashed and stored in a back-end identity database. Hashing encrypts a password into a string with a method that is extremely difficult to reverse engineer. The more complex the hashing mechanism (SHA, bcrypt), the harder it will be to break the code. While this method is relatively secure, the encryption key used to hash passwords is static. This creates a vulnerability wherein deciphering the encryption key enables an attacker to decrypt any stored password. That’s where salting is useful. This process involves adding a series of randomly chosen characters to the password before hashing. This optimizes the security for the given credentials, as the hash will never be the same. Delete inactive accounts Moreover, it’s crucial to ensure you disable or delete inactive accounts. Leftover credentials are vulnerable targets for disgruntled employees or those with whom they may overshare. These unused accounts include employees who’ve left the organization but may also extend to those on temporary leave. Additionally, integrating up-to-date security controls, such as validating security group memberships and ascribing to the principle of least privilege (PoLP), can significantly limit unauthorized access. Use multi-factor authentication Multi-factor authentication (MFA) dramatically improves the integrity of password-only logins. Whereas traditional authentication combines a username and password, MFA relies on an additional method to prove your identity. The desired combination includes factors based on: Something you have (a mobile phone) Something you know (a password) Something you are (biometrics) When you connect to an application (using a browser or a mobile app), using a powerful authentication solution typically follows this flow: You are initially prompted for a username and password. You then must validate using one or more factors, such as a one-time passcode (OTP) sent to your mobile phone or a fingerprint reader (or similar biometric method). If any of the authentication steps are unsuccessful (for example, you cannot receive or read the one-time password, authentication will be unsuccessful until you can provide additional verification. Prevent credential stuffing attacks When a user’s account is stolen, it’s often the victim of a bot-powered credential stuffing attack. CAPTCHA challenges can be used to help combat bot traffic and attacks. CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. Most people are familiar with the simple nature of these tests, but they pose a problem for most bots to solve. In recent years, however, bots have become more adept at beating CAPTCHA tests in order to validate credentials and compromise accounts. Bots’ ability to consistently trick CAPTCHA stems from a key design flaw in the architecture –– the public key problem. Every major CAPTCHA system exposes its public key, making it easy for bots to scrape and submit the public key to one of these ‘CAPTCHA-solving-as-a-service’ companies. Stytch has developed a CAPTCHA solution that removes the public site key from the equation, leaving users with the exact same experience, but making it impossible for bots to scrape and mass attack your application. Visit our Strong CAPTCHA product page or talk to an auth expert to learn more about how Stytch can help you stop bots on your application. Stytch’s password solution Stytch recently launched a completely rebooted Passwords solution that innovates from the ground up to uplevel security and user experience and protect against data breach. Stytch’s Passwords solution also introduces novel security features like breach detection (powered by tools like HaveIBeenPwned) and a better strength assessment called zxcvbn (aka “lower qwerty”), which makes it easy for humans to generate passwords but hard for robots to crack them. We’re committed to making secure authentication that’s as frictionless as possible, so we leverage our Email Magic Link technology to reduce the steps from a traditional password reset. Stytch also salts and hashes all passwords using Scrypt, before storing in an encrypted database that we manage. We wanted to ensure our Passwords solution is secure and built for performance — we decided on Scrypt in order to strike that balance. Passwordless: the ultimate protection Stytch offers a variety of solutions to ensure that password-dependent credentials are optimally secure. However, the ideal strategy for reining in password-related breaches is to remove passwords from the equation. Stytch’s passwordless approach is the ultimate weapon against compromised passwords, ensuring that your confidential information stays that way. Stytch’s modular solution suite means that you can construct a passwordless approach best tailored to your product and your industry. For example, industries with stringent privacy standards such as Fintech and healthcare often benefit the most from enforcing OTPs as the primary mode of authentication and biometric validation or TOTP authenticator apps as the second factor. The OTP provides security to the users, validating their identity by sending a message to their phone or email. This creates flexibility for the device type using the app. Biometrics, as the second factor, can be viewed as an additional layer of security, where the mobile app can only be opened and used from a given device. For B2B saas applications like Slack and Microsoft Teams, it is often best to use a low-friction approach like Email Magic Links or OAuth. The email-based scenario provides an easy, low-friction authentication method, often used for full-desktop applications. Adding OAuth-based capabilities can also allow for single sign-on (SSO) integration with corporate credentials. Strengthen security with Stytch Data breaches pose a tremendous risk for any organization, with compromised passwords proving to be a prevalent issue. Luckily, numerous scenarios are available to help optimize the security of your application or system and the integrity of your users’ account credentials. But ultimately, the best way to prevent password theft is to go passwordless. No master hacker can steal what isn’t there. If you’re interested in learning more about how Stytch can help you maximize your password security or transition to a passwordless approach, discover our full suite of authentication products at Stytch.com. --- # How we (re)made Passwords for next-generation auth Source: https://stytch.com/blog/making-of-passwords/ Take a look behind the scenes at Stytch, and discover how we built our new Passwords solution to reduce friction and improve security online. I joined Stytch this past spring, just as we launched a massive out-of-home campaign with dozens of billboards, buses, and transit shelters proclaiming the benefits of passwordless authentication across San Francisco. (And, to be clear, we still believe passwordless auth offers the best security and user experience for applications today.) But as I settled into my role, I heard from many customers who were excited about the possibilities of going passwordless but concerned about how their users would handle an abrupt transition — and I wasn’t alone. It turned out Stytch’s leadership had been hearing the same thing for a while. We decided it was a left turn worth exploring. While our end goal is killing the password, our company mission is to eliminate friction on the internet. We’ve learned that, in some cases, the lowest-friction option may include password-based logins for apps that are just starting on the passwordless adoption curve. Instead of ignoring the present state, Stytch believes that the best path forward is to meet companies and people where they are and guide them along the adoption curve towards passwordless. Of course, if we were going to create a password-based flow, we were going to create one that meets all the UX and security needs of modern developers. Below, I share how we came up with an enhanced solution and upgraded the password to fit our forward-looking approach to auth. Weeding out the friction As we began building our Passwords product, it helped that we had already spent considerable time thinking (and writing) about the many reasons why conventional passwords are terrible. One of our main goals was to take a step back and think about the specific ways friction is typically introduced to an auth flow and whether the basic verification measures we take for granted actually serve their intended purpose. For example, traditional LUDS standards — which ask users to include at least one lower- and upper-case letter, digit, and symbol when generating a new password — assume that complexity is the key to security. In theory, it would take thousands of years to crack a LUDS password using common hacking techniques. But in reality, convoluted passwords are hard to remember and put too much of a burden on users, who end up taking risky steps to manage their proliferating credentials. Studies show that about 67% of users recycle the same credentials across multiple accounts so they don’t have to store and recall an average of 100 passwords. That can be a real problem given the growing number of breached data dumps and the growing sophistication of cyber attacks. We knew one way to avoid these pitfalls was to put the user first and optimize for both security and usability, which meant rethinking many of the common components of a password-based flow. Taking a human-centric approach to passwords Our biggest challenge was designing a solution that would resemble the password-based logins users are familiar with while addressing critical security and UX issues behind the scenes. We also wanted to make our product as simple as possible while giving users the flexibility to navigate auth on their terms. That meant building a flow that would work alongside other passwordless methods (like OAuth logins through Google or Facebook) that users could turn to under certain circumstances, like authenticating in a crowded space or via mobile, when they may not want to punch a password into a tiny keyboard. As always at Stytch, we took a collaborative approach to negotiate the perfect balance between development and design. As product lead, I worked closely with our engineering team to validate the APIs, test the feasibility of our goals, and minimize complexity. I also brought in our user research team to better understand our customers’ (and end users’) expectations and worked with our design team to set up easy, customizable configurations through Stytch’s dashboard. Ultimately, we revolutionized the password experience in four important ways: Strength: instead of imposing rigid LUDS requirements, we use Dropbox’s flexible zxcvbn strength estimator and offer users helpful tips on how to improve their passwords. Flexibility: we automatically deduplicate accounts by email regardless of how users log in. That means apps can offer different auth options (password-based and passwordless) without allowing users to unintentionally create multiple accounts. Simplicity: we overhauled the tired password reset flow, so users can create a new password if they want to — or skip the process altogether and just click a button to log in via an Email Magic Link. Security: we integrated with Have I Been Pwned (HIBP) so we can check a user’s credentials against a database of 623+ pwned websites and nearly 12 billion pwned accounts and ensure they haven’t been compromised. By thinking through the different ways users might encounter and navigate password-based logins — and the pain points they tend to hit along the way — we created a modern flow that actually works in the seamless way apps intend. When a user initiates a “forget password?” flow, Stytch offers them the option to skip the reset and simply log in via Email Magic Link OR to reset password and log in. A holistic approach to auth Stytch’s Passwords solution can stand on its own, but it’s also well suited as the primary or secondary factor in a multi-factor authentication (MFA) flow or side-by-side with other, passwordless methods. You can learn more about Passwords by checking out the product page or jumping into the docs. Or, for ideas on how to implement Passwords in tandem with other elements of Stytch’s passwordless product suite, reach out to one of our auth experts for a free consultation. --- # What is identity and access management (IAM)? Source: https://stytch.com/blog/identity-and-access-management/ Identity Access Management (IAM) allows organizations to assign identities to people and devices, authorize access to assets, and manage these relationships. Identity and access management (IAM) is a broad term used to describe how organizations manage individuals and devices and control access to sensitive resources. With IAM, an organization can authenticate digital identities, define which assets they can access, and manage these relationships over time. In an increasingly online world — with more users, more devices, and more threats — IAM plays a critical role in helping organizations protect their data, promote growth, comply with government regulations, and much more. What are the benefits of IAM? IAM is utilized throughout large and small organizations because it offers a wealth of proven benefits for enterprise. Greater control over users When unauthorized people have access to confidential and privileged information, an organization is at risk of costly data breaches and identity theft, among other issues. These concerns only grow as workforces remain highly distributed, and operate in fast-paced environments. The primary purpose of IAM is to control who has access to information and assets, which is especially important if you are dealing with privilege creep (when access privileges expand unnecessarily) or large numbers of users being onboarded and offboarded. With IAM, you can: Manage and track nearly every aspect of a user’s identity and permissions. Quickly and accurately see which users can access any specific asset. Grant granular permissions to ensure that users only have access to assets that are relevant to their work. Change privileges across the enterprise as groups and teams evolve and security policies are updated. Incorporate proven security-related platforms and features such as single sign-on (SSO), which promotes good password hygiene by reducing the need for users to track and manage multiple credentials. Collaborate more easily and cost-efficiently with third-party contractors, customers, and other outside groups by granting them controlled, secure access to your network. Cloud-based IAM provides additional benefits, including controlling access with browser-based SSO. Protect sensitive data, credentials, and other assets Consider all of the digital threats to your organization, including hacking, phishing, and stolen passwords. These risks are directly related to unauthorized user access. By allowing you to control, manage, and limit user access through a centralized system, IAM helps keep your information safe and mitigates your risks. An automated approach Humans make mistakes. Automating the processes that are used for IAM helps minimize (or even eliminate) the human errors typical in manual account setup, permissions, and tracking processes. In addition to improving security, automation saves your IT department time and money by reducing the number of help desk requests for password resets and related tasks. How does IAM work? IAM enables access to an asset based on the identity of the user, device, or thing (such as an application or API) that is trying to access it. The process starts with identifying individual users (e.g., employees and customers) and devices (e.g., smartphones, laptops, and servers) that could potentially access data, systems, and other assets. Each individual or device is assigned one identity. Enterprises then manage these identities through a centralized service, which may be on-premise or cloud-based. Managing identities includes adding users, modifying their information as their responsibilities change, and removing their privileges when they are no longer authorized. Every identity will be granted access to assets based on the roles associated with the individual and/or group. Authorizing identities is typically an automated process based on the user’s location, role, job title, and other information. For example, a customer will have different authorization than an employee, and a vice president will likely have more access to more systems than a manager. Customer IAM (or CIAM) involves authorizing access for customers based on their identity, while workforce IAM typically applies to an organization’s employees, partners, and vendors. An IAM system will also incorporate auditing and reporting processes, as well as ways to regulate user access. While passwords and software tokens were often good enough to regulate access in the past, in recent years organizations have adopted more advanced IAM technologies, including multi-factor authentication (MFA), privileged access management, biometrics, and machine learning. Ideally, the end result is that users can access the information they are authorized to access — and only that information — throughout their relationship with the organization. Challenges, risks, and how to address them IAM is a flexible tool that can help organizations stay ahead of ever-evolving threats and attacks. However, as with any security protocol, there are additional factors to consider both before and after implementing IAM. Ultimately, the goal is to balance ease of use with the security and compliance needs of your organization. Some of the challenges and risks of IAM include: Establishing centralized authority for an IAM system (and the resulting policies, documentation, and access approval process) may require new governance entities and cross-unit collaboration. Understanding the enterprise’s needs requires a thorough examination of each audience (including their specific access requirements and risks), how to manage access across disparate business units, and how effectiveness will be measured, among other concerns. Onboarding (including birthright access given upon joining an organization) and offboarding necessitate changes in permissions; keeping up with these adjustments may require automation, auditing systems, and other resources. Cross-platform issues between applications (including cloud-based and in-house apps) may require SAML and other tools to bridge gaps. Managing cloud architectures such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform may be a challenge, as each provider can have their own unique policies, best practices, and security challenges. Evolving standards for IAM and related technologies, including open-standard platforms, requires ongoing vigilance to stay up to date. Additional systems may enhance security but also introduce risk; for example, biometrics is an advanced tool for authenticating identity, but storing biometrics data adds an additional concern. IAM’s role in a security stack The broad applications for IAM throughout an organization make it exceptionally useful. However, this enterprise-wide impact can also make it challenging to define responsibilities, establish clear guidelines, and ensure that IAM is being properly implemented—especially since it may not fit neatly within a traditional security stack. Here are some things to keep in mind: IAM is not just for IT. Numerous departments need to be involved in determining what resources will be managed through IAM and which users in the organization will have access to each specific resource. Leaders must consider how IAM will be used to authenticate people as well as APIs, application keys, and similar items. Access guidelines must also be updated, maintained, and reviewed to protect valuable assets as users and resources change. A critical part of compliance IAM is a commonly used tool to help achieve compliance, given that it can regulate access to data (including vendor access), manage inactive accounts, restrict password access, and achieve other compliance-related mandates. Many organizations are required to follow certain government regulations and guidelines, which may include: FERPA (Family Educational Rights and Privacy Act) GDPR (General Data Protection Regulation) Gramm-Leach-Bliley HIPAA (Health Insurance Portability and Accountability Act) NIST (National Institute of Standards and Technology) PCI-DSS (Payment Card Industry Data Security Standard) SOX (Sarbanes-Oxley) US state-by-state privacy laws With IAM, companies can demonstrate that data is being used appropriately (including following least privilege, in which users only have access to necessary resources), meet their compliance goals, and provide information for auditors as needed. Digital authentication methods IAM gives an organization the flexibility to choose the digital authentication methods that best serve its purposes and goals. These digital authentication systems affirm a user’s identity and authorize their access to approved resources. Unique passwords are used more than any other type of digital authentication. They are often complex by design, with long combinations of upper- and lowercase letters, as well as numbers and symbols (which is why SSO is often employed to help users remember them). Pre-shared keys (PSK) are shared passwords that allow authorization to WiFi and other common resources. While they offer convenience, they provide a lower level of security and may not be changed as often given the impact on a large group of people. Behavioral authentication is an advanced technique (often involving artificial intelligence) that analyzes how an individual user is typing on their keyboard, interacting with a tablet or smartphone, or using their mouse. If the user’s actions do not match the approved patterns, authorization can be denied or revoked. Biometrics provide a higher level of security, as they rely on unique user characteristics including (but not limited to) their fingerprints, voices, and irises. However, organizations that collect and/or store biometric data must have a thorough understanding of the privacy risks, security concerns in the event of a data breach, and ethical issues. Consider Stytch for your IAM needs As authentication remains a primary concern throughout an enterprise, the benefits of IAM are clear. Stytch is an identity access management platform that provides a single, unified view of customer identity and activity across all channels and devices. It enables organizations to quickly and securely authenticate customers, authorize access to applications and data, and track and manage customer activity. With our simple API and flexible SDKs, you get secure and high-converting authentication out-of-the-box but retain the ability to own the UX of your application. One of the key advantages of Stytch is the simplicity of our products. Our platform is easy to use for both administrators and end users and offers a comprehensive product suite that includes MFA and SSO capabilities. Sign up for a free account to get started, or contact support@stytch.com to discuss your IAM needs and learn more about how Stytch can meet them. --- # Go big or go home: why it’s never too early to think about enterprise Source: https://stytch.com/blog/building-for-enterprise-sales/ Enterprise selling requires more than adding a new tier to your pricing page. Here are 5 things you can do today to make the shift into enterprise sales. After working in B2B SaaS over the past decade-plus one of my favorite questions is, “Should we expand into enterprise sales?” I love this question because it tests the scale of a company’s ambition, the clarity of their vision and the viability of their product. Those who can successfully bridge the gap from SMB to enterprise dominance are rewarded when raising capital, getting acquired, or by the public markets (examples here, here, and here). But making the transition to enterprise has significant challenges, like longer deal cycles, greater acquisition costs, and less revenue predictability. The companies that make this transition successfully are the ones that lay the groundwork early on for the shift to enterprise. In this article, I’ll cover the five key actions companies can take today to make sure if and when the time comes to shift to enterprise, they’re ready. Because “enterprise” can be used to refer to any number of companies, for the purposes of this article we’ll define “shift to enterprise” more broadly as the shift to larger customers with more complex needs and greater revenue potential. Whether for your company that means 500+ or 500,000+, the takeaways below still hold. 5 key actions to prepare for a shift into enterprise sales 1. Mind (and fill) your product gaps This sounds like a no-brainer, but you won’t get far with your sales efforts if there are major gaps between enterprise expectations and what your product can deliver. To close those gaps, you need to continually: Assess the specific needs of your target customers Pressure test your product-market fit with buyers Shift your roadmap as needed to prioritize your target customers’ needs As an example, early on at Stytch we were laser-focused on passwordless solutions. Over time though, we discovered a critical mass of customers weren’t ready to go fully passwordless, and instead wanted to support it for only subsets of their users. This was especially true of more upmarket prospects. To make ourselves more enterprise-friendly, we shifted our priorities and built our own passwords solution to offer alongside our suite of passwordless products. We’ve since made investments in products like differentiated CAPTCHA and Single Sign-On solutions with a similar aim to close any gaps between our products and our prospective customer requirements. As a result of these roadmap changes, we’ve broadened our total addressable market and created a compelling offering that has strengthened our enterprise position. If we hadn’t listened to our enterprise customers or been agile enough to shift our product roadmap, we’d have missed out on this upmarket TAM. 2. Tailor your playbook The process of selling to the enterprise is completely different from selling to SMBs: each requires tailored sales motions. With smaller companies, the person you are selling to likely is both the end-user of your product and the economic buyer. You often have less than three people involved in an evaluation and can make a buying decision in less than 14 days. For these customers, you want your sales motion to optimize for speed, ease of evaluation, efficiency, and volume. Think freemium or “product-led” growth strategies where sales reps are managing a high volume of deals. In stark contrast, enterprise sales processes involve more stakeholders, more time, and more organizational hurdles. Companies of 100+ employees will involve on average 7 people when deciding to buy software, and often take months to close a deal. This requires a more hands-on approach: sales teams need a detailed understanding of your customers’ strategic priorities and KPIs. They should also consider leveraging partnership-selling between Account Executives and Solution Engineers to offer more tailored advice. With all the different stakeholders and stages involved, enterprise deals can get complicated quickly. Consider visually mapping out the path to close to help navigate these lengthy, complex buyer journeys. 3. Maximize the impact of your people, and automate everything else To effectively capture upmarket opportunities, it’s critical to understand where to leverage people and where to streamline with automation. This requires answering the following questions: Do prospects understand your value proposition and differentiated solution from the outset, or does this only occur when a person presents it to them? How complex is your product, and how easy is it for a customer to start using it? How quickly in an evaluation will a customer realize value? Which milestones do customers clear easily on their own, and where do we see significant dropoff? How do these friction points map to customers of different financial value? These questions will reveal the mission-critical junctures where you need people to sell your product, and the easier hurdles that you can leave to automation. In short: reserve your talented, creative, and expensive salespeople for the customers and moments where they have the greatest incremental impact, both on your customers and your business. 4. Learn to sell to strangers — invest in outbound before you think you need to In the early days of growth, your company will likely employ founder-led sales to win your first set of customers. Companies at this stage often critically mistake founder-led customers as indicative of their product-market fit at scale. Your early customers will likely be early adopters willing to take a risk on a fledgling startup, and these sales likely won’t be reproducible at scale. As such, your true ideal customer profiles or sales playbook won’t reveal themselves until you’ve learned how to sell to strangers. This is where outbound comes in. In learning to sell to strangers, early outbound sales will give you the opportunity to: Programmatically test messaging against target personas Go deeper in your understanding of your buyer and their needs Get a better signal around what does and doesn’t work with your go-to-market strategy Identify key objections and sticking points to address in your sales playbook All of this helps you refine your sales toolkit in the ways you’ll need for the longer, multi-stakeholder processes that enterprise sales require. 5. Build a strong feedback loop between EPD and GTM Your sales team should be a conduit for customer feedback early on (something I’ve written about in the past). Because enterprise has more stakeholders with unique requirements than SMBs, it’s also important to invest in frameworks and rituals to organize that feedback in a way that’s easy to draw from later on. If you cannot adequately categorize and prioritize the needs of enterprise customers, you run the risk of missing critical components or prioritizing your efforts against the wrong needs. To encourage early adoption and collaboration between your GTM and EPD teams, they should work together to: a) Decide on a framework to track and prioritize customer requests b) Agree on a regular cadence for discussing and evaluating them Whether your teams are meeting once a month or once a quarter, the key is to establish this flywheel early on so your product can evolve with you as you scale. Here’s an example framework I use with my team that can get you started. Recap So, should you move your sales team upmarket? For most companies the answer is eventually “yes," but make sure you’re prepared for the road ahead. If enterprise sales will be important to your business, make sure to: Mind (and fill) the gaps: make sure your product is ready by regularly mapping customer requests against your roadmap. Adapt and prioritize accordingly. Tailor your playbook: enterprise sales are more complex than selling to the SMB, ensuring your team has adequate coverage and understanding of their customers is key to their success. Maximize the impact of your people, and automate everything else: selling to the enterprise doesn’t mean you have to abandon product-led or freemium strategies, you simply need to choose the right approach for the right customer based on your growth ceiling. Learn to sell to strangers–invest in outbound before you think you need to: outbound selling helps you validate product-market fit, ideal customer personas, and importantly teaches you how to “sell to strangers.” Build a strong feedback loop between EPD and GTM: enterprise customers will have different needs than their SMB counterparts, ensuring you deeply understand and rigorously prioritize them is critical to your success and that of your engineering team. While this isn’t a comprehensive guide on building enterprise sales teams, these principles have served me well at past companies and guide our thinking as we expand into enterprise sales at Stytch. I hope that they are helpful to you, and would love your thoughts or feedback at pete@stytch.com. In the meantime, good luck on your enterprise journey. --- # Stytch Talks with Brian Hale: rethinking user sign-up and login to unlock growth Source: https://stytch.com/blog/stytch-talks-with-brian-hale/ Check out a recap of our latest webinar, and learn how to optimize your sign-up and login flows to improve user conversion rates, CAC, and LTV. Earlier this month, Stytch’s co-founder and CEO Reed McGinley-Stempel sat down with Brian Hale, VP of consumer product and growth at DoorDash, to discuss how companies can turn their authentication strategies into critical drivers of growth. Hale shared how his aha moment came in 2014, when he was leading a product growth team at Facebook (now Meta). They began experimenting with logins after noticing that legitimate users were being shut out from the platform due to bugs in the security flow. It occurred to them that, if auth could serve as a negative growth lever, it could also be mobilized as a positive one. McGinley-Stempel had his own aha moment while working at Plaid with Stytch co-founder Julianna Lamb. As part of the auth team, they met with both security and growth stakeholders and realized that the platform’s biggest conversion snag (the password) was also its greatest fraud vector. Their main takeaway? When product and security teams work together, they can better identify elements in their sign-up and login flows that are standing in users’ way — and move quickly to fix them with lower-friction solutions. Below, we recap the actionable tips their discussion brought to light, from merging growth and cyber-security elements in your organizational structure to taking the right authentication steps to meet your users’ needs. Uniting product and security teams toward a common goal Building an auth-as-growth strategy starts at the organizational level by aligning your product and security teams around a shared purpose. Typically, product teams are focused on expanding a platform’s customer base — letting “good” users in through simple sign-up flows — while security teams are focused on preventing cyber attacks and keeping “bad” users out with robust login verifications. That’s why these teams are usually seen as at odds: You can’t boost security, the thinking goes, without adding extra friction, compromising the user experience, and tanking conversion rates. But while their immediate interests may differ, product and protection teams’ fundamental goal is the same: attracting and retaining the right users. In an ideal scenario, they’d work in tandem to find the best possible balance between UX and security. Business leaders can make that happen by building a company culture based on trust, investing in cross-departmental relationships, and maximizing opportunities for collaboration. At the team level, product and security managers can help by holding regular one-on-ones with their counterparts and proactively sharing their roadmaps. That ensures no one is caught off-guard or derailed by a new initiative — like an SMS verification flow that interrupts the user journey or a product A/B test that interferes with the password processing system. When your product and security teams work together, you can shift your approach from putting out auth fires and addressing growth regression after the fact to developing a broader authentication strategy that supports growth across the board. Optimizing CAC and LTV through auth best practices There’s no one-size-fits-all solution when it comes to authentication. The strategy that works best for your app will all come down to your users and their unique preferences and behaviors. That said, Hale noted there are dozens of tangible, actionable auth levers that can have a big impact on your conversions at sign-up, to bring down customer acquisition costs (CAC), or at login, to boost your lifetime value (LTV). Some standout ideas he shared include: Offer both phone number and email as account identity options. This can be a generational issue, as young people are increasingly turning to SMS and other mobile communications over email addresses to set up their accounts. It can also help ease geographical and cultural divides, as email access is not universal across the globe. Hale estimates that including both phone and email options can expand an app’s reach by 5%. Tailor your passwordless path to your users and your product. Authentication isn’t black-and-white, and there are many paths along the passwordless adoption curve. If your products are multi-platform, if you use an email-based auth system that travels across devices, or if you have an older, more traditional user base, eliminating passwords abruptly may end up creating more friction and harming rather than helping your growth efforts. Luckily, it’s easy to add passwordless options to a password-based flow and ease the transition if you’re not yet ready to ditch credentials for good. If you can’t eliminate passwords, eliminate as much friction as possible. Stytch has always been passwordless-first, but we recently introduced a Password product. That’s because we recognize that different apps have different considerations, but they still need easy, low-friction waysto authenticate their users. When upgrading a password-based flow, aim for the low-hanging fruit first — like tedious, multi-step password-reset flows. There are several ways you can improve this process: Make the reset a secondary, optional flow: most users don’t actually want to create (and remember) a complicated new password; they just want to log in and access their account. Ease their pain by logging them in via an Email Magic Link — which still proves possession of an inbox — and let them be on their merry way. Don’t wait for users to click the reset button: if you see a user has tried and failed to log in several times, save them the trouble and proactively send them a login link via SMS or email to let them in. Take over the screen with an automated SMS: even better, if you can, send users an SMS that automatically populates the reset code in your app. That way, a user won’t have to navigate away from your platform to regain access to their account. Once you’ve streamlined your reset flow, you can always strengthen your security posture by adding components that don’t add extra friction. For example, Stytch integrates with HaveIBeenPwnd to check if a password has previously been compromised in a data breach — and, if so, prompts the user to reset their credentials. Stytch offers users the option to skip password reset and simply log in via Email Magic Link OR to reset their password and log in. Don’t block good users for mistakes bad actors would never make. The kinds of mistakes humans make when entering passwords are extremely predictable — and not at all the same tricks hackers and password-stuffing bots use when trying to breach accounts. That means you can account for common user errors without opening yourself up to fraud. For example: If someone submits the correct password with the caps lock on or includes an extra character that’s immediately adjacent to the enter key, that’s not the type of error that an attacker in possession of a leaked list of passwords would make. In all likelihood, this is a good user, and it’s clear they know their password, so let them in, and don’t punish them for trying. Find the right balance of auth options to meet users where they are. You want to offer multiple ways into your app — which may include passwords, OAuth Logins via Google, Apple, and Facebook, or any number of auth factors — but your goal is to reduce friction. You don’t want a “login soup” where users forget which factor they signed up with, open a new account, and are forced to repeat the onboarding process. Keep things simple with a maximum of four or five auth options, and let your specific industry and audience determine your selection. Make sure you’re also partnering with an auth provider, like Stytch, that de-duplicates accounts whenever possible. Growth-oriented auth in action Consider some visual examples that demonstrate how these levers work in practice to inspire your own growth-oriented auth strategy. For example: Companies like DoorDash use Google One Tap to optimize their sign-up flows, boost top-of-funnel growth, and reduce CAC. Typically, when you ask users to sign up for your app or website — via a homepage, blog post, or anywhere else — you ask them to complete various steps, like providing a name, email, password, password confirmation, and maybe even an email verification. If you’re looking to reduce bounce rates along this multi-step flow, Google One Tap allows you to piggyback on an active Google/Gmail session on the user’s browser and collect and verify their information with a single click. Companies that have A/B tested multiple authentication factors have found Google One Tap to be their most successful experiment by a long shot. For example, Pinterest saw a 47% jump in desktop conversion rates (and a 126% jump on Android), while Reddit doubled their new user sign-ups and returning user conversion rates. Companies like Instagram simplify their password-reset flows to optimize login processes and reduce bounce rates. Users on your login screen are typically those with the highest intent, since they’ve already signed up for your platform and are now returning to complete a specific action or to make a purchase. As noted earlier, the key to keeping those users happy is to make it easy for them to access their accounts — especially when they forget their credentials. Instagram defaults to sending users a login link via email or SMS but also offers options for creating a new password or account — so they only have to navigate a reset flow if it’s what they really want. Companies like 1-800 Contacts embed authentication tokens into their marketing materials to eliminate friction and increase LTV. If you’re sending frequent marketing communications to users via email or SMS, you can build an authentication token into your call-to-action button via an Embeddable Magic Link. When it’s clicked, simple device fingerprinting allows you to ensure it’s by the user who owns that inbox or phone. You can then send them straight to their account — rather than a logged-out state — bypassing login friction and enhancing their overall experience. We’ve found this can increase engagement and conversion rates by as much as 300%. Companies like DoorDash use “just-in-time” authentication to introduce friction only when it’s needed. Finally, instead of front-loading their apps with multi-factor authentication at every single sign-up and login (regardless of the risk posture), forward-thinking companies like DoorDash only ask users for additional authentication factors when they’re looking to carry out sensitive tasks — like changing a delivery address or updating payment details. We call it “just-in-time” authentication, because it saves the stepped-up security measures (and, with them, the extra friction) for when they matter most. As you assess and update your auth strategy, make sure you’re sizing up your platform both qualitatively and quantitatively, including metrics like bounce rates on key onboarding pages, the percentage of users completing your password-reset flows, and where exactly they drop off in their journey. You should also ensure you’re auditing your flows regularly and investing in the best tools and technologies to enhance your growth. Key takeaways Your sign-up and login flows shouldn’t be an afterthought — and they shouldn’t belong to a product or security team alone. They’re critical to your user experience and can have a substantial impact on critical business metrics like conversion rates, CAC, and LTV. Ensuring key teams and stakeholders are aligned when selecting and implementing the best flows for your app will go a long way toward creating an auth strategy that not only protects your users but fuels your growth. Ready to power your growth through frictionless auth? Visit our LinkedIn Events page to watch the full webinar — or download a copy of the slide deck here. If you have any questions, want to learn more about best practices, or are interested in walking through your security flow with an expert, reach out to the Stytch team to book a free consultation. You can also check out our Slack channel to participate in daily discussions on all things auth. --- # How to use references in your hiring process Source: https://stytch.com/blog/how-to-use-references-in-your-hiring-process/ Don't overlook using references in your hiring process. Read about how you can make the most of using references when building out your team. Hiring, especially in the early stages of your company’s journey, can be a harrowing prospect. Not only will your early hires make a foundational and long-lasting impact for years to come, but a wrong hire could be extra costly when you have little margin for error as a small team. Several months ago, I wrote up a founder’s guide to hiring engineers, and in it raised the importance of making references as a part of the hiring process. In this post, I wanted to dive a little deeper into how you can go about using hiring references when building out your team. Why references? As thorough as your interviews may be, only so much can be gleaned about a candidate through a few hours spent with a couple interview panelists. As discussed in this Harvard Business Review article, references are more than just a checkbox - they provide a unique window into what the candidate is like as a teammate. References allow you to gain valuable context about how a candidate collaborates with others and their ability to execute over long periods of time. Interviews are a small peek into a candidate’s ability to do the job, but hearing from people who’ve worked with them for years provides a more in-depth perspective. How to approach references There are two types of references: those supplied by the candidate and backchannel references. Depending on the number of backchannel references we might have access to, we’ll ask candidates to supply 2-3. Candidate-supplied references are generally extremely positive (the candidate hand-picked them after all), so any candidate-supplied references that aren’t a glowing recommendation can be illuminating, but expect most to be fairly straightforward and positive. For backchannel references, we prefer to make sure the candidate is aware that we’ll be contacting some references, so we tell them so explicitly. We typically say something like the following: We'll do a back channel reference and reach out ourselves — we know this can sound a bit unconventional because many companies aren't always upfront that they do this, but we think it's important to be transparent. We want to be particularly sensitive not to reach out to anyone where it might create issues for you if they know you're considering new roles - is there anyone (or groups of people) that we should definitely not reach out to? When reaching out to a candidate reference, your objective is to get a holistic view of your candidate’s past experience (both professionally and personally) as efficiently and concisely as possible, out of respect for the reference’s time. With that in mind, there are a few topics you’ll want to cover: 1. Context on the environment If you’ve had experience working at multiple companies, you’ll know that workplace culture can vary significantly, and it’s critical to understand this backdrop when evaluating your candidate. Whether it’s organizational and team structure or other cultural quirks, be sure to ask your reference to establish this workplace context. What was/is the workplace/organizational culture like at your company? What adjectives would you use to describe it? Next, you’ll want to gauge your candidate’s past performance, and a crucial part of this is understanding the reference’s relationship to the candidate so that you can get a sense of how their roles interacted, what projects they may have worked on together, the amount of time they’ve worked together, etc. What was your relationship with the candidate? (follow-ups: How long have you known the candidate? Did you share any projects? When did you most recently work together?) 2. Work quality and performance Now that you’ve gathered context on how the reference and candidate have worked together in the past, you can move on to the quality of your candidate’s past work and how they performed. As much as possible, look for concrete examples. What stood out most about their job performance when you worked together? Can you offer an example? Can you describe an instance where they took initiative? How would you compare them to others at the same level? Your interview process likely already evaluates candidates on their “values” fit, so you’ll want to validate that your candidate will in fact work well with your team’s operating values, and that their approach to teamwork is positive and collaborative. Take some time to dig into how the reference’s experience with your candidate resonated at a more personal level. What stood out about their character? Can you offer an example? Would you want to work with them again? 3. The most insightful question The most insightful question is one that requires the reference to put a hard number on the candidate’s performance, but the interesting part of this question is the follow-up question “what would it take for them to move up one point?” Specifically the question goes: On a scale of 1-10, how would you rate their performance? Most importantly, what would it take for them to move up one point? This question is illuminating in a few ways. It requires the reference to succinctly address any weaknesses and do so in a way that gives the reference the opportunity to frame weaknesses as growth areas while still being honest about what holds the candidate back. We find that the level of honesty we get in response to this question is on a different level than any other piece of the reference call. The score itself is generally not very meaningful but can occasionally be insightful. Usually, references answer something in the 7-9 range; and anything below a 7 tends to be a red flag, especially for a reference supplied by the candidate. 4. Ensuring success in their new role Lastly, we’re all human and everyone has areas they can improve in, so you’ll want to ensure your candidate has the best chance at succeeding once they onboard and ramp up. References are a rare opportunity to dig beneath the surface and get a more objective perspective on your candidate’s strengths and weaknesses. Try to understand what they truly excelled at in past roles, and see how you can set them up for success once they join. What advice would you give this candidate to help them excel in a new role? As a last step, consider asking the reference whether there are any other references they would recommend speaking with - so take advantage of their network if you can! Hiring is already an intensive process that you’re likely pouring significant time and resources into - be sure you’re not overlooking the last mile in the process by treating references as just a checkbox. It’s an invaluable tool that’s all the more crucial when you’re an early stage startup to ensure that you’re getting the most out of your new hires. Have more questions on hiring? Don’t hesitate to reach us at startups@stytch.com if you're looking for more advice and guidance! --- # Stytch named as top authentication provider by Cybernews Source: https://stytch.com/blog/stytch-named-top-authentication-provider-by-cybernews/ Stytch’s passwordless-first approach, easy implementation and flexible API and SDKs set it apart as a top authentication and identity management provider. Stytch has made the list of Cybernews’ top 23 best authentication providers! We are building an all-in-one platform for authentication and identity management. We offer a holistic suite of solutions that reimagine authentication, starting with out-of-the-box and customizable passwordless products that are easy for engineering teams to integrate and lead to improved user conversion, retention, and security. We’re proud to be featured in Cybernews’ list of the top 23 best authentication solutions. Here’s a recap of what set Stytch apart: Passwordless-first: a passwordless future is the main goal at Stytch. With Stytch’s modular, flexible passwordless solutions — from One-Time Passcodes to Magic Links, Biometrics and more — and enhanced password product, it's easy for your business to build towards a more secure, frictionless future. Out-of-the-box implementation: offering a fully integrated suite of authentication and authorization products, Stytch removes the headache of developing an identity and access management system from scratch. Get up and running in minutes, not months. Flexible SDKs and API: Stytch’s SDKs give you the option of using pre-built UI components or fully customizing the user authentication experience to fit your brand’s look and feel. For maximum flexibility, our direct API gives you the tools you need to build out authentication flows to fit your exact needs. Learn more about Stytch and discover our full suite of products at Stytch.com. Sign up for a free account or reach out to talk to a Stytch Auth Expert today. --- # Introducing Strong CAPTCHA, Stytch’s answer to CAPTCHA fraud Source: https://stytch.com/blog/strong-captcha-announcement/ Introducing Strong CAPTCHA, Stytch’s answer to CAPTCHA fraud Stytch is excited to announce Strong CAPTCHA, the newest addition to our product suite. Our modern take on anti-fraud protection tackles bot fraud at its root: on the backend site architecture. In this article, we'll first cover how CAPTCHA systems work and why they are vulnerable to attack. Then, we'll dive deeper into how we designed Strong Captcha to overcome these vulnerabilities and how it can fit into your auth flow. Telling bots from humans Humans are the minority on the internet today. According to a recent report, over 60% of internet traffic is bots, and over 50% of that bot traffic is malicious. This malicious traffic takes many forms, including: Fake user account creation: for purposes ranging from buying and reselling concert tickets to influencing elections. Spam: deceiving emails that get users to click on malicious links or provide security information to bad actors. Account takeovers: in which username / passwords are used to gain access and take over someone’s account, typically for financial gain. This is often enabled by credential stuffing, in which bots attempt a high volume of username/password combinations obtained from a prior data breach. With the wide variety of threats bot attacks pose to human internet users, it’s no wonder over the past two decades we’ve seen a rise in the use of CAPTCHA, or Completely Automated Public Turing Test to Tell Computers and Humans Apart. We’ve all had to complete these tests at some point, whether it’s selecting images that contain a traffic light, typing in a word displayed in squiggly font, or even just checking a box that asserts we are not a robot. While the challenges appear relatively simple to end users, they are a main line of defense against bot attacks. CAPTCHA fraud Unfortunately, CAPTCHA challenges today are engineered more for scale than security. Specifically, CAPTCHAs are vulnerable to a cottage industry called CAPTCHA fraud, in which bad actors outsource solving the test to people on behalf of bots. These companies (also called “CAPTCHA farms”) exploit CAPTCHA’s public key architecture, in which each CAPTCHA instance is identified by a sitekey publicly visible in the web page’s source code. These sitekeys make it easy to get CAPTCHA services up and running with little backend infrastructure. Crucially though, they also make it possible for the person who solves the challenge to be in a different browser from the one used to submit the solution. Like other (albeit more legitimate) SaaS businesses, CAPTCHA farms operate through APIs. Typically, the process looks something like this: Get public key: to solve a challenge remotely, all a CAPTCHA farm needs to solve the challenge remotely is this public site key and the URL the CAPTCHA is protecting. So the bot simply scrapes this sitekey value and sends it and the URL as parameters to the CAPTCHA farm’s API endpoint. Solve CAPTCHA: using the public site key and the URL, a human CAPTCHA solver receives the CAPTCHA challenge in their queue, solves it, and retrieves the response, also referred to as g-captcha-response. This response code comes in the form of a string, and communicates to the client that the CAPTCHA has been solved (regardless of who solved it or from where). Return response: through a separate API call, malicious bots can then retrieve the g-captcha-response code and submit it to whatever page they’re trying to gain access to. Because they have the correct response code, the site in question registers them as a human, and grants them access. Though CAPTCHA farms employ humans, they typically boast a response time of < 60 seconds. Because of this, hackers can automate the API calls to CAPTCHA farms into their scripts, accelerating the speed and scale of their attacks. This turns CAPTCHA challenges into minor obstacles for bad actors, and opens up scalable attack vectors for bots. The result is added friction and costs on both users and business in the form of fraud, wasted resources, and time. Strong CAPTCHA: secure and scalable If CAPTCHA infrastructure is so vulnerable, why do so many people still use the public key architecture? Simply, it’s scalable. For companies who process thousands or millions of authentication attempts, public key architecture offers a fast, affordable way to get CAPTCHA up and running. Fortunately at Stytch, we believe you shouldn’t have to trade scale for security. That’s why we created Strong CAPTCHA. Strong CAPTCHA is functionally incompatible with how most image captcha solver services work today because we have removed the public site key entirely from the end user’s browser environment. With the sitekey unavailable to the end user, we’ve made it architecturally impossible for a CAPTCHA provider service to easily, and directly generate solutions for CAPTCHA-protected sites using attacker preferred, easy-to-use paid API pathways. Without direct public-key access, malicious bots can no longer use these services to easily get through CAPTCHA challenges, strengthening the line of defense between a given site and bad actors. The best part? Strong CAPTCHA introduces zero additional friction to the end user’s experience: they get the same familiar CAPTCHA challenge on the frontend, with a more secure infrastructure on the backend. Use Strong CAPTCHA with your authentication flow At Stytch, we are laser-focused on helping our customers authenticate their users and verify their identity with minimal friction. By distinguishing bots from humans, Strong CAPTCHA adds another vital solution to our arsenal, and only makes the Stytch suite a more comprehensive auth solution for our customers. While some of our customers may already have a CAPTCHA solution they’re looking to upgrade, we also recognize some companies may still be in the process of understanding where it fits into their authentication flow. You can always chat with an auth expert for more personalized guidance, but there are a couple key junctures where we generally find CAPTCHA to be helpful: Account creation: account creation is a prime target for bots because of the volume of traffic and lack of authentication. Because of this, it’s an ideal juncture for using Strong CAPTCHA. Just-in-time: many companies use CAPTCHA when they start to notice suspicious behavior, like when a high volume of login attempts come from the same IP address, or if a user’s login behavior is too fast (an indication bots are at work). They might also introduce CAPTCHA if the user is trying to do something involving sensitive or high value information, like change their payment information or account email. While you can technically introduce CAPTCHA at any point in your login flow, we believe our customers will be most successful if they only use it where it’s most needed. Authentication is a critical growth lever, and you don’t want to create any more hoops for users to jump through than you have to. At the same time, CAPTCHA is just one piece of the authentication puzzle, and it’s important to think about how it fits into your complete customer journey and authentication experience. While we offer more detailed guidance on breach prevention on our blog, it’s safe to say we strongly advise our customers not to rely exclusively on any one given gateway, especially if that gateway is passwords. (For more information on some options to consider, check out our blog on step-up and multi-factor authentication flows). As an example, your Strong CAPTCHA-enhanced authentication flow for account creation might look something like this: Provide email. Solve Strong CAPTCHA to trigger verification email. Verify email with a magic link. Account creation success! Or, you might use it in your login flow like this: Provide username and password. Strong CAPTCHA is prompted if the user is using an unusual IP or unrecognized device. Solve Strong CAPTCHA. Login success! These examples are just the tip of the iceberg for how to configure your authentication flow with Strong CAPTCHA. You can learn more about this solution or other products at stytch.com, or book time with one of our auth experts to see Strong CAPTCHA in action. Whatever your questions or needs, we’d love to help you on your auth journey. --- # The importance of investing in unphishable authentication Source: https://stytch.com/blog/investing-in-unphishable-authentication/ Learn how unphishable MFA like WebAuthn can help you prevent the data breaches like the ones that recently targeted Uber, Twilio, and Okta. If you follow business news outlets, you’ve likely heard about the data breach that infiltrated Uber’s security in mid-September. It’s only the most recent in a string of similar security incidents that have impacted companies like Twilio, Okta, Microsoft, Samsung, Cisco, and other companies just this year. The common thread in all of these attacks? The use of phishable authentication factors, or sensitive user credentials that hackers can intercept and use to break into an account. In this post, we explain how these data breaches happen and how you can rely on unphishable authentication methods — like WebAuthn — to stop them from happening to you. How phishing attacks bypass traditional MFA Now, you may be asking, didn’t Uber use multi-factor authentication (MFA) to protect its sensitive data? And the answer is probably yes. But MFA can still be vulnerable to phishing attacks, which use social engineering tactics — like an email that mimics a password-reset flow or a push notification granting access — to trick employees into divulging their credentials. While phishing attacks often target passwords (something a user knows), they can also undermine auth methods that are typically used as secondary factors in an MFA flow, like SMS one-time passcodes, push notification, or email magic links. In fact, any factor tied to a user’s phone number or email address (something a user has) can potentially be rerouted at the source and compromised by a determined hacker. What unphishable MFA does differently Unphishable MFA offers industry-leading security by relying on asymmetric or public-key cryptography. That means valuable data, like factors that grant access to a server, are encrypted using both a public and a private key. While the public key is stored on the server, the private key can only be activated by a specific user. To gain entry to an account, both keys must be triggered, with the private key sending a customized message to the public key to grant access. To break it down, this two-part MFA flow is immune to remote phishing attacks because it: Requires physical interaction with a specific device, meaning there’s no text-based secret code or password for a hacker to intercept. Generates unique keys for every exchange, so they cannot be reused across multiple platforms. Binds a user’s login to the site of origin, so they cannot be used on a fake or replica site. Does not store or send private-key data over a public network. The evolution of WebAuthn WebAuthn is one of the leading forms of unphishable MFA. It encompasses three different categories of device-based authentication factors that can be used to verify a user’s identity: Built-in biometrics like TouchID and FaceID. These auth factors fall into the something-you-are camp. They involve the unique attributes of a user’s body, including fingerprints, retinal scans, and facial features. External hardware keys like Yubikey. These auth factors fall into the something-you-have camp. They involve a physical security key that is inserted into a user’s device. Passkeys which are an adaptation of built-in biometrics combined with public key cryptography that makes them compatible across devices and even across operating systems. While WebAuthn has seen relatively low commercial adoption to date, it’s set to ramp up in the coming years, thanks to three significant advancements: Passkeys are revolutionizing the WebAuthn user experience: With passkeys, users can now leverage the advantages of WebAuthn, without any of the drawbacks or impediments that made using it so cumbersome. The WebAuthn developer experience is improving. While WebAuthn has historically been fairly complex to integrate, major auth providers (like Stytch) have worked hard to enhance its usability, resulting in WebAuthn solutions that can be implemented in under an hour. WebAuthn is becoming more affordable. One of the key barriers to entry for WebAuthn has been cost, with incumbents like Okta and Auth0 treating it as a premium feature and charging at least $30K a year for access. But the auth market is expanding, and the pricing of top security products has grown more competitive. In particular, pay-as-you-go pricing models mean developers can now tap into WebAuthn for a few pennies per active user. Businesses are waking up to the value of unphishable MFA. Specifically, security and compliance teams are seeing the increasing prevalence and consequences of phishing attacks. These are the teams that spearheaded the widespread adoption of single sign-on (SSO) technologies years ago, and they’re catching on to the weaknesses in conventional SSO that newer solutions like WebAuthn can remedy. Soon, phishing-resistant MFA may be a similar requirement for signing an enterprise deal just like Single Sign-On support is today. As the auth industry continues to advance — and with the introduction of adjacent technologies like Apple Passkeys that make the use of biometrics easier and more universal — we expect WebAuthn to become an even more popular way to neutralize the risk of remote phishing attempts. Key takeaways Adopting next-level authentication measures like WebAuthn isn’t just about keeping up with the latest security practices. It’s about protecting your users and your platform against real cyber attacks that are wreaking havoc on even some of the world’s biggest corporations. It’s as simple as investing in a comprehensive auth strategy that gives you access to a variety of robust solutions at once — and ensuring they include unphishable MFA factors that can defend your data against the worst that hackers can throw your way. Discover the benefits of unphishable authentication If you’re interested in learning how unphishable MFA factors might work on your platform, reach out to Stytch’s team to book a free consultation. You can also check out our Slack channel to join daily discussions on all things auth. --- # What is unphishable MFA? Source: https://stytch.com/blog/what-is-unphishable-mfa/ Not all MFA are created equal. Learn how unphishable MFA stops phishing scams in their tracks and keeps your app and user data secure. In the world of authentication, there are many options when it comes to verifying a user's identity — but they’re not all created equal. For instance, passwords are easily compromised through common hacking methods like brute force attacks and credential stuffing because they’re often easy to guess or reused across multiple accounts. This is one reason many security-minded organizations are adopting multi-factor authentication (MFA) — which requires additional authentication factors like email magic links or biometrics — as the standard for identity verification. Still, there are many possible forms and variations of MFA, and some offer better security than others. In this article, we explore why some MFA flows fall prey to phishing attacks, explain what unphishable MFA does differently, and break down why it’s the best option for protecting your apps and data from malicious actors. What is phishing? To understand the importance of unphishable MFA, it’s important to first understand the dangers of phishing scams. Phishing is a form of social engineering. Rather than targeting vulnerabilities in computer systems or hardware, social engineering attacks aim to exploit the human component of an organization or user. They deploy deceptive tactics that trick people into divulging personal information or granting access to a sensitive database through fraudulent messages and/or malicious links. This might look like an email from an unknown contact containing a link that promises some kind of reward or to fix a “problem” the user isn’t aware of. But not all phishing attacks are so overtly suspicious. For example, password phishing scams frequently mimic legitimate password reset emails and are a popular way to gain access to user credentials. MFA is designed to thwart these scams by employing additional layers of security to verify a user's identity. With MFA, even if a user’s credentials are compromised, a hacker would have to bypass those extra security measures to gain access to the system, making a successful breach more difficult. Is MFA phishable? The short answer is, yes. Certain forms of MFA are phishable. Any MFA factor that is tied to a user’s personal phone number or email address—like an SMS one-time passcode, email magic link, or voice authentication—can be compromised by a determined hacker. Emails are a very common vector for phishing attacks. Hackers use malicious email links that direct users to fake landing pages and proxy servers that record any credentials and one-time passcodes users enter. The hacker can then plug in that information on the back end to gain access. This is also known as a man-in-the-middle (MitM) attack. With SMS, phishing can get a little more sophisticated, but similarly involves a phisher somehow convincing a user to share a one-time passcode (OTP) or other sensitive information that the hacker can use to gain access to their account. How does unphishable MFA work? Unphishable MFA is a multi-factor authentication flow that cannot be compromised by any of the tactics mentioned above. Relying on asymmetric or public-key cryptography, this form of authentication provides the highest level of security. Asymmetric cryptography encrypts valuable data — in this case, access to a server — using a public key and a private key. The public key is stored on the server, while the private key can only be unlocked by the user. Once unlocked, the private key sends a personalized message to the public key, providing the user with access. This cryptographic foundation can be paired with different authentication factors in an MFA flow, allowing users to verify their identity securely in the following ways: Security key-based authentication (something you have) After inputting their credentials or code, a user is asked to provide a physical security key. When inserted into the user’s device, the private key is triggered, and the user is granted access to the server. Biometric authentication (something you are) After inputting their credentials or code, a user is authenticated using a physical feature like a fingerprint, retinal scan, or facial scan. The private key is then triggered, granting access to the server. How does unphishable MFA prevent the most persistent hackers? This approach offers protection against phishing attacks in four critical ways: It requires physical interaction Because users must engage physically with the device they’re requesting access from, they can’t be compromised through remote attacks by a hacker, bot, or trojan. It uses unique keys every time An important characteristic of asymmetric cryptography is that it generates unique keys for each individual service, ensuring no two keys are reused across multiple sites. And, because only the public-facing key is stored, there’s no way for hackers to know which sites or services a user is registered on. Biometrics aren’t saved on the network Similarly, unlike passwords, a user’s biometrics aren’t stored or sent over the internet. They’re only used to trigger the private key. Access is bound by origin Only the real site can authenticate the private key, helping protect users against man-in-the-middle attacks. Taken together, these factors explain why this type of MFA is referred to as “unphishable.” And they’re why incorporating unphishable MFA into your website or app is the best way to prevent cyberattacks and safeguard your and your users’ data. Fight back against phishing For Stytch, security comes first. Sign up for a free account, and discover our unphishable, easy-to-integrate solutions for passwordless authentication. Sign up today. --- # Stytch Q3 wrap-up Source: https://stytch.com/blog/q3-wrap-up/ It was a busy summer at Stytch. Here’s a recap of key new products and features we released in the identity & access management space in Q3 2022. It was a busy summer season at Stytch and as we settle into fall, we’re reflecting back on all that we shipped in Q3. Here’s a look at some highlights… Product news Passwords In July we launched a first for our company — Passwords. To help our customers make the transition to a frictionless login, we wanted to provide our own password-based auth solution. But of course, we’re Stytch, so we wanted to reimagine, not just rinse and repeat what’s been done before. Here’s how we made Passwords better: Password strength and breach detection: In the face of password overload, users default to easy-to-guess or re-used passwords. Our Passwords product automatically detects breached passwords using HaveIBeenPwned and assesses passwords for strength. Safe account de-duplication: Stytch de-duplicates accounts by email regardless of the authentication method. This allows your users to change which authentication option they are using to log in to an app without accidentally creating a new account (e.g. a password user can switch to sign in via Google OAuth) or being forced to re-authenticate with the same method originally used. A more human-centric password reset flow: When an end user triggers a password reset, most of the time they really just want to access their account, not change their password. With Stytch, customers have the option to integrate a password reset powered by Email Magic Links for a more seamless experience. To see Passwords in action, Watch Wes Doyle implement a complete password flow with Stytch Passwords in Vue.js + .NET 6. Wes walks you through the entire integration end-to-end and offers super helpful tips, like how to properly debounce your strength checking for a polished feel. You can also check out our guides for more detailed information. React Native SDKs We launched our brand new React Native SDKs! They make it easy for developers to use Stytch in their React Native projects. iOS Mobile Biometrics Native Mobile Biometric authentication lets your users leverage their devices’ built-in biometric authenticators such as FaceID and TouchID for seamless and secure login experiences. Our iOS SDK now supports Mobile Biometrics natively, check out the Docs to get started! Strong Captcha In Q3, we soft launched Strong Captcha, our latest product to prevent fraud in authentication. CAPTCHAs are a great way to mitigate bad actors from being able to attack your application, but they can be compromised at scale by bot farms. Strong CAPTCHA tackles this problem at the root by removing the primary vulnerability that attackers exploit. We’re super excited to ship more products in this space to help you make your login safer. B2B Auth — coming soon! Some big changes are coming to the Stytch platform! We're excited to share that we've started work on enterprise Single Sign On (SSO) to better serve our B2B customers. B2B authentication is an exciting space and we'd love for you to join us in building the next generation of SSO. Join our early access program here. Other Q3 Stytch News Website relaunched We relaunched Stytch.com! In Q1, we kicked off a partnership with Together, a UK-based creative agency, to re-imagine our website and enhance discoverability of our growing portfolio of solutions. We were proud to release our new site into the world in Q3. Docs rebooted To improve our developer experience, we spent time re-organizing our Docs to make them more clear and accessible. One update that we are especially proud of is a new navbar featuring each of our products. It makes it easy to find all the resources you need, like guides and example apps, all in one place. Stytch Talks with Brian Hale Stytch hosted a live webinar (aka Stytch Talks) with Brian Hale, DoorDash's Head of Growth, to discuss in-depth why auth is such a critical lever for driving conversion and growth. Watch the full Talk and walk away with tips and best practices for optimizing your sign-up and login flows to drive key metrics like conversion rates, lower acquisition costs, and lifetime value. Get started with Stytch That’s a wrap on Q3. To try out Stytch for yourself, Sign up for a free account. Reach out to talk to an Auth Expert if you’d like to discuss how our API and SDPs can support your auth needs with easy, flexible solutions. --- # Do passkeys live up to the hype? Source: https://stytch.com/blog/passkeys-hype/ Do passkeys live up to the hype? The dream that propels most people working in identity and access management (IAM) is the search for a frictionless yet secure way for users to authenticate themselves online. Legacy forms of authentication like passwords are friction-heavy and contain major security holes. Passwords specifically create significant negative externalities on both businesses and consumers, ranging from account takeovers to lower conversion at sign-up and login. Given the significant UX and security issues that legacy authentication methods pose for both companies and their customers, it’s no surprise that many in the IAM space believe that passwordless authentication will play a key role in the future of identity and access management. But passwordless authentication can mean many things — passwordless technologies include one-time passcodes (SMS/Email), email magic links, social logins (e.g. Google/Facebook/Apple/etc.), and biometrics like facial and fingerprint verification. To date, all of these authentication methods have gained considerable adoption, yet many apps continue to offer passwords as an authentication option to users. These technologies have reduced our reliance on passwords and many users prefer them, but they still haven’t managed to kill the password. Of the above technologies, studies continue to find that biometrics are the most enticing to both consumers and businesses — they’re fast, simple, secure, and familiar given the reliance of Apple, Microsoft, and Android devices on biometric-based authentication. In a recent PYMNTS and Mitek study, 55% of consumers trust biometric authentication methods more than passwords and PINs (31% remain undecided and only 14% prefer traditional methods like passwords). Source: PYMENTS Users are highly supportive of biometric authentication, but it’s still not a ubiquitous experience. While many consumers use facial recognition on their mobile banking app or their fingerprint to log into their laptop, these biometric forms of authentication are still not supported by most applications. The technology exists and is familiar to users, so the question remains why it isn’t the primary option when we sign up for and log in to the hundreds of other online accounts that we manage. The answer has to do with some existing limitations to how biometric-based authentication works today. Fortunately, solutions aimed at fixing those current shortcomings are on the horizon. In May 2022, the Fast ID Online Alliance (FIDO Alliance) announced a major development in passwordless technology that would make biometric authentication significantly better suited for consumer use cases: passkeys. Passkeys aren’t necessarily a new technology, but they solve some of the major UX obstacles with existing biometric authentication technology and have support from the major tech platforms (Apple, Google, Microsoft) to drive widespread biometric adoption. So, are passkeys worth the hype? And if so, what might the path to passkey adoption look like for business and consumers? Working in this space requires a blend of eternal optimism and severe skepticism. We know the future holds better authentication experiences, but we’ve also been repeatedly subjected to hyped authentication technologies that ultimately failed to move us beyond passwords. Fortunately, passkeys appear to be the real deal. It will take time for businesses and consumers to adopt them, but the architecture provides a significant leap forward in the feasibility of wide-scale biometric authentication adoption. Current gaps in WebAuthn and the case for passkeys Passkeys are a new evolution built upon an existing passwordless technology called Web Authentication API or “WebAuthn.” To understand the promise of passkeys, it’s important to understand where the initial capabilities of WebAuthn technology have fallen short of consumer expectations. In March 2019, WebAuthn was declared a W3C web standard. At the time, WebAuthn received its own fair share of hype and was a critical stepping stone on the path to passkeys. It promised to smooth the user experience of biometrics by making user enrollment more intuitive and supporting cross-device and cross-platform biometrics. However, +3 years later, it’s fair to say that WebAuthn’s adoption has been minimal, particularly in B2C use cases where there’s a higher emphasis on user experience. A major reason for WebAuthn’s limited adoption is that the technology has been sidelined into a secondary authentication method rather than being offered as a true primary method to users signing up for or logging into an account. There have been two main problems with WebAuthn as a primary authentication factor: UX: UX experience of WebAuthn as a primary factor - either for "passwordless" or "usernameless" scenarios - has been pretty rough. The WebAuthn W3C group has put together a document that goes into far more detail. One of the items out of that discussion was a standards change that was merged in a few months ago. Now it's up to browser vendors to implement that change over the coming months and years. Lock-out risk: The second problem with WebAuthn is that device-based authentication has been historically risky for consumer users long-term. It's unreasonable to expect an individual to have access to their phone, YubiKey, or laptop over a period of years. In the B2B space, this isn't as big of a deal. Getting an IT admin that works for your company to reset your access and issue a new credential is not a complex problem. However, this is a major hurdle in the B2C space. Devices get lost or stolen, and then the service operator needs to build out an alternative recovery method that needs to be as secure as WebAuthn (ideally, without infringing on the user's privacy, as regulated by Know Your Customer (KYC) mandates). To make this tangible, imagine you’re a user signing up for an account with HomeDepot in order to buy paint: You start your search for paint on your mobile device and find a few colors you’re excited about. You create a HomeDepot account in order to complete the order. You see a FaceID icon and think “Great! No password needed — I can just use a biometric to sign up. A day later, you see the shipping confirmation while checking email on your laptop, and you realize you’re out of paint brushes. You go to HomeDepot.com to order a few brushes as well. When it asks you to log in, you click on the same biometric icon you saw in the mobile app However, laptops do not support FaceID, so HomeDepot asks you to go through the TouchID flow on your Mac. You enroll your fingerprint and you receive an error telling you an account doesn’t exist. You know that’s not right, but you’re not sure what’s gone wrong, and you’re in a hurry. You decide to create a password, enter all of the same information you provided yesterday (address, credit card info, etc.) and make the purchase with this same account. You’ve now experienced the biggest shortcoming with WebAuthn today — it doesn’t handle cross-device or cross-platform authentication well. Instead of it saving you time, it actually led to confusion and required you to duplicate work while also creating multiple accounts for HomeDepot to manage on their side. In short, WebAuthn isn’t a great replacement for passwords for most applications today, unless their users are tech savvy and OK with the lock-out risk. Luckily, passkeys build on over a decade of learnings like these to overcome these user challenges and become a major contender for preferred primary authentication factor. By enabling biometric authentication to work across all major devices and browsers, passkeys are likely to be a game changer for B2C WebAuthn adoption. What are passkeys and how do they work? Though passkeys are built upon WebAuthn, they improve on the older auth method in a few key ways. While WebAuthn pioneered the concept of a single-device passkey (i.e. a single hardware key or a biometric validation tied to your mobile device or laptop), “passkeys” as we’re discussing here refer to multi-device passkeys and introduce a few major UX and developer improvements: They are a drop-in replacement for passwords. They are cross-device, cross-platform, and cross-ecosystem. Enrollment and login credentials with a passkey leverages UX patterns made familiar by password managers. For higher security contexts, passkeys can discern between existing and new devices attempting to access an account. Definitionally, there are a few different ways to describe passkeys depending on the audience you’re talking to: For consumers, passkeys provide a simple and secure way to sign up and log in to sites and apps without the need for a password. For the tech savvy, a passkey is a phishing-resistant, password replacement FIDO credential, usable across all of your devices. For the tech-and-authentication savvy, a passkey is a FIDO2 discoverable credential which requires user verification and is backed up to survive device loss. If you’ve ever used a password manager like LastPass or 1Password, you’ll understand the value proposition of passkeys. Password managers provide a much better user experience than fumbling around to remember a unique password for each different online account. Passkeys work similar to this, but they don’t require consumers to pay to use them or remember a master password. Instead, passkeys work by storing a key pair consisting of a public and private key in a user's primary device account (e.g. your iCloud account on your iPhone or Mac or your Google account on your Android or Chrome book). This key pair can then be used to sign up or sign in to applications without creating or remembering an additional password. The public key cryptography underpinning this technology isn’t new, but the way that multi-device passkeys leverage your logged in account across devices (e.g. iCloud, Google, Microsoft) to perform these cryptographic checks is novel. Whereas prior uses of public key cryptography have typically only allowed for device-bound keys, multi-device passkeys allow for these keys to be synced across cloud accounts to enable use on different devices. What’s more, passkeys also incorporate bluetooth and QR codes to enable login via biometric passkeys on different operating ecosystems. So hypothetically, users could use an iCloud passkey on their tablet to log into an app on their Android phone, and vice versa. Source: FIDO Alliance If we return to our Home Depot example, we can see how multi-device passkeys with biometrics make the user’s experience much more streamlined than WebAuthn: When a user is checking out on HomeDepot’s mobile app, they can choose to create an account in one click with their face ID on iOS or Android. At this point, their device generates a passkey and stores it on their device’s account. If that user needs to access the account again from their laptop, their credential will already be synced with their iCloud or Google account. All they need to do is use whatever biometric credential their laptop uses, and the same passkey from their phone will be used to log them in on their laptop. The user now has a fully biometric-only account that’s easy to navigate across different devices. What will the path to passkey adoption look like for businesses and consumers? In our opinion, passkeys offer the best chance to move us beyond passwords and into a more simple and secure biometric-based future. They’re fast, secure, familiar, and privacy-preserving (no biometric data is ever actually transmitted to the application verifying the user). While we believe the adoption curve for passkeys will be significantly steeper than WebAuthn, it won’t happen overnight. There are still some headwinds for universal passkey adoption, including: Device and operating system support: While Apple, Microsoft, and Android have announced support for the latest versions of their respective operating systems, it will likely take years to get all users to update to the latest OS. Application uptake: The UX and security benefits of integrating passkey support are clear, but it still requires an application to make the updates to integrate it into their sign-up and login forms. This also requires applications to think about how it changes their user model and any relevant account recovery flows to ensure their passkey rollout is frictionless. User uptake: While passkeys fix the remaining shortcomings in WebAuthn, users will continue to value multiple options when it comes to choosing an authentication method, and some will be hesitant to adopt a new biometric method. In the same PYMNTS and Mitek study cited earlier, researchers found that 73% of consumers reported being able to choose their preferred authentication method in an application increases their trust in the app. Moreover, 14% of users still explicitly prefer legacy authentication methods like passwords and PINs. While it will take time and effort to weather these headwinds, passkeys present a major leap forward for passwordless technologies. Companies should incorporate passkeys into their identity and access management strategies and figure out where it fits on their roadmap. In the long-term, their customers and their IT/security teams will be grateful. At Stytch, we’re building a modern identity and access management platform, which includes support for passkeys. If you’re considering adopting passkeys, we’d love to share our learnings and help you create a strategy to roll out passkey support — get in touch to get started with Stytch today. --- # Introducing B2B Auth School Source: https://stytch.com/blog/intro-b2b-auth-school/ Introducing B2B Auth School, Stytch’s crash-course designed to help B2B companies’ uplevel their auth game and upmarket growth. Lesson one | Introducing B2B Auth School Lesson two | Organization tenancy: the foundation of SSO and B2B data models Lesson three | What is single sign on? Lesson four | SSO protocols: SAML vs. OIDC Lesson five | What is OpenID Connect (OIDC)? Lesson six | What is SAML and how does it work? Lesson seven | Choosing a B2B auth provider Entering the world of identity and authentication for B2B companies can feel a bit like taking a big slurp of acronym soup: IAM, CIAM, SSO, SAML, RBAC, ABAC, SCIM…the list goes on. To help our customers and developer community make sense of this world, Stytch is excited to launch B2B Auth School, our in-house crash-course designed to help B2B companies’ uplevel their understanding and implementation of authentication. In this school, we’ll cover the technologies, processes, stakeholders, regulations, and external pressures on identity and authentication, and how they inform key decisions every B2B company must face when buying (or building) the authentication stack for their product. For our first series, we’ll focus on B2B auth technologies, specifically the world of Single Sign On or SSO. Why start with SSO? Many B2B decision-makers know they should care about or even invest in SSO without totally understanding what it is, and what building it entails. This is obviously not because they lack smarts or industry knowledge, but rather because SSO is highly complex, and does in fact encompass several different processes, code bases, and tools. They know their customers are asking for it, but they don’t have the time or resources to dive deep into why. So, to help our B2B customer base, we want to devote our first installment of B2B Auth School to SSO, in the hopes we can make it easy for B2B developers and decision-makers to figure out what they need for their product, and how best to meet their customers’ demands. But first, we want to go over the bigger picture of B2B auth, including: Defining identity and B2B auth Why B2B auth is different from B2C Opportunities & challenges in B2B auth today A sneak peak at our first topic: SSO Let’s dive in! Identity and B2B auth In the digital realm, identity refers to the set of traits that uniquely identify a person, machine, group, or organization. As a B2B company, to manage all these identities for your customers, you must decide: What defines it? How and how often do we authenticate it? What resources does it have access to, and when? Identities are crucial in cybersecurity because they are the bedrock of how software companies make sure the right people have access to the right resources. For B2B companies, defining and authenticating those identities looks a little different from B2C companies, specifically around who owns the identities and resources. B2C customers are individual users, sole proprietors of their identity. But B2B SaaS customers are companies, which means their end users are not the sole proprietors of their identity, merely stewards; they are employees, consultants, or contractors – defined members within the enterprise. What different people and devices have access to at any given moment is subject to larger business imperatives, compliance requirements, and changing roles, departments and responsibilities within a company’s (i.e. your customer’s) workforce. In short, the stakes and the complexity are higher. To help distinguish the unique auth challenges that face B2B companies, we at Stytch have defined B2B as its own category, namely: the authentication of members and their organizations, and all the technical, regulatory, and business challenges and opportunities that go along with that. B2B auth vs. B2C: why it’s different While the difference between a member and a user may seem like semantics, it actually has huge implications that make the challenge of authentication for B2B companies unique from B2C. Even if on the surface some of the auth solutions appear similar, B2B auth is distinct in its… Scale and risk If someone gains access to the credentials of an individual customer, the results can be devastating on a personal level, but are generally limited to the scale of that single person’s account. But if someone gains access to the credentials of an employee, the scale of damage is much bigger. This is why so many of the major cybersecurity incidents over the past few years have involved employee credentials (SolarWinds, T-Mobile, Uber). In the B2B world, a breached identity could affect millions of people. Stakeholders In B2B auth, there are really two levels of stakeholders that are important to keep in mind when choosing or building your solution: stakeholders within the B2B SaaS company, and stakeholders within the customer companies of the B2B SaaS company. To work well, a B2B auth solution should satisfy the requirements of a B2B customer’s IT, compliance, risk, engineering teams, and anyone else who will be using that auth flow. Those requirements exist in conjunction with the requirements B2B decision-makers have for their application, as dictated by roles like CTO, VP of Engineering, Head of Product, etc. Provisioning, roles, & controls According to a recent study, the average business uses upwards of +88 applications, while for large firms the number can climb as high as 200. At the enterprise level, you can imagine 50,000 employees x two devices each x 150 applications…and you get millions of vectors for attack, not to mention a lot of administrative overhead. IT admins have to manage all of these vectors, and all of the rules that determine access. Certain resources are gated by department, others by role, others by seniority or geography, and some by a combination of all these and more. As people join or leave a company, get promoted, or change teams, their access must be kept up-to-date. Priorities Historically, CIAM and SSO providers have not had to prioritize user experience (do a quick search for product reviews for Auth0 or Okta, and you’ll find a rather vibrant array of responses). This is because the people buying B2B auth solutions are typically not the same as the people who have to use them every day. A typical end user for B2B auth solutions (ie your average individual contributor) has very little power over what authentication solution their company uses. As a result, their UX comes after a long list of other priorities for providers. Fortunately, with newer auth providers in the space this is starting to change. Challenges & opportunities: B2B auth today In recent years, B2B auth has become even more critical to the overall success of B2B SaaS companies, due to five main broader trends in the technology market. Rather than thinking of these sequentially, it’s more accurate to think of these as parallel transformations that have mutually accelerated each other: Cloud migration Moving away from on-premise solutions and towards cloud based solutions like AWS or Azure, has accentuated the need for more sophisticated IAM. Employees need to be able to access their resources from anywhere, and on any device, all while keeping everyone else out. SaaS economy The increasing adoption of cloud computing has come with the rise of Software as a Service (SaaS) and API-driven services, exploding the number of providers in the B2B space. As the number of services or apps a company’s workforce uses balloons, so do the number of potential attack vectors for fraud and account takeovers. Dispersed workforce Long gone are the days of ID badges and on-prem computers. The COVID-19 pandemic accelerated a widespread workplace transformation. While some companies have required workers to return to the office, the overall shift feels decisive: workers increasingly have the choice to work wherever and whenever they choose. This kind of flexibility puts additional onus on IAM systems to be able to protect those identities and company resources wherever and whenever employees need them. Regulation ramp-up With the migration to the cloud and proliferation of services has come increased concern and lively debate over privacy, data, and access that’s manifested in a slew of increased regulation. Depending on geography and industry, this can be quite an extensive nexus of requirements, including things like SOC2 (Service Organization Control 2), ISO (International Organization for Standardization) 27001, HIPAA (Health Insurance Portability and Accountability Act), GDPR (General Data Protection Regulation)…the list goes on. We’ll cover some of these in more detail later in the school, but suffice it to say B2B companies have a lot of regulatory hurdles to clear, and how they handle identity and authentication is a big part of that. Fraud & attack vectors With each of these developments, hackers and bad actors have adapted their approach to take advantage of emerging vulnerabilities in workforce identity. Over 80% of cyberattacks exploit weak or insecure passwords. As employees’ identities are linked with an increasing number of devices and services, the potential risk increases as well (think Solar Winds). If your company works with 100 different apps and services and each of those vendors works with 100 different apps and services, the vulnerabilities multiply without strong, centralized IAM systems in place. All of these factors have transformed B2B auth from a box that needs to be checked into a key product differentiator. At Stytch, we talk a lot about B2C auth as a growth lever: the easier companies make it for their customers to access their service, the more they can drive conversion. A similar, but perhaps more overlooked logic, holds for B2B companies: The easier you make it for your customers to manage their employees' accounts and onboarding to your application, the more likely you are to land upmarket sales and see widespread adoption. SSO: the beating heart of B2B auth While B2B auth includes several different technologies and protocols, in Stytch’s conversation with B2B customers no other feature comes up more than SSO. We think there are a few reasons for this: Reduced friction: Managing the identity and auth flows for members of multiple organizations involves a near endless number of decisions and variables. SSO helps simplify both by centralizing, bundling, and automating a lot of those decisions into a single service. Security and compliance: For many B2B decision-makers, SSO becomes shorthand for meeting a number of security and compliance requirements. You don’t have to understand them in depth to know they’re covered, so checking that box takes a chunk of those concerns off their plate. Your customers are asking for it: As B2B companies start to sell upmarket, SSO becomes table stakes. For many B2B customers, they won’t move forward with a given SaaS product without it. If you’re serious about scale, then you need to get serious about SSO. This last driver is the main reason we want to start with SSO: because it’s important to you, our B2B customers. It’s a complex space, and involves a lot of different decisions, so it’s worth taking the time to unpack it piece by piece, so you feel empowered when it comes to choosing your B2B auth solution. For the next several articles, we’re going to go deep on SSO: its protocols, stakeholders, benefits, risks, footguns, and even fun features. Next up: organization tenancy! --- # Anatomy of a strong password Source: https://stytch.com/blog/strong-passwords/ A breakdown of what does and doesn’t make a strong password, and how you can protect your users with some simple, modern tooling. If you’ve heard of Stytch already, you likely know how we feel about passwords. But we recognize that the journey to passwordless can be long and varied. And while we do hope one day to usher the world into a passwordless future, first and foremost we want to make it easy and safe for our customers to protect their users. One of the easiest ways to reduce friction and improve user security is through password strength requirements. Unfortunately, to date these requirements have been poorly designed so that both users and security teams take on unnecessary stress and work. In this article, we’ll go over the drawbacks of the de-facto legacy password strength method. Then, we’ll look at two specific tools developers can use today to protect their users, and the basics of how to set them up. LUDS: an ineffective and frustrating legacy If you’ve created an account recently, chances are you saw something like what this user saw when trying to order a late night pizza: Source The intention here is good. Allowing users to submit low-entropy passwords that can easily be cracked (such as “qwerty” or “abc123”) would expose both the application and user to risk of account takeover. To avoid this scenario, applications will often require users’ passwords meet certain characteristics to ensure the user sets a sufficiently secure password during account creation. As part of this step, the application will inform the user whether their chosen password is insufficient – and if so, it will often provide helpful suggestions on how to fix it (e.g. add a special symbol, a digit, etc.). As we can see, though, the experience is…bad. Users who are trying to accomplish a simple, non-data-sensitive task, have to randomly insert a couple of exclamation marks or extra letters that they will likely forget as soon as the za arrives at their door. What happens the next time they want a late night pizza after a few beers with friends? Likely a labyrinthine password reset flow, in which they will add different random symbols just to get that midnight pie. So how did we get here? Typically, the legacy approach of password strength estimation follows the LUDS formula (lower case, upper case, digit, symbol). When implementing the LUDS method of password strength estimation, developers may think they are doing the right thing by checking to see if the password contains all of these characteristics. Unfortunately, humans are very predictable, and we often end up with insecure passwords that satisfy these conditions but are exceedingly easy for machines to crack. There are three main flaws in the LUDS approach: The system may allow the user to submit a password that contains all of the required characteristics, but still uses a simple pattern that can be easily cracked, such as “A1b2C3d4”. The system may allow the user to submit a password that contains all of the required characteristics, but also contains common substitutions that are weak – such as “p@ssword.” From a user perspective, it’s very hard to remember. Did you choose “Sp0tisagoodboy,” “sPotisag00dboy!,” or “$pOt!s@goodboy”? Who the heck can keep track!? While password managers may help with the last issue, adoption of these tools remains low. In short, though it’s a rather easy logic for engineers to set up on the backend, the LUDS approach to checking password strength is flawed, frustrating to use, and ineffective. Entropy: accounting for human behavior There is a better way to assess password strength that involves using a method known as “entropy.” Entropy is the measure of randomness in an information system. When applied to passwords, entropy is a measure of the length of the password and the randomness of the characters within the password. The higher the entropy, the higher the strength, because it becomes more difficult for someone to crack the password, even when using tactics like credential stuffing. Perhaps nothing explains password entropy better than this well-known XKCD comic: Source As this comic shows so well, even though "Tr0ub4dor&3" looks like a strong password, it’s actually pretty easy to guess if you have some pretty simple resources most hackers have, ie., basic computing power, a database of common passwords, and knowledge of common character substitutions. On the other hand, a password such as "correct horse battery staple" is much harder for computers to guess (and much easier for people to remember!). LUDS actually has a lower entropy score because it doesn’t factor in common human behaviors and patterns. LUDS assumes that all strings have equal entropy, and therefore password strength is viewed entirely as a function of the total search space. But because humans are rather predictable, this actually isn’t true. In theory it would take ~92 billion years to brute force a 16 character LUDS password, but modern password cracking approaches don’t just randomly brute force — they leverage common patterns of human behavior, which can cut that ~92 billion years crack time down to mere seconds for something like “P@ssword12345678.” Rather than randomly swapping letters with symbols or numbers, entropy shows that length actually makes for pretty strong passwords (all other things being equal). You can confirm this yourself with something like rumkin.com's password strength checker. Even if the individual characters are all limited to [a-z], adding just one extra letter has an exponential effect on the password’s difficulty (and the time it would take a computer to guess it). As a bonus, long strings of lowercase characters are also easier to type on smartphones and soft keyboards, making them even more user-friendly. If you don’t feel like doing logarithmic calculations every time your users (or you!) need to create a username and password, or you dread a potential future of 62-character passwords, don’t worry: you’re in luck! There are two great public tools that we highly recommend for helping generate strong passwords: zxcvbn and HaveIBeenPwned. Zxcvbn Developed in-house by Dropbox’s engineering team, zxcvbn provides a flexible strength assessment based on how resistant a password is to modern password guessing techniques. Named after the same keyboard area as “qwerty” (just two rows down), it’s designed to make picking a strong password easy for humans to generate and hard for robots to guess. How it works Zxcvbn works by first searching for matches to your user’s password in a list of common passwords, common names, common words, etc. If a match is found, it returns a score based on the match’s dictionary and pattern rank. If a match is not found, the library uses a set of rules to generate possible patterns, and it uses pattern recognition to score the submission. This includes things like repeating characters, sequential keyboard patterns, dates, common numbers, and so on. Because zxcvbn focuses on estimating the actual crack time of a given password, it’s a much more accurate assessment of strength than LUDS. How to use it If you’re looking to improve password strength estimation in your application, or if you’re simply looking to get started with zxcvbn, there are many different ways to do it. The zxcvbn library is available in a variety of programming languages, including JavaScript, Python, Go, PHP, Ruby, and more (you can also use an API like Stytch, which incorporates the zxcvbn method into our Passwords product.) Once zxcvbn-async is installed in your application, you can simply call into the zxcvbn function, passing in the password and an array of user input fields (e.g. username, email, etc.) that are being used in the application. The function will then return an object with a score attribute, which is a numeric representation of the password’s strength. This score will range between 0 and 4, with 0 being weakest and 4 benign strongest. While it’s most common to set the rejection level to < 1, some services like Stytch will reject anything < 3 for the sake of avoiding even moderately guessable passwords. HaveIBeenPwned Zxcvbn is a major upgrade to the LUDS system for determining password strength, but it still doesn’t fully solve for the human tendency to reuse passwords across different applications. That’s where a tool like HaveIBeenPwned comes in handy. How it works HaveIBeenPwned offers both an individual-friendly website and a developer-targeted API that both monitor the web for stolen credentials in order to alert users and companies of those credentials’ insecurity. You can search for compromised emails, phone numbers, domains, passwords, and websites, and can even sign up for email notifications to notify you if one of your accounts has been compromised. While you can use HaveIBeenPwned as an individual user, you can also integrate it into your product via their API, which checks whether a user’s email address or password has been exposed in a data breach. If it has, the API will return a list of the data breaches in which the user’s information was compromised. How to use it To use the API, you would first need to sign up for a free API key. Once you have your key, you can then make a GET request to the API, passing in the user’s email address or password as a query parameter. If the user’s information has been compromised in a data breach, the API will return a list of the data breaches in which the user’s information was compromised. At Stytch, we integrate directly with HaveIBeenPwned’s API, so that your users can also benefit from built-in breach detection in our Passwords product. Secure doesn’t have to mean frustrating Just because passwords will one day be a thing of the past doesn’t mean they have to be such a pain in the present. Tools like zxcvbn and HaveIBeenPwned offer developers some lower-lift options that won’t make their users tear their hair out when trying to sign up. If you’re interested in additional ways to eliminate friction from you signup or login, we’d always love to chat about how we can help simplify and streamline your auth flow. --- # The remote dev decision: part one Source: https://stytch.com/blog/remote-dev-1/ A look at how Stytch decided to migrate to a remote development environment: pros, cons, and the longtail payoff. Here at Stytch, we’re focused on building great developer experiences — for our customers and our coworkers. Engineers’ time is a precious resource, and we want to do everything we can to make sure it’s spent efficiently and effectively.  For customers, we’ve created a suite of developer-friendly auth solutions with our API and SDKs, which allow developers to experiment and compare authentication solutions easily, and get up in running in a matter of hours. In house, we need an equally strong developer experience to deliver on continuous improvements and features. We owe a lot of our agility, responsiveness, and speed to working in a remote development environment. But it wasn’t always that way! In this series, we’ll go over some initial challenges our engineering team faced with local development, why we moved to the cloud, and some of our favorite fixes and tools for making remote dev work as efficiently as possible. In this first installment, we’ll go over: What remote dev is, its pros and cons Stytch’s challenges with local dev The reasons we ultimately went remote Overview: remote dev pros and cons What is remote development? Remote development requires moving your team’s development environment outside of your local machine. Typically, this means moving the development process into a container or virtual machine (VM) in the cloud, and having a tool to sync the code from a developer’s machine to that remote environment. From there, a developer can build and run their service without being bogged down by the limits of their local machine.  Pros and cons The biggest benefits of remote dev are centralization, scale, and efficiency. Remote dev centralizes tooling versioning and updates, as well as idempotent resources, so there are no surprise edge cases in individual devs’ machines. Remote dev also helps maximize developer productivity by no longer limiting engineers to RAM or CPU of their individual machines, by minimizing differences between development and production, and by creating consistent and repeatable steps for developers.  But migrating to remote dev is not without its challenges. Many companies delay their migration to remote dev because doing so creates a lot of initial friction to the development flow and requires a lot of time and person-power to get set up. This is why it’s more common for large enterprises like Google and GitHub to operate in a remote environment, but less common for startups like Stytch. For many, the up front costs are too great to justify when a company is getting off the ground.  We can think of the tradeoff between local dev and remote dev as a function of two variables: the size of your team and the size of your software services. As both of those sizes increase, the scale tips towards remote dev as the more productive way to develop. Early days: local and friction-filled In the first few months of Stytch’s life, we had one goal and one goal only: ship. A couple months after we launched our first product Email Magic Links, we took a step back to evaluate our development cycle. We wanted to take a strategic stance on what kind of developer experience we wanted to build in-house, and what we needed to meet our goals of becoming a preferred auth provider on the market. Some things were apparent from the outset, just from roadblocks we’d hit in our day-to-day flow. For example, doing something as simple as editing our email template in our dashboard required running every service. This turned what would optimally be small tasks into time and resource intensive undertakings. And when we did ship features, we couldn’t guarantee that the development process was consistent. We even shipped a bug very early on because an engineer was writing a feature in the API with Redis disabled on their local machine. Local development was starting to slow us down.  Before we took on our first customers, we wanted to minimize delays and mishaps like this as much as possible. As we looked at the bigger picture, we identified five main productivity drags in our dev environment we wanted to address: Too many services: We had to run six different terminal windows and two databases to develop our dashboard and any example applications.  Extra context, wasted time: The frontend team needed to understand how to run our backend code, and the backend team to understand the frontend code. That meant a lot of extra work on both sides.  Time- and people-intensive: There was a fifteen-step process to set up the dashboard, and any changes to the process required coordinating with the other team members. The process would take over an hour to set up and required insider knowledge. New engineers needed context on code bases that they didn’t need to edit.  Local configs vs. production configs: Some features were developed with different configuration than production, often causing issues even when they worked locally. Hard to actually test: Testing across services was challenging as the team would need to make sure all the versions of the different services were aligned.  With these five factors in mind, we set to work defining our ideal development environment. What we needed To meet our goals of scale and deployment speed, we had clear specifications for what we needed from our development environment. It needed to: Allow engineers to update, upgrade, or experiment without disrupting other engineers or workflows or requiring extra work or syncing to avoid shipping bugs.  Centralize tool versioning and updates: No more worrying about or managing weird edge cases in a lone engineer’s machine.  Seamless transition between development and production: Because most local development is done with http (but we use https in production), any feature work related to domains like cookie and local storage was needlessly challenging. We wanted to minimize that challenge so we could get to production as easily as possible.  Offer robust processing power: Stytch quickly grew from requiring six microservices to run to eight, in addition to two databases. To run and make changes to all of those and test end-to-end, we needed more raw computing power than we could milk from our local machines.  Easy to test: “Fail fast” is one of our core values at Stytch, but to fail fast you need to be able to test end-to-end rapidly. We never wanted to hear the phrase “Well it worked on my machine” ever again With these requirements, we first considered improving our local development environment, to defer the leap to the cloud. We saw three options: Run all the services in Docker on our developer’s machines. This reduced the work to run the services, but didn’t solve for load or keeping all our engineers’ work in sync. Have the service in development hit our staging environment for other environments. This simplified development, but complicated our staging environment’s data and made it difficult to test a service connected to a local machine.  Mock out the endpoints for other services. While this is a common approach, we ran into problems where the system worked for a mock, but the real service returned different data. In the end, we realized we needed to move ALL development into the cloud to meet our full requirements. Whatever initial set-up or resourcing might be required up front, we felt it was well worth it. Especially when we saw other startups who had deferred the decision and paid for it, we wanted to save ourselves those kinds of headaches down the road. Today, we couldn’t be happier with our decision. But there were some fun challenges along the way we needed to solve in order to make sure remote dev at Stytch could reach its full potential. Namely: Scheduling all the different microservices and making them easily discoverable Replacing a remote service with a local version for development Load balancing and routing traffic through DNS records Enabling consistency in developer tools and configs Creating valid certificates for HTTPS Automating the provisioning and syncing of new environments Provisioning external cloud resources from AWS to use during development Fostering a culture that rewards developer productivity and innovation In the rest of this series, we’ll tackle each of these challenges one by one, breaking down each challenge and the steps required to fix them. If tackling problems like this interests you, check out our career page! --- # What is CAPTCHA, and how does it work? Source: https://stytch.com/blog/what-is-captcha/ Learn how CAPTCHAs differentiate between real web users and bots — and how you can optimize them to protect your app. CAPTCHA flows have long provided an essential security tool for developers as they work to protect their platforms and users from cyber attacks. Specifically, modern CAPTCHAs can help apps and websites tell the difference between the good, human users they want to let in and the bad, non-human users (namely, bots) they want to keep out. In this guide, we explain exactly what CAPTCHA is, how it works, and how modern authentication providers are adapting the CAPTCHA system to keep up with evolving cyber threats — and stop malevolent bots in their tracks. What is a CAPTCHA? CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. At the most basic level, a CAPTCHA is a computer-generated security flow meant to distinguish real users from automated web traffic like bots. It’s a form of challenge-response authentication, where a user must answer a question or solve a puzzle in order to be verified and gain access to an online account. The “Turing” in CAPTCHA refers to Alan Turing, a renowned computer scientist and mathematician who, among other achievements, devised tests that could differentiate between the behavior of human beings and that of artificial intelligence (AI). CAPTCHA challenges are based on this work. They’re designed to elicit the kinds of sensory and cognitive responses that non-human bots could never reproduce. How does CAPTCHA technology work? Bots are programmed to carry out specific, repetitive tasks within a narrowly defined scope. For example, they might be set up to identify common customer questions and provide automated answers in an ecommerce chatbox or to comb the internet for the lowest price on a given product. Simply put, bots cannot “think” or “feel” in any human sense. While AI has come a long way, resulting in sophisticated bots that can process complex images and sounds, those crawling the internet with malicious intent generally aren’t built with these abilities. Their pre-programmed nature prevents them from being able to spontaneously react to or reason through the sorts of challenges presented in a CAPTCHA flow. In short, a CAPTCHA works by presenting these bots with a test or challenge that human users can solve, but bots cannot. Let’s take a closer look at what such challenges involve. Types of CAPTCHAs CAPTCHA tests can take many different forms. Some of the most common challenges include: Text-based CAPTCHAs: Users are asked to type a word or a series of letters presented to them as distorted text. This distorted text may and numbers written in a squiggly or strikethrough font or displayed against a grainy background. The idea is that web-crawling bots cannot “read” or recognize these figures among the visual noise. Image-recognition CAPTCHAs: Users are presented with an array of images and asked to pick out familiar objects like fire hydrants, crosswalks, or trains. Since automated bots cannot understand the concept of a crosswalk or train or what it references in the real world, they are unable to match the prompt to related pictures. Audio-based CAPTCHAs: Users type in a word, sequence, or phrase spoken by a muddled or distorted voice. The idea is that crawler bots cannot “listen” to distinguish between and interpret competing sounds. This can also be a good alternative CAPTCHA test for visually impaired users. Question-based CAPTCHAs: Users must solve a simple math or word problem that is intended to test comprehension, rather than outright intelligence. Why these challenges work While an automated, web-crawling bot could theoretically be engineered to exhibit or mimic these capabilities, it would be an incredibly difficult, time-consuming, and expensive undertaking for a hacker. What’s more, a CAPTCHA test cannot be reused once it’s solved. That means, even if a bot does correctly decipher a CAPTCHA puzzle, it has to repeat the process thousands of times to be effective, neutralizing the speed and automation that makes bots so attractive in the first place. CAPTCHAs have been around for a while, first used and distributed commercially in the early 2000s. Since then, they’ve undergone a few adjustments and advancements — most notably, in the form of reCAPTCHAs. What is a reCAPTCHA (or Google reCAPTCHA)? Computer scientist Luis von Ahn, part of the original team that invented the CAPTCHA system, grew increasingly concerned with how much time internet users were spending on CAPTCHA puzzles. In response, he developed reCAPTCHA, which was ultimately sold to Google in 2009. At first, reCAPTCHA tests were intended to make CAPTCHA efforts more productive — for example, to assist with the digitization of books and other printed texts. To that end, instead of the random words and characters used in text-based traditional CAPTCHAs, reCAPTCHAs use actual printed words and phrases that book-scanning computers are having trouble recognizing. In a reCAPTCHA, a user types in these words just as they would in a CAPTCHA challenge, simultaneously verifying their humanity and identifying the letters in an unidentified word. Typically, a reCAPTCHA features two words side by side, one known and one unknown to the system. The known word serves as a screen to ensure accuracy, while the unknown word is passed to many different users to be solved — so they’re ultimately working together to confirm its identity. Over time, however, and with advances in optical character recognition (OCR) technology, reCAPTCHAs have become more focused on limiting levels of friction in the user experience. For instance, Google rolled out what they call “noCAPTCHA reCAPTCHAs,” where users can prove they’re human without having to solve a CAPTCHA puzzle at all. The most common version involves a checkbox that allows users to confirm they’re not a robot with a single click. Behind the scenes, the checkbox flow is actually analyzing the user’s IP address, plugins, browser history, behaviors (including actions like type rates, mouse clicks, and scrolls), and more to confirm that they’re not a bot. More recently, Google further streamlined the verification process by removing challenges and checkboxes altogether. With invisible reCAPTCHAs, legitimate users are able to access their accounts without any disruption, while suspicious users and bots will still face a CAPTCHA or reCAPTCHA test. Why are CAPTCHAs important? Today, humans make up less than 40% of all internet traffic. The remaining 60%+ is bots. And while bots can be used benevolently — as in the ecommerce examples above — there are also malicious bots used by hackers to automate and amplify their cyber attacks. In fact, some studies estimate that more than half of the bots currently working online (representing about 39% of all web activity) are employed maliciously. This can have disastrous consequences for individuals and businesses alike. For example, hackers can use bots to crawl the web, intercept users’ passwords, and take over their bank accounts in credential stuffing attacks. Hackers can also mobilize bots to, say, buy out concert tickets and resell them at inflated prices on the secondary market. Given the prevalence of bots and the risks they can pose to legitimate users and organizations, it’s not surprising that users are often asked to prove their personhood when they want to access sensitive online accounts. The problems with CAPTCHA On the surface, CAPTCHA tools have a lot going for them. They’re relatively simple for users to solve, and they’re easily scalable. For sites and apps that are processing thousands (if not millions) of authentication attempts, computer-generated CAPTCHA tests offer a quick and affordable way for developers to weed out bots from user traffic. But the CAPTCHA system also has its downsides. First of all, since it requires users to complete a specific action, it introduces substantial friction to sign up and login flows, potentially driving heightened rates of dropoff and churn. More concerningly, CAPTCHA and reCAPTCHA challenges aren’t foolproof from a security standpoint. For one thing, it seems AI has been able to solve basic CAPTCHA tests for years. What’s more, an entire cottage industry of human-based fraud has emerged that enables hackers (and their bots) to clear CAPTCHA puzzles and breach users’ accounts. We’ll cover that next. Understanding CAPTCHA fraud Unfortunately, hackers have found a convenient and reliable loophole in the CAPTCHA system. It stems from a critical design flaw in the public key architecture, or the code used to encrypt backend data. Basically, every major CAPTCHA system exposes its public key in the webpage source code. That means bots (and the hackers behind them) can easily scrape the site key value and submit it to a third party to be solved. Dozens, if not hundreds or thousands, of CAPTCHA-solving-as-a-service companies — also known as CAPTCHA farms — employ low-paid workers around the world to manually solve CAPTCHA challenges one by one. Ultimately, they supply bots and hackers (their clients) with all the information they need to bypass the CAPTCHA system and gain access to users’ accounts. These fraudulent tactics work because CAPTCHAs can be solved remotely. In other words, a CAPTCHA flow doesn’t require whoever is solving the puzzle to be working in the same browser that’s used to submit the solution. Worst of all, CAPTCHA farm sites look and feel a lot like legitimate SaaS platforms, so it can be tough to tell the difference. In fact, they operate similarly to SaaS platforms using specialized APIs. Let’s dive deeper into how CAPTCHA fraud typically plays out: 1. A bot scrapes the public site key from a CAPTCHA challenge and sends it to a CAPTCHA farm. A CAPTCHA farm really only needs two parameters to solve a CAPTCHA challenge: the related web page’s URL and its public site key value. Since CAPTCHA systems publicly expose their site keys in the source code, it’s easy for bots to scrape the value and submit it along with the URL to a CAPTCHA farm’s API to kick off an account breach. 2. A human worker at the CAPTCHA farm solves the CAPTCHA challenge. Any worker at the CAPTCHA farm can then use the URL and site key value sent by the bot to load and solve the CAPTCHA puzzle. From there, they receive a response code (also known as a g-captcha-response), which appears as a string of code. This lets their bot/hacker client know that the CAPTCHA challenge has been solved. 3. The bot uses the CAPTCHA response code to solve the puzzle and breach the user’s account. Finally, the CAPTCHA farm sends the g-captcha-response to the bot, which uses it to solve the CAPTCHA challenge. Since the bot has a code representing the correct solution, the CAPTCHA system recognizes it as human and grants it access. How can developers fight CAPTCHA fraud? With such vulnerable public-key architecture at its core, many developers wonder how they can improve on the CAPTCHA system to outsmart hackers, bots, and CAPTCHA farms and bolster their app’s security. Some companies — like the crypto exchange platform Binance — have taken on substantial costs and workloads to avoid traditional CAPTCHA design flaws by building their own, customized CAPTCHA flows in-house. But thanks to modern authentication strategies, development teams don’t have to invest nearly that amount of time, effort, and resources to fortify their flow and strike an effective balance between security, efficiency, and scalability. In fact, the best auth providers on the market today remove CAPTCHA security loopholes through easy-to-use, turnkey products. Introducing Strong CAPTCHA Solutions like Stytch’s Strong CAPTCHA puzzles eliminate the public-key problem by removing the public key altogether from client-side browser environments — leaving bots with nothing to scrape and send to a CAPTCHA farm. Strong CAPTCHA is image-based and can be added via API or SDK to any auth flow in a matter of hours, and they work with any web-based or native mobile platform. Meanwhile, the end user’s journey and experience remains the same. Users encounter the same simple CAPTCHA puzzles they’re already familiar with, just without the standard-issue risks and vulnerabilities. The bottom line Conventional CAPTCHA flows can play a fundamental role in app security and form part of a robust authentication strategy — but they’re far from bulletproof. Not only have bots learned to solve basic CAPTCHA challenges outright, but proliferating CAPTCHA farms have also established viable, human-based fraud vectors that can outmaneuver the CAPTCHA system. That’s where innovative solutions like Stytch’s Strong CAPTCHA come in. With such tech-forward auth tools, developers can avoid the design and security flaws that have historically put CAPTCHAs at risk — and cut hackers and fraudsters off at the roots. --- # Organization tenancy: the foundation of SSO and B2B data models Source: https://stytch.com/blog/organization-tenancy/ In lesson two of B2B Auth School we dive deep into organization tenancy: the foundation of single sign-on and B2B SaaS data models. Welcome back to B2B Auth School. Our mission is to help B2B companies’ uplevel their understanding and implementation of authentication technologies. Our first series of posts is dedicated to Single Sign On (SSO). This article is lesson two in that series. Lesson one | Introducing B2B Auth School Lesson two | Organization tenancy: the foundation of SSO and B2B data models Lesson three | What is single sign on? Lesson four | SSO protocols: SAML vs. OIDC Lesson five | What is OpenID Connect (OIDC)? Lesson six | What is SAML and how does it work? Lesson seven | Choosing a B2B auth provider In our previous lesson, we introduced you to the wide world of B2B auth. We established the big picture: B2B auth’s challenges, its value adds, and its key differences from B2C auth. Most importantly, we explained why SSO is B2B auth’s most requested feature and thus the topic of this series. If you recall, we defined the term B2B auth as the authentication of members and their organizations. Members, instead of individual users, change the whole paradigm of authentication because they come in groups. This change requires a new way of designing and building auth flows in applications. But to talk about SSO, we have to start with the foundation and building blocks upon which B2B SaaS technologies are built. Specifically, we need to talk about organization tenancy – or org tenancy for short. In this post we’ll go over: Defining org tenancy The features of org tenancy Building org tenancy and authentication How org tenancy unlocks SSO Is org tenancy the same as multi-tenancy? Multi-tenancy is the architecture characterized by multiple parties sharing the same resources. The tenants in multi-tenancy can be a wide variety of entities: customers, groups, applications, databases, containers, microservices, or workers. Nearly all SaaS applications implement multi-tenancy in some shape or form. Org tenancy is a type of multi-tenancy. The tenants are organizations stored in a shared data model as top level entities. Org tenancy focuses and zooms in on the B2B aspect of representing complex organizations like companies as individual customers. Org tenancy and its elements Org tenancy is the software architecture that governs multiple organizations within a single application. In other words, org tenancy is the design system that lets organizations coexist together within an application. It helps separate and coordinate resources. Like tenants or residents of a building, each organization uses the application without having to worry about its neighbors because org tenancy provides the walls, hallways, doors, and locks to achieve orderly separation. You may have noticed: the word “organization” is always brought up and emphasized. By name and design, org tenancy considers organizations as the primary unit of business data; the organization is a first-class entity. In an org tenancy model, the application will always scope an end user’s data and functions to their organization. In more practical B2B terms, we can say: the organization is the customer. Let’s break down the org tenancy model into its elements: An organization is a grouping or collection of members, resources, settings, and other attributes that can be changed and updated. An organization could have thousands of members or just a few. In B2B auth, an organization (i.e. your customer) is typically a company. A member is an end user with membership in an organization. Memberships resemble user profiles with attributes like email, username, phone number, role, title, etc. In B2B auth, a member is typically an employee of a company. It is a sub-entity of an organization. The relationship between members and their organizations is fundamental to the org tenancy model. It dictates the logic and boundaries of the system. For example, like separate apartments, one organization should not be able to access the data of another organization. The application’s structure and features determine how complex or simple these rules and relationships will be. B2B customers think, speak, and operate in terms of organizations. Org tenancy architecture equips B2B SaaS applications to codify that ideology into the data structure itself. Features of org tenancy If you’re a B2B company, you’re dealing with organizations all the time. Your customers are other companies – which are complex organizations by definition. So if you want more than one customer, you need an org tenancy model that will enable your customers to… Represent the whole enterprise: The entire company should be treated as a single customer. Imagine how impractical it would be if you have to bill every single employee of a company separately for using your application. By grouping everyone into an organization, there’s one invoice for one customer. Remember, the organization is a first-class data entity. In org tenancy, we think primarily at the organizational level. Manage memberships: A large company could have tens of thousands of employees. To take it further, they might also have a fleet of contractors and consultants that multiply the scale of their workforce. To avoid a huge operational headache, organizations need to be able to control access. An application with org tenancy needs to expose strong tools and definitions for granting and revoking memberships. Customize and configure settings: A company should have their own preferred settings when using a B2B SaaS application. These settings need to be defined at the organizational level, so all their members will inherit and adhere to them. For example, many companies require that members are only able to invite end users with a specific email domain (@myfakecompany.com) to join the organization. Structure teams and roles: Companies are composed of several departments (IT, engineering, product, analysts, sales, support, etc.) and several types of members (admins, editors, readers, etc.). Every organization will have a unique team structure and set of roles that compose its internal business-specific operations, and need to be stored somewhere in the application’s data model. This leads to more advanced topics like role-based access control (RBAC) which we’ll cover in future posts. These requirements are considered table stakes by most B2B customers. If a B2B company doesn’t offer org tenancy, the customer has to deal with the fallout; the customer will need to use their own internal systems and tools to create ad-hoc solutions that can group together all of their employees’ user accounts – essentially replicating org tenancy logic on their end. A B2B company not supporting org tenancy puts a huge onus on customers they won’t be interested in taking on. It's a must-have when companies are purchasing B2B SaaS applications. Building org tenancy and authentication Now that we understand org tenancy’s importance, let’s talk about the build process. By itself, org tenancy architecture is a lot to construct. When adding authentication on top of that, the challenges start to stack. Here are the key considerations when building org tenancy: Security and isolation One of the worst possible things that could happen to a B2B company is data leaking between customers. To prevent this, you need really strong controls to guarantee that the data is scoped to the individual tenant. In SaaS applications, shared resources like databases, microservices, and memory need to be thoroughly tested and vetted for isolation. This is arguably org tenancy’s greatest responsibility and requirement. It’s a matter of security. Data modeling and design Unfortunately, there is no exact recipe to define the data model for org tenancy. Every B2B SaaS application must define their own schema to support its features and auth flows. The data model can change drastically depending on what use cases the application supports. When defining the data entities and their relationships, consider these questions: Can end users be members of multiple organizations? Are membership records tied to user records? What structure does the metadata need to be stored in? Can organizations have sub-organizations? And so on. Org discovery When an end user logs in to your B2B SaaS application, how do you know which organization they’re authenticating to? It’s a problem of discovery: how to find and identify the right organization based on a login. There are multiple strategies that sit on a spectrum of user friendliness. For a more seamless experience, a B2B SaaS application could attempt to automatically discover the organization from an end user’s membership attributes like email or username. On the other hand, they could require the end user to specify the organization before they can even attempt to log in (this is more thorough, but puts a bigger burden on the end user). Auth settings Authentication has many different features and behaviors. Each company may require their own unique combination of these properties for their auth flows. To support that variety, you’ll need to build controls that enable organizations to customize or configure their auth settings. You’ll then need to scope those auth settings to either the organization or member level. The common and fundamental authentication features you should consider supporting are: Just-in-Time (JIT) provisioning: the immediate creation and hydration of user accounts upon a successful login. Allowed domains: an approved list of domains that end users must have in order to be a member. Auth methods: an approved list of authentication methods (Email Magic Links, Passwords, OTP, etc.) that members can use for login. Invites: the ability to allow members to invite non-members to join the organization. MFA: the enforcement of multi-factor authentication for login. The foundation of SSO The biggest benefit to building org tenancy is that it lays the foundation for SSO. But how? Well, they are inherently linked; SSO is also directly tied to the concept of an organization as a first-class entity. In fact, its authentication scheme relies on the org tenancy data model (organizations, members, and their relationships) to function. Org tenancy is a prerequisite because it unlocks the ability for: Companies to securely manage their whole organization through a single interface. Employees to have their accounts conveniently linked together. SSO auth flows to have a single point of access for the organization. To build SSO, the standard B2B auth experience for your customers, you first need org tenancy to coordinate organizations, members, and their relationships to all work together in concert within your application. For our next lesson, we’ll cover SSO! See you then. --- # What is single sign on (SSO) and how does it work? Source: https://stytch.com/blog/single-sign-on-sso/ Single sign on (SSO) allows members of an organization to access all their apps and services with one set of auth credentials. Previously in B2B Auth School, we went over org tenancy, and why it’s a must-have for any B2B SaaS company. In this lesson, we’ll look at the main feature driving demand for B2B auth: single sign on. Lesson one | Introducing B2B Auth School Lesson two | Organization tenancy: the foundation of SSO and B2B data models Lesson three | What is single sign on (SSO), and how does it work? Lesson four | SSO protocols: SAML vs. OIDC Lesson five | What is OpenID Connect (OIDC)? Lesson six | What is SAML and how does it work? Lesson seven | Choosing a B2B auth provider In this blog post, we’ll go over: What is single sign on? The benefits of single sign on How it works Why it’s so important for B2B companies Common mistakes to avoid when implementing What is SSO? Single sign on (SSO) is the process of allowing end users to securely authenticate to multiple applications based on their authenticated identity on another application. In other words, SSO allows login to your app by proxy – the user signs in to a different app, that you trust to vouch for the user’s identity. You never store login credentials, but they can still securely login. Magic! Security benefits of SSO The main security benefit of leveraging an SSO solution for both you and your end users is that it eliminates the need for a distinct set of user credentials on each application. For end users, SSO means security with ease. Because single sign on protects access to multiple cloud applications without the need to remember multiple passwords, it helps reduce password fatigue (and subsequent password reuse). Instead, user identities are proven through another application – ideally one where they actually use a unique, strong password and additional security measures like multi-factor authentication. For you the app developer, it helps mitigate security risks by storing fewer potentially reused user passwords that could be exploited on your application via a credential stuffing attack. How does single sign on work? There are several different flavors of SSO solutions, depending on both the protocol chosen and the use case involved – but before we get into the details of the different protocol options, let’s review the basic commonalities of how all single sign on transactions work. Every SSO process involves two parties: Service Provider (SP): the application the user is trying to access Identity Provider (IdP): the application that manages the user’s identity and is responsible for authenticating them Prior to being able to enable single sign on, the Service Provider will need to register with the Identity Provider – establishing a way for both parties to securely identify one another, and ensure that the requests aren’t coming from a malicious actor. Once the registration is complete, a basic Single Sign-On flow involves the following steps: 1. End user opts for SSO For SSO to happen, the end user needs to be on the SP and indicate in some way that they wish to authenticate via a specific IdP 2. The SP redirects the user’s browser to the IdP This redirect contains specific authentication request content that tells the Identity Provider what SP you came from, what information to send the SP, and where to redirect you back to upon success. 3. Enter user credentials If the user is not already in an authenticated state, they will be prompted to provide their login credentials for the IdP. 4. The IdP redirects the user’s browser back to the SP Once the user logs in and the IdP has validated the user credentials, the IdP will redirect the user back to the SP, typically with an authentication token. This redirect will contain some sort of information that the SP can then use to validate the response from the IdP, according to some set of trusted rules that are pre-configured. 5. Access = granted Once redirected, the end user is now in an authenticated state on the SP. The core basics of this flow remain largely the same regardless of the protocol chosen – but depending on protocol there are some differences in data type, format, and authentication mechanisms that allow the parties to securely identify one another and ensure this is a valid request. The primary protocols used in SSO solutions today are OpenID Connect (OIDC) or SAML (Security Assertion Markup Language). SSO vs. OAuth The SSO flow described above probably seems pretty familiar to you if you’ve ever done (or implemented) ‘Sign-in with Google.’ And for good reason: it’s a form of single sign-on facilitated via the OAuth/OIDC protocol, and most commonly referred to as ‘OAuth.’ OAuth is a type of SSO, but not all SSO is OAuth So yes, the OAuth flows you’re familiar with count as single sign-on, and it’s an excellent login option to add to your B2B application. It improves security by eliminating the risk of reused user credentials, and reduces the support burden associated with forgotten passwords and password resets. In particular, email provider OAuth (such as Google or Microsoft) has the added benefit of providing a strong guarantee that the user has real time access to their corporate email account, which offers a stronger signal that the end user is still a part of the organization they are trying to access than password based login. However, OAuth isn’t what your enterprise customers are talking about when they ask if you offer SSO authentication. How SSO solutions are different in B2B Relieving IT admin Imagine you have 500 employees, who each need access to ~20 different applications to do their jobs. That’s 10k different accounts. When you onboard even five people, that’s 100 new app-specific invites you need to send. Every time an employee leaves, you need to frantically identify all the apps they used, and revoke the user’s access as quickly as possible. As you can see, this is an absolute nightmare from both a security and time perspective. Instead, enterprise companies use a “workforce Identity Provider” which is a company-specific IdP instance that serves as a centralized source of truth on all employees’ identities and the applications they can access. Their employees will authenticate to these applications via a custom Single Sign-On setup (often referred to as an Enterprise Connection, or SSO Connection) that directs to the company’s specific workforce IdP instance. A successful response from the workforce IdP confirms both the user’s identity, and that they have been granted access to the SP. This centralized source of truth on employee identity information and access, makes it possible for your customer’s IT Admin to quickly and efficiently make changes to profile information, user access and easily do user access auditing through this workforce IdP. Most Identity Providers also offer ways for IT Admins to group employees based on department or seniority to make application assignment, or Role assignment within those applications, even easier. Element of Authorization The main distinction between SSO done through GitHub or Google OAuth and enterprise SSO comes down to whether or not the Identity Provider provides some element of authorization. Normal Google OAuth will verify my identity – but it doesn’t have any concept of whether it’s the right email to use, or if I should be able to access the SP. On the other hand, if my company sets up an Enterprise SSO Connection via Google Workspace (a workforce IdP), then the SP will redirect to my company’s specific Google Workspace instance where I must prove that I have credentials to access an @stytch.com account. Once I have successfully authenticated, the IdP will verify that I have been granted permission to access that specific application, before deciding whether or not to redirect me back to the SP to successfully complete the SSO flow. Mistakes to avoid when implementing single sign-on Before you start digging into the weeds of how to implement a SAML or OIDC SSO solution, there’s a few gotchas that you’ll want to be aware of before starting on solution design. “Smart” detections of the redirect URL The first step in an SSO flow is that the SP redirects the end user to the IdP. In OAuth, the redirect URL for the IdP is the same for all users – but in “enterprise SSO” this URL is different for each individual SSO connection, and your application needs a way to determine what redirect URL to use. One common solution to this problem is to create a mapping between email domain and tenant/organization or SSO Connection, and then have your initial login form just be an email input. If the end user enters an email that is tied to an SSO Connection, you automatically redirect them to the appropriate SSO URL. If the email domain isn’t mapped to an SSO Connection, you show them the standard login options such as OAuth or email and password. This flow has two issues: 1. Automatic redirect assumes that a given corporate email domain will only ever need to access a single organization or SSO Connection. This assumption is not correct at scale – as large companies often need to subdivide their employees into different tenants – either within the SP (your app) or the IdP – for a range of reasons: access management, corporate structure, moving IdP providers, etc. 2. Surfacing information about the user’s membership without first authenticating opens up an account enumeration vector. If you do this discovery based exclusively on the email address, without first requiring authentication, malicious actors can exploit this flow to learn information about your end users and customers To ensure your SSO implementation is future proof you should make sure to: Design your data model to account for tenants having multiple SSO connections, and email domains (and specific email addresses) to belong to multiple tenants. Offer tenant-specific login pages (e.g. megacorp.your-app.com or your-app.com/megacorp) so that you can identify on page load which tenant the end user is trying to login to and surface all available SSO connections for that specific tenant. No Backdoor Access Once a customer has set up an SSO Connection to their workforce IdP, they will want to enforce that all users login via SSO. However, SSO Connections can be brittle, and require maintenance – such as adjusting Attribute Value mapping or rotating the shared secret used to do verification. If your application makes the assumption that this login method enforcement is all or nothing, it will be impossible for your customer to make necessary updates to the SSO configuration without suddenly allowing all of their employees to authenticate through less secure login methods. Instead, you should make sure to introduce the concept of a “breakglass” role or permission to bypass the login method requirement, allowing companies to grant to specific users the ability to login through other non-SSO methods if needed. Not accounting for different IdPs or protocols Most companies build an SSO solution when they land their first enterprise customer who requires it – and that customer will already have their workforce IdP and their preferred authentication protocol of choice (unfortunately it is almost always SAML). But the more B2B customers you take on, the more variation you will find in their SSO requirements. SAML is the more common protocol, but OIDC is gaining traction with younger companies every day. And there is a wide range of IdPs to choose from – your best bet is to set yourself up in a way that you’re ready to work with at least the major IdPs. Trusting the IdP too much If your application allows a single email to have a membership to multiple organizations (which it should, but that’s another topic) you might assume that a successful authentication via a specific SSO connection is sufficient to log the user into all of the organizations they belong to under the returned email address. After all, your enterprise customers are adamant that SSO login is the most secure option! Not so fast. Workforce IdPs might offer strong guarantees of the user’s identity within their own system – but there’s no guarantees around whether or not the returned email address was verified. There’s no reason your other customers should trust the identity information coming from the black box that is another company’s IdP, and as such SSO authentication should only ever issue a session for the specific Organization that the SSO Connection is scoped to. Building it yourself Sorry, shameless plug – but if you want to avoid all of this, just use Stytch and we take care of the headaches for you. Our B2B auth solution is built to flex with you as you scale and take on customers with more complex enterprise requirements – without requiring extra build time on your part. If you want to read more about the details of implementing SSO before making your decision, check out our blogs covering the implementation details of SAML and OIDC. --- # Engineering the engineering team Source: https://stytch.com/blog/engineering-the-engineering-team/ On stage at Slush with Otto Hilska, Julianna Lamb, Stytch co-founder and CTO, unpacks the toolbox for building and leading engineering teams. In November 2022, Stytch co-founder and CTO Julianna Lamb joined Otto Hilska, co-founder and CEO of Swarmia on stage at Slush in Helsinki to discuss Engineering the Engineering Team and how to effectively build and lead engineering teams, from startup to scale. Below is the transcript of their conversation, edited for clarity and readability. Watch the full conversation on YouTube, or read the transcript. Otto: Welcome, welcome to the founders stage. My name is Otto, co-founder and CEO of Swarmia and for the next 25 minutes we're going to be talking about “Engineering the Engineering Team.” Our guest, Julianna Lamb, is a very impressive first time founder of Stytch who's recently raised money, became a unicorn and scaled into the CTO role while the company is growing. So glad to have you here! Julianna: Awesome, I'm excited to be here. To kick things off I just want to give a little bit on my background and how we ended up starting Stytch: My co-founder and I both worked together at Plaid – I was on the engineering team there and he was on the product team. We both worked on a lot of problems related to fraud and authentication when we were building out Plaid's features. But when we went to the market to look at vendors that we might be able to use to help solve some of these problems, we didn't find anything that we really liked. We were frustrated that we were having to build authentication ourselves, because it’s not a super differentiated feature – every company out there with login needs authentication. After building all of these things in-house, we thought it was crazy that nobody had built a really developer-friendly product that makes it easy to embed different authentication experiences, from passwordless authentication all the way to passwords and more traditional forms of authentication, and do so in a flexible, customizable way that enables great user experience. So that was the genesis of Stytch: that conversation happened about three years ago and it's pretty wild to see how far we've come in that time. Otto: Thanks for that context. Can you give people a little bit more context at what stage you are at, in terms of people, products, customers at the moment? Julianna: We’re a Series B company. We’ve raised about $125 million to date. Our team is about 70 people and a little over half of that is still on the engineering, product and design side of the house. We've supported thousands of developers building on the platform and have about a dozen different authentication methods that you can pick and choose from to build the experience that works for your use case, your users, etc. Otto: That's great. We're going to be talking about the journey of a CTO as a startup and how it is evolving, as well as building a team, onboarding them and managing them. Being a founding CTO is a pretty special role because in the beginning you have nothing, and then the role shifts very rapidly as the team grows and the business grows. But really the first job usually is to build the first product that gets to some kind of a product market fit. What did that journey look like for you? Julianna: At first, we were just exploring the idea of starting this company. I spent some time building what I would call a very rough proof of concept of what this product could look like. I designed some of the API endpoints and spun that up pretty quickly. But after we raised our seed round, it became clear that what we were doing here was building a company, not just hacking on a side project. From there, my focus shifted pretty quickly to recruiting and building the engineering team, and enabling them to go and build the product. I think there's still some of my code that runs in production but not very much of it anymore. Otto: Right. You mentioned your co-founder and you worked together previously – how did you work together and start leading the company together? How did you divide the responsibilities, and do you have any tips for working with a co-founder? That's another important aspect of an early stage startup. Julianna: My co-founder and I have pretty complementary backgrounds and skill sets. Where we do have overlap is product. But my background is all in software engineering, and then I was a product manager for a little bit before we started Stytch. My co-founder worked on the go-to-market team at Plaid before joining the product team there so it was it was a pretty clean split in terms of how we thought about dividing up responsibilities. He oversees all of Go-to-Market and Ops, and I oversee engineering, product, and design. I would say we spend the bulk of our time together talking about product and product strategy – that's where we really enjoy getting into the weeds, brainstorming. etc. I think it's been really beneficial to have fairly clear roles and responsibilities in terms of the teams that we manage and what we oversee. And as a very product-driven company, the fact that product is what gets us both excited I think is a really good unifying factor that helps us build together. Otto: The main topic here is the “engineering engineering team” – building a team. Do you have some kind of philosophy behind your team building, something that you're specifically looking for? How do you approach the whole thing? Julianna: The way that we articulate what we look for in people we bring onto the team is by two hiring values.The reason that we think it's important to have hiring values as you're interviewing candidates and evaluating their fit is that we want people to be able to have a lot of freedom when they join to go and tackle the problems in front of them. We want them to be able to think creatively and have a lot of ownership over the work that they're doing, and that requires a really high degree of trust in the people on your team. For that reason, we're pretty rigorous with our interview process, both from the technical side but also from the motivational side –we want to know what it is that gets this person going, what excites them and what kind of problems they like to work on. Our two hiring values are that we look for people who are ambitious and empathetic. We think that's a really fun combination to work with – they're excited to think about the big lofty goals that we have here at Stytch and how we can achieve them but they're also really good teammates that are going to help make everyone better throughout the process. It’s a nice way to find a balance in the type of personalities. Otto: Hiring at the very early days is maybe a bit different than it is at a later stage of a company. What's your guidance on the very early hires for your engineering teams – what makes a great hire? Julianna: In the early days my co-founder and I did all the interviews. I would do coding interviews and then architecture interviews and then he would do some of the more soft skills interviews. Beyond establishing clear roles for each of us during the process, in the early days we also leaned pretty hard into using references as part of the hiring process, which I think is sometimes not super common, especially with engineers in the Bay Area. We got really good advice early on that references help you visualize what it will be like to work with someone, which can be hard if you’re just starting to build your team. Hearing directly from people who have worked with candidates is super effective to that end. We spent a lot of time on those reference calls, to really understand what kind of a teammate they are, where they spike, and what are their specific strengths that we should really get excited about. I think the number one thing in early employees is just a really high degree of ownership and ability to deal with ambiguity. At that point, candidates were joining two of us and an idea, basically, and there was a lot to figure out. When there's kind of limitless possibilities – it’s a pretty tough challenge, so looking for people that have that high degree of ownership and are going to be effective at sort of navigating the ambiguity –– that's very important. Otto: I feel that's part of the recipe of the Silicon Valley startups. You have people who are very outcome-oriented who prioritize their own work and think about the customer. I feel that's maybe a little bit different in Europe where we don't have as strong of a background with great product companies but it's definitely changing and there's a lot of companies who are here doing that now. How do you test for this kind of ownership and "outcome-orientedness," and how do you build a culture that supports that in practice? Julianna: There are a few questions that we like to ask in the interview process to better understand how people think about the work that they're doing and the impact that it has. In particular, we really look for people who are business impact oriented – engineers who are excited to think about what they're building, not just how to build it. Especially as a developer company, a lot of our best product ideas come from our engineering team and so we’re looking for people who are excited to think creatively about the products that they're building. We tend to test for this by digging into past projects that they've worked on and how they articulate the impact of those projects. I think you can see pretty clearly people who tie the projects that they're working on back to team and company-level KPIs or metrics or other goals that were impacting the business at large, versus tying them to something that's maybe a little bit more sort of siloed within the team. Maybe they made some piece of the code base a lot cleaner, for example, for the sake of doing it, which is not necessarily the most impactful, versus doing it to accelerate the speed at which developers could contribute code, which is very impact oriented. Little nuances in how people talk about the impact of the work that they've done is how we evaluate for that throughout the interview process. In terms of building a culture that supports ownership and outcome orientedness – I think a lot of it comes from setting really clear company-level goals, and then giving people a lot of freedom within those goals to define the work that they're doing and what they're prioritizing. I think a lot of excitement comes from getting to explore creatively like that and so we think people's best work gets done when they have a lot of freedom to explore and can figure out how to make the most impact for the company as a whole. Otto: That's great, but what about all of this in practice? How do you run your recruiting? Who does it, how much time do you need to spend on building the team? Do you have ideas about the seniority mix or how do you evaluate people in practice? Julianna: It's definitely evolved a lot in the past two and a half years. In the beginning, I spent a very significant portion of my time doing everything from sourcing people on LinkedIn, trying to find good candidates, trying to get them engaged, to actually running the interview process. I spun up our first applicant tracking system and I was kind of our recruiting team zero. We prioritized hiring recruiters pretty early on – I think we added our first technical recruiter when we were still under 10 employees. I think that was really helpful in terms of giving me a lot of time back to focus on the interviews themselves and closing candidates instead of some of that more top of funnel aspect of recruiting, building the pipeline, etc. Today, it's mostly hiring managers at Stytch that run the recruiting process, and they partner really closely with our recruiting team. Our philosophy is that the teams hire for their team and recruiting is there to be a partner to help them with that process but the job of hiring really falls on the engineering team itself. A big part of a manager’s responsibilities is hiring. I still run some hiring processes myself – I'm hiring for an engineering manager right now, for example, and I still interview every single engineer that we make an offer to. I'm still heavily involved and while I don't think my time spent on recruiting has changed drastically, where I'm spending that time has changed quite a bit – from spending many many hours scraping LinkedIn to now mostly focusing on final round interviews for candidates. Otto: That makes sense – the work doesn't end with recruiting though, so when you have identified a great candidate, made an offer, got them to accept it, you need to get them to be a productive member of your team. Any thoughts on onboarding and how you're thinking about that? Julianna: Our philosophy is that onboarding starts when you first come in contact with Stytch, so the onboarding process actually begins during your interviews. That's how you're meeting some of the team for the first time and getting introduced to how we work in some ways. We're pretty intentional throughout the interview process that it's as much about selling the candidate and giving them the information they need to make a decision about whether they want to join as it is about evaluating their skills and their fit for our team. We really think of it as sort of that mutual process. There's also one thing we do when we give offers to candidates that I think really kicks off the more formal onboarding process and integration within the Stytch team. What we do is surprise candidates with a “Zoom bomb” – everyone from the interview panel joins that Zoom call and goes around and tells the candidate why they're so excited about them potentially joining the team. We really love doing that because it gives candidates a really clear picture of who they might work with and why those people are so excited about having them on the team. It lets them picture what it might be like to be on that team. Once they’ve started, on day one at Stytch, we also have a really structured onboarding process and we've actually had that since our first engineer joined. It probably felt very comical at the time because my co-founder and I basically ran a series of onboarding sessions. We would talk about things like the competitive landscape or what we think makes great developer products. We talked a little bit about recruiting and marketing and all these different aspects of the company that barely existed at that point. Now the function leads run all of those onboarding sessions, my co-founder and I just lead the company mission and value session. So while who leads what has changed, the philosophy is still the same: there is a really structured first week for anyone joining the team, where they learn about every single function at the company, directly from the people who run those functions. We also put a lot of thought and structure into what the first tasks are for engineers, to give them the ability to ship code within the first week. We’re really thoughtful about picking things for them to work on that give them good exposure to the code base, to help introduce them to what it's going to be like to contribute code at Stytch. I think the overarching philosophy from all of this is just being really intentional about how you integrate people to the team so that you can let them run with whatever it is that they're going to be doing. That means giving them the foundation of information that they need to be able to succeed. Otto: I love that, especially the kind of way to empower the teams really is to give them all the tools so that they can be successful and you need a certain level of knowledge to be able to successfully prioritize your own work. So, the sooner you get people on board, the faster they'll get to really own their own stuff. How quickly do you know if it was a “right hire,” if you succeeded in the hiring process? Julianna: I think you tend to know pretty quickly, maybe within the first couple of weeks. I think there's people that sometimes interview extremely well and then they join and maybe they're great but maybe they're not quite as exceptional as you thought they were during the interview process. On the other hand, I think sometimes you're really pleasantly surprised by just how impactful someone can be and I think you start to see that early on. Part of the responsibility lies with us, to make sure that we are setting people up for success. That starts with being really disciplined in that hiring process and making sure that we are getting really good signals, so that we hopefully aren't surprised by someone’s performance when they join the team. The onboarding is also supercritical to make sure that people are sort of set up for success, have the resources that they need and we don't leave them there wondering what to be doing on that first day. Otto: Makes sense. So you have any red flags or common things that might go wrong with building the team and hiring engineers? Julianna: We tend to look for in people who have grit and the ability to tackle whatever is necessary for the company to succeed. I think there's a really big difference between motivated by impact and being motivated by solving hard technical challenges for their own sake. I think for people who are motivated solely when they get to tackle a hard problems, a startup might not be the right fit, because they're going to get to do some of that but there's also a lot of other random stuff you have to do as you're building a startup. That's why we really look for that business impact-orientation – because if that's what motivates you then you're gonna be okay dealing with some of the more annoying tasks that you have to do that might have a really big impact but you know might not be the most technically challenging problem that you could work on. That's something that we really try and evaluate – that ability to go after those hard problems but not necessarily being solely motivated by those types of challenges, but by how solving them will have a larger impact on the company. Otto: Makes sense. What about dealing with growth? In the early days when you're just a small team, you as CTO are still a part of' that team. But as you grow, the org changes from being a single team to a team of many teams. How does your role change and how have you handled that? Julianna: I started out by managing all of the engineers. Then a little under a year and a half ago, we split into two teams, each managed by people other than me: one engineering manager join us who had previous management experience and in parallel, one of our early engineers stepped up and started managing one of the teams. At that point, I was no longer managing any of the IC engineers, which was a really big shift for me. I think there's been a series of these shifts – the first one is going from being in the weeds with people actually writing code and reviewing PRs, to then being more fully about managing people, and then it became about managing the managers. And it’s still changing! In about a week we have a Head of Engineering joining, so I won't even be managing managers any more. That's going to be a whole new sort of evolution of the role. I think it's something that you really have to be aware of – how your job is changing as a founder as the team is growing. The things that I was doing two years ago would be so ineffective today. I should not be in code reviews, leaving comments – that would not be productive for anyone. I think it can be really hard to leave some of that behind. The way that I've tried to deal with that and make sure that I am evolving at the pace that the company needs is by taking a lot of time to reflect on where I'm maybe still trying to get my hands on something that I should be delegating to someone else. I try to be cognizant of that and to talk to our managers as well and ask them, “Hey, is it helpful that I'm doing this thing or is that something that you think you should take on or someone on your team?” I think that self-awareness really helps with letting go of a lot of things that you used to do yourself. Otto: For the final question, I'm really impressed by founders who are able to scale with their companies. As a normal employee, you're kind of always learning and so on but as a founder, if the company is growing 10x, you have to grow with that company or otherwise you're not really able to scale the company anymore. How do you keep learning, how do you seek mentorship? How do you learn new stuff that you need to be prepared for next? Julianna: The way I think about it is: if I'm doing the same job that I was a month ago then I'm probably doing the wrong job today. One piece of it is just being aware that your job should be changing and then as you start to go and try to figure out what you need to delegate or hire for, look for experts in different areas. I wouldn't say there's necessarily one person that I go to but it kind of depends on the problem at hand. At Stytch, we’re fortunate to have a really fantastic board, and we'll go to them for a lot of things. They're really helpful about things like thinking through when to sequence various hires, etc. If I'm trying to figure out something like an engineering management problem, then I'll go to my engineering managers that I know and respect. If it's a design problem, I’ll connect with people with that expertise. When we were trying to hire our first designer in-house, I’ve never been a designer, I don't know what good looks like in that role. We talked to a ton of people that we really respected and that really helped. I think it's a lot about just going and seeking out experts. You have to identify the problem that you're trying to solve – I think that's the hardest part. There's definitely a steep learning curve, and making sure that you are continuously evolving and identifying new problems as you grow I think is the most effective way to scale. Otto: Thank you, Julianna. It was a very insightful discussion. Great having you, thank you, and thank you everyone who joined. --- # Designing Passwords in the Stytch SDKs Source: https://stytch.com/blog/designing-passwords-in-the-sdks/ We’ve built on our Passwords API by designing the corresponding UI in our SDKs, taking care of the end-to-end authentication flow so you don’t have to. A few months ago, we wrote about how our Passwords API improved the password-based authentication experience and was a huge step forward in removing friction from a classically frustrating process. But our work wasn’t done with launching our API – to offer a complete product, we needed to build Passwords into our SDKs and UI components. By designing Passwords into Stytch’s SDKs, we added another route for building a secure, frictionless password authentication experience that uses our own API. Our SDKs serve as a template that can be built upon, rather than starting from scratch and building the UI from the ground up. You get to customize the SDKs to fit your own branding, but we’ll provide all the pieces so you can focus on building your core product, not on how a user signs up and logs in. As a Product Designer at Stytch, I worked closely with our PMs and engineers to design and launch passwords in the Stytch SDKs. Our team spent a lot of time thinking through how to create a product that would meet all of the UX and security needs of modern developers with the launch of our Passwords API. We were now ready to build on our API by designing the corresponding UI in our SDKs, taking care of the end-to-end authentication flow so you don’t have to. Our design challenge: creating a frictionless hybrid flow in the SDKs Part of the benefit of using our SDKs is that you get to choose from a menu of authentication methods without restrictions (i.e. we allow any of our available products to be enabled together). By introducing Passwords in our SDKs, we now had to think through a “hybrid” scenario we hadn’t faced before: the experience of our Passwords product being enabled in tandem with other passwordless methods. This was particularly challenging because we have multiple email-based authentication methods: email + Passwords, One-Time Passcodes (OTP) sent by email or SMS, and Email Magic Links. All three methods require the user to enter an email address (i.e. have the same “entry point”), and in the case that more than one of these methods is enabled in the SDKs, require us to determine the best way to avoid having multiple separate email input fields within a single flow. Knowing that we needed to build an experience in which a user would only have to enter an email address and we would figure out whether to send them a link, code, or ask for a password, we were faced with one key design question. How do we know if a user will choose Passwords or passwordless if presented with both? We didn’t, and that made designing this product challenging. It was hard to know how we should surface the Passwords option because we didn’t initially have a strong sense of what end users would want and how developers might now use the SDKs. Our initial assumption was that going passwordless is typically easier than setting a password, and therefore, it makes sense to surface a passwordless option first. One recent survey found that 75% of users feel overwhelmed trying to keep track of their proliferating passwords. A separate survey found that the majority of respondents would prefer authentication methods for their personal and professional accounts that don’t involve a password. Rather than solely relying on our assumptions, we decided to test two different options with user research. User research: leaning on evidence, not guesswork Taking a human-centric approach to product design, and building user research into the process early, is something we pride ourselves on at Stytch. To help us determine which hybrid flow in the SDKs would be the most frictionless for users, we tested two different options: Option 1: prioritize passwordless User enters email address If Passwords and a passwordless email method are both enabled, always take the user through the email OTP of magic link flow. Include a secondary link to “Use a password instead.” Option 2: allow users to choose User enters email address If Passwords and a passwordless email method are both enabled, take the user to a screen that presents both methods – i.e. a button to choose “Email me a login link/code” presented side by side with an email and password input. After connecting with users, we learned that many actually prefer being presented with choices rather than deferring to us to remove a “click.” For example, when it comes to receiving One-Time Passcodes, users want the option to choose the delivery method so they know exactly where to look for their code. "I just prefer to use the cell phone. Because usually on my iPhone when I'm on a website and see that I got sent a code, it will automatically type in the code for me. Microsoft teams, they always text my personal cell phone, but it's my work computer, they're not related." — Anonymous user It makes sense — users want to know what to expect, rather than having us assume their preferred behavior through our UI/UX. Our solution: present password and passwordless options side by side throughout the UI Based on our research, we decided it was better to present users with the ability to choose their authentication method. Offering Passwords and passwordless options side by side would help reduce friction, even if it meant adding one more “click.” Knowing which direction we were going to pursue, the next task was to figure out the best way to design our UI to offer this. For new users without an account, this meant assuming that setting a Password and using a passwordless method were equally likely, and should be given equal emphasis. When a new user enters their email address, we direct them to a screen that presents the option to receive a login link/code side by side with email and Password input fields. The user gets to decide which option they want to proceed with. For returning users, who had already logged in with an email, it was a little trickier. Because we only offered Email OTP and Email Magic Links previously (developers could only enable one of these two options), the user was always presented with a passwordless option. For these users, we decided to still give the option to choose which method to use. But to help reduce the number of screens and steps, we skip to the passwordless option right away with a link to “Use a password instead.” We send an OTP or Email Magic Link right away since we know this is a method the user has previously used successfully, but still make sure they have a touchpoint to easily access Passwords – still keeping Passwords and passwordless options on equal footing. Apply the same “equal footing” logic to password reset emails Even though we offer users the option to choose their authentication method, and touchpoints for passwordless options in tandem with Passwords, we also know that people are constantly forgetting passwords! It’s even a fact reported on by Mastercard and the University of Oxford: “According to a recent study, over 20% of users report forgetting a newly created password within two weeks. That number climbs to over 70% after just a few months.” This data, on top of our own research, helped us decide to apply the same logic we used in designing our SDK UIs – presenting password and passwordless options with equal weight – to the password reset flow. Even if we know a user has specifically requested a password reset (i.e. has chosen to use Passwords), we know that setting and remembering a password can be difficult. In the SDK UIs themselves, we include a link to continue passwordless with the password reset request and in the actual “Reset password” screens in case a user decides they’d rather skip another new password. We also added a “Login without password” in the password reset email to add the ability to log back into your account even faster. Try Stytch’s Passwords in the SDKs product for yourself! You can play around with our SDKs Passwords product through our integration builder on authkit.dev and see the ready-to-go product in action. Enable “Passwords” along with a few other passwordless products to see how the design decisions came to life. When you’re ready to start building, sign up for a free account to start integrating Stytch into your own product! --- # SSO protocols: SAML vs. OIDC Source: https://stytch.com/blog/sso-saml-vs-oidc/ SAML and OIDC are the two most common protocols for single sign on. It's important to understand their differences when building auth for B2B. Welcome back to B2B Auth School. Our mission is to help B2B companies’ uplevel their understanding and implementation of authentication technologies. Our first series of posts is dedicated to single sign on (SSO). This article is lesson four in that series. Lesson one | Introducing B2B Auth School Lesson two | Organization tenancy: the foundation of SSO and B2B data models Lesson three | What is single sign on? Lesson four | SSO protocols: SAML vs. OIDC Lesson five | What is OpenID Connect (OIDC)? Lesson six | What is SAML and how does it work? Lesson seven | Choosing a B2B auth provider In the previous lesson we explained what single sign on is, and how it works between its essential components – service provider (SP), identity provider (IdP), auth provider, and the customer. We also diagramed full SSO auth sequences, like SP-initiated vs IdP-initiated, to demonstrate the number of actions and steps involved. The key takeaway? For SSO to function, all of its components must be able to communicate with each other efficiently and securely. This exchange of auth information between services occurs over something called protocols. In this blog post, we’ll go over: What is SAML (Security Assertion Markup Language) and OIDC (OpenID Connect) How SAML-SSO and OIDC-SSO works The key SAML-SSO and OIDC-SSO flows The key differences between SAML and OIDC Why B2B SaaS vendors need to support both identity protocols Let’s dive in As a developer, you’ve probably had to build some form of user authentication functionality at work or in your side projects. Whether you’re building an enterprise solution or a consumer-facing app, Single Sign-On (SSO) has become a key feature for implementing authentication without compromising security and UX. However, when it comes to choosing between SAML and OIDC, things can get confusing really fast, especially if you’re looking at the official specs. SAML and OIDC are open SSO protocols that enable end users to access multiple applications without providing unique login credentials across these disparate systems. SAML is typically used by large enterprise organizations, B2B SaaS providers, government agencies, and high-grade security systems, while OIDC is commonly used in mobile and single-page applications (SPAs). This article aims to clarify the core concepts, auth flows, and use cases of SAML (Security Assertion Markup Language) and OIDC (OpenID Connect). We’ll explore how each protocol works, their key differences, and when to use one over the other. By the end of this guide, you'll have a clear understanding of both protocols and be able to make informed decisions for your SSO implementation. We'll start by diving into SAML, the XML-based protocol that has been a staple in enterprise environments for over two decades. Then, we'll explore OIDC, a more modern protocol built on top of OAuth 2.0 that’s gaining popularity in B2C and even B2B applications. We'll compare the structure of their assertions and scopes, discuss their interoperability, and highlight specific requirements for each. What is SAML (Security Assertion Markup Language)? SAML is an open identity protocol primarily used to implement SSO functionality within enterprise use cases. At its core, SAML SSO eliminates the need for employees to maintain unique credentials across all the intranet systems and SaaS applications they use for work. SAML achieves this by facilitating the exchange of authentication data between Identity Providers (IdPs) and Service Providers (SPs), according to SAML terminology. Identity providers are the directories or data stores that organizations use to store and manage user profiles and identities within their companies, such as Entra ID, Okta, and Google Workspace. On the other hand, service providers are the internal systems or SaaS applications that employees use for their day-to-day work, such as GitHub, Linear, and Slack. The basic SAML SSO flow is straightforward: When an employee needs to access an SP, they must first authenticate their IdP-provisioned credentials with the IdP used within their company. If their credentials are valid, the IdP sends an assertion to the SP, which then grants access to the employee without requesting additional credentials. SAML uses XML (Extensible Markup Language) to structure user identity data and relies on HTTP or SOAP bindings to communicate this information between IdPs and SAML-enabled SPs. This user identity data is structured as attributes such as email, name, or department, and is enclosed in XML documents known as SAML assertions. In terms of security, SAML uses XML digital signatures and encryption to prevent tampering and unauthorized access to the SAML messages sent between IdPs and SPs via the protocol. Here’s a sample structure of a SAML AuthnRequest in XML: How does SAML SSO work? Before a service provider can successfully communicate with an identity provider in a SAML authentication flow, both parties must first establish a trusted relationship. This process requires the SP and IdP to exchange preliminary configuration details with each other using XML-based metadata. This metadata typically contains details such as endpoint URLs where each party can post SAML messages—whether SAML requests in the case of the SP or SAML responses and assertions in the case of the IdP as the sending party. It also includes the formats in which user attributes should be structured, signing and encryption certificates, supported connection methods, encryption algorithms, and other relevant details. Each party, both the IdP and SP, must use each other’s metadata file to configure their respective systems before trust can be established. In addition to the SAML metadata, the SAML specification relies on four other key elements that make SAML SSO authentication possible. We have covered these core elements of the SAML protocol in a separate article, which you can find here. SAML SSO flows Once trust has been established between an IdP and SP, there are two major ways in which SAML SSO can successfully happen—the SP-initiated SSO flow and the IdP-initiated SSO flow. In the SP-initiated SSO flow, the user must visit the SP’s login page, select the “Login with SAML SSO” option, and provide their work email for which pre-configuration must have been set. The SP would then send a signed SAML authentication request (AuthnRequest) to the IdP, and redirect the user to the IdP’s login page. After the user authenticates their IdP-provisioned credentials, the IdP would have to generate a signed/encrypted SAML response containing assertions about the user and redirect them back to the SP’s endpoint. The SP would then verify the response, parse the assertions, and grant access if valid. On the other hand, the IdP-initiated SSO flow offers a slightly different user experience. In this flow, there's no need for the SP to make an initial SAML AuthnRequest because the process begins at the IdP, not at the SP's login page. In the IdP-initiated SSO flow, the user would begin at the IdP and select the SP from a list of SAML-enabled applications provided by the IdP. The IdP would then generate a SAML response and assertion and redirect the user to the SP’s URL endpoint. The SP would have to then validate the response and grant or deny access based on the assertions. For a more detailed explanation of these SAML SSO flows, please refer to our comprehensive article here. What is OIDC (OpenID Connect)? OIDC is an open identity protocol that extends the core tenets of the OAuth 2.0 authorization framework by enabling OIDC-compliant systems to authenticate users in a simple but standardized and interoperable manner, without directly managing user credentials. Unlike SAML, which is primarily tailored to enterprise environments, OpenID Connect (OIDC) can be used to implement SSO in both B2C and B2B scenarios. OIDC offers a more lightweight and flexible approach that's particularly well-suited for modern web and mobile applications. The protocol facilitates single sign-on (SSO) by allowing end users to access multiple applications or websites (known as Clients or Relying Parties in OIDC terminology) using a single set of credentials managed by an OpenID Provider (OP). These relying parties (RPs) can be any application or system that supports OIDC SSO, while Open ID providers (OPs) can be OIDC-enabled identity providers such as Okta, Google, Microsoft, or social media providers such as LinkedIn, Facebook, Twitter, or even other large platform applications like Slack or Discord. Open ID providers can also include security token services such as AWS STS or a typical OAuth 2.0 authorization server capable of issuing identity tokens, not just access tokens. While OIDC is built on top of OAuth, it's important to note that OAuth 2.0 is an authorization protocol, not an authentication protocol. OAuth 2.0 is a framework for implementing delegated access/authorization, which enables clients to gain access to resources via an authorization/resource server on behalf of a resource owner. For example, if you've ever granted permission to a third-party add-on to help take notes on your Google Meet or Zoom calls, or allowed an application like Buffer or TweetDeck to access your Twitter/X account and schedule tweets on your behalf, you've seen OAuth 2.0 in action. This differs from the standard OIDC authentication flow we've discussed so far. How does the OIDC protocol and OIDC SSO work? When a user attempts to log into an application (OIDC client) using an OIDC-SSO option, the client/RP has to redirect the user to the respective OpenID provider (OP) with an authentication request. The user then has to authenticate their OP-provisioned credentials with the OP. If the credentials are valid, the OP typically sends an identity token back to the client application in the form of a JSON Web Token (JWT). This ID token contains authentication scopes similar to SAML assertions and includes claims/attributes about the authentication event and the user’s identity. These claims typically include the user’s unique identifier (sub), the time of authentication (iat), the issuer of the token (iss), and other relevant details needed by the OIDC client to make an authentication decision. The use of JSON web tokens (JWTs) in OIDC is what makes the protocol easier to implement than SAML, especially in RESTful architectures. Here’s a sample structure of a JSON object: There are five key elements (URLs) that collectively and securely work together to make OIDC SSO possible. These include the Discovery Endpoint, Authorization Endpoint, Token Endpoint, JWKS Endpoint, and UserInfo Endpoint. The Discovery Endpoint provides metadata about the OpenID provider's configuration, allowing clients (Relying Parties) to access the necessary endpoints and capabilities of the OP. The Authorization Endpoint handles the user authentication request and returns an authorization code to the client. The Token Endpoint then exchanges this authorization code for access and ID tokens, with the ID token specifically carrying user identity information. On the other hand, the JWKS Endpoint provides public keys for verifying token signatures, ensuring the integrity and authenticity of these tokens. Lastly, the UserInfo Endpoint supplies additional profile data about an authenticated user using the already-issued access token. Just like is obtainable in SAML, the OIDC client (relying party) and the OpenID Provider (OP) must exchange some form of pre-configuration data before SSO communication can successfully take place. Typically, the RP must register with the OP to be issued client credentials (such as a client ID and client secret) that it will use to authenticate itself when making requests to the OP’s endpoints. The RP also has to provide information about itself to the OP, such as redirect URIs and other necessary metadata. In addition, the RP must request the OP’s Discovery Endpoint (usually at .well-known/openid-configuration) to access the OP’s JSON-based discovery document which contains relevant configuration details such as supported endpoints, scopes, and public keys. OIDC SSO flows At its core, OIDC supports three key authentication flows that define how RPs and OPs should communicate across different types of applications, including mobile apps, single-page applications (SPAs), and web-based apps. These flows include the Implicit Flow, Authorization Code Flow, and Hybrid Flow, which are tailored to meet unique UX and security requirements across these apps. The Implicit Flow is suited for client-side applications like SPAs where tokens are returned directly to the RP in the redirect URI. The Authorization Code Flow is more secure than the Implicit Flow and is best for server-side applications, as it securely exchanges authorization codes for tokens—tokens aren’t returned directly. The Hybrid Flow combines elements from both the Authorization Code Flow and Implicit Flow. It allows the RP to receive an ID token directly in the initial response, alongside an authorization code that can be exchanged for access tokens. SAML vs. OIDC: What are the major differences? As we’ve established so far, SAML and OIDC are both widely used authentication protocols, but they cater to different needs and have distinct features. Here are four key differences between SAML and OIDC: Authentication source: SAML relies strictly on IdP-based authentication, but OIDC relies on any OIDC-enabled authorization server (whether traditional IdPs, social media providers such as Facebook or LinkedIn, Security Token Services (STSs), etc.) to authenticate user identity. Data format: SAML uses XML to structure identity data, making it inherently verbose and more complex to process. In contrast, OIDC relies on JSON which is a more lightweight and readable format widely used in modern RESTful architectures. Security and message integrity: SAML relies on XML-based signatures and X.509 certificates to ensure message integrity and authenticity. Specifically, SAML uses XML Digital Signatures (XML-DSig) with signing algorithms such as RSA-SHA1 or RSA-SHA256 to sign SAML messages. OIDC, on the other hand, uses RSA or ECDSA algorithms with JSON Web Signatures (JWS) and JSON Web Keys (JWKS) for signing and verifying tokens. Application use cases: SAML is primarily used for implementing SSO in browser-based applications across enterprise environments. However, OIDC extends beyond browser-based SSO to support authentication for APIs, microservices, mobile apps, web apps, single-page apps (SPAs), and even IOT devices. Authentication vs. authorization: While both protocols handle authentication, their approaches to authorization differ. SAML can inherently handle both authentication and authorization by embedding access control data within SAML assertions. OIDC, on the other hand, primarily focuses on user authentication. However, it can be used in tandem with OAuth 2.0 to support authorization use cases. Can SAML and OIDC be used interchangeably? Most IdPs support both SAML-based and OIDC-based SSO protocols. As such, the choice between SAML and OIDC depends on your particular use case (whether B2B or B2C or B2B2C), the regulatory requirements in your industry, and your company’s internal security policies. If you’re a consumer-facing application (B2C) you’re just fine supporting OIDC alone. However, if you’re an enterprise-facing application (B2B), you may need to support both SAML and OIDC to accommodate varying customer needs. Auth providers like Stytch offer support for both OIDC and SAML, and SaaS providers who intend to implement SSO can use our SDKs and APIs to implement both protocols in weeks or even days. This flexibility is particularly useful for SaaS applications that serve both startup customers that have less stringent security needs, and large enterprises, which may have robust access management requirements. In such cases, you can use Stytch to support social login via OIDC for these startups, while implementing SAML for enterprise organizations that may have higher security standards. On the other hand, it’s important to note that many SaaS vendors may not allow their customers to use both protocols simultaneously. Most providers offer support for OIDC-SSO on their free and basic plans. As such, if you want to leverage SAML, these providers may force your organization to upgrade to their enterprise plan and migrate to using SAML alone, instead of using both protocols simultaneously. Get started with SAML-SSO and OIDC-SSO using Stytch Ready to implement single sign-on (SSO) using Stytch? Check out our backend integration guide and our frontend integration guide for SAML and OIDC-SSO. Want to learn more about our APIs and SDKs? You can check our docs and sign up for a free developer account to start building today. If you want to learn more about our Enterprise features and pricing, feel free to schedule a call with a member of our Solutions Engineering team. --- # Stytch + Cerbos + FastAPI: Flexible authentication meets decoupled role and access management Source: https://stytch.com/blog/stytch-cerbos-demo/ Excited to share this demo by SCerbos that shows how to combine Stytch's authentication solutions with their stateless authorization. We love finding innovative, like-minded partners in the market we can work with to build even stronger solutions for our customers. That’s why we’re so excited by Cerbos’ latest demo, which walks you through integrating Stytch Email Magic Links and Sessions with Cerbos' decoupled authorization for dialed-in, secure role and access management. In this demo, you’ll learn how to: Easily serialize, deserialize and validate payloads Add roles as a top-level key in user metadata Configure Email Magic Links in the way that works best for your company Use Cerbos’ stateless authorization for fine-tuned roles and permissions Check out the full post and demo on Cerbos’ blog! About Cerbos Cerbos is an open source access control system that can handle complicated business logic through simple configuration. It allows customers to plug it into their existing stack as a decoupled service. --- # What is device fingerprinting, and how does it work? Source: https://stytch.com/blog/what-is-device-fingerprinting/ Device fingerprinting is an increasingly popular way to prevent fraud by identifying devices that are accessing a website or application. Hackers have any number of methods they draw upon to take over user accounts and access sensitive information. Whether they’re stuffing credentials, using brute force attacks, phishing, or sending spam, they’re almost always making use of bots at some point in their process. The sophistication and potential scale of their techniques evolve every day. While certain authentication flows help drastically reduce the chance that someone is impersonating a user – think passwordless methods like TOTPs or passkeys, along with multi-factor authentication flows – there are still ways around these techniques. One of the best ways companies can protect against fraud is by reinforcing secure auth methods with equally strong fraud protection tools. One of the most effective and user-friendly of those tools is device fingerprinting. In this article, we’ll cover: What is device fingerprinting? How does device fingerprinting work? What are the different kinds of device fingerprinting? How does device fingerprinting prevent fraud? How does device fingerprinting affect user privacy? What should I look out for when implementing device fingerprinting? Device fingerprinting best practices Device fingerprinting with Stytch What is device fingerprinting? Device fingerprinting is a way of identifying and tracking devices that are accessing a website or application. A device’s identity can be composed of a number of attributes that an application detects when the user accesses the site or app that are then associated with a unique ID. Unlike cookies, which are stored client-side, device IDs are stored in a server-side database. This database of device fingerprints can then be used to verify whether or not a user is accessing the app from the same device or not. If they use multiple devices or a new device and fraud is suspected, the application can block them or give additional authentication prompts to verify their identity. How does device fingerprinting work? When a user accesses a website or app, certain kinds of information about a user’s device have to be available in order for the website to load and display properly. Once a site or app has collected those attributes, it turns them into a device hash that can then be parsed by their fraud manager.  With this hash safely stored, the next time someone logs on claiming to be that user, the app can compare the device fingerprints to see if the user is logging on from the same device, or a new one. If it’s a new one, depending on how suspicious it is, the application can either block the user or ask for further verification. What kind of device data does device fingerprinting collect? Attributes included in a device fingerprint include the IP address, browser brand and version, HTTP request headers, the user_agent string, operating system (OS), browser or operating system language, installed browser fonts, time zone, screen resolution, and many others. What are different kinds of device fingerprinting? While products like Stytch collect several different types of information in a single device fingerprint, you may hear or read a few different terms on the web that all refer to a kind of device fingerprinting. To avoid confusion, we’ve broken down a few different ways you might hear a device fingerprint described: Browser fingerprinting Browser fingerprinting refers specifically to information gathered about a users’ web browser. It’s worth noting though that though the information comprising a browser fingerprint is gathered via the browser, much of the information that can be gathered via the browser can still be about the user’s device and their web browser configurations. Desktop device fingerprinting Whereas “browser fingerprinting” generally refers to information that is gathered via a browser, “desktop device fingerprinting” simply refers to a device fingerprint comprised of information about a user’s desktop device (typically gathered because of information exposed to the application or service while the person is accessing it from that desktop device). Mobile device fingerprinting Similar to desktop device fingerprinting, “mobile device fingerprinting” refers to a device fingerprint comprised of information about someone’s mobile device while they are accessing an application or service from that mobile device. How does device fingerprinting help prevent fraud? By allowing websites to affiliate device data with their users, device fingerprinting helps companies monitor for irregularities or suspicious activity, and intervene sooner if they detect a risk of fraud or account takeover. For example, if a user who usually logs in from IP addresses exclusively in one time zone and one browser language suddenly logs in from a brand new IP with a different default browser language, companies can take additional steps to verify the user and/or protect their account. This action can mean something as unobtrusive as requesting additional authentication methods, or more robust responses like revoking access tokens or invalidating session cookies. Device fingerprinting also helps prevent what’s known as “first-party fraud,” in which bots create net new accounts in order to abuse a website using spam, purchasing scarce assets (think of Nike shoe drops or Taylor Swift’s recent Ticketmaster fiasco), etc. By giving companies a better sense of which traffic is a genuine user and which is fraudulent / bot-created, they’re better able to protect their users from bot-driven experiences like automated ticket scalping and spammy advertisements / emails. It’s important to note that a “device fingerprint” is only as unique as the information they collect. Obviously, there’s more than one person in the world on a MacBook Pro using Firefox! So the more data sources and more unique data points a device fingerprint is based on, the more unique that device fingerprint is. This is why Stytch uses device, network, and browser data points to make sure our device fingerprints are as unique as possible. This is also why the power of device fingerprinting to prevent fraud is not just about what information is collected, but how that information matches or doesn’t match contextually with a given user, and the different notification and classification systems a given app sets up to monitor device behavior patterns within their platform. How does device fingerprinting affect user privacy? While Stytch is laser-focused on device fingerprinting for fraud prevention, companies may also use device fingerprinting for other purposes like marketing (to better target online advertisements or personalize consumer experiences). Privacy regulations vary widely by geography, but more stringent legislation like Europe’s General Data Protection Regulation (GDPR) consider techniques like device fingerprinting that process personal data for the sake of preventing fraud as a legitimate interest. GDPR is much more strict with techniques like device fingerprinting when it comes to marketing or ecommerce use cases. Whatever your app or site’s use case or geography, you must gain consent from users whenever collecting their information, including when using device fingerprinting. We find the best way to do this is to: Explain to users exactly what an app is collecting and why Explain how that information is being used, and how it will not be used Explain all the additional steps and investments your company is making to actively protect your server-side databases and user information The end goal with disclosures like these isn’t about checking a box: it’s about engendering trust. The whole reason we recommend fraud prevention tools like device fingerprinting is to make it easier for our customers to earn and keep their users’ trust with their information. A transparent, clear disclosure about precisely how you go about that is as important as the tool itself. What should I look out for when implementing device fingerprinting? As mentioned above, there are many different attributes an app or site could collect about a user, and different ways to configure the categories of risk and action a given website or app might take in case of suspicious behavior. Generally there are three main things to look out for when configuring device fingerprinting for your site or app: Insufficient data As we mentioned earlier, the more data a device fingerprint tracker collects, the more unique that device ID will be. So while it may seem easiest when implementing device fingerprinting to just track a few core attributes, insufficient data will render your device fingerprints easier to imitate and thus ineffective. Easily alterable or reverse-engineered data In addition to the amount of data you collect, you want to consider how easy it might be for a hacker to alter the data you do collect. For instance, it can be very easy to alter an IP address with a VPN, or change a browser or OS language. But other kinds of data are harder to alter: touch hardware, video and audio capabilities, and other kinds of device data cannot be changed so easily. An example of a vulnerable device fingerprint To see how this might work in practice, let’s take a look at the following example: In this code snippet, we use the user’s device information, including their userAgent, screen resolution, and time zone to create a unique device hash that can be used to identify and track the user’s device. While these attributes may suffice for some basic device fingerprinting applications, they’re fairly easy to alter or obfuscate. Hackers can easily change their userAgent to a virtual machine (VM), or use a VPN or private browsing mode to elide giving an IP address, time zone, etc. Relatively simple factors like these are also fairly easy for hackers to “spoof” or imitate, by analyzing the fingerprint of other devices and then contriving or faking those data points on their machines. Device fingerprinting best practices So if we want to avoid falling prey to hackers, what are some best practices for implementing device fingerprinting we can keep in mind? There are a few things developers can do to improve on these potential vulnerabilities: Collect a wider variety of stable data points One of the surest ways to make your device hashes more unique and harder to hack is simply by collecting a larger variety of data points – in particular, you should focus on stable data points that don’t change when a user changes WiFi networks or upgrades their browser. Unlike IP addresses or time zones, hardware data like the make and model of a device are more challenging for hackers to alter or hide from detection. You can also detect more detailed information about a device’s browser, like the installed plugins and fonts. Prevent access for VPNs or private browsing modes If certain kinds of user data are important to your device fingerprinting solution, you can also deny access to users logging in through a VPN or incognito browsers. Note though that this can introduce friction for users who prefer navigating online this way, so make sure you know your user base before doing anything that will make it harder for people to use your product. Use machine learning to better understand user patterns Machine learning algorithms can leverage the scale of traffic to your app or website to better understand user and device behavior, identifying patterns and suspicious devices based on a combination of factors or correlations. This kind of computing can augment your device fingerprinting and keep it agile and responsive as hacking methods and behaviors change. Especially as device fingerprinting becomes more prevalent, fraudsters will invent new ways to spoof or fake their device fingerprint. Machine learning and data science can be a powerful tool to detect how fraudulent behaviors are evolving, so that device fingerprinting can keep pace. Incorporate more contemporary cryptographic techniques to protect device fingerprints It’s a lot more challenging for fraudsters to reverse engineer legitimate device fingerprints if those fingerprints are more securely stored. Cryptographic techniques help reinforce device fingerprints’ integrity by making them much harder to access, and to fake. Device Fingerprinting with Stytch As a comprehensive auth platform, Stytch’s Device Fingerprinting goes the extra mile for customizability and security: we collect device data from multiple sources and use advanced techniques to create a unique, cryptographically-secured fingerprint for each user’s device. This allows us to provide a higher level of security than other solutions, while still offering the same flexibility and developer-first experience that comes with any of our products. If any of this sounds like it might be useful for your company, you get started for free, check out our docs, or book a demo today. --- # What is OpenID Connect (OIDC)? Source: https://stytch.com/blog/what-is-openid-connect-oidc/ OIDC is an authentication layer built on top of the OAuth protocol used to power B2B auth solutions like SSO. Here's a full breakdown. Welcome back to B2B Auth School. Our mission is to help B2B companies’ uplevel their understanding and implementation of user authentication technologies. Our first series of posts is dedicated to single sign on (SSO). This article is lesson five in that series. Lesson one | Introducing B2B Auth School Lesson two | Organization tenancy: the foundation of SSO and B2B data models Lesson three | What is single sign on? Lesson four | SSO protocols: SAML vs OIDC Lesson five | What is OIDC? Lesson six | What is SAML and how does it work? Lesson seven | Choosing a B2B auth provider In the previous lesson we looked at the importance of single sign on protocols – what they are, how they’re created, and why they’re important for B2B Auth. We then went over the two most common protocols in single sign on: Secure Assertion Markup Language (SAML) and OpenID Connect (OIDC). In this post, we’re going to look more closely at OpenID Connect to understand how it works, and get a more nuanced understanding of its benefits, drawbacks, and most common use cases. We’ll cover: What are OAuth and OpenID Connect The components of OpenID Connect How OIDC works in three phases What OIDC means for B2B auth Now that we’ve got that straightened out, let’s dive in! What are OAuth and OpenID Connect? As we mentioned in our last post, OpenID Connect is an authentication layer built on top of an authorization protocol called OAuth. Because of their symbiotic relationship, the two protocols are often used interchangeably by developers; but to be precise, OAuth is for authorization and OpenID Connect is for user authentication. Authorization verifies what a user is allowed to access. Authentication verifies who a user is and their identity. The two protocols are, so to speak, two sides of the same coin. To understand how OIDC functions as an SSO protocol, we need to cover the fundamental aspects of OAuth’s design because it was created first. OAuth was jointly developed in 2006 by Twitter and Google. With near universal adoption of social media sites, developers realized that their applications would greatly benefit from letting users bring in their data from accounts like Facebook, Twitter, or Google. This linking of accounts has proven to be a powerful integration pattern. Users bring their data over to an application for convenience while developers build features on top of it. You’re probably most familiar with OAuth with social accounts. If you’ve ever authorized an app to access the resources in your Gmail or Facebook account, you’ve used OAuth. Examples of these authorization prompts look like: “Allow this app to add all your Facebook friends as contacts?” “Allow this app to post links on your Twitter feed?” “Allow this app to sync events with your Google Calendar?” “Allow this app to use your profile picture from Gmail?” If the user consents, the application can then access the user’s data and resources as if acting on the user’s behalf. This pattern of granting permissions is known as delegated access or delegated authority. In order to do this safely, OAuth lets users provide access to their accounts without exposing their login credentials. It’s a protocol that delegates access and permissions between APIs and applications in a safe and reliable exchange. We’ll cover how this all works under the hood in a later section. So why do we need OpenID Connect? The short answer is OAuth only really cares about access to resources. Once a user grants permissions, the OAuth protocol interprets that as a green light for data access but stops short of actually verifying the identity of the user. OAuth confirms the user’s ownership of an account and its data, but omits the details about who the user is. It’s a subtle but important distinction. OAuth simply doesn’t provide enough assurance that the right resources are only accessible by the right people. Because these gaps limit OAuth’s ability to serve some of the most crucial needs in B2B auth, OpenID Connect was added and launched in 2014 to treat federated identity as a first-class concept within the OAuth protocol. OpenID Connect introduces a standardized implementation, set of scopes, and data format for exchanging information about the user’s identity. In this way, OAuth is a bit like sharing the key to your apartment. The key does not provide any assurance or verification of who is using it: anyone with the key can get in. This may work great for your dog walker or a neighbor you trust, but there are other kinds of assets you want to make sure only you can see. OIDC is more like the reception desk: in order to get in the building, one must prove who they are first by providing something like an ID, passport, or a list of personal details like name, birthday, and phone number. OIDC administers the identity logic necessary for proper authentication. It generates a proof of an identity for the user that applications can store and verify. And by piggybacking off the OAuth architecture, OIDC utilizes the same secure mechanisms to transport that identity data between applications, which means OIDC is a form of delegated authentication. OAuth and OIDC work great together because they are so interwoven. But most crucially, their design of delegated access and authentication creates interoperable interfaces necessary for organization-based authentication flows like SSO to function. In the world of B2B Auth, both the authorization and authentication process are critical, as B2B customers want fairly granular control over who can access what. The OIDC components It’s helpful to lay the groundwork with some key terms and flows. There are hundreds of terms listed in the OAuth spec and OIDC spec, and we encourage anyone interested in a deeper dive to take a look at those resources. In this article, we’ll just focus on the main terms developers need to know in order to evaluate different SSO solutions for their application. Like SSO, OAuth and OIDC can be broken down into a few main components. These are similar and mostly analogous to the components involved in single sign on. How does OIDC work? OAuth is a deep and complex protocol if you explore every facet of it. To best understand its most important functions, and how it matters to SSO, it helps to analyze the protocol in three phases of action. Phase one: a secure connection A user initiates the OpenID Connect flow by choosing a third-party platform, such as Google or Facebook, to login with on a client application. The first phase involves the client application and the authorization server establishing a secure connection to prevent man-in-the-middle attacks and other security threats. The client application can select several grant types to prove to the authorization server their connection is secure. The most secure is proof keys for code exchange (PKCE). You’ll also hear some OAuth literature discuss implicit and password grant types, but these are considered legacy practices and not recommended today because of various security concerns. Using PKCE with OIDC adds an extra layer of security to the OAuth 2.0 authorization process by ensuring that any sensitive data is only sent to the original server that initiated the authentication request, and not to any other servers that may try to impersonate that server. The client application generates a secret code, the code_verifier, and a hashed version of that code, the code_challenge. The client application sends the code_challenge to the authorization server along with the authorization request. The authorization server stores the code_challenge for a later phase. Phase two: user login and consent The authorization server prompts the user to log in to their third-party platform and to give consent to grant the client application access to their data. These actions are completely done in the UI by the user. Once the authorization server confirms the user has logged in successfully, it resumes the PKCE code flow from phase one and generates an authorization code. The client application then sends both the authorization code and the original code_verifier back to the authorization server to verify against the code_challenge, thus proving the client application’s authorization request hasn’t been intercepted. With the PKCE code flow completed, the client application can finally request what it needs most: tokens. Phase three: bearer tokens The OAuth and OIDC protocols use bearer tokens to transport access controls and data between the components. The name bearer token can be understood as “give access to the bearer of this token.” These tokens are encrypted pieces of data, like a JSON Web Token (JWT), that act as the main mechanism for delegated access and user authentication. The main difference between OAuth and OIDC is the type of bearer token the client application requests from the authorization server. The types of tokens are: An access token (OAuth) is used by the client application to access a given resource from the resource server. An access token is primarily used for authorization. An ID token (OIDC) is used by the client application as a proof of identity for the user. Unlike an access token, an ID token is primarily used for authentication. A refresh token is used by the client application to request either a new access token or ID token after they expire. Once the authorization issues an access token or ID token, the client application has everything it needs for delegated access and authentication. The ID token confirms the user’s identity is genuine and the client application can consider the user fully authenticated via OIDC. The full OIDC flow OIDC for B2B auth The OpenID Connect protocol is a deep and still evolving authentication framework boosted by OAuth’s architecture. Not only does the OIDC protocol fulfill the requirements for SSO login, but it is also designed for modern API support, mobile applications, and to handle the scale of social media platforms. It is a protocol well suited to support the diversity of both B2C and B2B auth models. If you’re building SSO, OIDC is a future-forward path to create a robust and complex B2B auth solution. There is a lot more to the OIDC spec, but what we covered should give you a strong foundation of how the delegated authentication pattern works for SSO. For our next lesson, we’ll be doing a tour of the SAML protocol. See you then. --- # Securing AI against bot attacks Source: https://stytch.com/blog/securing-ai-against-bot-attacks/ AI apps like ChatGPT open a world of possibilities – and a world of potential fraud. Luckily, there some tools available today that can help. ChatGPT and the acceleration of AI adoption Since its release last week, ChatGPT has quickly captured the internet’s attention for its uncanny ability to generate human-like responses to a wide array of complex questions. While it’s far from perfect, ChatGPT is the first large-scale deployment of GPT-3.5, the latest AI advancement from OpenAI. For those familiar with OpenAI’s previous model, GPT-3, the improvement is startling. GPT-3 (short for “Generative Pre-Trained Transformer 3”) was already an impressive feat, but it feels like a toy compared to the surprisingly lucid experience of interacting with GPT-3.5. In many ways, ChatGPT feels like a watershed moment for artificial intelligence. And while we’re only able to speculate on many of the impacts that AI tech advancements may have, one thing is already clear – developers are eager to incorporate the APIs (Application Programming Interfaces) behind ChatGPT into existing and new applications in order to improve current workflows and introduce new, previously unimaginable user experiences. In just 5 days, ChatGPT amassed over 1 million users. Many of these early adopters are developers who are tinkering with the technology and exploring how it could be incorporated into various B2C and B2B use cases. The developer excitement behind these new capabilities is no surprise. In the 2010s, companies like Stripe, Twilio, and Plaid introduced new superpowers to developers through APIs that simplified embedded payments, telecommunications, and third-party data access into applications, and these building blocks unleashed a wave of application innovation. Similarly, in the 2020s, APIs providing access to underlying artificial intelligence models like GPT-3, ChatGPT and (soon) GPT-4 will unleash unprecedented innovation. When AI meets API: security implications While the opportunities are limitless, as more applications integrate these AI APIs, it will introduce new application security concerns for developers. In particular, applications building with these APIs should expect significant and sophisticated bot traffic directed at their sites. It’s a matter of simple game theory and what the last two decades of commercial APIs have shown us – anytime you expose a resource on the internet (e.g., compute) that offers significant monetization potential to an attacker, fraudsters will search for ways to exploit that resource. In the case of Stripe and Plaid, these companies provide API endpoints for validating credit card numbers and bank account credentials, which attackers exploit to perform account validation attacks to steal valuable financial accounts. In the case of Twilio, attackers commit SMS toll fraud in order to pump expensive SMS traffic through partner mobile network operators (MNO) and share the profits with the MNO. The value behind artificial intelligence APIs could prove similarly alluring to fraudsters now, just as Stripe, Twilio, or Plaid did when they emerged. Not only are artificial intelligence APIs expensive to use, their API responses are also relatively fungible and public-facing, making them particularly ripe for abuse. Cloud services and other tools that, by design, expose valuable compute resources (e.g. companies like Replit, Github, and Heroku) provide a glimpse into the attack vector that applications exposing AI APIs will need to anticipate. In attacks against open compute resources, fraudsters commit first-party fraud by creating fake accounts for the sole purpose of running commands that can be monetized – with cloud services, cryptomining has been the most reliable way for attackers to make money through this vector. For applications leveraging expensive AI APIs, we can expect a similar attack vector where fraudsters create numerous fake accounts to initiate valuable queries while purposefully evading rate limits. A couple of the most likely monetization paths behind this attack include: API skimming attacks: This is an attack where the bots are effectively piggybacking on the the application’s AI resources as a sort of man-in-the-middle approach: the attacker sells access to the API outputs to another party, but they piggyback on a legitimate application’s API routes in order to avoid paying for the costly resource. Because the outputs are fungible and exposed to the end user in most cases, this is an API attack route that does not currently exist with services like Stripe or Twilio. Model stealing: B2B AI companies often invest significant time and resources into developing their AI models. If these models are not properly protected, they can be stolen and used by competitors or malicious actors. In the case of theft, an attacker could attempt to reverse engineer the model by analyzing its behavior and trying to infer its structure and algorithms. This could be done by feeding the model a large number of inputs and analyzing the outputs, or by using machine learning techniques to try and recreate the model. This can be a difficult and time-consuming process, but a sophisticated botnet could potentially automate some of the steps involved. Adversarial attacks: AI systems are vulnerable to adversarial attacks, where an attacker deliberately manipulates the input data to cause the AI model to make incorrect predictions or decisions. This could lead to serious consequences, such as financial losses or safety risks depending on the application use case. How to protect AI from bot attacks As a result of these threats, AI companies have unique bot detection needs, as they need to ensure that the APIs they expose are only accessed by authorized users and not by unauthorized bots or other malicious actors. Some of the unique bot detection needs that AI companies might implement include: Detecting and blocking bots that are attempting to access the API without proper authorization. This could include bots that are attempting to scrape data from the API, or bots that are trying to use the API to carry out malicious activities, such as spamming or fraud. To defend against this, it’s critical to protect against common bot detection evasion techniques, which include reverse engineering APIs and using methods like headless browsing alongside proxies or residential IP addresses to appear like a human rather than a bot. Monitoring the usage of the API to identify and block any suspicious or unusual patterns of behavior. This could include looking for anomalies in the frequency or volume of API requests, or for patterns of behavior that are indicative of bot activity, such as rapid and repeated requests from the same IP address. Overall, AI companies have unique bot detection needs because of the valuable APIs they expose. To protect these APIs, AI companies need to implement effective bot detection and blocking mechanisms, and they need to monitor and protect against bot detection evasion techniques as well. At Stytch, we help companies tackle Fraud and Risk Prevention with products like Device Fingerprinting and Strong CAPTCHA, both of which make it easier for developers to build in bot-protection without adding any friction for the user. By combining these tools with our user-friendly, ironclad authentication products, companies can rest easy knowing their data and resources are protected from malicious bot traffic. If you want to learn more about how to protect your product from bot traffic, talk to an auth expert today! --- # What is Security Assertion Markup Language (SAML) and how does it work? Source: https://stytch.com/blog/what-is-saml/ Learn all about Security Assertion Markup Language (SAML) – its history, its benefits, basic code anatomy, and how it actually works. Welcome back to B2B Auth School. Our mission is to help B2B companies’ uplevel their understanding and implementation of user authentication technologies. Our first series of posts is dedicated to single sign on (SSO). This article is lesson six in that series. Lesson one | Introducing B2B Auth School Lesson two | Organization tenancy: the foundation of SSO and B2B data models Lesson three | What is single sign on? Lesson four | SSO protocols: SAML vs OIDC Lesson five | What is OpenID Connect (OIDC)? Lesson six | What is Security Assertion Markup Language (SAML) and how does it work? Lesson seven | Choosing a B2B auth provider In the previous lesson, we took a close look at OpenID Connect or OIDC – one of the two most popular protocols for handling single sign on (SSO). We looked at the origin of OIDC, its close relation to OAuth, and how that authorization protocol was built upon to create what is now quickly becoming a preferred standard for identity claims for federated, enterprise SSO. Today we’re going to look at the other most popular SSO protocol, Secure Assertion Markup Language, or SAML protocol. We’ll look at: The legacy of this standard from SAML 1.1 to SAML 2.0 The key components of the SAML protocol SAML-based single sign-on (SSO) How SAML SSO authentication works The key SAML SSO flows The structure of SAML messages (requests and responses) Why you should support SAML as an enterprise-focused B2B SaaS vendor Let’s get started! It’s quite common for employees within large enterprise organizations to use a shedload of internal and external systems for work. In a company that doesn’t leverage SAML or Single-Sign-On (SSO), employees would typically have to manage unique login credentials for each of these systems they need to access. While it’s obvious how much of a poor user experience this is, it also poses significant security risks that can have costly consequences for employees and the organization. This is where SAML (Security Assertion Markup Language) comes into play. Within organizations that leverage SAML, both intranet systems and SaaS applications don’t need to manage employee identity credentials directly. Instead, an identity provider (IdP) can assume this responsibility. The IdP maintains up-to-date profiles and attributes for every user or employee and is responsible for exchanging these profiles with the applications employees need to authenticate into at any given time. This approach eliminates the need for employees to manage multiple sets of credentials and redundant login processes across several work applications. It minimizes the burden of password memorization and mitigates the security risks associated with employees reusing the same password across multiple apps, or setting up weak and pattern-based passwords that can be easily compromised. What is SAML (Security Assertion Markup Language)? SAML is a federated identity standard that allows identity providers (IdPs) to exchange authentication and authorization details about a user with applications that require this information to grant or deny access to their systems. It’s also referred to as an XML-based protocol because it uses the Extensible Markup Language (XML) to facilitate this communication between IdPs and SaaS applications (also known as Service Providers in SAML terminology). Here’s how this communication works: Before an end-user can access a SaaS application via SAML, the service provider (SaaS application) must send an authentication request to the IdP, and the IdP must issue a valid SAML assertion to the application in the form of a digitally signed XML response. This assertion contains essential information about the user, such as their identity and access privileges, represented as attributes, alongside conditions that specify the validity period and constraints of the assertion. In this article, you’ll learn about the SAML protocol according to the latest version of the OASIS SAML technical overview document. We’ll explore the key roles and components of the SAML 2.0 specification, and demonstrate how IdP-initiated and SP-initiated SAML SSO flows work. We’ll also discuss the top alternatives to the SAML protocol and show you when to choose one over the other. SAML 1.1 vs SAML 2.0 There are two main versions of the SAML standard—the SAML 2.0 version which is now widely implemented in B2B and B2E use cases, and the SAML 1.1 version which is largely deprecated. SAML 1.1 was adopted in 2003 as an improvement to SAML 1.0, which was introduced in 2002. But in 2005, SAML 2.0 was adopted as the latest OASIS standard, essentially replacing SAML 1.1. SAML 1.1 and SAML 2.0 were both designed to achieve federated identity and single sign-on (SSO), allowing users to access multiple systems with a single set of credentials. However, SAML 1.1 had significant limitations in its implementation, causing SAML 2.0 to introduce some of the following key improvements: Multiple Bindings: SAML 2.0 introduced multiple communication methods known as bindings, including SOAP and non-SOAP options like HTTP Redirect, HTTP POST, and Artifact Binding. This expansion allows SAML 2.0 to work with a wider range of transport protocols that define how SAML messages are sent between IdPs and SPs on the browser. Single Logout (SLO): For users to be able to terminate multiple active sessions at once, SAML 2.0 introduced SLO functionality. SLO enables users to log out of all connected applications simultaneously. This feature addressed a significant security concern that was present in SAML 1.1. Improved Encryption and Security: SAML 2.0 offers more sophisticated encryption capabilities, allowing for the encryption of entire assertions or specific attributes. It also introduced persistent identifiers, enhancing user privacy across different service providers. Enhanced SSO Profiles: Unlike SAML 1.1, which primarily supported two browser-based SSO profiles, SAML 2.0 introduced a more improved SSO profile including IdP discovery, name identifier mapping, artifact resolution profile, and SLO. ​​The rest of this article will cover the other protocol improvements introduced with SAML 2.0. Key elements of the SAML 2.0 protocol There are five key elements that collectively function together to make the SAML protocol work. These include SAML Metadata, SAML Protocols, SAML Bindings, SAML Assertions, and SAML Profiles SAML Metadata: These are pre-configuration files that must be shared between SAML entities (IdPs and SPs) to establish a trusted relationship before SAML SSO can take place. SAML metadata is typically an XML document that contains entity identifiers, supported bindings, X.509 certificates for signing and encryption, endpoint URLs (e.g., SSO service URL in the case of an IdP and Assertion Consumer Service (ACS) URL in the case of an SP), and other relevant configuration details. SAML Protocols: Define the request/response rules for sending data between IdPs and SPs in a standardized manner. The core SAML protocols include the Authentication Request Protocol, which allows SPs to request authentication from an IdP, and the Attribute Query Protocol, enabling SPs to query for assertions. There are other SAML protocols that we haven’t covered in this article, but you can find them in the official SAML specs. SAML Bindings: Specify the transport mechanisms used to exchange SAML messages between IdPs and SPs. Common bindings include HTTP Redirect, HTTP POST, and SOAP. HTTP Redirect binding is typically used for transmitting authentication requests, while HTTP POST binding is often used for delivering SAML assertions. SOAP binding, on the other hand, is utilized for more complex or asynchronous communication. SAML Assertions: These are XML documents that IdPs use to send authentication, attribute, and authorization data to SPs. These assertions are digitally signed by the IdP and contain statements about the user, such as their authentication status, timestamp, and other relevant attributes (e.g., name, email). Authentication assertions prove that the user has been authenticated, Attribute assertions provide specific information about the user, and Authorization assertions define what permissions have been granted to the user. SAML Profiles: Describe how SAML assertions, protocols, and bindings are combined to support a defined use case or functionality. The most widely used profile is the Web Browser SSO Profile, which outlines how SAML can be used to enable single sign-on for web applications. The Enhanced Client or Proxy (ECP) Profile supports SSO for non-browser-based clients, such as rich clients or proxies, which need to interact with web services securely. Other profiles include the Single Logout Profile, which describes how users can be logged out from multiple applications simultaneously, and other less popular profiles. These profiles provide detailed guidelines for deploying SAML in different contexts, ensuring interoperability and consistency across implementations. So what exactly is SAML SSO? SAML and SSO are often used interchangeably or even seen as alternatives. While there’s a mutual relationship between these two concepts, there’s also a stark difference between them. Single Sign-On (SSO) is a broad authentication concept that enables users to access multiple applications using a single set of credentials that must have been provisioned on a separate application that can vouch for their identity. Once authenticated in one application, users can seamlessly access other connected applications without having to re-enter any credentials. On the other hand, SAML is one of the several open protocols that can be used to implement an SSO experience or functionality. As we’ve seen thus far, it defines a standardized way for identity providers (IdPs) to pass authentication and authorization data to service providers (SPs)—the application a user attempts to access. In essence, SSO is the “what”—the desired functionality—while open protocols like SAML, OIDC (OpenID Connect), Kerberos, and OAuth 2.0 are the “how”—the methods used to implement this functionality. As such, the discussion shouldn’t be “SAML versus SSO” or “OIDC versus SSO,” but rather “SAML + SSO” or “OIDC + SSO.” SAML SSO specifically involves transferring a user’s identity profile from an IdP to an SP using XML-based assertions. These assertions confirm the user's authentication status and are signed by the IdP to ensure their validity. In this way, users can access multiple applications that support SAML SSO by authenticating their IdP-provisioned credentials with the respective IdP, eliminating the need for separate credentials for each application. How does SAML SSO authentication work? Like OIDC, SAML authentication also works through a series of redirects and information that is conveyed along with those redirects. To start, let’s take a look at the main components. The SAML SSO authentication flow is a trust validation process that involves the exchange of identifiers, metadata files, security tokens, relay state, session indexes, and other relevant attributes between the key roles within a SAML SSO setup. The key roles within a typical SAML SSO authentication flow include: Principal (End users) Browser agents Identity providers (IdPs) Service providers (SPs) Auth providers (e.g., Stytch) Principal The principal, or end user, is the human who initiates the authentication process in order to access a protected resource or application. This is typically an employee, customer, or partner of an organization who owns a single set of credentials they use to log into the company’s identity provider. The principal is central to the SAML SSO process, as the entire flow is designed to facilitate their access to several applications without repeatedly entering unique credentials on each one. Browser agent The browser agent acts as the intermediary between the principal, the identity provider, and the service provider. It’s usually the web browser or a similar client application that the principal uses to interact with the web. When a principal tries to access a protected resource, the browser agent initiates the SAML SSO process by redirecting the authentication request to the IdP. After successful authentication, the browser agent also handles the redirection of the SAML assertion from the IdP back to the SP. The browser agent is also responsible for storing and transmitting cookies that maintain the user's session state. Identity provider (IdP) The IdP is a trusted entity that authenticates the principal’s identity. It maintains the principal’s credentials and profile information and verifies their identity whenever they attempt to access a service provider. Upon successful authentication, the IdP generates a SAML assertion which contains information about the user’s identity, authentication status, and other relevant attributes. This assertion is digitally signed and sent to the SP via the browser agent. Service provider (SP) A service provider is the application or system that a principal is trying to access. The SP trusts the IdP to authenticate the principal and issue an assertion that confirms their identity and associated attributes. Once it receives a SAML assertion from the IdP, the SP validates the assertion's integrity and authenticity and uses the information within it to make access control decisions. If the assertion is valid, the SP will automatically grant the principal/user access to the requested resource or service, without having to manage the user authentication process by itself. Auth provider (Stytch) An auth provider like Stytch isn't a necessary component within a custom in-house SAML SSO setup. However, organizations can choose to build their SAML SSO infrastructure using third-party auth providers, in which case Stytch could become part of your SAML authentication flow. Auth providers like Stytch don't function as standalone identity providers such as Okta or Microsoft Entra ID. Instead, they provide the APIs and SDKs that make it easier for developers to implement SAML SSO in their applications without directly handling the complexities of the SAML protocol. Stytch only acts as an intermediary that standardizes the authentication process across multiple identity providers and can integrate with any organization’s IdP. The IdP remains solely responsible for authenticating users and issuing SAML assertions. Stytch's role is to facilitate the authentication process between the IdP and SP, forwarding XML requests and assertions between them. SAML SSO authentication flows Let’s assume we have an employee who needs to access a SaaS application to complete a task, maybe Figma in the case of a designer or GitHub in the case of an engineer. If these applications support SAML SSO, our hypothetical designer or engineer could access Figma or GitHub in two ways—via the service provider-initiated (SP-initiated) SAML SSO flow or the identity provider-initiated (IdP-initiated) SAML SSO flow. In the SP-initiated flow, the user must attempt to access the SP directly (e.g., Figma or GitHub's login page). As such, the SP has to redirect the user to their IdP with a SAML authentication request (AuthnRequest). Once the user authenticates their IdP-provisioned credentials, the IdP would have to generate a SAML assertion and return a signed response to the SP. The SP then validates this assertion and grants or denies access to the user. On the other hand, the IdP-initiated flow begins at the IdP portal and doesn’t require an initial SAML AuthnRequest from the SP. Firstly, the user must log into their IdP and select an SP (e.g., Figma or GitHub) from a list of SAML-enabled applications. Upon selecting the application, the IdP has to generate a SAML assertion and send it to the chosen SP. The SP then validates the assertion and grants or denies access. In both flows, the common steps include the IdP authenticating the user, generating a SAML assertion, and the SP validating this assertion to grant access. Structure of SAML messages (requests and responses) To fully understand the SAML authentication process, we need to study the XML anatomy of SAML requests, responses and assertions. As we’ve seen so far, SAML messages come in two forms—SAML requests and SAML responses. The main difference between them is the direction in which they are sent. A SAML request is sent from the service provider to the identity provider in order to authenticate a user’s identity, while the identity provider sends a SAML response to the service provider to convey authentication status, assertions and other requested information about the user. Structure of SAML requests SAML requests are initiated by the SP to request authentication from the IdP on behalf of a user. These requests typically contain information such as the request ID, the SP's entity ID, and the ACS URL where the IdP is expected to send the response. We won’t be going deep into XML semantics or schema, but if you want more specific information on SAML data schema or namespaces (mentioned below) check out page 11 in the SAML specs. Here’s an example of a SAML request in XML: From top to bottom, we can deconstruct this XML request into its most important parts and summarize their meaning: AuthnRequest is the top level (root) element that represents the whole SAML message. xmlns:samlp is an attribute that communicates two main things: Namespaces are an XML-specific method for distinguishing between different element names. Any element prepended with a given namespace belongs to that namespace. In this case, xmlns:samlp establishes the samlp namespace, which means that any element names prepended with samlp, like the "samlp:NameID" element, are parts of that same namespace (elements prepended with other namespaces, like “saml:IssuerID” would not belong to the samlp namespace). protocol-related: The word “protocol” appearing in the string value simply indicates that this is a protocol-related data element. ProtocolBinding says the SAML request will use an HTTP POST to bind and transfer data to the identity provider. Destination is the identity provider's endpoint where the request is directed. AssertionConsumerServiceURL is the auth provider’s callback endpoint, where the identity provider should send the ensuing SAML response to. Issuer specifies the entity ID of the identity provider that will issue an assertion to the requesting service provider (https://identityprovider.com/123456) NameIDPolicy specifies the format of the user identifier (NameID) that the identity provider will include in the SAML assertion. In this case, the service provider requires an email address. In summary, this SAML request is bound to an HTTP POST and is being sent to the specified destination and entity ID within the request. It asserts that it needs an email address in the response when returned to the callback URL. Congrats, you’re now successfully reading SAML. Structure of SAML responses SAML responses are a much longer and nastier XML document, because they contain more information. They contain one or more assertions, which include details about the user's authentication status, attributes, and any other relevant information. These responses are created and signed by the identity provider before they’re sent to the requesting service provider for validation. They’re the most important artifact in a SAML authentication flow, since they carry all the assertions necessary for SSO to work. To examine the structure of SAML responses, we’ll have to break the full SAML response into three parts. SAML response – part one: At this point, part one should look familiar. Like the SAML request, the SAML response has a top level (root) element called the Response with attributes like xmlns and Destination, but with updated values. For example, the Destination attribute now specifies the service provider’s callback url that will parse and validate the SAML response. SAML response – part two: Part two of the SAML response is where all the relevant assertions start to come in. These assertions give context about the user and how they authenticated with the identity provider. The Assertion element wraps all the data statements, which include: Subject – the user or member who is trying to authenticate via SSO. Notice how the user’s NameID is an email address (your_user@email.com), the specific format asserted in the SAML request from before. Conditions – the requirements and rules for the SAML authentication flow. For example, the NotBefore and NotOnOrAfter attributes define a range of time for which the assertion is valid. AuthnStatement – the information regarding how the user was authenticated by the identity provider. Taking a look at the string value, it seems the user logged in with their password credentials. SAML response – part three: And finally, part three contains all the assertions about the user’s identity and profile. These user assertions are called attributes. Common attributes about a user include but are not limited to name, phone, email, location, etc. In our example, you’ll see an Attribute element for: The user’s name: Ada Lovelace The user’s phone number: +1 (123) 456-7890 The two groups the user belongs to: Group One and Group Two These attributes provide a robust profile of a user’s identity. And that’s because attributes are customizable, in the sense that assertions can include about as much information and metadata an IT admin cares to stuff in there. However, it's important to note that each identity provider has its own unique and generally configurable set of attributes for a user, which means the service provider will need to understand how to interpret them correctly. Adding all three parts together, the SAML response gives a full picture of the authentication flow and the user’s identity. But with multiple assertions and custom attributes, the length and format of the XML starts to multiply in complexity very quickly. However, the service provider must be able to parse and validate all the different variations of SAML syntax and assertions. Implementing SAML SSO using Stytch If you’re a B2B company looking to move up-market or already serving enterprise clients that have custom security needs, you can implement the SAML protocol in weeks or even days using Stytch. Many B2B companies either attempt to build SAML internally or choose auth providers that lack the flexibility needed as they scale. Unfortunately, both approaches end up draining engineering resources and then require even more time to rip and replace. From our experience, and that of our customers, we wouldn’t advise any engineering team to attempt building SAML in-house. In addition to wasted resources, it’s easy to leave vulnerabilities that could make your infrastructure open to attackers. However, with Stytch, you can easily and securely configure SAML for your enterprise customers regardless of the identity provider they use within their organization. Using Stytch, you can connect to any SAML-enabled service provider because we can forward AuthnRequests to whichever IdP, and also forward SAML responses back. It’s that easy and straightforward. Ready to implement SAML SSO with Stytch? Check out our Docs and start coding. If you have any questions, please reach out to us at support@stytch.com or schedule a chat with a member of our Solutions Engineering team. --- # Stytch honored with BuiltIn's 2023 Best Places to Work award Source: https://stytch.com/blog/stytch-builtin-2023-best-places-to-work-award/ Stytch is honored to be featured in BuiltIn's 2023 Best Places to Work Awards, for startup companies in both San Francisco and New York City. Built In announced today that Stytch has been honored in its 2023 Best Places To Work Awards. Specifically, Stytch earned a place on both New York City’s and San Francisco’s Best Startups to Work For. The annual awards program includes companies of all sizes, from startups to those in the enterprise, and honors both remote-first employers as well as companies in large tech markets across the U.S. “It’s my honor to congratulate this year’s Best Places to Work winners,” says Sheridan Orr, Chief Marketing Officer at Built In. “These exemplary companies understand their people are their most valuable asset, and they’ve stepped up to meet the modern professional’s new expectations, including the desire to work for companies that deliver purpose, growth and inclusion. These winners set the stage for a human-centered future of work, and we can’t wait to see that future unfold.” Built In determines the winners of Best Places to Work based on an algorithm, using company data about compensation and benefits. To reflect the benefits candidates are searching for more frequently on Built In, the program also weighs criteria like remote and flexible work opportunities, programs for DEI and other people-first cultural offerings. Stytch is thrilled to be recognized as a Built In Best Places to work award winner. We're a results-driven team, but we know we’d be nowhere without our company culture and guiding values: ambition and empathy. We want people with a high degree of ownership and drive to make our product the best it can be, but who also care about their team and support each other in our growth as individuals and as a company. While specialized skill sets are also important, we’ve found that those two values help ground and unite us as a team. About careers at Stytch Come work for us! Open positions are listed on our Careers page, along with contact info for us if you have any additional questions. To read a bit more about how we’ve built our team, check out our articles on how we’ve built our engineering team and how we use references in our hiring process. About BuiltIn Built In is creating the largest platform for technology professionals globally. Monthly, millions of the industry’s most in-demand professionals visit the site from across the world. They rely on our platform to stay ahead of tech trends and news, learn skills to accelerate their careers and find opportunities at companies whose values they share. Built In also serves 2,000 customers, innovative companies ranging from startups to those in the Fortune 500. By putting their stories in front of our uniquely engaged audience, we help them hire otherwise hard-to-reach tech professionals. www.builtin.com About BuiltIn’s Best Places to Work Built In’s esteemed Best Places to Work Awards, now in its fifth year, honor companies across numerous categories: 100 Best Places to Work, 50 Best Startup Places to Work, 100 Best Midsize Places to Work, 100 Best Large Places to Work and Editor’s Choice: 100 Best Hybrid Places to Work. The program honors companies – remote, hybrid and in-office – with the best total rewards packages across the U.S. and in the following tech hubs: Atlanta, Austin, Boston, Chicago, Colorado, Dallas, Houston, Los Angeles, Miami, New York, San Diego, San Francisco, Seattle and Washington DC. --- # Choosing a B2B auth provider Source: https://stytch.com/blog/choosing-a-b2b-auth-provider/ A step-by-step rundown of what you need to know and what you need to ask when choosing an auth provider for your B2B app Welcome back to B2B Auth School. Our mission is to help B2B companies’ uplevel their understanding and implementation of user authentication technologies. Our first series of posts is dedicated to single sign on (SSO). This article is lesson seven, and the final lesson in this series. Lesson one | Introducing B2B Auth School Lesson two | Organization tenancy: the foundation of SSO and B2B data models Lesson three | What is single sign on? Lesson four | SSO protocols: SAML vs OIDC Lesson five | What is OpenID Connect (OIDC)? Lesson six | What is SAML and how does it work? Lesson seven | How to choose your B2B auth provider In the previous lesson, we took a close look at Security Assertion Markup Language – the current legacy protocol for handling single sign on (SSO). We looked at SAML’s origins, its benefits, and the anatomy and quirks of SAML messages – including their core components and common challenges and footguns. To conclude this series of B2B Auth School, today we’re going to take a step back and walk through the decision of choosing a B2B auth provider – what you need to consider, what you need to ask, and how to choose a provider that will support your product in the long term. Building your B2B auth profile Because B2B businesses are so diverse, there’s no one-size fits all checklist for a B2B auth provider. BUT, all B2B companies can arm themselves for conversations with potential auth providers by taking a thorough inventory of their customer’s needs and expectations. Hint: it’s not just about SAML vs. OIDC! To choose the right auth provider for your B2B company, you need to develop two key customer profiles: one for the customers you have today, and the other for the customers you intend to have in the next year to five years. 1. How do my customers need to operate? How are they organized? How do they currently handle identity management? Do they use an identity provider that’s on-prem or in the cloud? Are their organizational and management structures complex? Do they have multiple personas, roles, teams, and departments using your application with different permissions and authorizations? How do they manage, provision, and deprovision their corporate accounts for their employees? Do they also have accounts for consultants, contractors, and other third-party members? 2. What regulations are important for my customers’ vertical and/or geography? What kinds of data challenges / threats do they face? Related to the above, are your customers in any uniquely regulated industries like healthcare or finance? Are they dealing with healthcare or financial data? Bank accounts and/or major financial transactions? Are they operating in specific geographies like Europe /GDPR, etc.? Do they have any specific SOC2 compliance expectations (i.e, security, availability, processing integrity, confidentiality, privacy, or some combination thereof)? Are they or have they been a target for account takeovers or ransomware? Have they ever suffered a breach before? What kinds of fraud protections do they currently have in place, and where might they still be vulnerable? What are the biggest risks that keep their CISOs up at night? 3. What kind of single sign on experience are my customers used to? Where is there room to ease pain points or delight them with something better? What kind of dashboard / management setup does their IT team use now? What other auth providers/experiences have they worked with in the past? Who do their other B2B vendors use and what has their experience been? Where have they encountered the most friction/greatest cost of engineering time with B2B vendors? Do they have any unique needs or expectations around approved domains or just-in-time provisioning? What kinds of metadata do they expect to be able to communicate during authentication transactions? 4. What kind of experience do your end users (i.e., customer org members) expect? What kinds of devices are they on? Are they dispersed across different time zones, geographies, native languages? Are they typically accessing applications through their identity provider? Or do they prefer to go directly through their service provider? What kind of authentication flow are they accustomed to? Which multi-factor methods are they already familiar with (if any)? Once you’ve answered all these questions for your current customers and prospects, you should do it again – this time for the customers you want to go after in the next few years. Too many B2B companies we’ve talked to think of auth as a “set-it-and-forget-it” feature, but the reality for many startups and smaller companies is that their auth needs will change, and the sooner they take stock of that, the better positioned they’ll be to scale efficiently and avoid headaches down the road. For this, they need more than an authentication provider – they need an authentication partner. B2B auth checklist – what you need to build Once you have a clear profile of your customer’s B2B auth needs, it’s time to take stock of your own resources. Whether you decide to build B2B auth in-house or go with an outside provider, to be an informed collaborator in the process you should make sure you have a solid understanding of the full-breadth of the B2B auth tech stack. Looking back at our series, that includes the following: Are you prepared to support organization tenancy? How will you define organizations and organization membership? Your data model can change drastically depending on what use cases the application supports. You need to consider how you’re going to guarantee data isolation, what structure you need to store the metadata in, if there can be sub-organizations, etc. How will you handle org discovery? – email domain, manual entry, etc.? How will you manage membership and roles? Will your product allow members to belong to multiple organizations? How will you handle various authentication/authorization settings, like account deduplication, just-in-time provisioning, etc.? Do you understand SSO auth flows? Do you have a solid understanding of the different roles and components of SSO? Ie., the roles and responsibilities of an identity provider, service provider, etc.? Do you understand the differences between IdP- and SP-initiated SSO? And the risks involved with each? Do you have a detailed grasp of the various transactions managed by the auth provider? This includes identity authentication, session management, and informational exchanges with both the identity provider and the service provider. Do you understand the value SSO provides to your B2B customers, and where you can enhance and differentiate that value? Do you know the protocols that facilitate SSO and the differences between them? What are the origins of OIDC and SAML? And what needs did each arise to fulfill? What is OIDC? And why are its roots in OAuth and use of JSON important? What is SAML? Why is it the legacy protocol, and what are the implications of being XML-based? What are the common customer profiles for OIDC vs. SAML? And is it worth it providing both? (Hint: almost certainly!) Do you understand each protocol (SAML, OIDC) in enough depth to implement? With OIDC… How does OIDC build off of OAuth to offer authentication and authorization? Where do these two protocols diverge and complement each other? How do the roles and functions differ between resource owners, relying parties, resource servers? How do those mirror terms from SAML? What’s the role and anatomy of bearer tokens? What are best practices for using them? With SAML… What are the different data elements in SAML? How do they relate to each other? What is the anatomy of a SAML message? What are the key differences and components of requests and responses? What are XML/SAML’s common footguns, and how can you best avoid them? Which are specific to SAML, and which are vulnerabilities of XML more broadly? Auth partner vs. auth provider – a future-forward approach At the beginning of this series, we talked about B2B auth as a crucial growth lever: the easier you make it for your customers to manage their employees’ accounts and onboarding to your application, the more likely you are to land upmarket sales and see widespread adoption. Authentication is often framed as a pure security consideration. But authentication touches many different parts of your product and involves several customer touchpoints – especially with B2B companies. These touchpoints and product features also look very different as companies scale: the needs of startup B2B customers are very different from the enterprise. That’s why when working with an authentication or SSO provider, B2B companies should find someone that’s not just looking at what their customers today need: they want an auth provider that’s able to predict upmarket needs so that authentication becomes an enterprise catalyst that accelerates a B2B company’s growth. The decisions you make today about your authentication solution could have long-lasting effects that either hold your product up, or launch it into a bigger, brighter future. If you want to talk to an auth expert about the right data model and auth solution for your B2B product, chat with one of Stytch’s auth experts today. Congrats on finishing your first “course” in B2B auth school! --- # JWTs vs. sessions: which authentication approach is right for you? Source: https://stytch.com/blog/jwts-vs-sessions-which-is-right-for-you/ JWTs vs. sessions: which authentication approach is right for you? Your application just received a login request, and the credentials passed successfully to prove the identity of a user in your system. Wonderful, you have a high degree of confidence in who this user is and what they should be able to access! But wait, what happens on the next API call where they don’t include their login credentials? HTTP is stateless, meaning that each request is independent and doesn’t contain any context about previous requests, but asking your user to re-authenticate on every request isn’t exactly a friendly UX. Session cookies and JSON Web Tokens (JWTs) are the two most popular ways to maintain this authentication state between calls. There are pros and cons to both, and choosing between them requires understanding these tradeoffs and how they relate to the specific needs of your application. Session-based authentication In session-based authentication (also known as cookie-based authentication), the server is responsible for creating and maintaining a record of the user’s authentication and providing a way for the client to reference that record in each subsequent request. This flow starts by the user authenticating and providing some credentials to the server for verification. If the credentials are accepted, the server will create a persistent record that represents this authenticated browsing session. This record will have some sort of primary identifier (typically a random string that is at least 128 bits long) in addition to an identifier for the user, the time the session started, the expiry of the session, and perhaps context information like the IP address and User Agent. This information will be stored in the database, and the session identifier will be sent back to the client to be stored as a cookie in the user’s web browser. Each subsequent request from the browser will include the session cookie in the HTTP headers, which the server can then use to look up the session record, confirm that it is valid and then make authorization decisions about what information to return based on the confirmed identity of the user. The benefits of session cookies The appeal of this approach is in its simplicity and reliability. The database record of the session serves as a clear, centralized source of truth for the state of the session, which allows for a high degree of confidence that the session information is up to date and can be used to make authorization decisions. Revoking a user’s access to the system is quick and reliable with sessions, as you can simply delete the session record from the database or mark it as invalid. For any subsequent requests after revocation, the server will fail to find a valid session that matches the identifier in the headers and will return a 401 unauthenticated error to prompt the user to re-authenticate. By offloading the state management to the server, we are able to reduce the data transfer overhead down to a single opaque string, which is lightweight and does not leak any information about the associated user or the context of the session. The downside of session cookies While session-based authentication is very reliable, at scale it can begin to introduce latency and performance issues. Since you need the session record to be highly reliable and accessible from any host, this means inserting a write request to the database for every authentication and more importantly a read request to the database for every subsequent request that contains the session header. Since session expiry is often extended with constant use, this can also mean an additional update on every request. Over time all these database interactions can add up, and introduce notable latency across your application. For applications that have highly dynamic clients, this latency overhead might not be worth the benefits that session-based authentication provides. JWT authentication JSON web tokens (JWTs) achieve similar goals of identifying and authorizing the logged-in user during subsequent requests, but solve the problem of how to manage that information in a very different way. This flow also starts with the user providing some form of credentials that the server uses to authenticate that particular request. However, while the session-based flow relies on storing all the necessary state in a database and looking it up on every request, in the JSON web token flow all that context is self-contained in the string being sent back to the client. At a high level, JWTs are JSON objects that follow a particular protocol for communicating “claims” or authorization context, and are then either signed or encrypted by the issuing server in order to provide assurance that these claims can be trusted. Clients can verify that the JWT has not been tampered with since the signature of the JWT contains the original header and payload data. JWTs consist of three parts – the header, the payload and the signature. The payload contains the core claims, such as the identity of the user the JWT was issued for, the permissions that the token might grant, and the expiry of the JWT, which indicates the time after which the JWT should no longer be accepted. The header contains information about the algorithm used to sign or encrypt the token. The header and payload are then base64url encoded, which makes the value easier to send and store. Since this is just as easy to decode, it means that the information stored in them can be viewed by anyone. The signature is created by combining the header and the payload and then hashing that combination with a secret key, providing a way to detect if a malicious actor has tampered with the claims after the issuer signed the JWT. In distributed systems, this is typically an asymmetric signature, where the issuing server will use a private key to hash the contents and then the audience can use the corresponding public key to verify that the current payload is the same one that was signed by the issuer. Once the JWT is constructed and signed, it is sent back to the client to store. This JWT can be used safely for authorization by verifying that the expiry has not passed and the signature is valid for the payload provided, all of which can be done on the client without checking with the server who initially issued the JWT. The benefits of JWTs for authentication JWTs contain all the information required to both verify the authenticity of the claims, as well as the information you’d need about the user to make authorization decisions. This self-contained quality of JWTs means that there is no longer a dependency on the server and database in order to validate the token and feel confident in making authorization decisions for the identified user. There are several advantages to this, most obviously, a reduction in latency for your application since client-side authorization is possible and server-side authorization can happen much faster without a call to the database. The other advantage is that it opens up a wider range of possible applications that can sign, verify and leverage the identity information and authorization granted through the JWT. Signatures and self-contained data make it possible to develop server-to-server applications that programmatically self-sign tokens and refresh them without needing manually entered credentials. In addition, the flexibility of the claims allows you to communicate other important information to these external applications within the token itself. This can be very useful when exposing APIs to external applications. The downside of JWTs for authentication The self-contained, stateless nature of JWTs has a significant downside though – once a JWT is signed, there is no way to invalidate the JWT or update the information contained within it. Provided the signature is valid and the expiry timestamp has not passed, the JWT will be considered valid by any process leveraging it for authorization decisions. If a user requests to log out of all devices, there is no practical way to honor this request through local validation before the natural expiry of all currently issued JWTs. In theory, JWTs can also be invalidated by revoking the secret key used to sign the JWT but that would invalidate all JWTs that used that key and would require handling to evict any cached validation keys, making secret key revocation an unsustainable option for something as simple as a user log out. Similarly, in the case where the JWT contains role-based authorization information (such as “admin” vs “member”), if the user is downgraded to a lower role that reduces the scope of what they are allowed to access, this change in authorization permissions would not be reflected until their existing JWTs expired. JWTs versus sessions cookies As we have seen, both JWTs and session cookies are viable approaches to solving the issue of persisting authentication and authorization context in a stateless HTTP world, but they take fairly different approaches that have their own pros and cons. JWTs enable faster authorization and more interoperability with external apps, but they demand more developer investment to address their security complexities, and might not be the best fit for applications that enable access to sensitive data or actions. On the other hand, while sessions provide stronger guarantees that each individual request is authorized and are simpler to implement securely, their bottleneck on the server-side database validation comes with a latency overhead that might ruin the user experience for highly responsive applications. While there are maximalists out there who will tell you that one approach is always superior, at Stytch we recognize that every application is unique and the security and latency tradeoffs need to be evaluated in context. Using a combination of session cookies and JWTs For those looking to blend the performance benefits of JWTs and the security benefits of session cookies, Stytch’s session management product offers a powerful hybrid option that can be customized for your particular needs. An extremely security-conscious organization, like a bank or government agency, might want to just use session cookies in order to ensure that every single call is authorized at that exact moment. Other applications might want the performance improvements of being able to do client-side JWT validation but do have some sensitive actions that require a source of truth to check in with before granting access. Applications without any sensitive info might value the performance benefits of JWTs and almost never want to ask their users to re-authenticate, but still want to be able to honor explicit logout requests. When you’re using Stytch session management, you can configure the duration of a user’s session, which defines how long Stytch will keep the session active before prompting the user to re-authenticate. Stytch will return both a session_token, which is a static value that is good for the lifetime of the session, as well as a JWT that is associated with the underlying session but has its own, shorter lived, expiry of 5 minutes. Expired JWTs can be passed to the Stytch session API in order to retrieve a fresh JWT, and the Stytch servers will ensure that the underlying session is still active before passing back a new JWT. If the user logs out, this revocation of access will take place within a maximum of 5 minutes. If you have a particularly sensitive route, you can configure the Stytch client libraries to have an even more restrictive max_token_age which Stytch will use to request a new JWT, lowering the threshold for potential staleness even further. This solution allows for a nice balance between performance and security. Getting started with session cookies is easy and secure. But as your app scales, you may start to notice the latency of the required API call. JWTs can help you reduce the number of calls you need for non-sensitive routes. If the API call only needs to happen every 5 minutes or before granting access to particularly sensitive actions, this greatly reduces the performance overhead while also protecting you and your end users from the risk of authorizing actions based on stale information. Conclusion While there may never be a clear consensus on which method is superior, the good news is that Stytch provides both options, with the ability to configure the perfect blend of latency vs security for your particular use case. Stytch is a modern authentication and fraud platform that lets you abstract over complexity and enables developers to choose what works for them. This choice includes the ability to switch between JWTs and session cookies as needed. Regardless of your developers’ favored approach, Stytch makes authentication easier and more secure. Read more about how Stytch can provide simple and secure implementations out of the box, or take a look at how you can use the Stytch platform to build frictionless, secure authentication flows. --- # Stytch Talks with Jaren Glover: Building high-powered engineering teams Source: https://stytch.com/blog/stytch-talks-with-jaren-glover/ Five key takeaways on hiring and nurturing top engineers from our interview with Jaren Glover. Assembling and growing a talented engineering team is a critical process that has an immediate impact on a company’s potential — especially for fast-growing startups. For our second Stytch Talks session, Stytch co-founder and CTO Julianna Lamb sat down with Jaren Glover, a seasoned software engineer, early stage investor, and advisor. Glover spent over five years as an early hire at Robinhood, where he helped scale their team and infrastructure as the platform ballooned from 150 thousand user accounts to over 22 million. He has a rich history of partnering with founders such has Parafin, Metronome, Arcade, and Stytch. He is now spending time investing and advising at the earliest stages – he has been a great partner to us! They discussed the growing pains that often accompany the early years of success, as well as the natural tradeoffs that arise as a startup makes its first major engineering hires. Below, we recap five of the key lessons and observations Glover and Lamb shared from their own experiences — along with their top tips for building a best-in-class engineering team to enhance both productivity and day-to-day culture. 1. It’s not just about thoughtful recruiting, but thoughtful onboarding. “Always be hiring” isn’t just an expression. Finding qualified engineers — especially for specialized projects like your core infrastructure — can be challenging in the current landscape, and it’s important to keep your pipeline rich. Based on his time at Robinhood, Glover suggests going beyond recruitment. It’s not just about discovering top talent out in the field, but supporting the talent you already have and nurturing tomorrow’s high performers with a well thought-out onboarding process. “At times, we were trying to find a needle in the haystack, when we should have been trying to hire new grads and create safe areas and guardrails for them to be able to evolve within the organization.” A solid onboarding system begins with creating a culture of mentoring and accountability. The quality of an individual employee is almost always related to the quality of the supervisor who trains and evaluates them. Provide a foothold for new hires, and give them the opportunity to grow from smaller wins to more elaborate tasks to build their confidence and trust — with clear benchmarks and expectations in place. Most importantly, ensure everyone follows the same process, whether they’re fresh out of school or an established engineer from a big-name company. 2. Root your interview loops in reality. If you want to suss out high-quality talent, avoid interview questions and assignments that aren’t relevant to the work you actually do. It may be impressive if a candidate can rattle off complex algorithms, but it doesn’t necessarily demonstrate how they’ll perform as a member of your team. Instead, introduce strainers that tackle problems you see in your day-to-day activities, like basic metric collection exercises. In the next round, you can spike from either an architecture or coding perspective to measure a candidate’s depth. As Glover points out, you should also run candidates through a project deep dive, which is the ultimate way to gauge how they’ll work as part of a team. “The project deep dive is super important, because you need to be able to communicate with your peers. It turns out, you can be a really great engineer, but if you can’t work with someone, it’s not really a good exercise.” Ideally, interviews should closely mirror problems and an environment that’s true to life. Ensure that the problems you’re asking candidates to solve are ones that will be truly indicative of their ability to solve the problems you’ll need them to do on the job. Above all, don’t let your interview loops grow stagnant. Make sure you’re constantly working to fill gaps in your method and keep up with best practices. If possible, work with a recruiter that can help you not only source promising new engineers but identify why any candidates are dropping out of the process. 3. Reward employees with meaningful incentives. This one is simple. Incentives matter, and they start right from the top, right from day one. Whatever you reward employees for — either explicitly or implicitly — in your company’s early days will naturally spill over across the organization and into future projects, and your team will always reflect (and expect) those initial standards. For Glover, it’s a founder’s responsibility to establish what matters and to reward and incentivize employees accordingly. That means establishing how employee performance is evaluated, finding meaningful ways to acknowledge employee achievements, and codifying and applying that system fairly and consistently across different engineering teams (whether product or reliability). “A strong set of founders can really turn an okay opportunity into a great opportunity, and a great opportunity into an exceptional opportunity.” Keep in mind, incentives aren’t just about one-off perks like bonus checks, gift cards, and PTO. Employees also value — and may even prefer — immeasurable rewards like internal recognition, whether a shoutout in a shared forum or meeting or a crystal clear path to a promotion. 4. There’s an art and a science to scaling your engineering leadership. One of the hardest parts of building an engineering team is knowing when and how to add in layers of management. On the one hand, you need to plan ahead and ensure you have the right leadership and resources in place as you grow. On the other hand, you don’t want to jump the gun and get to a point where you have too many people managing and not enough people doing. There are two key inflection points when strategic scaling is critical: Going from zero to one: Introducing your first engineering manager can be daunting. Glover recommends hiring this initial role internally, due to the social capital that’s already been built up among your team. That said, it’s also smart to get external assistance from a coach or advisor — preferably from among your cap table and other entities that know your organization well — to support and guide your new leader. Hiring the VP: The real question here is, do you need a VP of engineering, or are you actually looking for a head of engineering? Don’t be afraid to delay the VP role if you’re not ready, and focus on getting your first tier of managers right. You can always elevate an engineering manager or head if the right person comes along. When you do appoint a VP, be rigorous with your 30/60/90 evaluations, and be honest if it’s not working out. A VP can make or break an organization—and you want them to make yours great. Two final words of wisdom: First, whenever possible, promote from the inside. It sends a positive signal to your standing engineers that efforts will be rewarded — but make sure they also have technical opportunities to grow outside of a management track. Second, always check the references. It can be tempting to scoop up leaders from top tech companies when they show interest, but it’s more important to know that they’ll be a good fit. 5. Know what the best engineers are looking for. Glover doesn’t just consult for leading startups, he also advises many up-and-coming engineers. If you’re looking to put together a winning team, it can be just as crucial to know what your top candidates are looking for in you. Be transparent, and encourage open, honest conversations about what your organization has to offer, from risk profiles, term sheets, and compensation, to your company’s culture and opportunities for professional growth. It not only creates a foundation of trust, it sends a strong message about the progress and promise of your business. That extends to founders, who are the beating heart of an organization and the best equipped to express the passion and purpose behind its work. Those who are not only accessible but excited to engage with the next generation of engineers are the ones who reap the benefits of proud and productive teams. Looking to build a best-in-class engineering team? Check out our YouTube channel to watch the full Stytch Talks interview, or follow Glover’s latest insights and investing tastes through his website or on his Twitter, LinkedIn, or GitHub feeds. If you want to learn more about Stytch’s approach to team-building, read through our Founder’s Guide to Hiring Engineers — or, if you’re interested in joining our growing team, browse our current list of open positions. --- # Balancing security and adoption: preventing account takeover fraud with multi-factor authentication Source: https://stytch.com/blog/prevent-account-takeover-with-multi-factor-authentication/ Find out how to strike the right balance between keeping your users' data safe and making it easy for them to log in using multi-factor authentication. Since 2017, hackers have stolen 555 million passwords on the web. As a result, most security professionals consider passwords to be “pre-breached” when designing identity and access management for their applications – when you onboard a user, you have to presume that the password they’re using is either already compromised or likely to become implicated in a future data breach (after all, 45% of US companies suffered a data breach in 2021 and this figure continues to rise). In today's digital landscape where we have to assume that a user’s password is or will soon become compromised, multi-factor authentication (MFA) is a necessity for protecting against account takeovers and fraud. However, as an engineer, it can be challenging to determine which MFA options for your application strike the right balance between security and user adoption. Effective MFA adoption is dependent upon consumer access and usability, which is why we continue to see the popularity of less secure options like SMS passcodes far outpace phishing-resistant options like hardware keys or device-tied biometrics. In this post, we'll take a closer look at the different MFA options available, their relative security, and how to increase user adoption. To ground this discussion in real-world data, we'll draw upon Coinbase’s recent "Authentication Matters" article which shines a light on MFA types and the associated account takeover fraud. In this article, Coinbase provides detailed statistics on the cryptocurrency exchange’s customer adoption rates of different MFA options and the associated account takeover rates. It’s rare and commendable for a company to offer this level of transparency, and we believe that this data can be valuable for other engineers considering which MFA options to support and how to promote user adoption to prevent account takeover. Coinbase’s case study: why the most popular MFA option isn’t the most secure Coinbase’s data provides a great case study on both MFA adoption and security. Coinbase stores cryptocurrency on its exchange, which makes it a uniquely valuable account for hackers to target due to both the monetization potential and the irreversibility of cryptocurrency transactions on-chain. In other words, a hacker can make a lot of money off of a stolen Coinbase account. As a result, Coinbase requires all users to have MFA, but they provide multiple options: SMS one-time passcodes (OTP) Time-based one-time passwords (TOTPs) Push notification via their app Physical security keys (e.g. YubiKey) And their experience with both adoption and account takeover fraud rates illustrates the relative benefits and drawbacks of these various methods. For example, Coinbase discovered that their most popular 2FA option with users (SMS passcodes) is also the least secure – 95% of users opt for SMS, but this also accounts for 95% of successful account takeover attacks. A particular MFA type’s user adoption rate being correlated with account takeover rate isn’t surprising in a vacuum, but it is more of an indictment of SMS 2FA when you consider Coinbase’s attack surface and hackers’ incentives. The majority of customers’ funds on Coinbase (57%) is held in accounts that are protected by a 2FA option other than SMS (either TOTP, push notification, or a physical security key). From a hacker’s perspective, they are most incentivized to target user accounts that hold larger amounts of crypto if the effort to attack those accounts is similar. However, these larger accounts are seldom stolen by attackers because of the increased effort involved in breaking the MFA types that these customers use. Coinbase found that for these accounts using advanced MFA (TOTP, push notification, or security keys), only 5% of all account takeovers were successfully executed against these users. And of these rarer account thefts, 86% are concentrated on TOTP and push notification MFA, which unlike security keys, are not “phishing-resistant." Despite most Coinbase customer funds being protected by advanced MFA, only 5% of those accounts are stolen due to the increased effort involved in attackers’ trying to break those MFA methods. Meanwhile, SMS 2FA protects only 43% of Coinbase customer funds but comprises nearly all (95%) of account takeovers. Evaluating MFA options: Advantages and disadvantages of commonly used methods When it comes to MFA options, there are several available, each with its own set of advantages and disadvantages. Every application is different, but most should be offering multiple MFA options to promote both maximum adoption and advanced security options. When considering which options to offer, here’s some important considerations for each MFA method: SMS One-time Passcodes: This is the most basic form of MFA, where a user receives a one-time passcode via text message. Pros: This option is familiar and easy for users. It offers a particularly seamless experience on mobile due to the auto-fill capabilities on iOS and Android that allow a user to stay within the application experience when inputting the passcode. Cons: SMS 2FA is vulnerable to both reliability issues (it’s dependent on a single point-of-failure – the SMS provider – for the authentication) and security concerns. The major security shortcomings are phishing – where a user is deceived into sharing the passcode with an attacker – and SIM-swap attacks. A SIM-swap attack is a type of cyber attack in which a malicious actor convinces a mobile carrier to reassign a mobile number to a SIM card they control. Once they have control of the number, they can use it to reset the victim's password on any account that uses the phone number as a form of verification and gain access to sensitive information such as bank accounts, emails, and social media profiles. This type of attack is particularly concerning because it can bypass most two-factor authentication systems that rely on text messages. Time-based One-time Passwords (TOTP): This option uses an app like Duo or Google Authenticator to generate a time-based password (or passcode), eliminating the dependency on a customer's mobile carrier. Pros: TOTP isn’t dependent on mobile carriers, so there’s no deliverability issues or SIM-swapping concerns. Cons: This option requires users to have their mobile phone with them and can be a bit more complex to set up due to the need to download an application. Phishing also remains a key risk as a user can still be convinced to pass the code along to an attacker – this phishing risk is shared by SMS, TOTP, and Push notification and it explains why these three MFA methods account for 99.96% of all Coinbase account takeovers. Push Notifications: This option sends a push notification to a registered and authenticated device, which the user must approve before logging in. Pros: This option is convenient for users, but it requires them to have their device with them and have a stable internet connection. It’s been made more familiar for users through examples like Gmail promoting this method. Cons: From a security perspective, phishing is the primary concern here as a user can be tricked into clicking a push notification to grant access or may accidentally do so when on their phone. This method also requires users to have their device with them and have a stable internet connection (TOTP and hardware security keys do not require internet connection). Hardware Keys: This option uses a physical security key, such as a YubiKey, as the second factor of authentication. However, it can be more expensive and may require additional setup steps for users. Pros: This is considered the most robust form of MFA as it is phishing-resistant and requires a physical device to access the account. Cons: It’s more expensive and complex for users to initially set up a security key (for example, a YubiKey costs $50), which is why consumer adoption remains quite low. Biometrics: This option uses a fingerprint or facial recognition as the second factor of authentication. Pros: It is considered more secure than SMS one-time passcodes, TOTP, and push notification due to being resistant to phishing attacks, and it has the consumer benefit of being more familiar, convenient, and cheaper than setting up a physical security key. Cons: It requires users to have a device with a biometric sensor. Additionally, some users remain skeptical of biometrics due to the misunderstanding that their biometric data is accessed and stored by the application. Effective MFA requires maximizing user enrollment In conclusion, choosing the right MFA options for your application requires a balance between security and user adoption. By understanding the relative security and adoption rates of different MFA options, engineers can make informed decisions that protect their users while also ensuring maximum adoption. By studying examples like Coinbase, engineers can gain valuable insights into the effectiveness and uptake of different MFA options. While some MFA options are superior when it comes to security, the theoretical security model of any particular MFA method is useless if users find it too friction-heavy to enroll in that MFA option. The pragmatic path typically involves offering multiple MFA options to your user base and explaining the security benefits of enrolling in more advanced and phishing-resistant MFA. At Stytch, we’re particularly excited about the promise of new authentication technologies like passkeys, which provide many of the usability benefits of conventional MFA like SMS 2FA while also providing the security benefits of physical security keys like YubiKey. About Stytch With multi-factor authentication from Stytch, you’ll get the security protection your application needs, to prevent account takeovers, with a UX that will delight your users. Stytch offers a suite of MFA solutions that offer maximum flexibility and security while maintaining a great customer experience. Check out our products, explore our Docs or talk to an auth expert today! --- # TOTP vs SMS: Which one is better for two-factor authentication (2FA)? Source: https://stytch.com/blog/totp-vs-sms/ A side-by-side look at SMS one-time passcodes vs. time-based one-time-passcodes, and how to choose the right 2FA method for your product. With the staggering number of data breaches in recent years - 45% of US companies alone suffered a breach in 2021 – it's become clear that traditional passwords alone are no longer a sufficient form of security for preventing account takeovers. Hackers have stolen over 555 million passwords since just 2017, which is why security professionals now view passwords as "pre-breached" when designing identity and access management policies. Multi-factor authentication (MFA) is a crucial solution for this problem, but it can be difficult to determine which options are the most secure and user-friendly for a particular application. SMS 2FA (which uses one-time passcodes), for example, are less secure but more widely adopted by consumers, while phishing-resistant options like hardware keys or device-tied biometrics are more secure but less adopted. In this post, we'll examine the two most popular MFA options today (SMS 2FA and TOTP 2FA) , their relative security levels, and strategies for increasing user adoption. Pros and cons of SMS and TOTP 2FA SMS-based 2FA is the most widely used type of 2FA. It works by sending a one-time code to your mobile phone via text message, which you then enter to access your account. This option is familiar and easy for users. It offers a particularly seamless experience on mobile due to the auto-fill capabilities on iOS and Android that allow a user to stay within the application experience when inputting the passcode. However, SMS 2FA is not considered as secure as TOTP-based 2FA. The major security shortcomings are phishing – where a user is deceived into sharing the passcode with an attacker – and SIM-swap attacks. A SIM-swap attack is a type of cyber attack in which a malicious actor convinces a mobile carrier to reassign a mobile number to a SIM card they control. Once they have control of the number, they can use it to reset the victim's password on any account that uses the phone number as a form of verification and gain access to sensitive information such as bank accounts, emails, and social media profiles. This type of attack is particularly concerning because it can bypass most two-factor authentication systems that rely on text messages. In addition to these security concerns, SMS 2FA also involves reliability risk as you’re dependent on mobile carriers (and a SMS provider’s uptime) for delivery of the authentication code. Provider downtime or poor cell coverage can both complicate reliability of this method. TOTP-based 2FA, on the other hand, uses an app on your smartphone to generate a one-time code that changes every 30 seconds. To access your account, you need to enter the current code displayed in the app. TOTP-based 2FA is considered to be more secure than SMS-based 2FA because it is less susceptible to intercepts and spoofing. Additionally, TOTP-based 2FA does not rely on a phone number, so it can be used with any device that has the app installed. TOTP vs. SMS: Why Is TOTP more secure than SMS? Both SMS 2FA as well as TOTP 2FA use unique passwords to secure accounts. With SMS 2FA, the server generates and sends the random code to the phone of the user. Those codes will expire after use. Pending codes remain in effect for the amount of time the application sets (often at least a couple minutes to allow ample time for the user, but the maximum is typically bound at 10 minutes to reduce the attack surface). If the code is intercepted through a SIM-swapping attack, this allows for attackers to break into users' accounts. In contrast, TOTP token-generated codes generate every 15 to 20 sec and are only available in a device-tied application, which removes the SIM swap attack and reduces the potential time frame of attacks significantly. When the new TOTP code is generated, the previous code will be automatically invalidated. Both TOTP and SMS 2FA are susceptible to phishing attacks though, where a user is tricked into forwarding a code to an attacker. With SMS, it’s only necessary for the user to manually enter the OTP into the browser. On mobile, the SMS 2FA workflow is considerably easier due to the OS auto-fill capabilities mentioned above. How TOTP 2FA trumps SMS 2FA Both SMS and TOTP add another factor to the authentication process to protect users against unauthorized brute-force attacks. SMS 2FA is, however, using static codes which expire once they are used or not reused within ten minutes of sending. A fraudster may already have access to the user’s phone number through a successful SIM swap, or they may be able to convince a user to forward their code (often by acting as a fake support agent) within the valid 10-minute window. With TOTP, there’s no SIM swap risk because the TOTP application is tied to the user’s device (rather than being tied to their phone number). Additionally, the more ephemeral nature of the generated passcode with TOTP makes phishing attempts materially harder as an attacker has often 1/10th or 1/100th of the time available to them to convince a user to forward a valid code. The two-factor authentication winner In summary, SMS-based 2FA is easier to set up and use, but it is not as secure as TOTP-based 2FA. TOTP-based 2FA is more secure but requires an additional app to be installed on your smartphone. Ultimately, the choice between the two will depend on your individual needs and the level of security required for your specific use case. To ground the differences in real-world data, let’s consider Coinbase’s public data on MFA method popularity and account takeover rates. While only 43% of customers’ funds are protected by SMS 2FA, 95% of successful account takeovers exploit weaker SMS-protected accounts. In contrast, advanced MFA like TOTP protects the majority of Coinbase’s customer funds but only accounts for 4.13% of successful account takeover attacks. Table from Coinbase shows how often different authentication types are targets for account take overs (ATOs) proportional to each other. When choosing a 2FA solution for your organization or personal accounts, make sure to evaluate the security and usability requirements and choose the one that best fits your needs. Ultimately, the best MFA strategy is the one in which your users actually enroll in MFA – one approach is to offer both options to users but encourage users to select the more secure method. FAQs: Two-factor authentication (2FA) What is the difference between OTP and TOTP? One-Time Passcodes (OTPs) are unique and temporary codes sent to a user via SMS, WhatsApp, or email, and can be used as the primary auth factor or as a two-factor authentication to strengthen security. Time-Based One-Time Passwords (TOTPs) are unique time-based codes generated by authenticator apps, like Google Authenticator. The app is tied to a user’s device, preventing issues like SIM swapping, which can occur with SMS One-Time Passcodes. TOTPs are typically only used for 2FA. Is SMS better than an authenticator app? SMS-based passcodes are a commonly used solution but while it is easily accessible, it isn't the most reliable. Authentication apps are a second-level authentication solution that is safer, more reliable, and fast. Is TOTP more secure than HOTP and SMS? Hardware One Time Passscodes (HOTP), otherwise called physical security keys, are more secure than either SMS or TOTP 2FA. BUT, they historically have very low adoption because only extremely tech savvy individuals are willing to buy a hardware security key like a YubiKey. What is the benefit of TOTP? Time-based passwords available offline offer streamlined user protection for the second factor in the user experience. Similarly, TOTP can be referred to in applications or as a scalability token. The API for the authentication of applications is based on the TOTP standard. --- # The FIDO alliance and a passwordless future Source: https://stytch.com/blog/fido-passwordless-authentication/ An overview of the FIDO alliance, their important work in building a passwordless future, and why Stytch became a member. Stytch is thrilled to announce that as of 2023 we are now part of the FIDO alliance. In this article, we’ll discuss what FIDO is, why they’re important in the world of authentication, and why we joined. What is the FIDO Alliance? The FIDO Alliance is a nonprofit that began developing and improving security protocols to reduce the overreliance on passwords. In 2009 PayPal discussed its proposal for using biometrics as an alternative way to authenticate users, instead of using passwords. These conversations inspired a new industry standard for passwordless access using public-key cryptography and local logging technologies. In 2012, the FIDO alliance (Fast Identity Online) was formed. Why is FIDO authentication passwordless? We’ve written about the advantages of passwordless auth at length at Stytch – including the weaknesses of passwords, how to introduce passwordless options to password-familiar users, an overview of passwordless auth methods by business vertical, and more. But in a nutshell, passwords… 1. Aren’t secure enough According to Verizon’s Data Breach Investigations Report, passwords or compromised user credentials have been the cause of over 80% of breaches. With the sophistication of phishing attacks and credential stuffing techniques, passwords as a security technology are no longer enough to protect our accounts and information. Even with newer developments with two-factor or multi-factor authentication, they're simply too easy to compromise. 2. Create friction for users One of the reasons passwords are so insecure is that they’re hard to remember, and most users don’t receive good guidance about how to make passwords secure. Account creation and password reset flows tend to be long and convoluted, meaning users bounce from sites or abandon carts far more than they would if there were an easier way to sign up or log in. With passwords proving to be a let-down in both security and user experience, it’s easy to see why an alliance formed to create a better alternative. How FIDO pursues a passwordless future Since its founding, the alliance has pursued its passwordless mission by: Technical specifications: FIDO develops open and interoperable tech specs for passwordless solutions to make it as easy as possible for companies to wean themselves off of passwords and pursue more secure, user-friendly alternatives. Certification: FIDO runs certification programs that maintain quality and oversight of passwordless adoption. Standardization: Once mature, FIDO submits their technical specifications to standards development organizations to get their specs standardized and popularized in the dev community at large. FIDO passwordless authentication technology – how it works While we’ll be publishing a deeper dive into the ins and outs of this technology later on this quarter, at their core all FIDO technologies rely on public key cryptography to both identify users and keep their information secure. Public key cryptography Public key cryptography is an encryption scheme built around the relationship between two unique keys—a public key that encrypts the data, and a private key that decrypts it. What makes this kind of cryptography more secure is that while the public key is stored on the server (and thus fairly easy for others to access), the private key is stored either on the user’s device or on a hardware security module like a USB or biometric scanner. When a user authenticates, the private key sends a message with a unique signature to the public key, which then decrypts access to the server. WebAuthn After developing some initial standards and specs based on public key cryptography, FIDO wanted to find a way to make their passwordless methods more widely available. To do this, they started to work on new technical specifications that enabled FIDO authentication methods to be called directly in browsers and platforms via APIs. The most well-known of these API-based specs is called FIDO2: Web Authentication, or WebAuthn. Initially released in partnership with the World Wide Web Consortium (W3C) in 2019, WebAuthn has quickly become one of the most important advances in popularizing passwordless authentication because of its ability to be easily adopted and integrated by a much wider community of web browsers and applications. Common WebAuthn applications While you might not be familiar with the inner workings of FIDO2 or its technical specifications, you have probably encountered FIDO specs in the wild in one of three main ways: In-device biometrics If you’ve ever used your phone or computer’s thumbprint reader to log into an app or website from that device, you’ve used in-device biometrics. In-device biometrics – sometimes also referred to as a “platform authenticator” – verify both possession of the user’s original device and biometric proof in the user’s facial ID or fingerprints. That strength though is also its weakness: because in-device biometrics are by definition device-specific, they are somewhat limited for users who live their online lives on multiple devices. Yubikey Yubikeys are a small piece of hardware you can plug into a number of devices that exchange public and private key information with various apps on that device. They are referred to as “cross-platform authenticators” because, unlike platform authenticators that are tied to a particular device, the hardware key can be moved from one device to another and retain your authentication method. Similar to device biometrics, Yubikey's strength is also its downside: if you lose your key, there is no backup, and it can be very difficult and time-consuming to regain access to all of your accounts that relied on Yubikey for authentication. Passkeys Passkeys are the most recent implementation and combine the power of in-device biometrics with the flexibility of something more like a password manager. Their power is that they leverage WebAuthn but are no longer device-limited. Whereas prior uses of WebAuthn have typically only allowed for device-bound public and private keys, multi-device passkeys allow for these keys to be synced across cloud accounts to enable use on different devices. What’s more, passkeys also incorporate bluetooth and QR codes to enable login via biometric passkeys on different operating ecosystems. So hypothetically, users could use an iCloud passkey on their tablet to log into an app on their Android phone, and vice versa. While there are still some additional hurdles to be cleared on the road to widespread passkeys adoption, this latest breakthrough is the most promising of all of FIDO’s work to truly evangelize passwordless authentication methods on a massive scale. Why Stytch joined FIDO As a pro-passwordless platform from our inception, we’ve been impressed by the work FIDO has done to increase passwordless adoption. We’re particularly excited about everything they’ve done to make passkeys a reality, as it’s one of the new passwordless technologies we’re most excited about. At the same time, we’re also excited to join FIDO because we think we bring a decidedly different approach to the alliance. Lots of FIDO members are passwordless only, and we consider ourselves an identity and access management platform that’s building the bridge to passwordless adoption. But we strongly believe that the bridge to passwordless is paved with, you guessed it – passwords. Internet-based companies won’t pursue passwordless at the expense of customer comfort or experience – we shouldn’t ask them to take that kind of risk or leap. Instead, they need partners and bridge-builders to help them transition smoothly and profitably to a more future-forward user flow. At Stytch, we’re trying to model that kind of partnership in a way that other FIDO members can follow, in a way that will make passwordless authentication feel more palatable and attainable, even for the most password-entrenched among us. We think we have a unique position to embrace the passwordless world through our pragmatic approach to meeting companies where they are and think joining the FIDO alliance will help us improve our ability to move companies into a passwordless future. --- # Bot mitigation for identity and access management Source: https://stytch.com/blog/bot-mitigation-for-iam/ An overview of malicious bot traffic, and which bot mitigation solutions (i.e. device fingerprinting, CAPTCHA) are right for your product A crucial but sometimes overlooked aspect of customer identity and access management (CIAM) is the need to discern whether something interacting with your application is a real human user or a bot. This is also called bot mitigation. Most CIAM work understandably focuses on how to correctly validate identities and provide the appropriate access to those users, but bot detection and mitigation is an essential tool in building signup and login flows that provides protection to both your application and users. When done correctly, bot mitigation helps stop attacks at the perimeter of your application before bot attacks like phishing, credential stuffing, or account exploitation can take place. What is a bot? How are malicious bots different? Human beings make up less than 40% of all internet traffic. The other 60+%? Bots. And over half of that traffic is malicious bots. Bots are software that's been programmed to perform specific, repetitive, automated tasks online. They can be used benevolently — like to answer common customer questions in an ecommerce chat box — but they can also be used by hackers to automate and amplify cyber attacks. For example, bots can crawl the internet intercepting usernames and passwords, which they then mobilize to breach user accounts on different apps and websites. With bot attacks on the rise, it's no wonder that bot mitigation solutions are increasingly a part of conversations about broader CIAM and fraud and risk prevention. Common types of bad bots When it comes to CIAM, malicious bots enter the equation in a couple different ways and are a common weapon used in both first-party and third-party fraud. Before we dive into the specific ways bad bots are used in each fraud vector to attack applications, let’s align on two distinct fraud types: first-party fraud and third-party fraud. First-party fraud This is when the true account owner is the perpetrator (rather than the victim) of the fraud. There are a number of reasons an attacker would want to create a fraudulent first-party account with your application. Here are some of the most common examples we see: Abusing signup rewards In this attack, the intent is to create numerous fake accounts to take advantage of a limited offer (e.g. $10 in cashback for taking a certain onboarding action). Stockpiling items for resale Instead of signup, some bots target checkout flows to purchase limited resources only to resell at a higher price on the secondary market. This is particularly common with ticket sales (think Taylor Swift) and sneaker drops. Creating fintech accounts For certain digital investing, banking, and payment apps, bad bots target them by taking advantage of policies in which users can spend money before a deposit actually settles in the account. For example, if I can buy crypto before my ACH payment settles, that presents an opportunity for the fraudster to take advantage of this time delay. Third-party fraud This is when the account owner is the victim of the fraud. The user owns a legitimate account with an application, and that account is stolen by an attacker. This type of attack is called an account takeover or ATO, and the purpose is to exploit the underlying value of the account, which may hold money or sensitive data that the attacker can monetize. Here are a few of the attacks that can lead to account takeover via this vector: Credential stuffing In these cases, bots will try to log in with large numbers of credentials that they’ve stolen from other data breaches. If credentials are validated during this automated attack, they know those credentials can be used to breach the account. Phishing This can be perpetrated by real humans or bots. The intent is to trick a user into unwittingly providing their credentials (password, one-time passcode, etc.) to an attacker. Users often believe they’re providing their credentials to a secure site or to a bonafide support representative at the targeted application. What are botnets? Is that the same as first-party fraud? A botnet – short for “robotic network” – is a kind of malware that carries out tasks on other machines on behalf of an attacker, called the bot-herder. Botnets are typically established when the bot herder tries to gain unauthorized access by installing the bot on other peoples’ machines. They do this through file sharing, emails, or other protocols in which people are tricked into downloading and opening a malicious file without them ever knowing anything has happened. Once the bot is installed on a foreign machine, the bot-herder can control its actions remotely. A diagram of how botnets leverage other machines to perpetrate attacks. Botnets can be used for both first-party and third-party fraud. Botnets can infect millions of machines at a given time, giving the hacker controlling them a great deal of computing power. For attacks of scale that are best carried out by a large number of bots performing the same action (credential stuffing, stockpiling the latest Nike drop, etc.), they can be incredibly effective – and harmful. Because botnets can be used for both first- and third-party fraud, the bot mitigation solutions for botnets vs. a single bot are usually the same. Which bot attacks should I worry about? Many companies face both types of fraud, but which attack surface (signup vs. login) is more frequently and aggressively targeted depends on which vector provides the most potential monetization value to attackers. Put another way, the incentives are different for bots attacking signup and checkout forms vs. login flows. Most first-party fraud focuses on the account creation flow, and most third-party fraud focuses on the login flow. First-party fraud abuses your system by creating fake accounts, while third-party fraud abuses your system by stealing existing ones. So, if you’re an ecommerce site or marketplace with limited time rewards and deals, or a Fintech company with more flexible allowances for your customers ability to pay before deposits go through, your signup and account creation flows are more likely to be a target for bot attacks than your login flow for existing customers. That’s likely where you want to focus your anti-fraud protections the most. If on the other hand your customer or employee accounts have access to large amounts of sensitive data, there’s a higher incentive for attackers to target your login flow through third-party fraud tactics like credential stuffing and phishing. In that case, you’d likely want to invest in bot mitigation as well as unphishable authentication methods as your most probable attack vectors. Bot mitigation – telling bots from humans To understand the field of bot mitigation, it can be helpful to first think about where and when online users provide signal as to who they are and what they’re trying to do – signals beyond their username and password. There are several junctures in the signup or login process where bots may give away their, well, bot-ness (some of these are also general indications of fraud, whether from a human or a bot): Speed Bots can perform tasks on the web much faster than humans – this is one of their biggest advantages as a tool both for good and for ill. So if a user is creating an account or logging in at a super-human speed, it’s quite possible it’s bot traffic. Volume Similarly, most people don’t try to log in to their account thousands of times in an hour. They’ll usually try a few times and then call customer service or initiate a password reset. If a “user” is attempting certain repetitive tasks at a volume no typical user would benefit from, it might be a bot. Intelligence Bots are usually designed to perform a very limited number of tasks, and thus don’t have a lot of flexibility to perform tasks outside of what it was programmed to do. Consistency Like human fraud, bots also may give signal with behavior or characteristics that are inconsistent with a user’s typical behavior. If a user usually logs in from the same IP address, zip code, or device, and is suddenly halfway across the world on a new machine, there’s a strong possibility the “user” is a bot, fraudulent, or both. There are of course more technical nuances to these categories of bot detection methods, but they give a general overview of what bot mitigation tools use to identify and stop bot traffic. Bot mitigation products Today, two of the most common tools to thwart malicious bot traffic are CAPTCHA and device fingerprinting. CAPTCHA CAPTCHA, or Completely Automated Public Turing Test to Tell Computers and Humans Apart, is a bot mitigation solution that uses computer-generated puzzle or question to stump most bots. Bots are programmed to carry out specific, repetitive tasks within a narrowly defined scope. CAPTCHA puzzles are designed to give bots tasks outside of that scope, like identifying objects in a picture, performing basic math equations, or transcribing audio. Different types of CAPTCHA It’s worth noting though that not all CAPTCHA products are created equal, either for security or customer experience. Invisible reCAPTCHA from Google is a more recent kind of CAPTCHA that evaluates traffic without ever disrupting the user experience (hence the invisible part). But there are also hackers who use something calledCAPTCHA fraud. Also called CAPTCHA farms, these companies hire real humans to complete CAPTCHA puzzles on behalf of using a loophole in CAPTCHA’s source code. This is the landing page of one of the largest CAPTCHA solving services. Its website highlights why you should choose it over competitors: it’s cheap and reliable. Bot mitigation solutions like Stytch’s Strong CAPTCHA have protections built against CAPTCHA fraud, but not all CAPTCHA services do. Depending on the sophistication of your company’s typical attacker, you may want to consider more thorough or ironclad CAPTCHA services. Because CAPTCHA puzzles introduce a bit of friction into the user flow, they’re best reserved for situations that are either highly sensitive or in which fraud is suspected for other reasons. Device fingerprinting Device fingerprinting is a bot mitigation solution that identifies devices that are accessing a website or application, and store and associate those devices with different user accounts. A device’s identity can be composed of a number of attributes that an application detects when the user accesses the site or app that are then associated with a unique ID. These attributes range from things like an IP address or browser type, to things like graphics card models, browser default language, etc. Different types of device fingerprinting Similar to CAPTCHA, not all device fingerprinting services are created equally. In part, this is because as device fingerprinting has become more common, hackers have designed more sophisticated bots to make them appear more like humans. For instance, many hackers automate speed-mitigation, so bots move and perform actions at a speed that is more akin to a person. They can also use VPNs or incognito browsers to fake or mask IP addresses. So when looking at device fingerprinting vendors, it’s important to ask which factors / attributes the fingerprint collects, and what other kinds of bot mitigation or authentication are stacked with it. Some solutions like Stytch’s Device Fingerprinting, use highly unique combinations of device properties, such as operating system, browser version, and IP address, whereas others just use a combination of browser make and model and time zone. Remember: the more unique the fingerprint, the stronger the solution at stopping bots in their tracks. Unlike CAPTCHA, device fingerprinting is completely unobtrusive to the user experience unless fraud is suspected. So while CAPTCHA solutions may only be introduced in a case-by-case basis, device fingerprinting is a broader bot mitigation solution that’s easier to implement without disrupting a user’s normal signup or login flow. Which bot mitigation solutions are best for me? The kind of arms race between cybersecurity professionals and hackers may seem overwhelming, especially if you’re just trying to sell shoes or provide a B2B data analytics tool. But like other areas of authentication, not every hacker on the internet is using the most sophisticated techniques to commit fraud. In fact, like white hat businesspeople, they’re usually going to invest only as much as they think they need to to be successful to maximize their ROI. When evaluating different bot mitigation services, you need to understand what those hackers are trying to do, and how hard they’re willing to try to evade detection. The more valuable and sensitive the information they’re after, the more sophisticated their techniques will likely get. Choose bot mitigation based on risk and sophistication At Stytch, we believe that authentication and fraud prevention should only introduce friction where it’s absolutely critical. When talking with customers, we usually scale our recommendations for fraud prevention based on the amount of risk and the sophistication of the hacker, to minimize any unnecessary disruption to the user flow. For the least sophisticated attackers + spammers, invisible CAPTCHA will likely do the trick. For medium-to-highly sophisticated attackers, device fingerprinting is recommended to pierce the various deceptions they may be attempting. For extremely advanced attackers, it’s best to layer CAPTCHA on top of device fingerprinting. If hackers are investing a lot of money to look like a legitimate device + browser, they’re also likely willing to invest in something like a CAPTCHA farm, so it’s worth also making them perform a Turing test in case their device deception is highly effective. The other important layer to consider beyond hacker sophistication of course is your company’s level of risk and the sensitivity and/or value of the data hackers are after. If you’re curious about how bot mitigation tools could help protect your product and customers, talk with an auth expert at Stytch today. --- # What are one-time passcodes (OTPs)? Source: https://stytch.com/blog/what-are-otps/ Learn how one-time passcodes (OTPs) can verify a user’s identity without the hassles of a traditional password. As developers step up security measures to evade the latest cyber threats, they’re adding a range of innovative authentication and identity management solutions to their sign up and log in flows. One of the strongest tools in their modern arsenal is the one-time passcode (OTP), also sometimes referred to as a one-time password. Below, we explain what OTPs are, how they work, and why they best traditional passwords when it comes to offering a more robust security profile with a smoother user experience. What are OTPs, exactly? OTPs are security codes that are automatically sent to a user’s phone number or email address upon a sign up or log in attempt. They typically contain a randomly generated string of numeric or alphanumeric characters that a user must input to verify their identity and gain access to or carry out sensitive actions within an app or website. As the name suggests, a one-time passcode can only be used once — that is, for a single authentication event. After a given code is entered, it is invalidated and cannot be used again. What are different types of OTPs? There are several different categories of OTPs, which are defined by the communication method involved. The most common forms include: Email one-time passcodes Email OTPs are sent to a user’s registered email address and can be accessed via their inbox on a desktop or mobile device. SMS one-time passcodes SMS OTPs are sent via text to a user’s registered phone number. While typically received through a mobile device, they can also be accessed on a computer using a messaging app like iMessage. WhatsApp one-time passcodes WhatsApp OTPs are sent through the WhatsApp messaging service, an app used by over 3 billion people worldwide. They’re a popular option for developers and platforms with a global user base, as they avoid the deliverability issues that can arise when sending text messages internationally. How do OTPs work? OTPs are considered something-you-have authentication, because codes are sent to a specific phone number or email address and must be accessed via a messaging app or inbox that is in the user’s possession. In practice, OTPs generally follow a simple progression: A user attempts to sign up for or log in to an app or website, initiating a verification request. The back-end server generates a unique, random code, which is sent to the user’s registered phone number or email address. The user accesses this code and enters it within the app or website to gain access. If correct, the server validates the code, and the user is granted access. The code is invalidated, preventing its future use. Using OTPs in an MFA flow Because of their ease and flexibility, OTPs can be used as a primary authentication factor or as a secondary factor in a two-factor authentication (2FA) or multi-factor authentication (MFA) flow. That means they can stand on their own or be combined with one or more other authentication methods, like OAuth logins, biometrics, or even traditional passwords. MFA takes a layered approach to verifying a user’s identity and role-based permissions, boosting an app’s overall security. Auth factors can be grouped together and front-loaded at the initial login or dispersed throughout the user journey in a process known as route-based (or just-in-time) authentication. With this approach, additional auth factors are only required when a user wants to perform a particularly sensitive task — like changing payment details or making a purchase — introducing extra friction only when it’s needed. How are OTPs different from traditional passwords? While one-time passcodes are sometimes referred to as “one-time passwords,” one of the most distinguishing (and advantageous) qualities of OTPs is that they are completely passwordless. In fact, OTPs differ from traditional, static passwords in two key ways that boost both their safety and their usability. Let’s explore them one by one. Stronger security Passwords are the single most dangerous element in cybersecurity today. According to one recent report, 82% of all online data breaches involved the “human element” of authentication — in other words, weak, shared, or stolen passwords. Unlike traditional passwords, however, OTPs: Cannot be predicted: With OTPs, each new string of characters is randomly generated, so it’s unlikely to contain easily guessable information like a user’s birthday or pet name. It’s also impossible to guess what the next passcode will be based on past examples. Cannot be reused: A static password remains fixed until it is changed by the user — so if a hacker intercepts it, they can enjoy ongoing access to that user’s account. But each one-time passcode is unique and can’t be used beyond a single login session. Cannot be repeated: 85% of users admit to repeating the same password across multiple sites and apps, putting all accounts at risk if a password is intercepted. OTPs, on the other hand, are generated for a specific platform and can’t be applied across accounts. That makes OTPs more resistant to common cyber attacks that target password-based authentication, like credential-stuffing, password spraying>, and account takeovers. Frictionless UX On top of security concerns, passwords are just plain stressful. In a recent study, 75% of users reported feeling anxious about the number of passwords they’re expected to remember across many online accounts. What’s more, passwords are bad for business. 65% of consumers say they’ve abandoned a website or app because the process of creating credentials was too complex — and 92% would rather give up than have to recover or reset a forgotten password. The user experience of OTPs is comparatively frictionless. Unlike traditional passwords, OTPs: Are accessible: OTPs often come in the form of 6- or 8-digit codes, so they’re easy to remember. Besides, they’re typically right in front of a user in a readable text or email. Are automatically fillable: Auth providers like Stytch offer auto-fill capabilities for OTPs sent to Android or iOS devices, so a user doesn’t even have to navigate away from an app to enter them. Are flexible: OTPs can be seamlessly inserted anywhere in an authentication flow or user journey as a secondary factor, adding extra security without extra hassle. Thanks to their ease of use, OTPs promise not only greater protections, but greater conversion rates, as well. Potential drawbacks of OTPs Like many authentication methods, OTPs aren’t absolutely foolproof, even when used as a secondary factor in an MFA flow. Why? The short explanation is that any auth factor tied to a user’s phone number or email address can be compromised by a skilled hacker. For one thing, OTPs are sent as unencrypted plain text, so any communication that can be intercepted and read by a malicious actor — through rare but viable tactics like SIM swapping> — potentially puts a passcode at risk. Moreover, OTPs are also subject to phishing attacks. These are social engineering schemes, in which hackers send fraudulent emails or text messages that manipulate users into clicking on a bad link or unwittingly sharing a passcode. That’s why auth experts recommend fortifying all MFA flows with unphishable factors to ensure top-notch security and outmaneuver even the most determined hackers. What are TOTPs? Time-based one-time passcodes (TOTPs) are a newer, more advanced form of OTP often included as part of an MFA flow. They rely on authenticator apps — like Google Authenticator, Microsoft Authenticator, or Authy — to generate a random passcode that automatically changes every 30 or 60 seconds. That means a potential hacker has only a very short window to carry out an attack before a code is invalidated. Additionally, unlike with original OTPs, authenticator apps are installed on and tied to a specific user device (rather than just their phone number). That means TOTPs can protect users against more sophisticated attacks like SIM swapping, while original OTPs cannot. While TOTP provides stepped-up security, the time limitations means users need to be able to move fast to verify their identity and gain access to their desired app. Otherwise, they risk adding extra steps and friction to the login process. As a result, TOTP flows are typically reserved for highly risky actions or sensitive data — like moving money across fintech platforms or accessing a company’s payroll records. Key takeaway OTPs are a great option for modern developers who want to reinforce the security of their app or website without the inconveniences of passwords, and they work well as primary or secondary factors in a sign up or login flow. Discover Stytch’s OTPs and TOTPs Stytch offers flexible, frictionless One-Time Passcodes and advanced TOTP Authenticator Apps/a> as part of our comprehensive product suite. If you want to learn more about how these or other solutions work, reach out to an auth expert to start a conversation — or sign up for a free account to try them out for yourself. --- # What is passwordless authentication? Source: https://stytch.com/blog/what-is-passwordless-authentication/ Learn how the advanced cybersecurity of passwordless authentication can manage user access without the security and UX risks of a password. On the surface, passwordless authentication is a pretty straightforward concept. It's simply allowing users to access an online account, application, or website without the use of a password. Under the surface, however, there's a lot going on. There are many different types of passwordless authentication factors, many different ways that passwordless login can be applied in an auth flow, and many different reasons why traditional passwords are no longer a secure or convenient way to verify a user's identity. Let's tackle these topics one by one — starting with the reasons why passwordless authentication is necessary in the first place. What’s wrong with traditional passwords? What isn't? Passwords made sense in the 1990s, when the internet first went mainstream. At the time, users had few online accounts, and remembering one or two simple credentials didn't pose a burden. Moreover, most users were not yet using the internet for highly sensitive activities like banking and commerce, so the stakes of a swiped password weren't quite as high as they are now. Today, though, the average user has 100 passwords — far too many to remember outright. Since less than 23% of users employ a password manager, the vast majority use riskier methods to keep track of their proliferating credentials. According to a recent survey, 65% end up reusing the same password across multiple accounts, and 23 million still use “123456” as their password of choice. That has led to a situation where passwords are neither safe nor practical. Among other issues: Passwords are easy to breach. It's estimated that 82% of all online data breaches exploit the “human element” of cybersecurity — in other words, passwords that are easily guessed, stolen, or otherwise compromised. Passwords are considered something-you-know authentication, and anyone who knows one can gain access to every related account. Modern hackers have a variety of methods they can turn to — from malware and phishing scams to brute force attacks and credential stuffing — to intercept or crack a legitimate user's password and capture their sensitive data. Passwords are frustrating. On top of having to recall dozens (if not hundreds) of passwords, no one enjoys the drawn-out password recovery and reset processes they must follow if they happen to forget one. In fact, 92% of users report that they'd rather abandon an app or website altogether than undergo a password reset flow. Passwords have gotten overly complicated. In an attempt to offset the risks of weak credentials, many apps have imposed increasingly complex password creation rules. Many follow the LUDS formula, which requires a password to contain at least one lowercase letter, uppercase letter, digit, and symbol. In many cases, this leads users to make simple substitutions that are easy for bots to crack (like P@ssword1 or Password1!) or convoluted strings of characters (like I8*&YnFhyg) that are difficult for humans to remember — triggering even more password reset flows. Passwords are arguably destroying the planet. You may not think passwords have a big carbon footprint, but we calculated that a year's worth of password usage in the U.S. alone produces the greenhouse gas equivalent of 877,415 cars, due to the time (and energy) it takes to type in and reset credentials. All that said, auth providers like Stytch are improving on antiquated password models to bring them up to speed with modern expectations. More on that later. How does passwordless authentication work? Passwordless authentication is not one-size-fits-all. There's a wide variety of passwordless authentication factors, and each involves a different process and results in a different user experience. Some of the most common passwordless authentication methods include: Magic links With email magic links, users can sign up for or log in to an app or website with a click. They simply enter their email address when prompted, receive a unique, single-use URL in their inbox, and click on the link to instantly verify their identity. This form of passwordless authentication is considered something-you-have authentication, because the user must prove they have ownership of a specific, registered email address. With embeddable magic links, these same unique URLs are embedded into marketing materials sent to a user via email, SMS, or other form of communication. Because the user is accessing these materials through their inbox or messaging app, clicking on the link necessarily demonstrates their possession of that email address or phone number. One-time passcodes One-time passcodes (OTPs) are randomly generated security codes that are sent to a user's phone number or email address and accessed through an inbox or messaging app. As the name suggests, a one-time passcode can only be used once — or, for a single verification event. After a code is entered, it is invalidated and cannot be used again. Like magic links, OTPs are considered something-you-have type of authentication factor, as users must show they can access a given phone number or email. Time-based one-time passcodes (TOTPs) offer a stronger version of OTPs for particularly sensitive apps or user activities. They rely on authenticator apps — like Google Authenticator or Authy — to generate passcodes that change every 30 or 60 seconds. That means a hacker has only a very short window to carry out an attack before a code is voided. Additionally, unlike OTPs, authenticator apps are installed on and tied to a specific user device (rather than just a phone number or email), so they can protect users against remote cyberattacks. OAuth logins OAuth logins allow users to leverage single sign on capabilities and access an app or website using a pre-existing third-party account. That means, if they have an active social account through Google, Facebook, Apple, or other platform — or an active dev account through Github, GitLab, or BitBucket — they can enter those credentials to verify their identity. Innovative options like Google One Tap take this one step further, detecting an already logged-in Chrome or Gmail session and allowing users to automatically apply those credentials. Web3 logins Much like OAuth, Web3 logins allow users to access an app or website using any existing Ethereum- or Solana-based crypt wallet. In addition, forward-thinking providers like Stytch are now offering encrypted, consumer-facing browser extensions — we call ours Vessel — that function like a passport to the internet, empowering users to navigate limitlessly online without ever having to manage another password, private key, or seed phrase. Biometrics Biometric authentication is considered something-you-are authentication, as they rely on physical attributes that are inherent to a user's body or behavior. Biometric tools are typically built into a device and are designed to scan, analyze, and recognize distinctive, measurable features — like a user's fingerprint, facial contours, iris/retina patterns, and voice qualities. Many biometric solutions are also equipped with liveness detection tools, so they can distinguish between a legitimate user and a reproduction (like a photograph or voice recording) in order to prevent fraud. Historically, biometric data has been stored locally on a user's mobile device or laptop, making it impossible to transfer biometric logins across different devices and platforms. Next-generation solutions like passkeys, however, can now back up the cryptographic keys containing a user's biometric data to their cloud account, enabling smooth interoperability. WebAuthn Web Authentication API (WebAuthn) is one of the most exciting passwordless technologies on the market, building on advanced public-key cryptography. WebAuthn combines the layered security of multi-factor authentication (MFA) with the physical component of built-in biometrics or external security-key hardware like YubiKey. This is by no means an exhaustive list, with passwordless authentication methods like push notifications, device fingerprinting, and CAPTCHA solutions also helping to detect bad actors like bots, prevent fraud, and manage legitimate user access. Passkeys Passkeys are a new evolution built on WebAuthn, with some key improvements. While WebAuthn pioneered the concept of a single-device passkey (i.e. a single hardware key or a biometric validation tied to your mobile device or laptop), “passkeys” as we're discussing here refer to multi-device passkeys and introduce a few major UX and developer improvements: They are a drop-in replacement for passwords. They are cross-device, cross-platform, and cross-ecosystem. Enrollment and login credentials with a passkey leverages UX patterns made familiar by password managers. For higher security contexts, passkeys can discern between existing and new devices attempting to access an account. While passkeys have a couple of infrastructural hurdles to clear before they become widely available, it's Stytch's firm prediction that passkeys will be a tipping point in helping companies and users alike make the full transition into a passwordless future. What's the role of multi-factor authentication in the world of passwordless? Multi-factor authentication (MFA) is a layered approach to confirming a user's identity when logging into an app or web service. Whereas many authentication flows today only consist of one factor (like a username and password), multi-factor authentication will ask a user to use at least one additional authentication factor – like the answer to a security question, or a one-time passcode. Though the passwordless authentication methods described above are generally more secure than passwords (can't be reused, harder to steal), each still comes with its own vulnerabilities. That's why at Stytch we not only recommend going passwordless, but also implementing them as part of a multi-factor authentication process. MFA helps ensure that if one authentication method is compromised, your user's accounts are still protected. The benefits passwordless authentication solutions There are many advantages to eliminating passwords from your authentication flows. Some of the most notable benefits include: Passwordless authentication is more secure. As noted above, passwords are the most common and vulnerable target for capable hackers, and taking them out of the equation bolsters an app's protections exponentially. Passwordless authentication is more efficient. Passwordless authentication flows often allow users to log in with a single click — and to avoid lengthy, multi-step password reset processes. For developers, they slash the time it takes to record and respond to log in issues, error tickets, and security risks. Some studies estimate that around 40% of all help desk calls are related to password resets. Passwordless authentication is more cost-effective. Similarly, research suggests that each password reset flow costs upwards of $70 in lost productivity and support time. In total, the average organization stands to lose around $5.2 million each year due to the inconveniences of passwords. Passwordless authentication gives a better user experience. Passwordless authentication flows are faster and friendlier, ultimately driving better user experiences, engagement rates, and lifetime value. For example, one Web3 mobile wallet platform jumped to 80%+ conversion rates at onboarding after integrating with Stytch's frictionless One-Time Passcodes. Potential drawbacks of passwordless authentication factors While passwordless authentication is popular among both users and developers, there can be shortcomings when it comes to implementation, including: Access: Many passwordless auth methods require users to verify their identity using a separate account, application, or physical device, which may not be readily available. Interoperability: As mentioned, some forms of passwordless authentication — like native, built-in biometrics — aren't able to travel across different platforms or devices. Complexity: Many users are still unfamiliar or uncomfortable with the idea of passwordless authentication and may hesitate to install a related application or extension on their device. Security: While safer than passwords, passwordless methods aren't 100% foolproof on their own. Any factor that is tied to a user's phone number or email address can be intercepted by a determined hacker through strategic phishing or SIM swapping, and even robust factors like biometrics can be compromised by successful spoofing. That's why experts recommend investing in MFA to keep up with and outsmart the most sophisticated attacks. Not all apps (or their users) are ready to take the leap into a fully passwordless experience. Nonetheless, adopting passwordless auth isn't an either/or proposition. It's easy to add a passwordless option as a seamless primary or secondary factor in an existing auth flow and still enjoy all of the associated UX and security benefits. Is it difficult to implement passwordless authentication? No. The truth is, many companies don't realize that they're already relying on passwordless authentication. They call it a password reset flow. Password resets are really just an overly complicated email verification flow, with a requirement to create a new password tacked on at the end. Remove that, and you're left with an easy email magic link — so why not trim all the excess steps and offer a streamlined (but equally secure) experience? Not all passwords are bad It's worth noting that passwords aren't inherently evil, they just haven't been properly updated and upgraded to address the latest cybersecurity threats and user expectations. Stytch offers a modern Passwords solution for companies that (for whatever reason) still need or prefer to offer traditional sign up and log in factors as part of their auth flow. Unlike conventional passwords, however, ours feature next-level breach detection, strength assessment, deduplication measures, and intuitive, human-first reset options to give users the smooth experience they're looking for, plus the peace of mind that comes with stepped-up security. The bottom line There are good reasons why traditional passwords are on the way out, and why a completely passwordless internet is the way of the future. Fortunately for today's businesses and developers, there's a variety of advanced passwordless factors and flows that are easy to implement and to use, making them a promising path to stronger security, better user experiences and engagement, and greater overall value. Discover Stytch's passwordless product suite Stytch offers a range of frictionless passwordless solutions — including one-click Email Magic Links, instant One-Time Passcodes and seamless OAuth Logins — as part of our integrated product suite, which can be fully customized to your needs. If you want to learn more about how these or other flows work, reach out to one of our auth experts to start a conversation — or sign up for a free account to try our platform out for yourself. --- # All about biometric authentication Source: https://stytch.com/blog/all-about-biometrics/ A deep-dive on biometric authentication – its history, current types, how they work, and the pros and cons of using them in your product. It wasn't too long ago that biometric authentication was the stuff of science fiction and spy films. When Back to the Future Part II premiered, paying for a cab ride with a fingerprint in 2015 seemed nearly unimaginable. But from where we’re standing in 2023, that future is just about here. Biff, Marty McFly's nemesis across time-space, pays for a taxi ride using his fingerprint in Back to the Future Part II. Today, biometric authentication has become a part of daily life for just about anyone with a smartphone. Unsurprisingly though, it works a little differently from how it appears in films or TV. In this blog post, we'll take a deep dive on biometric authentication, including: What it is and how it came about Types of biometric authentication FIDO and the future of biometric adoption How it works Advantages and challenges compared to other authentication methods Biometrics: definition and history A biometric (also called biometric identification) refers to a set of physical or behavioral traits that can be used to uniquely identify a person. In the world of authentication, a biometric authentication method refers to the process of using someone's biometric information to identify and grant (or deny) access to accounts and/or resources. Biometric authentication is considered a “what you are” form of ID (as opposed to what you have or what you know). Note the key difference here: whereas biometrics in general are simply used to confirm someone's identity, biometric authentication specifically refers to confirming that identity for the purpose of accessing resources online. As Stytch is an authentication platform, we're most concerned with the latter. Biometric authentication: a brief history In the 20th century, scientists made major leaps and bounds with a variety of biometric identification factors, including iris patterns, hand geometry, and facial and voice recognition. Though the last century didn’t see widespread biometric adoption, it laid important groundwork for the momentum biometrics would gain in the new millennium. Some key events included: 1969: The FBI launched research into how to automate fingerprint scanning and verification, which until that time had been a laborious, manual process. 1976: The first prototype for a speaker / voice recognition system was developed by Texas Instruments. 1971: Hand geometry biometric identification was patented by Robert Miller at Stanford University. 1994: Iris recognition was developed and then patented by John Gustav Daugman at Cambridge. 1996: Hand geometry was used for admission to the Olympic Village at the Atlanta Summer Olympic games. 1997: The National Security Administration sponsored the Human Authentication Application Programming Interface (API) – the first standard for commercial biometric interoperability. This was a key step forward, and would help make widespread biometric adoption much more feasible. While there have been incremental advances in biometric authentication adoption in the 21st century, perhaps the most significant milestone was 2013, in which Apple released Touch ID for the iPhone, marking the first integration of biometric authentication into a major commercial product. Since then, biometric technology has rapidly accelerated. As of 2022, 80% of smartphones now have biometrics enabled. Types of biometric identification methods Biometric identification methods can generally be grouped into two categories: physical biometrics and behavioral biometrics. Physical biometrics are what most people are familiar with in their day-to-day use, and consist of a computer gathering, storing, and comparing data relating to someone’s physical traits. Behavioral biometrics relate to how a person behaves online, and typically deals with motor / manual actions on a computer like typing, mouse movement, etc. Since physical biometrics are more common, we’ll start with those. Fingerprints A biometric fingerprint scan is used to get into one's home in Total Recall, a science fiction film. Fingerprint biometrics are the most common form of biometric authentication today, in part because they were so widespread in identity and law enforcement before the internet. Today, fingerprint biometric authentication relies on scanners to gather a person’s unique finger or thumbprint. While there are different types of scanners, they all rely on receiving a signal from someone’s finger that returns different values when it interacts with the ridges of the fingerprint and when it interacts with the valleys. Optical fingerprint scanners rely on bouncing light off of the finger. Capacitive fingerprint scanners discharge a very small electric charge onto the finger. Ultrasound fingerprint scanners rely on bouncing sonic waves off of the finger (much like ultrasounds in other medical uses). Thermal fingerprint scanners detect the temperature difference between the valleys and ridges. Regardless of the type of scanner being used, once it receives the data points about the precise location of an individual's valleys and ridges, an algorithm is then used to translate that biometric data into a character string that is then stored either on the device that took the print (more common) or on a cloud or server (less common). Importantly, the algorithm that encodes the fingerprint into a character string cannot be reverse-engineered to generate an image of the fingerprint. Face A thumbnail from the Bourne Identity movies, in which a face is matched using facial recognition technology. Facial recognition is the next most common form of biometric authentication found on everyday devices today. Like other biometric authentication methods, facial recognition scanners take various measurements of the user's face to create a unique data set that is then compared against future scans. While some facial recognition systems have been updated to detect liveness, many are still based on analyses of still images, rather than live scans of light, sound, or heat. Hand geometry A hand geometry scan as represented in the 2015 film Jurassic World Hand geometry identification is composed of several measurements of different dimensions of the human hand, such as the length and width of each finger, the span of the hand at various cross sections, etc. Because hand geometries are not as unique as other biometrics like fingerprint, iris, or retina, they are not considered as secure. For this reason, hand geometry is more often combined with other forms of identification and authentication (such as ID cards, etc.) rather than serving as the primary auth or identification factor. Voice In the Star Trek franchise, certain sensitive actions could only be performed once the captain's voice had been authenticated. Voice biometric authentication analyzes the unique sound characteristics of a person’s voice, including duration, dynamics, intensity, and pitch. The uniqueness of these characteristics results from a combination of their own jaw and mouth movements, throat shape, vocal cords, etc. Many biometric auth solutions are equipped with liveness detection capabilities, so they can distinguish between a real, live user and a mere reproduction or copy — like a photographic image or voice recording — in order to detect and prevent fraud. Eyes A thumbnail from the film Minority Report in which Tom Cruise performs an eye-based biometric authentication scan While certainly less common in everyday devices, eye-based biometric scanners focus on highly unique biological characteristics that are near-impossible to fabricate – namely the retinas and irises. Retina Scanners Retina scanners might more accurately be called blood vessel scanners, since they’re actually mapping the network of blood vessels that feed into a person’s retina at the back of the eyeball. This blood vessel network is unique in every person, and is scanned by sending UV light into the back of someone’s eye and then registering the reflections of light sent back by the blood vessels. While retina scanning probably sounds extreme for everyday uses, it is incredibly accurate. Retinal patterns are consistent throughout a person’s life, but certain diseases like glaucoma, diabetes, and a few select others can alter them. Iris Recognition Iris patterns are also incredibly unique, but these scanners instead detect biometric data from the front of the eye to capture patterns on a person’s iris, including size, color, etc. Unlike retina recognition, which bounces off UV light and registers the reflection, iris recognition and scanning is done with cameras (albeit UV cameras). This makes the technology required for successful iris recognition biometrics much less expensive and less complicated, and thus a bit easier to implement. Behavioral Biometrics Unlike physical biometrics, which are used to identify a single user, behavioral biometrics are more commonly used to distinguish fraudulent users (often bots) from human ones. While this is not the only way to mitigate malicious bot traffic, it can provide helpful signal because of the particular ways bots behave. Behavioral biometric factors include: Mouse activity and motion, including speed, movement patterns, scrolling behaviors. Bots tend to move multiple times faster than a human does. Keystrokes, including speed, use of shortcuts, and use of copy and paste functions, which bots tend to use instead of actually typing. Touchscreens, including the pressure and surface area that interacts with a touchscreen surface. Device being used, including gyroscopic movement of the device, orientation, etc. Bots don’t need the computer oriented or stable in any kind of way to operate (since they’re software-based) whereas humans have specific orientation needs for their device hardware. What are the pros and cons of different biometric authentication methods? At Stytch, we always believe the security provided by a given authentication method must always be measured against the amount of friction it introduces for users – what they trust, understand, are most familiar and comfortable with, etc. This tradeoff often varies depending on a variety of factors, including the industry, user population, and product design. But really, the choice of biometric detection is often not up to the average app or product builder, but is instead a decision for hardware makers. So if you’re building an iOS app, you’re already locked into the Face and TouchID biometrics Apple has built into their iPhone. FIDO – popularizing biometric security In addition to Apple's introduction of TouchID in 2013, the a group called Fast Identity Online, (or the FIDO alliance) has been instrumental in evangelizing biometric authentication systems and making them easier for companies to adopt and implement. FIDO was originally formed in 2012 by a group of invested parties from across cybersecurity who united behind a simple goal: make the internet easier and more secure to navigate by developing a more intuitive, standardized approach to passwordless authentication. Over the past decade, FIDO has made impressive strides in developing technical standards that improve on both security and usability. Two of the most well-known technical standards FIDO has advanced are WebAuthn and passkeys. If you’ve interacted with a web app that allows you to authenticate with on-device biometrics on your phone or a Yubikey, you’ve likely interacted with WebAuthn. While spy thrillers often show biometric authentication being used as a primary authentication factor (think of using retinal scans to get into government buildings), in both WebAuthn and passkeys biometrics instead serve an intermediary function that safeguards access to login credentials or cryptographic key pairs. That combination is also referred to as device biometrics, on-device biometrics, or native biometrics. It’s the combination of biometric data with public key cryptography that makes biometric authentication on one’s phone or computer so secure, and such a promising alternative to passwords. But FIDO has recently taken device biometrics one step further. While WebAuthn solutions were historically limited to a specific device, passkeys improve on WebAuthn by leveraging a user's cloud account (e.g. iCloud) to securely log people in across devices and operating systems with biometrics. This means that a person's biometric data that's saved to their iPhone can be used to log them into an app on their MacBook, or even their PC. Thanks to FIDO, the world of ubiquitous, secure biometrics just got a lot closer. Because device biometrics are one of the more common implementation cases for biometric authentication today, it's worth breaking down what exactly is happening under the hood. Let's take a look. Device biometrics – a step-by-step guide The first crucial component to device biometrics (besides the biometric reader itself) is public key cryptography, and how it's different from more basic cryptographic systems. Basic cryptography To understand public key cryptography, it’s helpful to have a basic understanding of cryptography as a whole. In cybersecurity, cryptography generally has four parts: Plain text message: the information being protected by encryption Cipher algorithm: the mathematical operation done to the plain text message to encrypt it. These algorithms are generally common and publicly known, and utilize keys in their operation. Cipher message: the result of encrypting the plain text message with the cipher algorithm. Key: This is the unique value or string used by the algorithm to encrypt or decrypt the cipher message. To give an over-simplified example of how this works: Let’s say you want to share the message “apple” with someone. “Apple” is your plain text message. You use the cipher algorithm of addition paired with the key of 4. In this case, “4” indicates the number of letters you move down the alphabet to create your cipher message. With this cryptographic process, “apple” would become “ettpi.” “ettpi” is then your cipher message. In reality of course, both the keys and the algorithms are much more complex. Keys are usually randomly generated strings of letters and numbers, and the algorithms involve a bit more advanced mathematics than basic addition. But the main principle and roles as described above apply. Now in order for this to work, both people and/or entities sending and receiving the encrypted message have to know both the cipher algorithm and the key. In cybersecurity, because the algorithms are more or less public knowledge, that makes the key an incredibly valuable piece of information. So the question of how keys are initially shared and then stored is a critical juncture in keeping data and accounts secure. Enter public key cryptography. Public key cryptography Unlike basic cryptography in which the algorithm and key are shared between parties exchanging data, in public key cryptography each party possesses a different key – one to encrypt, and one to decrypt. Typically, the public key is used to encrypt the data, and the private key is used to decrypt it. What makes this kind of cryptography more secure than regular cryptography is that while the public key is stored on the server (and thus fairly easy for others to access), the private key is stored either on the user’s device (like your iPhone) or on a hardware security module like a USB or biometric scanner. Because the keys are asymmetric and one of them is stored locally, this makes it much more challenging for hackers to access, thus helping prevent account takeovers. Device biometrics – bringing it all together Now that we have a good understanding of public key cryptography and biometric authentication factors, we can see how it all fits together on a day-to-day basis when we use biometric auth on our iPhones or Androids. When you first sign up for an application or service, you may be asked if you want to use biometrics on your device, let’s say an iPhone, to log in. If you say yes, and have already saved your biometric information to your phone (be that a thumb print or a face scan), the following will happen: Signing up with biometrics The app you want to access generates a key pair to be used throughout this sign-in process. That application notifies their authentication provider (let’s say Stytch) that you, the user, want to use biometric authentication, and register for a biometric key with Stytch. Stytch stores the public key, and sends a challenge for the device to solve with the private key to confirm ownership of the other half of the key pair. The app on your phone receives the challenge, solves it with the private key, and returns that puzzle answer (also sometimes called a signature) to confirm the registration process. After each party verifies each other, the private key registration is stored securely on your device (in the case of an iPhone, it’s stored in the Keychain), along with any other metadata that’s helpful when logging into the app. That’s a successful biometric authentication registration! Logging in with biometrics When it comes time to log into the app or service, that app or service will do the following: First, the app will check to make sure there’s a keypair registration on the device you’re using. Most authentication providers only allow one keypair per application per device. When the app asks the Keychain on your phone for the keypair, that’s when the system will ask for the biometric prompt. You provide your device with your biometric information, which prompts the device to unlock the keystore. Note at no point does the app have any access to your biometric data! This is only stored on your device, as a way to protect any credentials or keys stored locally. Just like they did with the signup flow, once you’ve unlocked your key data with your biometrics, the auth provider will use the public key that they have to create a challenge that can only be solved with the private key on your phone. The auth provider here does not have access to the private key, but they do know what the answer should be based on the public key. The challenge is solved using the private key on your phone, and that answer/signature is returned to the auth provider for verification. If the response matches what Stytch believes it should be, you are authenticated and officially logged in! The main takeaway here is that biometric authentication is especially powerful in cybersecurity when paired with public key cryptography. This combination helps reduce friction and increase security all at once, without giving your biometric information to a single application. What are the advantages and challenges of working with biometric authentication? Advantages The two main advantages of biometric authentication are security and ease of use. Enhanced security Because biometric authentication is based on a user’s unique characteristics, it cannot be lost, forgotten, or guessed. This makes it a more safe and secure authentication option vs password-based authentication, which is an increasingly insufficient means of protecting sensitive information. A dditionally, biometric authentication offers best-in-class security by ensuring that a user demonstrates both possession of an original device and a unique biometric trait such as a Face ID or fingerprint. Ease of use Convenience and ease of use is the major advantage of biometric authentication. It’s much easier for users to glance at their phone or tap a sensor to unlock a device or log in to an app than it is for them to enter (and remember) a password or request a SMS passcode every time they want access. Biometric authentication reduces friction, which, in turn, can increase user conversion and retention. Challenges The biggest challenges with biometric authentication relate to spoofing,usability, and trust. Spoofing While much more secure than other forms of authentication, hackers are quickly developing ways to get past biometric authentication processes. They may use an authorized user’s photo, voice recording, fingerprint replica or other form of mimicry to trick a biometric reader into giving them access. Fortunately, spoofing isn't possible with the device-tied nature of on-device biometrics. So for any developer building for FaceID, TouchID or other mobile applications, spoofing is not a concern. And for that small cadre of developers who have non-on-device biometric authentication in mind, mapping users’ faces in 3D or requiring them to say a unique phrase at every login, for example, can help mitigate the risk of spoofing. Usability While the technology is improving every day, there are still some false rejections with biometric authentication that users may find frustrating. These can result from changes to users’ faces and voices as they age or due to circumstances such as mask-wearing, glasses, or lighting. Biometric methods like facial recognition systems have also come under scrutiny in their confluence with artificial intelligence (AI) and law enforcement use cases, particularly for the ways their inaccuracies affect treatment of those who are underrepresented in AI's databases, particularly women and people of color. Privacy & trust Biometric data is highly sensitive, and people are understandably wary about it being stored in centralized databases or transmitted between systems susceptible to a breach. As of 2019, 25% of people surveyed said they did not trust biometrics, while 35% felt they didn’t have enough information. There are a few things companies can do to help build trust and protect privacy: Triple-check your security measures: This should go without saying, but biometric authentication is no different from other types: it’s very easy to do poorly, and hard to do well. If you’re going to be using biometric authentication information in your app, do due diligence and our partner with a third party (like Stytch!) to help manage your security risks. Transparency and education: Develop a highly secure and transparent plan for using and protecting biometric data. Explain how your technology works to your users, so they understand who has access to what, and all the ways in which they’re protected. Device biometrics: Because of some of the risks that can come with storing biometric information, it often makes more sense for app developers to use device-based biometrics (described above) for their purposes. Using Apple and Android biometric technologies allows them to avoid many liabilities, and device-based methods are becoming increasingly easy to implement. Get started with biometric authentication Stytch is leading the way in easy-to-implement authentication solutions that boost security and increase conversions. If you’re interested in integrating biometric authentication, check out our WebAuthn and Passkeys products, or check out our docs. Sign up for a free account to get started, or contact support@stytch.com to discuss all things auth. --- # What is a passkey? Source: https://stytch.com/blog/what-is-a-passkey/ Stytch goes over the basics of the passkey – what it is, how it works, and how it improves on past auth methods like passwords and WebAuthn. Of all the innovations in passwordless authentication over recent years, passkeys are arguably the most exciting. Passkeys expand on biometric technology by allowing biometric data to be backed up to (and accessed from) a user’s cloud account, enabling a level of interoperability that has never before been possible. Given their portability and ease of use, passkeys are a top contender to dethrone the password as the dominant form of passwordless authentication, and we’re here for it. Still, they face several hurdles when it comes to implementation, especially since they require biometric-protected keys to be synced across different platforms and devices. For this reason, we expect that widespread passkey adoption will be slow to take hold — more like a dimmer light gradually turning on than the instant flip of a switch. In this post, we run through the basics of passkeys: what they are, how they work, the barriers they face, and the steps we’re taking at Stytch to support every stage of their rollout. What is a passkey? Passkeys were developed by the Fast Identity Online (or FIDO) alliance, a group of cybersecurity experts dedicated to creating secure, frictionless authentication standards that eliminate the need for passwords. In fact, passkeys were originally introduced as “multi-device FIDO credentials” — “passkeys” is just a catchier term, and it has the added benefit of emphasizing how this new auth solution departs from and improves on the less-secure password. Essentially, passkeys are a phishing-resistant, drop-in replacement for passwords. They rely on biometric verifications like FaceID or TouchID and can be used across different devices, platforms, and ecosystems. Using a passkey is a bit like using a password manager, since a user’s credentials are stored in the cloud and easily accessible from any connected device, just like other cloud-synced features like a user’s photos, contacts, emails, and documents. How do passkeys work? Passkeys rely on pre-existing public key (or asymmetric) cryptography, which creates pairs of public and private cryptographic keys that usually encrypt and decrypt user data, respectively. Typically, the public key is stored on the server, while the private key is stored locally on a user’s device or on hardware like a USB drive or biometric scanner. With passkeys, however, the key pair is end-to-end encrypted and backed up to the cloud account on a user’s primary device — that is, iCloud for iPhones and Macs, Google for Androids and Chromebooks, and so on. That means that any device that syncs to this cloud account can use a biometric factor like FaceID or TouchID to verify a user, access the cryptographic key pair, and log the user in. It is worth noting, too, that the raw data from the biometric authentication itself is not stored in the cloud — just the cryptographic key pair it unlocks — so it cannot be stolen and put to malicious use. How are passkeys different from native biometrics and WebAuthn? Passkeys have certain commonalities with other forms of passwordless authentication like biometrics, but there are key technical differences when it comes to how the biometric data is captured and where it is stored. Let's look a little closer. Native (or on-device) biometrics Native biometrics leverage a biometric scanner on a user’s laptop or mobile device and ties it to locked storage of either credentials or public/private key pairs. For example, a user might use a fingerprint, faceprint, or voiceprint to unlock the key pair sharing capability with an application in order to log in. This is referred to as native biometrics because the biometric data is only stored on their local phone — never on the app itself. WebAuthn WebAuthn is the combination of public key cryptography with either native biometrics or a piece of physical hardware like a YubiKey. As with native biometrics, the identity data from WebAuthn is always tied to a specific device, whether that’s a user’s phone or their YubiKey. Passkeys Passkeys as we've covered also combine public key cryptography with native biometrics, but unlike WebAuthn they are not limited to a single device. Using wireless technologies like bluetooth or a QR code, a user can sync passkey data with other devices within the same operating system (like from an iPhone to a MacBook) or even a device on a different operating system (like from an iPhone to a PC). What are the benefits of passkey login? Passkeys offer the same advantages as biometric authentication more generally, including one-step account creation, a seamless user experience, and stepped-up security. It comes with three big advantages: Passkeys make recovery easy Unlike on-device biometrics or WebAuthn, backed-up biometric data means users have ongoing access to a biometrics-enabled account, even if they lose or break the original device used to create it. Passkeys optimize access and usability for FIDO authentication Before, biometrics were restricted to a single device, so a user would need to re-enroll in a new biometric auth flow for each of their devices — on their phone, their tablet, their laptop, etc. — for the same account. With passkeys, the original biometric flow carries over. Passkeys are as user-friendly as a password, but more secure As with native biometrics and FIDO's WebAuthn, passkeys rely on unique bodily or behavioral traits to verify a user’s identity, and these attributes cannot be lost, forgotten, guessed, or easily replicated by a hacker. Moreover, passkeys are equally impervious to phishing, because they’re tied to the specific website or application that prompted them and can’t be used on a malicious or fraudulent site instead. To put it another way, passkeys work just like traditional, interoperable passwords, but without the security risks and the need to remember complex credentials. Like all biometrics, passkeys still fall under the category of “something-you-are” authentication — they just respect the fact that you’re still you, regardless of where you go or which device you use. What are the challenges to using passkeys? Various platforms have already begun implementing passkeys, including Apple, Google, and Microsoft, and their future looks bright. However, there are still a few obstacles to face in terms of usability, security, and implementation. From a usability standpoint, passkeys share some of the same drawbacks as other forms of biometrics. These include occasional false rejections, which can occur with everyday variations to a user’s physical features — for example, if they’re wearing a mask or their voice is altered due to illness. Biometrics are also imbued with society’s systemic biases, exhibiting higher error rates for AI-underrepresented groups like women and people of color. Furthermore, passkeys are only as secure as the cloud accounts they’re stored on. And the fact that users’ biometric credentials are automatically synced across all cloud connections means their data may end up on devices where it was not intended to be. In terms of implementation, passkeys are currently somewhat limited in scope, since biometric-protected keys are still incompatible with the cloud-syncing function in many cases. For this reason, their large-scale adoption will be a slow burn as auth providers and other cybersecurity platforms learn to integrate their syncing features securely and effectively. How Stytch is supporting passkeys Stytch is committed to providing phishing-resistant FIDO credentials as part of our suite of passwordless authentication products. We’ve already launched a set of robust native biometrics, including fingerprint and facial recognition tools powered by our flexible API, as well as frictionless WebAuthn solutions. Today, we support multi-device passkeys as a secondary authentication factor for 2FA, but we're also excited to extend support for passkeys as a primary authentication factor in the near future, too. Check out our biometric solutions To learn more about our approach to biometrics — and how we’re opening the door to multi-device, phishing-resistant passkeys — get in touch with one of our auth experts. You can also sign up for a free account to try our solutions out for yourself. --- # Argon2 vs bcrypt vs. scrypt: which hashing algorithm is right for you? Source: https://stytch.com/blog/argon2-vs-bcrypt-vs-scrypt/ A look at the hashing algorithms Argon2, bcrypt, and scrypt – their benefits, differences, and how to choose the right one for your product. As an engineer, you’ll likely come across the concepts of data hashing and encryption whenever you’re handling sensitive data. Both hashing and encryption are important to cryptography and are often confused, and choosing the right algorithms for your use case is not necessarily a straightforward decision. In this article, we'll cover the basic definitions of hashing and encryption, and compare three common hashing algorithms you're likely to come across in your work: Argon2, bcrypt and scrypt. We'll look at their origins, their strengths and weaknesses, and in what circumstances you'd likely use each. L et's dive in. What is encryption? Encryption is a process that involves scrambling or coding information so that only someone with a key to how you scrambled or coded it can read it. This is key: you only encrypt information when you expect or intend at least certain parties to decrypt it and access it later. It is a two-way, reversible process. In computer science, encrypting is typically done with complex mathematical algorithms. What is hashing? Similar to encryption, hashing is another mathematical technique used to obfuscate data you want to keep unavailable to other people. But there are two major distinctions that make hashing different: Hashing goes one way – if you hash something, it is not intended to be "un-hashed." Hashing converts data into a fixed-length output, also known as a hash value. With encryption, the output from the encryption may vary in length depending on the algorithm. The conversion from data to hash value is done by an algorithm, and the choices and operations involved are what make each hashing algorithm unique. Every hashing algorithm has its own history and design. Some were created to support additional parameters that you can adjust to meet your security or computational needs. What parameters are available depends on the hashing algorithm you choose to use. This is why the choice of hashing algorithm is so important: you want to make sure it meets the computational and security needs of your use case. Why do we hash passwords? Password storage is one of the paramount concerns for any application or web service that deals with authentication. Depending on how and where they store passwords, their users' credentials could be exposed to bad actors in the event of a data breach or cyber attack. Password hashing is a great way apps and online services can protect users' accounts in the case of a cyber attack or data leak. A stored hash has two big advantages over storing a plain text password or even an encrypted password. Irreversibility Once a hash value is generated, there is no way to derive the original input based on the hash value alone. Hash values usually appear as a random string of characters. Consistency At the same time, companies that only store a password's hash can still verify the identity of a user with their username and password because the same input string will always generate the same hash. So if a user enters their password and it generates the same hash as the one in the application's database, they can safely verify the user without storing their credentials. Is password hashing unhackable? Like any cybersecurity measure, though password hashing can greatly increase the cost of hacking or account takeovers, it is not completely attack proof. The main way hackers can break a hashing system occurs requires a few steps, each one of which can be thwarted by additional security measures: To gain access to a hashed password, the hackers must first breach the account storage information of their attack target. If these passwords are hashed, this information on its own is not usable – hence why password hashing is such a valued protection! Once hackers have a list of hashed passwords, they can create a database of words they think are likely to be used as passwords (strings like "password123," "qwerty," or perhaps even passwords they've obtained from other breaches). They then hash these likely passwords using the hashing algorithm they either suspect or or know their attack target uses. This creates a database of password hashes. With their possible or probable hashes in hand, the attackers then compare their database with entries in the hacked database of password hashes. If they find any matches, they can then gain access to those accounts. While we've summed up this process in three neat steps, it's a very time and computing-intensive process, which serves as a strong deterrent against most hackers. How does hashing work? All hashing algorithms involve taking a piece of information called the "input" and a number of other parameters that determine the hash's complexity, computing requirements, and additional security measures. Note that not all hashing algorithms use all the parameters below. Indeed, the parameters hashing algorithm use are a big part of what distinguishes one from another. Some examples of parameters include: Input: Every hashing algorithm needs an input to hash. The input is usually a plain text string of varying lengths (like a password). Salt: The "salt" refers to a string of characters that is appended or prepended to the input before it is hashed. A salt changes the hash value by increasing the length and complexity of the input. It is a common practice to help guard against dictionary attacks (a kind of brute force attack that tries to reverse engineer the hash) or rainbow tables (a more sophisticated method and dictionary attacks. Length: Length refers to the number of bytes or HEX characters in the generated hash value. Cycles: The number of cycles describe how many times or iterations the algorithm’s hashing function will run. More cycles create a stronger hash but require more time to compute. The number of cycles are determined by the work factor, by an exponential relation in which cycles = 2^work factor. Work factor: The work factor refers to the number of times the hashing algorithm is performed – this is usually expressed as an exponent, like 2^work iterations. The higher the work factor, the harder it would be for a hacker to crack the hashing algorithm. But, the higher the work factor, the greater the computational cost to the application and/or its auth provider. Threads: Threads refers to the number of concurrent threads, or degrees of parallelism, that the algorithm will utilize to compute the hash. Memory/memory hardness: The amount of memory to be used in the hashing process. Algorithms generally are evaluated by many factors, one of which is called "memory hardness," which refers to how much CPU and RAM usage is required to perform a given function or action. Hashing algorithms need to strike a balance between not being too memory hard without being too easy to crack either. CPU: The cost or work factor that increases the memory and CPU usage needed to generate the hash. Some scrypt implementations require this parameter to be a power of 2. What are the different types of hashing algorithms? With so many options for hashing algorithms, like SHA-1, SHA-256, MD-5, Argon2, scrypt, and bcrypt, it's important to understand the differences and choose the right one for your needs. For password protection, Argon2, bcrypt, and scrypt are recommended due to their configurable memory and cost parameters that can increase computational strength against attacks. Argon2 Argon2 was designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from the University of Luxembourg. They released their specification paper on Argon2 in 2015 and that same year won the Password Hashing Competition, organized by a global panel of security and cryptographic experts. In their paper, the designers state their motivation for creating Argon2 was "to maximize the cost of password cracking" and that "passwords, despite all their drawbacks, remain the primary form of authentication." bcrypt Bcrypt was designed by Niels Provos and David Mazières. They presented their paper "A Future-Adaptable Password Scheme" in 1999 at the Unix Users Group conference. They based their hashing algorithm on Blowfish, an encryption algorithm created by Bruce Schneier in 1993, to take advantage of its purposefully expensive key setup phase. Provos and Mazières took the concept further by designing bcrypt to have adjustable cost. In their paper, they state that "the computational cost of any secure password scheme must increase as hardware improves." scrypt Scrypt was created by Colin Percival who presented his conference paper in 2009 at the Berkeley Software Distribution conference. It was originally developed for Tarsnap, an encrypted online backup service for UNIX operating systems, which Percival also created. Scrypt was designed to be a memory-hard algorithm that would be maximally secure against hardware brute-force attacks. Which algorithm is right for you – Argon2 vs. bcrypt vs. scrypt While there are of course deeper nuances to Argon2, bcrypt, and scrypt, the choice between them boils down to weighing computing and time requirements against memory hardness and parameter number. Argon2 is a great memory-hard password hashing algorithm, which makes it good for offline key derivation. But it requires more time, which, for web applications is less ideal. bcrypt can deliver hashing times under 1 second long, but does not include parameters like threads, CPU, or memory hardness. scrypt (Stytch's personal choice!) is maximally hard against brute force attacks, but not quite as memory hard or time-intensive as Argon2. At Stytch, once we've salted and hashed all passwords using scrypt, we store them in an encrypted database that we manage. This ensures our Passwords solution is secure and built for performance. If you’re looking for more information on each hashing algorithm, read more about the differences here. --- # Onboarding the next Web3 wave with Crossmint + Stytch Source: https://stytch.com/blog/onboarding-the-next-web3-wave-with-crossmint-stytch/ Onboarding the next Web3 wave with Crossmint + Stytch Crossmint’s mission is to make NFTs easy to access for users and simple to deploy for developers and enterprises. Part of that mission means bridging the gap between users that are comfortable with Web2 but aren’t yet Web3 native. Onboarding this wave of users means building familiar and delightful onboarding flows – that’s where Stytch comes in. See how you can build API first and combine the best of both Web2/3 worlds with our Stytch + Crossmint example app and guide. Now, you can deploy Stytch’s seamless authentication (social and passwordless) with Crossmint’s powerful wallet APIs to launch an end-to-end wallet onramp in minutes. Check out Crossmint’s blog post about this launch or jump into writing code with their guide! About Crossmint Crossmint is a leading NFT infrastructure provider, with tools like credit card payments for NFTs, enterprise-grade minting APIs, and secure NFT custodial wallets. We’ve supported over 9,000 developers and enterprises - including key customers like Magic Eden, Origin, Rarible, X2Y2, Crown Royal / Diageo, Salesforce, Cinemark, Armin van Buuren and more. Read more about Crossmint at their website, docs, or contact sales to learn more. --- # Stytch Talks With Jordan Burris: “The Future of Multi-Factor Authentication (MFA)” Source: https://stytch.com/blog/stytch-talks-jordan-burris-mfa/ A recap of our live conversation with security expert Jordan Burris, focusing on the future of multi-factor authentication. As traditional passwords become increasingly unreliable, more app developers have decided to enhance their sign up and log in flows with layered multi-factor authentication (MFA), which requires two or more verification steps to confirm a user’s identity. But not all MFA is created equal, and there are many different ways apps can implement it to protect their users and stave off the latest online threats. To explore the nuances of MFA and how it fits into the current digital landscape, Stytch’s co-founder and CEO Reed McGinley-Stempel sat down with Jordan Burris, VP and head of public sector strategy at Socure, the preeminent platform for identity verification. As former chief of staff for the White House’s federal chief information officer, Jordan led cybersecurity efforts across two presidential administrations, and he’s a leading expert on issues of identity management and digital trust. Missed the live webinar? You can find a full recording of the event on Stytch’s YouTube channel. In the latest installment of Stytch Talks, Jordan and Reed tackled everything from the state of the password and advances in biometrics to how new AI tools are emboldening modern hackers. Below, we share seven key takeaways from their discussion and the Q&A, along with actionable strategies to help you take full advantage of MFA. 1. Passwords should be considered “pre-breached” in today’s cybersecurity climate, which is why we need stepped-up auth measures like MFA. According to recent studies, over half (52%) of global companies have experienced a cybersecurity breach in their operational history, with each attack carrying an average price tag of $4.35 million. These stats are scary, but their root cause is entirely avoidable. The vast majority of data breaches (80% in total) can be traced to compromised credentials — that is, weak or reused passwords that can be easily intercepted by hackers and used to take over legitimate accounts. In fact, industry experts at the Open Worldwide Application Security Project (OWASP) advise app developers to treat all passwords as “pre-breached” and to supplement them with stronger security measures like MFA to protect their data. Research by Microsoft has shown that layered MFA flows can successfully block up to 99.9% of all password-based cyberattacks. That’s because most hackers prefer cheap, high-yield strategies, like using >pre-programmed bots to run automated brute-force or credential-stuffing attacks. By asking for additional credentials that a bot cannot easily provide — like an SMS passcode or biometric verification — MFA requires human intervention, raising the cost and complexity of an attack. 2. The most popular MFA methods are also the least secure, and companies need to find ways to make robust factors easier to adopt. There’s no one-size-fits-all when it comes to MFA. Which factors a company decides to include in their flow (and when) will largely depend on criteria like their user demographics and the sensitivity of their data. That said, some forms of MFA are inherently more secure than others, and there’s often a tradeoff between strength and usability. Most apps opt for factors like SMS one-time passcodes that are both familiar and easy to use, resulting in higher conversion rates. Unfortunately, they’re also the easiest to circumvent, as they’re vulnerable to both phishing and SIM-swapping attacks. Stronger factors like time-based one-time passcodes (TOTPs) require users to download a third-party app, introducing friction and the potential for drop-offs. And the strongest WebAuthn factors either force users to buy physical hardware (like YubiKeys) or cannot be implemented across devices (like native biometrics). Coinbase recently discovered (and publicized) that 95% of their users opt to log in via SMS passcodes, but passcodes also account for 95.65% of their account takeover volume—compared to 4.13% with TOTPs, 0.18% with push authentications, and just 0.04% with a physical security key. While optionality will continue to be crucial, companies interested in providing the best protection will find ways to make it easier to adopt more secure factors like TOTPs and passkeys. 3. Emerging AI tools are enabling more sophisticated phishing attacks, making more advanced unphishable MFA more important than ever. New, AI-powered chatbots like ChatGPT, which saw 100 million users within two months of launching, are empowering hackers to be bolder and more prolific. Historically, hackers have used obvious typos in phishing emails, as a way of ensuring respondents are gullible and thus more likely to unwittingly carry out a fraudulent action. That’s because phishing is a predominantly manual method, requiring hackers to interact live with their victims. If conversations can be delegated to a convincing chatbot, hackers can target more sophisticated users with little to no human cost, allowing them to widen their net and increase the volume and scope of their attacks through automation. As phishing gets more sophisticated, it’s on companies to adopt unphishable MFA practices that render these more sophisticated fraud attempts a moot point. 4. A top priority is pairing enhanced MFA flows with innovative identity verification tools, to protect users across the access lifecycle. One of the most pressing needs in cybersecurity is supporting authentication with next-level identity verification strategies — essentially, pairing strong MFA factors from Stytch’s product suite with strong fraud-detection and ID-verification tools from Socure’s. Without the former, you get legitimate user accounts that can be easily breached. Without the latter, you get heavily protected accounts with fake or fraudulent identities behind them. In other words, an identity verification flow confirms that a user is the actual individual they claim to be — avoiding gaffes like 2022’s messy Twitter Blue rollout, where any internet troll could claim an “official” Twitter profile under any real/stolen or fictitious identity. One instance where this relationship matters is the account recovery process. Authentication can only take users so far if they lose all of their identifiers (their email inbox, the device that was hosting their biometric data, etc.) and they need an easy, secure way to verify their identity and regain access to their accounts. That’s why prominent organizations like the FIDO Alliance are making identity verification and binding a top priority in their upcoming cybersecurity initiatives. 5. Biometrics is the future of phishing-resistant MFA, but that means little if people won’t use it. Biometric factors like fingerprints and facial recognition allow for high-security, low-friction logins, giving them an edge over other auth methods. But biometrics also faces steep challenges when it comes to both user trust and implementation. Currently, over half of users (around 58%) trust biometrics more than they do traditional usernames and passwords — but many in the remaining 42% feel strongly that biometric technology violates their privacy and puts their personal data at risk. To bridge these adoption gaps, more education and transparency is needed for users to understand how and why biometric data is used and when it’s shared. Advances are also needed to address situational hurdles, like shared devices used by multiple members of a household. From an implementation standpoint, biometric auth has historically been locally bound to a specific device, disrupting the user experience and hindering universal use. Fortunately, innovations like passkeys are making it possible to store and sync biometric data through the cloud, so it’s accessible and interoperable across different platforms and devices. That said, it will be some time before these tools can be widely implemented and adopted. In the meantime, a more practical and comfortable solution is to give users and developers a choice in their auth journeys and to ensure the technology used in cybersecurity is as open and inclusive as possible. 6. For a glimpse into best-in-class MFA, look to high-stakes sectors like fintech and government. Because they have a lot to lose in a data breach, high-risk sectors like fintech and government are great spaces to find examples of MFA best practices in action. Some of the best practices to look for include: Optionality: Though MFA factors vary in terms of security strength, any MFA is better than no MFA at all. That’s why companies like Coinbase (in the example above) offer users several different paths to log in, so they’re sure to find factors that meet their needs and comfort level. Future-proofing: Young fintechs like Robinhood tend to be more tech-forward than legacy banks, building advanced factors like TOTP authenticator apps into their log in flows, rather than just SMS and email passcodes. One reason for this could be the irreversible nature of crypto transactions, which places a greater fraud liability on newer companies that trade heavily in digital currencies. Mandatory (but flexible) MFA: While choices are good, safe choices are better. On the SaaS side, B2B apps like Stripe and Gusto often require MFA, either at initial login or as part of a route-based or just-in-time auth flow. These platforms tend to deal with high-value use cases like payroll, payments, and invoicing with bank accounts attached, so they’ve thought a lot about optimizing both security and adoption 7. The secret to building your MFA flow? Just get started. Our panelists had a few helpful tips on how to implement MFA efficiently and effectively. Most notably: act decisively, and don’t get mired in analysis paralysis. The bottom line MFA is playing an increasingly important role in fighting off evolving cyber attacks, but its success largely depends on how it’s implemented. Learning the ins and outs of different factors, how they match up against the latest threats, and how they affect your specific user base can help you minimize friction, maximize security, and create seamless digital experiences. Want to learn more about the latest in MFA? Reach out reed@stytch.com or jordan.burris@socure.com to continue the conversation — or check out Stytch’s flexible suite of authentication solutions to optimize your MFA flow. --- # Foundations of scalable B2B auth Source: https://stytch.com/blog/foundations-scalable-b2b-auth/ The foundations of your app's B2B auth solution can make or break your growth trajectory. Learn what to do, and what to avoid. It’s easy to think about “authentication” as just an isolated, brief interaction where the user performs some sort of challenge to prove their identity. If you think about authentication in that way, your criteria for an authentication provider is probably something like “do they support X login method.” However, authentication is anything but isolated – it’s deeply coupled with your core assumptions about what defines a user. The foundational decisions you make around auth and user definitions have long-lasting impacts on how well you are able to scale to meet tomorrow’s needs. Nowhere is that more true than in B2B. There are a few specific decisions that can make your later scaling journey either painless or challenging, so we’ll look at them one by one. 1. Users and organizations One of the very first decisions you need to make when building a B2B application is what defines a User, an Organization and their relationship. That sounds pretty easy at first glance – you’re building a tool for teams at work, so a User is an employee of an Organization. Employees of the same company are all typically issued work email addresses, so a User is defined by their work email address. Right? Kind of. The details around how you might implement this seemingly simple model can end up being the source of enormous headaches and end up limiting the use cases and enterprise customers you can sell to in the future. Let’s take a look at each of those approaches and their implications. One to one relationship One common approach is to say a User is defined by a globally unique email address and belongs to a single Organization. This makes a lot of intuitive sense – if your application is only something that people would use at work, then the most straightforward approach is to have them login and immediately land in the Organization context that they have access to. However, this assumption will start to break down for any companies who work with contractors, agencies or external services that don’t receive corporate email addresses – or where a single company has multiple tenants within your application, in which a few individuals have access to multiple instances. If your data model and app architecture are based on the assumption that a user only has access to one Organization, users who need to have access to multiple Organizations will need to leverage email aliases to work around this constraint and will need to constantly be logging out and logging back in, just to switch Organization context. As you scale and start to hit these use cases, you are faced with a difficult choice between a time intensive migration of your core data model or continued frustration on the part of your users. One to many relationship If you already know that there are use cases in which a single end user will have access to multiple Organizations, you might choose to say that a User is defined by a globally unique email address but can have permissions or membership to multiple Organizations. It is particularly common to choose this data model in the interest of creating a seamless end user experience. After all, if we already know that this is ada.lovelace@stytch.com on Organization A, why would we add additional friction for the end user by asking them to re-authenticate when switching over to Organization B? Shouldn’t we just ask them to login once and then allow them to easily toggle between their different Organizations under the same session? Unfortunately, if you achieve this low-friction experience by consolidating into a single User entity that spans multiple Organizations, that consolidation creates a lot of issues the minute you start trying to sell upmarket to enterprise companies. Most enterprises require the ability to set their own authentication policies for their members, and they have no reason to trust the authentication policies of other Organizations – particularly when it comes to authentication that happens through another company’s IdP. Therefore if ada.lovelace@stytch.com is a single UserID that belongs to both Organization A, which requires that their members all do password login with TOTP MFA, and Organization B, which requires that their members SSO via their workforce IdP, then she would need to go through both sets of authentication requirements – even if she just wants to access Organization A. This can become even more frustrating once you introduce configurable session durations, and Organization A requires that their users have to re-authenticate every 6 hours. The data model that seems low-friction for end users at small companies ends up creating tons of friction once you start selling to larger, more security aware customers. 2. JIT (Just-in-Time) provisioning If you allow self-onboarding (signing up for a new Organization via your site) you might have noticed that people frequently create a new Organization when really what they meant to do was join their co-workers in an existing Organization. One really helpful way to address this issue is to introduce the concept of “JIT (Just-in-Time) Provisioning” by email domain. In this setup, an Organization can specify that users with a verified email address from a particular domain can automatically join their Organization without an explicit invite. This is incredibly helpful for smaller customers, who likely don’t have a dedicated IT admin in charge of provisioning employees to the tools that they need. Their team is small enough where they’re able to audit on an ad hoc basis. That said, it can be easy to go overboard with JIT provisioning, and make decisions that haunt or hurt you – today or in the future. JIT and 1:1 user/org relationships One common mistake we’ve seen that quickly becomes an issue is pairing JIT Provisioning with a 1:1 relationship between Users and Organizations. In this data model, an end user can only join a single Organization under their email address. This is fine, except if a new end user is accidentally JIT Provisioned to the wrong Organization, they are now prevented from joining the Organization they intended to or creating a new Organization without first deleting their account – which may require reaching out to customer support, creating a frustrating and friction-filled experience. This situation may seem unlikely, but consider the case where john.von.neumann@acme.com creates a new Organization on your application, turns on JIT Provisioning for all @acme.com email addresses – and then leaves Acme shortly after. As other Acme employees go to check out your app, they are JIT Provisioned to this abandoned Organization without an active owner – and since the 1:1 data model only allows a single email to belong to a single Organization, they must delete their accounts before being able to create a new Organization. This becomes even messier if your application automatically JIT Provisions, instead of asking the end user if they would like to join the application – because then there is no recourse without deleting the abandoned Organization itself. JIT and SSO JIT can also complicate matters further down the road when introducing SSO. Given that the main function of a workforce Identity Provider (IdP) is to centralize managing employee access to the company’s applications, it seems very natural to assume that you can automatically JIT provision any new user who successfully authenticates via the Organization’s IdP. However, this assumption starts to break down at scale, especially as you start to take on larger enterprise clients. Some of the biggest Fortune 100 companies in the world use home-grown IdPs that don’t handle app-specific provisioning – meaning that these companies will want to explicitly provision users to your application, rather than rely on their IdP as the source of truth on who can create an account. It is important to always make JIT Provisioning configurable to account for the wide variety of company setups and preferences you’ll encounter at scale. As one tech lead we interviewed noted: “For every feature you introduce, someone will literally pay you for the ability to turn it off.” 3. Simplicity doesn’t hold Early on, all of the members of a given Organization share the same email domain and all use the same Identity Provider. Before you know it, these assumptions have been baked into the foundations of your application: your Organization object uses email_domain as the unique, primary identifier; you put the SAML IdP URI as a singular field on the Organization object; JIT Provisioning is a simple boolean. etc. Until one day, you encounter your first prospect with subsidiary companies with different email domains, or different IdPs that all follow different JIT Provisioning rules, all within a single Organization. Now you are tasked with the unpleasant reality of needing to take a massive refactor to remove uniqueness assumptions spread throughout your database models and millions of lines of application logic – right at the stage of growth when you have a million other, validated and differentiated projects you could be working on instead – or lose out on enterprise prospects whose basic authentication requirements are now “unsupported use cases”. Save your team future headaches by making the right investments today Speed of execution is one of the most critical factors in a company’s success or failure, and it is a very rational reaction to read this list of edge cases and say “that’s nice, but we can deal with that if we get there.” When you’re still iterating towards PMF, or if your target ICP today are other small startups, it would likely be a waste of precious time to build a fully extensible approach to auth that accounts for multinational subsidiaries, large scale acquisitions and homegrown IdPs. That’s years away, and you have pressing client needs now. However, once you’ve made some of these foundational decisions they become incredibly difficult and time consuming to unwind, crippling your ability to scale smoothly, and forcing you to shift resources away from much more differentiated and exciting parts of your product roadmap. Luckily, you don’t actually need to make that tradeoff. Instead you can use an authentication provider that is built with these edge cases in mind, that can deliver the consumer-grade, conversion oriented authentication experiences that drive growth and align with your smaller customer’s authentication needs alongside the robust, enterprise grade requirements of the Fortune 100. --- # Stytch postmortem 2023-02-23 Source: https://stytch.com/blog/stytch-postmortem-2023-02-23/ Stytch postmortem 2023-02-23 On February 23, 2023, an infrastructure configuration change took down all our Kubernetes worker nodes resulting in a full system outage of the Live Stytch API for 14 minutes, the Stytch Frontend SDKs for 17 minutes, and the Stytch Dashboard for 17 minutes. We have published our full, internal RCA here. We’re sharing these technical details to give our community an understanding of the root cause, how we addressed it, and what we are doing to prevent similar issues from happening again. Table of contents Timeline of outage Background What happened Action items Conclusion Timeline of outage Available replicas in the production environment. All times in the postmortem are in UTC. 20:48 – Deployment Replicas Unavailable Alerts begin firing in production. 21:00 – Engineers identify node group change as likely root cause. 21:10 – Production Live and Test API go down. 21:14 – Support team flags outage. 21:15 – New node groups are launched. 21:17 – Dashboard and SDKs go down. 21:24 – Production Live API service is restored. 21:34 – Dashboard and SDK services are restored. 21:36 – Production Test API service is restored. All systems are operational. Background A primer on Stytch infrastructure Stytch uses AWS EKS, a managed Kubernetes service, to manage our compute infrastructure. AWS EKS offers a few different ways to host nodes that will run the containers – each have their own strengths and unique qualities. Self-managed nodes provide complete control over the instance at the expense of full management of the instance itself. Managed node groups handle the provisioning and lifecycle of Elastic Compute Cloud (EC2) instances through Auto Scaling Groups (ASGs). AWS Fargate, as a serverless platform, can offload the complete node management to AWS. Stytch initially used managed node groups for shared resources such as CoreDNS, log forwarding, ingress controllers, etc. and Fargate to run major data plane services such as the Stytch API. To create these cloud resources (EKS cluster, managed node groups, Fargate profiles, etc.), Stytch uses Crossplane, an open-source tool, which allows us to manage our clusters in code. It also utilizes the Kubernetes control plane to consistently reconcile differences between our clusters and the desired state. Our Crossplane is set up to utilize a “management cluster” which provisions our clusters across environments and accounts. Migrating from Fargate to EC2 and Karpenter In H1 2022, we began an effort to migrate from Fargate to EC2 nodes to run our pods and workloads ourselves. Fargate’s slow time to spin up a new pod both impeded our internal development process and hampered our agility to deploy in the case of an incident. We had two major milestones in the project: Move to intentionally over-provisioned managed node groups which were statically sized. Use Karpenter to dynamically provision and manage self-managed nodes as our scaling solution for worker nodes to achieve the elastic compute parity that we had with Fargate. Illustration of how Karpenter operates (source: Karpenter). Both milestones created positive results for us. Our move to EC2 nodes with managed node groups reduced our complete deploy time from 25+ minutes to under five minutes. Meanwhile, Karpenter’s just-in-time provisioning of a dynamic number of nodes proved to be highly available, quick to schedule new pods, and resilient. We not only made our internal development teams much more efficient, but also improved our ability to scale to meet peak customer load and greatly reduced our time to resolution in the event of an incident. Using managed node groups and Karpenter, we had both static compute and dynamic compute. After about a year with this redundancy in place, we felt confident enough in Karpenter’s dynamic compute that the managed node groups were no longer needed. We decided to move fully to just-in-time-provisioned nodes by Karpenter and to remove managed node groups for our data plane applications. What happened Root cause: deletion of instance profile (14:21 - 14:50) 14:21 – We landed a change to remove and delete unused managed node groups. As a safeguard, our Crossplane resources (XRDs) are set up to use an orphan deletion policy – meaning that, if the Crossplane Kubernetes resource is deleted, the resource is not deleted from the provider. Because of our Crossplane orphan deletion policy, this required us to do some operations in the AWS console. In line with established team norms, two engineers paired on the process to make the changes to staging first before rolling out to production. While deleting the node group, the engineers noticed a warning that deleting a managed node group could affect self-managed node groups since the worker role is removed from the aws-auth ConfigMap. Warning in AWS console. Like the rest of our infrastructure, this ConfigMap is managed by Crossplane, and we were confident that even if the role was removed from the config map it would be replaced immediately. After noticing no impact in staging, we applied the same changes in production. However, unknown to our engineers and absent from AWS documentation, in the background, the AWS API was making opaque clean up calls after a node group deletion. Upon inspection of our CloudTrail logs, we were able to confirm that the node group deletion resulted in the deletion of the instance profile. 14:24 – The instance profile in staging was deleted. 14:50 – The instance profile in production was deleted. Managing our resources through Crossplane should have saved us here by automatically recreating the deleted instance profile. But while the role was recreated, our Crossplane Cluster Composition used a randomly generated name instead of the previous instance’s profile name which our Karpenter configuration depended on. With these incompatible names, Karpenter did not have the permissions to launch new nodes. We would encounter issues several hours later once the deleted instance profile needed to be used again – by either new or existing nodes. First warning and nodes shutting down (16:06 - 19:54) Time series of root cause, warning, and outage. 16:06 – We received a low urgency warning in staging that Karpenter could not find the specified instance profile and was unable to launch a new node. The on-call engineer triaged the alert and identified that there were some issues related to the staging environment. The issues were limited to staging and deemed low urgency because existing deployments were healthy and new pods were being scheduled. 17:48 – We received a similar low urgency warning in production. We came to the same conclusion as we did in staging: we should resolve it today, but it wasn’t a critical incident. 19:40 – The on-call engineer began investigating the issue in staging to try and understand what changed with the IAM instance profile. 19:54 – Existing staging nodes began shutting down. We started to receive kube-proxy health notifications in the staging environment. These kube-proxy issues were a symptom of the deletion of the IAM instance profile. At this point our production environment still appeared to be healthy, so we remained focused on fixing staging issues and addressing the root cause. Unhealthy nodes in production (20:13 - 20:26) 20:13 – Our first production node status was marked as Ready:Unknown by the Kubernetes Control Plane. Because our nodes were running with a deleted instance profile, they slowly began to terminate as they attempted to use the profile. Rise of unhealthy nodes. Typically, when a node is in Unknown ready status, and after a five minute wait, the taint controller in the Kubernetes control plane adds an unreachable taint to the node. The taint causes the eviction of all pods running on that node. In our case, our existing nodes were all slowly shut down, then evicted, and we were unable to schedule new pods. The Karpenter controller attempted to launch new nodes with the deleted instance profile. Very quickly, our services began degrading with fewer and fewer pods being scheduled. Pods not being scheduled. 20:26 – These node launching failures spiked our Karpenter error rate. We kicked off our incident process and froze deployments. At this point in time, the Stytch API and SDKs were still operational. Outage and return to service (20:44 - 21:36) 20:44 – Our Kubernetes monitoring alerts triggered in production. We immediately reshifted our focus to mitigating the impact to production. 21:00 – We identified a node group change as the likely root cause. We reverted the node group deletion, which quickly recreated the node groups. We thought this would mitigate the issue by spinning up healthy nodes with a working instance profile to schedule new pods. But, the new pods did not schedule quickly enough because they had to wait for the new nodes to spin up. 21:10 – Stytch API went down in production. Stytch API calls all returning 5XX. In order to return to service quickly, we manually scaled up one of the Live API node groups with more nodes that were significantly bigger in compute size and removed taints from the node group. We then removed node selectors from the application consecutively so they could schedule. Within minutes, each application was successfully scheduled with the correct number of nodes. 21:24 – We confirmed the Live API returned to service. 21:34 – We confirmed the Dashboard and Frontend SDKs returned to service. 21:36 – We confirmed the Test API returned to service. All our systems were operational again. Action items We have a detailed incident postmortem process which allows our team to debrief exactly what went wrong and, most importantly, identify concrete action items and owners to prevent this class of failures from happening again. In this case, we came away with four main focus areas with specific action items that we are either actively working on or have already completed. 1. Alerting improvements Raise the severity of Karpenter errors and treat them as high urgency alerts that go straight to the on-call pager. Tune the cluster alerting thresholds to send a high urgency page earlier. Add alerts for nodes marked as NotReady or Unknown for long periods to better keep track of the health of existing nodes. Raise the thresholds for other deployment-related alerts including unschedulable pods and replicas not available. 2. Cloud configuration and IAC improvements Replace the IAM instance profile used by Karpenter to be distinct from the IAM profile used by the node groups. Separate out other AWS resources (specifically IAM and security group) that were being overloaded in usage. Overhaul our EKS and Karpenter configuration so that new system instance profiles are unique and static per cluster and generated by Karpenter, reducing complexity. Introduce a cloud visualization tool to further improve the tools available to our developer team when making infrastructure changes. 3. Status page improvements Add live system and product metrics to the status page to provide a real-time view of how our Stytch API is behaving. 4. AWS improvements and learnings Reach out to AWS to confirm the undocumented actions and side effects. Correct overloaded use of IAM roles and security groups in our infrastructure. In the wake of the incident, we reached out to AWS in hopes of getting a better understanding of how they handle managed node group deletions. AWS confirmed that the Delete Node Group Action sparked off a set of (undocumented) cascading actions: DeleteNodegroup API invoked > worker nodes are drained Pods running on the target node are evicted from draining nodes Service role cleans up (deletes) any resources associated with the node group (i.e. roles, policies, security groups, etc.) Worker node instances are terminated Although it’s not obvious that the instance profile would get deleted, in retrospect, we should never have used the same IAM role for Karpenter self managed nodes as the node groups because overloading the usage of an IAM role would cause the exact issue we encountered during the incident. During our initial configuration of Karpenter, we missed separating out these roles in the interest of expediency and simplicity. What made this incident difficult to assess as a whole was the delay between cause and effect. It took on the order of hours until the configuration change started to impact our clusters. We have confirmed with AWS that this is expected behavior and will take this into account when making future IAM instance profile changes. Conclusion We are committed to improving our platform and incident process to reduce frequency and duration of incidents, ensure a smoother response and tighter, more detailed communications. In the event of any major disruption of service, Stytch will continue to publish an incident postmortem with context, learnings, and follow ups to share with the community. Visit and subscribe to Stytch’s status page and changelog for future updates. --- # How do voice recognition biometrics work? Source: https://stytch.com/blog/what-is-voice-biometric-authentication/ Learn how voice recognition technologies enable fast, frictionless logins that protect and delight your users. In recent years, advances in authentication technology have enabled developers to enhance the cybersecurity of their app or website without overburdening their users or disrupting the user experience. One of the most powerful innovations in this regard is biometrics, or tech-forward tools that can verify a user’s identity using only their physical or behavioral characteristics. While fingerprint scans and facial recognition remain the most popular forms of biometrics, other emerging methods like voice remain more on the fringe. Below, we explore how voice authentication works, what its benefits are, and perhaps why it hasn’t seen the same level of adoption as other biometric methods. The basics of biometrics Biometrics is considered something-you-are authentication, because it relies on attributes that are inherent to a user’s body or behavior. This sets biometrics apart from something-you-know auth factors (like passwords), which require users to create and remember complex credentials, and something-you-have auth factors (like one-time passcodes or security keys), which require users to prove possession of a registered phone number, email inbox, or physical device. Instead, biometric factors use built-in verification tools to capture, analyze, and recognize a user’s distinctive, measurable features. There are many different types of biometric authentication, with flows that vary according to the specific feature involved. Some of the most common include: Fingerprint recognition Fingerprint recognition tools scan and map the unique ridges and valleys of a user’s fingerprint when they press their finger to their laptop or mobile device. Facial recognition Facial recognition tools scan and map the proportions and contours of a user’s face and translate them into a unique numerical code known as a “faceprint.” Iris/retina recognition Iris and retina recognition tools scan and analyze the distinctive color markings (iris) or the distinctive blood vessel patterns (retina) in a user’s eye. Voice recognition Voice recognition tools capture and analyze the sound qualities and other unique properties of a user’s voice, which are determined by their particular jaw movements, throat shape, and behavioral or linguistic inflections. Many biometric auth solutions are equipped with liveness detection capabilities, so they can distinguish between a real, live user and a mere reproduction or copy — like a photographic image or voice recording — in order to detect and prevent fraud. Let’s dive deeper into what voice recognition technology does and how it works. What does voice recognition do? Essentially, voice recognition tools allow users to access, activate, and/or interact with digital platforms simply by speaking to them. They’ve become well-known in recent years, with the release of smartphone software (like Siri) and virtual assistants (like Amazon’s Alexa and Echo devices or Google’s Home or Nest systems). However, there’s a big difference between voice recognition technology and the speech recognition technology many of these voice-controlled systems rely on. Automatic speech recognition (ASR) technology is trained to identify and act upon what is being said, regardless of who is saying it. Think, someone instructing an Alexa device to play a specific song or using a speech-to-text program to transcribe what different participants say during a meeting. Voice recognition (or speaker recognition) technology is trained to identify who is speaking, based on the unique attributes of their voice. For this reason, voice recognition is typically used to offer a personalized user experience or to provide extra protection in sensitive or risky use cases. Think, someone using a voice command to set or disarm a home security system through Google Home. When used as an authentication factor, biometric flows rely on voice recognition technology to verify that the person speaking is the legitimate, registered user they say they are. How does voice recognition work? Voice recognition tools must be programmed or trained to identify a specific user’s voice. This typically involves taking one or more speech samples and creating a unique digital template or “voiceprint” — similar to the fingerprints and faceprints used in other biometrics. This voiceprint is stored within the system and compared against any sample obtained during a log in attempt. A voiceprint takes into account physical/physiological as well as behavioral/inflectional attributes, such as a user’s: Pitch Timbre Intensity Accent or pronunciation Cadence Some voice recognition systems require a user to input a specific, pre-determined phrase or sentence — which they must then repeat with every login — whereas others allow a user to say whatever they please. Accuracy of voice biometrics The precision of voice recognition technology has improved significantly in recent years, and it continues to make steady progress. As with many authentication methods, voice biometrics is not foolproof, but accuracy rates top 95% on average and frequently reach up to 99%. Compare that to passwords, only 80% of which can be considered even remotely secure. The benefits of voice biometrics for authentication When compared to other biometric authentication factors, voice biometric authentication has a couple of distinct advantages. Voice recognition can be used with accessories that sometimes get in the way of other methods, like hats, gloves, masks or sunglasses. Voice biometrics is also contactless. That said, there are a few shortcomings that make the voice a less preferable biometric method than others. Shortcomings of voice biometrics Some of the downsides that have hampered voice biometric authentication adoption to date include: Advanced cyber attacks like “voice spoofing” that attempt to record and/or replicate a user’s voice and gain access to an online account. While liveness detection tools help defend against such attacks, hackers are always adapting and improving upon their methods in an effort to outsmart the latest cybersecurity efforts. Environmental interference like loud background noise, static, and poor connections that can muddle the quality of an audio sample. Physical impairments like respiratory illnesses, allergies, vocal cord injuries, and other conditions that may alter the sound qualities of a user’s voice. Privacy concerns around the ethics or safety of devices potentially “listening to” and capturing users’ personal communications. While some voice recognition solutions are turning to artificial intelligence (AI) and machine learning models to better understand and adapt to changes in the human voice across circumstance, these friction points and spoofability factors make the voice a less attractive biometric option than say, face recognition or fingerprints. When in doubt, choose what users will adopt At the end of the day, we at Stytch believe that the security of any given authentication method is effectively moot if users won’t adopt it. So while the tech of voice biometrics may feel like the thing of sci fi movies (and kinda fun!), we’re far more interested in the biometric methods that are gaining traction and popularity, in large part due to the pioneering work of companies like Apple, who have worked hard to make biometrics a seamless, integrated part of their user experience. Discover Stytch’s biometric authentication Stytch offers many passwordless authentication solutions as part of our comprehensive product suite, including Native Mobile Biometrics. --- # What is OAuth 2.0? Source: https://stytch.com/blog/what-is-oauth-2-0/ An introduction to the OAuth 2.0 protocol, one of the most widely used and influential authorization protocols on the web today. OAuth (which stands for open authorization) refers to a set of protocols that allow web apps to share information with each other on behalf of a user, without sharing any account credentials. In more technical terms, we can say that OAuth is a protocol that delegates access and permissions between APIs and applications in a safe and reliable exchange. OAuth 2.0 is the most recent version of these protocols. What is the history of OAuth? OAuth was jointly developed in 2006 by Twitter and Google. With near universal adoption of social media sites, developers realized that their applications would greatly benefit from letting users bring in their data from accounts like Facebook, Twitter, or Google. You’re probably most familiar using OAuth with social accounts. If you’ve ever authorized an app to access the resources in your Gmail or Facebook account, you’ve used OAuth. Examples of these authorization prompts look like: “Allow this app to add all your Facebook friends as contacts?” “Allow this app to post links on your Twitter feed?” “Allow this app to sync events with your Google Calendar?” “Allow this app to use your profile picture from Gmail?” The beauty of OAuth is its ability to let users provide access to their accounts without exposing their login credentials, and to fine tune what exactly each app can or cannot access within the others' resources. When you're able to specify which actions another app can take with your GoogleDrive contents, you're benefiting from OAuth. OAuth 2.0 roles There are four key roles involved in any OAuth transaction: the client, the resource owner, the resource server, and the authorization server. (If you've read our material on OIDC, these may seem familiar because OIDC was built on top of OAuth 2.0!) Client This is the service that attempts to obtain access to the resource owner's account or resources that are held on the resource server. This is the application seeking authorization, and is often also referred to as the application. Resource owner The resource owner is the user, application, site, or system that owns the resources the client is trying to access. This is the application granting authorization, and is often also referred to as the user. Resource server The resource server is where the resource owner hosts its protected resources or accounts on behalf of the user, or resource owner. Authorization server The authorization server is the party that makes it possible to grant authorization between different apps or services without sharing credentials. They both verify the identity of the user and send the access tokens to the client on behalf of the resource server once access has been granted. OAuth 2.0 basic flow Now that we understand the main roles involved in an OAuth 2.0 transaction, let’s look at the basic flow. Note that there are a few different OAuth flows that vary by the grant type (see below), so for covering the basics today we're just going to look at the most common – the authorization code flow. Here's how it works: Client requests access to the resource server from the resource owner. If this is something they want, the resource owner then grants access. Upon granting access, the client receives an authorization grant. The client then presents this authorization grant to the authorization server, and requests an access token. Assuming the resource owner granted access, the authorization server will then issue an access token to the client. Using their newly-minted access token, the client then requests access to the resources in question from the resource server. The resource server then passes the resources to the client. Success! Now that we have the lay of the land, let’s look a little closer at each of these steps to understand what exactly each role is passing to each other, and how. Step 0 – Client registration While the first step of a basic OAuth 2.0 generally begins with the client's authorization request, it technically begins with client registration. To do this, they’ll need three main inputs: their application name, their application website, and a redirect URI where the resource server can redirect the user after access has been authorized. These registered URIs help prevent token stealing and other attacks. Upon completing registration, the client receives two key pieces of information they’ll need for their authorization request: CLIENT ID The client ID is a public string that the resource server uses to identify the client. CLIENT SECRET The client secret is a private string that is used to verify the identity of the client with the resource server when they submit their access token in step 6. Step 1 – Client requests authorization Once registered, a client kicks off an OAuth 2.0 transaction when the client requests to access resources belonging to the resource owner. This is most commonly done by actually creating a URL for the user to click on that redirects them to the authorization server. The application makes sure this URL has all the relevant information including the client_id, the scope, the authorization grant type, and a PKCE code, if they have one. Let’s look at what all of those parameters entail (except client ID, which we just learned): SCOPE The scope defines the exact resources to which the resource owner is granting the client access. So if for example you want to give Twitter access to your GooglePhotos, the scope parameter helps ensure that Twitter doesn't also gain access to any other resources on your Google account. GRANT TYPE The grant type refers to the method used to authorize the client on behalf of the resource server, and depends both on the grant type requested by the client and the capabilities of the resource server's API. There are generally three types of authorization grants, each with their own best use cases: authorization code, client credentials, and device code. (You may also hear some OAuth literature discuss implicit and password grant types, but these are considered legacy practices and not recommended today because of various security concerns). Grant Type: Authorization Code: The authorization code grant type is the most popular among server-side web and mobile apps, as these apps' source code is not publicly available, making it easier to protect confidential information like the client secret. It is usually a simple string of alphanumeric characters. Grant Type: Client Credentials: The client credentials grant type is a bit of an outlier, as it's only used when the client is trying to access its own account, not the account of a user. This can be helpful if and when the client needs to update their information with the resource server, like their redirect URI. Grant type: device code: Device code grants are best suited to use cases where a device has no browser access (and thus is unable to meet the requirements of an authorization code grant type). Good examples of this include SmartTVs or other media devices, which have tons of apps that may want to access a user's resources, but have no ability to interact with a browser on the client's side. PKCE CODE The authorization code flow also has an extension called PKCE, or Proof Key for Code Exchange, that helps thwart cross site request forgery (CSRF) and authorization code injection attacks. In this system, the client creates a secret with each authorization request, which they then resubmit with the authorization code when requesting the access token. This helps ensure that if the authorization code is intercepted, attackers still won't be able to gain authorization without that additional secret. Step 2 — User authorizes client access When the user clicks on this newly-minted link, they will be taken to a URL with an authorization request. This is the part of this transaction we've most likely seen before, something like, "This application [aka the client] would like to access resources on your account [aka the resource server]. Do you authorize this access?" We'll proceed with the rest of this flow on the assumption the user clicks "Yes"! Step 3 — Client receives authorization grant (in this case authorization code) Once the user authorizes access, the authorization server will redirect them back to the client's application, but to a URL that includes the authorization code. Note this is sent as an HTTP request from the authorization server to the user's browser – there's no direct communication with the client's application. Step 4 – Client requests access token Once they have their authorization code, the client requests the access token from the authorization server by making an HTTP POST request, which includes the authorization code, the grant type, the redirect URI, the client ID, client secret, and PKCE code verifier if they're using it. ACCESS TOKENS Access tokens are how the client is able to make API calls on behalf of the resource owner: they prove to the resource server that the client is authorized to do and access certain resources on that user's behalf. Because they give authorization permission to whoever bears them, they are also sometimes called bearer tokens. Access tokens can come in a variety of formats, but generally consist of an alphanumeric string that is randomly generated and then securely stored with the authorization server. Some authorization servers opt for self-encoded tokens, which encode all the necessary information within the code string itself, thereby eliminating the need of a server-side database. Regardless of the token's form, it is important in every case that they are kept confidential when in transit from the authorization server to the client, and from the client to the resource server. For that reason, access tokens can only be exchanged across HTTPS connections. Step 5 - Authorization server issues access token Upon receiving this HTTP post request, assuming all of the parameters are correct, the authorization server will issue an access token (and sometimes a refresh token), along with the token type and the expiration time. Step 6 — Client requests resources with the access token With the access token in hand, the client can now request access directly from the resource server via an API call. This should be successful so long as the access token has not yet expired. Step 7 — Resource server returns the resource to the client If the API request contains all the correct information, the resource server will grant the client access to the scoped resources. And with that, we have a successful OAuth 2.0 transaction! How is OAuth 2.0 different from OAuth 1.0? OAuth 1.0, released in 2007, was the initial result of Twitter and Google's collaboration. It was largely based on two pre-existing protocols: Flickr’s authorization API (remember Flicker?) and Google’s AuthSub. After several years of developers using OAuth 1.0 out in the wild, a larger group of invested companies began discussing possible improvements. These companies included Facebook, Microsoft, Mozilla, and Yahoo!, (as well as the original collaborators Google and Twitter). In 2012, five years after 1.0, OAuth 2.0 was released. It came with some major improvements: From three roles to four In OAuth 1.0, there are only three roles, not four: the consumer (what we now call the client), the user (what we now call the resource owner), and the service provider (what we now call the resource server and the authorization server, collapsed into one). From cryptographic signatures to bearer tokens Instead of bearer tokens, OAuth 1.0 uses cryptographic signatures, in which each access token has both a public and private string, with the private string being used to sign the authorization request. Because bearer tokens don't require a cryptographic signing of every request, they're viewed as a simpler, more elegant access token solution. From one flow to several grant types OAuth 1.0 originally had three flow types, but those were eventually collapsed into a single flow that was supposed to work for all use cases – web-based apps, desktop clients, and browserless apps. But as OAuth use scaled, it became clear that this "one-size-fits-all" approach actually resulted in clunky functionality and poor user experience. Hence the variety of grant types in OAuth 2.0, that allow more tailored flows for different use cases. From long to short-lived access tokens As originally implemented, OAuth 1.0 tokens were valid for a very long time, sometimes indefinitely or up to a year (yikes!). OAuth 2.0 replaced this system with very short-lived access tokens and the option to implement longer-lasting refresh tokens – a much better way of allowing minimally disruptive session refreshes without compromising on security. Why is OAuth 2.0 important? Every person who's online today divides their resources between upwards of dozens of applications. With so many of our individual and company resources increasingly stored on the cloud, interoperability and mutual access become all the more important. But with that increased interoperability comes great responsibility, and potential security risk. OAuth 2.0 is a crucial piece of cloud-based information access and sharing because it enables for secure, scoped, delegated access. Additionally, OAuth 2.0 paved the way for OpenID Connect (OIDC), an authentication and authorization protocol that allows users authenticated in one place to gain access to resources in another (if you've ever used "social login," or logged into another app with your Google, Facebook, or LinkedIn account – you've used OIDC!). At Stytch, we offer social login for consumer-facing applications, and are on the verge of releasing our beta OIDC-based single sign on for B2B businesses. If you're interested in how these products might help streamline your developer's workload, feel free to explore our docs or talk to sales by clicking the links below. --- # Authentication vs. authorization: what you need to know Source: https://stytch.com/blog/authentication-vs-authorization/ Both authentication and authorization are critical for session management. Let's look at how they're different, and how they work together. Authentication (authN) and authorization (authZ) have a lot in common, which is why they’re often confused. Both play a key role in user identity and access management (IAM), both have a big impact on the user experience, and as words, they look and sound pretty alike. But the parallels end there. In fact, authentication and authorization serve very different purposes, though each is essential when it comes to protecting your app. Ideally, it shouldn’t be “authentication vs. authorization,” but both “authentication and authorization.” In this post, we explore the key differences between these two critical processes and explain how they work together (but separately) as part of your app’s security architecture. What is authentication? At the most basic level, authentication verifies a user’s identity, ensuring a user is who they claim to be before they gain access to an app. Typically, a user must provide one or more authentication factors (or credentials), which can fall into three different categories: Something-you-know, like a password or personal detail Something-you-have, like proven possession of a registered mobile device, security access token, or digital ID card Something-you-are, like biometric data from fingerprints, retinal scans, facial recognition, or voice recognition The authentication process Historically, the user authentication process relied on basic factors like passwords and PINs, which can cause significant cybersecurity gaps and UX concerns. (Case in point: today, over 80% of data breaches come from stolen or otherwise compromised passwords). But as the online security process has evolved and grown more sophisticated, forward-thinking companies have increasingly switched to passwordless authentication methods, like one-time passcodes, email magic links, and biometrics. Depending on your business needs and the sensitivity of the user data you work with, there’s a wide range of methods you can use to build out your authentication system. The three main types, from least to most secure, are: Single-factor authentication In a single-factor flow, only one layer of verification is required — for example, a username-and-password pair. Two-factor authentication (2FA) In a two-factor flow, a user must supply a password plus a secondary credential, which could be anything from a security question (e.g., the classic “What’s your mother’s maiden name?”) to an SMS one-time passcode. Multi-factor authentication (MFA) In a multi-factor authentication (or MFA) flow, two authentication factors or more are required. That means 2FA is considered MFA, but not all MFA flows are 2FA. Multi-factor authentication can be front-loaded at initial log in — meaning users must pass through all authentication steps at once just to enter an app — or they can be spread throughout the user journey. The latter method is known as just-in-time authentication, as it allows developers to introduce extra security steps (and thus, extra friction) only when a user attempts to access sensitive information or carry out a sensitive task, like changing payment details or viewing confidential data. What is authorization? After a successful authentication, authorization verifies what a user is permitted — and not permitted — to do within the app. In other words, user authorization processes grant access rights to specific resources and give a user permission to undertake specific actions like viewing, editing, downloading, or deleting important data. How authorization determines access control Access control, or unique user permissions, can be structured in a few different ways: Role-based access control (RBAC) In a role-based model of control, access to information is based on the user’s position within an organization. Attribute-based access control (ABAC) In an attribute-based model, access to information is limited and based on a complex series of factors, potentially including: User attributes, such as name, organization, ID, and level of security clearance Environmental attributes, such as the time or location of access or the current level of organizational threat Resource attributes, such as a file’s owner or department or its level of data sensitivity Rule-based access control (also RBAC) In a rule-based access control model, user access is determined by fixed, standardized guidelines, rather than subjective or variable criteria. Authentication vs. authorization: key points of difference There’s a common analogy used to explain the difference between authentication and authorization: think of it like an airport. When you pass through security, you’re asked to provide a boarding pass and formal identification like a driver’s license or passport. These two factors prove that you’re allowed to enter the terminal. That’s authentication. Once you’re in the terminal, the details on the boarding pass determine where you can go. For example, you can use your pass to board your plane and take your assigned seat, but if you try to get on a different flight or gain access to an employee-only area, you’ll be denied entry. That’s authorization. In addition to having separate functions, authentication and authorization differ in the role played by the user: The authentication process is visible to the user. The user can also change certain authentication settings by resetting a password, modifying security questions, or choosing to register biometric data. The authorization process is rarely user-facing. Rather, permissions are pre-set and maintained on the back end by the organization. Let’s break these differences down into one easy chart for comparison: Combining authentication and authorization with session management Authentication and authorization work in tandem to create a secure environment for both the end user and the app or website they’re using. In a standard flow, authentication comes first, followed by authorization. One component of authorization is session management, or the process of storing contextual information for a given user. For example, session management can be used to determine if a user is still logged in or if their session has expired, and it’s often coupled with permissions data about what that authenticated user can and cannot access. Typically, that permissions data is stored either with session cookies or access tokens (typically JSON web tokens, or JWTs). At Stytch, we let you use both, but if you want to dive deeper you can read our blog on the differences and tradeoffs between session cookies and JWTs. The bottom line “Authentication vs. authorization” is a bit of misnomer – both contribute substantially to your app’s IAM. Together, authentication and authorization ensure you grant secure access to the right users at the right time. Take your auth up a notch with Stytch Now that you can distinguish authentication vs. authorization, the next step is finding a security flow that fits your needs. That’s where Stytch comes in. Our passwordless product suite and breach-resistant Passwords strike the perfect balance between robust protections and a frictionless user experience. Register for a free account to begin exploring — or reach out to our team to get your questions answered. --- # What is SOC 1 Type 2? Source: https://stytch.com/blog/what-is-soc-1-type-2/ An overview of SOC reports, and the specific importance of SOC 1 Type 2 for service organizations and applications. If you’re working as or with a company that handles sensitive financial data, at some point you’re going to need to ask for — or you're going to be asked for — a SOC 1 Type 2 report. When this occurs, it helps to know what to expect from a SOC 1 report, how it differs from other SOC reports, and why it’s a good idea for any service-providing organization to have their report up-to-date and at the ready. So, let’s break it all down, starting with the basics. What is a SOC report, exactly? SOC stands for system and organization controls, formerly service organizations controls. At the broadest level, SOC refers to a suite of reports issued and overseen by the American Institute of Certified Public Accountants (AICPA). To receive any SOC report, a service provider — or any organization that handles potentially sensitive customer data and documents, including user entities' financial statements, health records, and any other private or confidential information — must pass a SOC examination or audit conducted by an independent, third-party CPA. Types of SOC reports There are three general categories of SOC reports. Each reporting option is subject to distinct AICPA auditing standards, which are outlined in their Statements on Standards for Attestation Engagements (SSAE). SOC 1 reports SOC 1 reports are financial in scope. They mainly concern what AICPA refers to as the "controls at a service organization relevant to user entities' internal control over financial reporting." In simpler terms, a SOC 1 report evaluates the systems, policies, and procedures that a financial service organization uses to manage and protect their customers’ financial data. How these systems work, and how well they work, will directly affect customers' internal controls over financial reporting (ICFR). In a SOC 1 audit, key control objectives are identified and tested for both information technology (IT) and business processes around the specific services an organization provides their customers. SOC 2 reports SOC 2 reports deal with a service organization's internal controls around operations and compliance. They test in five specific areas that are laid out in the AICPA’s Trust Services Criteria (TSC): Security Availability Processing integrity Confidentiality Privacy The security criteria (also called the common criteria) are the only required elements when it comes to SOC 2. Otherwise, the main difference between SOC 1 and SOC 2 reports is that, in a SOC 2 report, an organization can choose which other criteria to include in an audit. SOC 3 reports SOC 3 reports are far less common. They cover much of the same ground as SOC 2 reports, but with a less comprehensive approach. Typically, a SOC 3 report omits details around the specific controls at a service organization and the results of any SOC examinations. That also means that, unlike a SOC 2 report, a SOC 3 report can be publicly shared. For example, a service organization can post its SOC 3 report on their website or distribute it to potential clients as a marketing asset. SOC for cybersecurity More recently, as cyberattacks have increased in both frequency and sophistication, AICPA has developed a new SOC for Cybersecurity report. This report examines a service organization's system as it relates to their risk management program and online security practices. Type 1 and Type 2 reports Each of the above SOC categories can be further broken down into Type 1 and Type 2 reports. While each report type includes similar parameters, there are a few key differences between them. A Type 1 (or Type I) report evaluates the design of a service organization's system and its ability to achieve the related control objectives included in the audit, as of a specified date. A Type 2 (or Type II) report assesses both the design and operating effectiveness of a service organization's system and its ability to achieve related control objectives over a specific period of time — usually six months. In short, a Type 2 report sets a higher bar by examining not only the design of a service organization's system, but also its performance. Furthermore, Type 2 reports cover a longer audit period, ensuring that a service organization's controls work reliably and consistently. There are times when a service organization might pursue a Type 1 report on its own — like if they are pressed for time and just need to prove that they have certain controls in place. But generally, Type 2 reports are seen as the standard to which service organizations should be held. Meeting control objectives and criteria It should be noted that SOC reporting allows for flexibility in terms of how exactly different objectives and criteria are met. For example, when evaluating controls related to cybersecurity, any combination of safeguards and authentication methods — from passcodes to biometrics — can be used to fulfill necessary criteria. Why is a SOC 1 Type 2 report important? Putting the above points together, a SOC 1 Type 2 report attests not only that a given service organization has the right controls over financial reporting in place, but that an objective auditor has confirmed that those controls are performing reliably and effectively. In other words, it goes beyond mere compliance. A SOC 1 Type 2 report is a stamp of approval from a recognized regulatory body verifying that a service organization can be trusted to maintain the security and integrity of their customers' financial data. When should you ask a service organization for a SOC 1 Type 2 report? (Or, when might you be asked to provide one?) SOC 1 report checks are a key ingredient in strong organization vendor management programs. Ideally, you should ask to see evidence of a valid SOC 1 Type 2 report any time you outsource a financial service to a third-party vendor. For example, if you rely on an external partner or platform to handle your payroll processing, the way they handle your payroll data will have a direct impact on your own financial reports and processes. You want to know that they have solid policies and procedures in place to handle your data accurately and responsibly. Similarly, if you handle financial services on other companies' behalf, you want to be able to demonstrate the same — and you should have evidence of your own SOC 1 certifications ready to go. It's not just a best practice and part of being an ethical business partner; it's a key selling point for your organization as you work to stand out from the competition. The bottom line A SOC 1 Type 2 report demonstrates that a service provider has the right controls in place to manage financial data on behalf of their customers and to handle that data properly. Obtaining and presenting these certifications should be standard practice for all financial service organizations, and making this a universal practice will help us to build safer and more transparent partnerships when it comes to sharing sensitive data online. Learn more Stytch is committed to supporting secure, frictionless digital experiences, from robust authentication solutions to fraud and risk prevention strategies. If you want to learn more about how SOC 1 and SOC 2 reports contribute to your online security — or what they might mean for your organization — reach out to one of our data experts, and get your questions answered. --- # IdP- vs SP-initiated SSO Source: https://stytch.com/blog/idp-vs-sp-sso/ IdP and SP initiated SSO may appear similar on the surface, but a few differences result in critical vulnerabilities for B2B customers. In today's world where the average business manages 88 applications, single sign-on has become indispensable. IT professionals looking to manage their company's identity and access management, from user authentication to identity providers, rely on SSO to simplify work streams for them and the users they manage. But not all single sign-on solutions are created equally. As we covered in-depth in our B2B Auth School series, there are two main technical protocols used for single sign on today: Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). Within SAML, there are two main types of login flows: those initiated by identity providers, and those initiated with service providers. In this blog post, we'll look at the differences between these two forms of SAML single sign-on, and their implications for developers looking to incorporate SSO capabilities into their application. Recap: what is SAML and how does it work? Security Assertion Markup Language, or SAML, is the legacy standard protocol for single sign on. Specifically, SAML standardizes the exchange of authentication and authorization data between parties, most commonly for single sign-on transactions. Those parties are typically defined as: Service Provider (SP): the B2B app or website that users attempt to log into. In SAML, they receive both user identities and control user access to resources from the Identity Provider via a SAML assertion. Identity Provider (IdP): the service that maintains user identities and issues SAML responses on behalf of the B2B customer (i.e. Okta, OneLogin). Auth provider: a 3rd party or in-house auth solution that interfaces and coordinates auth flows between identity providers and service providers. B2B customer: the customers of the SP (usually a company or businesses) that wish to log into the service provider’s application with SSO, and use an identity provider for identity management. Member: also often referred to as a user, the member in B2B authentication is the end user who is a part of the B2B customer’s organization within the service provider’s app. They are the person or machine attempting to authenticate (or “gain user access”) to resources within the service provider using their identity provider. SAML standardizes transactions between these different parties through requests and responses written in extensible markup language (XML) (for a closer look at how these SAML messages work, check out our in-depth blog on SAML transactions). SP vs. IdP SSO: a crucial difference The phrases "SP" or "IdP-initiated SSO" refers to where a member begins their user authentication journey. SP-initiated: they can start their login journey with the service provider, which will then redirect them to the identity provider for authentication, OR IdP-initiated: they can start their login journey directly with their identity provider, and once authenticated they can navigate to the service provider they wish to access. While these two options only slightly alter the experience for the end user, it's the transactions behind the scenes that are crucially different. SP-initiated A member of an organization (likely an employee of a company) goes to log in to the app they want to use (i.e., the SP). The service provider then redirects that member to their company's identity provider, with a SAML request. Among other pieces of information, this request contains two key parameters: a requestID, that uniquely identifies this authentication request, and a RelayState, which can be a string of any value added to the SAML request URL. These two parameters are used later to verify that the IdP's response is in fact intended for this user and this SP. Once redirected, the member authenticates with the identity provider. After the member has authenticated, the identity provider then creates a SAML response with all the relevant information about that member (their ID, what resources they're authorized to access). This response also includes an InResponseTo field that verifies requestID, as well a separate parameter verifying the RelayState When the SP receives the IdP's SAML assertion, it checks the requestID and RelayState against the ones in its records, to make sure the correct request is being addressed by the IdP. Upon receipt and verification of the SAML response by the SP, the user is logged in. IdP-initiated Instead of going to the SP, the member begins by logging in directly to their IdP. Once authenticated, the member can then see all of the apps and resources their company has granted them access to. They select the app or service they want to use. The IdP then creates the SAML assertion, and redirects the member to the SP. Like with SP-initiated SSO, this assertion contains information about the user and resources they can access, but it does not contain a requestID or RelayState. Assuming the SP accepts the assertion, the member is then logged in. The main difference then, between IdP and SP-initiated SSO on the backend amounts to one additional redirect and two additional parameters. As we'll see in the next section, those components can make a world of difference. IdP-initiated vulnerabilities Without the requestID and RelayState in IdP-initiated SSO, there is no way for the SP to verify that the SAML assertion they're receiving corresponds to the right request. In other words, if a hacker or bad actor were to gain access to an IdP-initiated SAML assertion, they could access the member's account with the SP application, even if the member themselves did not request it. In this "man-in-the-middle" type of attack, the SAML assertion is intercepted on its way from the IdP to the SP, as follows: The member logs in directly to their IdP. Once authenticated, the member can then see all of the apps and resources their company has granted them access to. They select the app or service they want to use. The IdP then creates the SAML assertion, and redirects the member to the SP. Like with SP-initiated SSO, this assertion contains information about the user and resources they can access, but it does not contain a requestID or RelayState. The hacker-in-the-middle intercepts the SAML assertion before it reaches the SP. At this point, the hacker will either log into the SP posing as the organization member, or it can replace the IdP's SAML assertion with another that logs the member into the SP as the attacker. When the SP receives the SAML assertion, all they have to go off of are the issuer (the IdP) and the signature, which, if the hacker leaves them untampered, will appear valid. In each of these scenarios, without additional security measures, there's no way to verify this SAML assertion is in fact resulting from a legitimate member's authentication request. A SAML-only issue If you’ve read any of our B2B auth school series, you’ll know that SAML is now one of two major protocols for single sign on – OpenID Connect, or OIDC is the other. IdP-initiated SSO is not a concern with OIDC though because it is not possible with that protocol. By design and because of its direct evolution from OAuth 2.0, OIDC authentication is token-based, with identity tokens that are designed to be read and validated by the same application that made the authorization request. Even in cases where members begin the authentication process from a third party that is not the service provider (or what’s called the relying party or RP in OIDC), the member is still first directed to the RP initiation endpoint, and begins the transaction almost identically to a true RP (or in SAML’s case, SP) initiated SSO login. XML is more flexible, but as we’ve seen, that flexibility comes with risk. Protecting IdP-initiated SSO So what's to be done? There are a few steps that can be taken to thwart these attacks, but they unfortunately put the onus on the SP (and/or the SP's authentication provider): Beware the unsolicited InResponseTo The SAML 2.0 specification warns that an SP must not validate any unsolicited SAML responses they receive from IdPs that contain the InResponseTo parameter. This indicates a prior SP-initiated SAML assertion has been intercepted from the IdP and is being falsely re-used in an attempt to gain unauthorized access to the member's account. Set tight validity periods Both the IdP and the SP have the power to set the validity period (the time for which a SAML assertion is considered trustworthy or valid). Generally, no IdP should take more than a couple minutes to issue a SAML assertion, so any time longer than that and you risk leaving your application open to those attacks. Standard constraints include NotBefore and NotOnOrAfter. Replay detection In addition to setting tight expiry windows on your SAML assertions, SPs can also track which messages have already been used and prevent those from being reused by hackers. That said, replay detection does not protect against hackers intercepting unused SAML assertions. Dealing with SAML for your product Despite these vulnerabilities, many B2B customers today still prefer IdP-initiated SSO. This is in part because from their IT department's perspective, certain aspects of user identity and authentication services are easier to manage with centralized, gated, access to all their different apps and services. But this means that service providers working with these IdPs then need to work very carefully with either their in-house auth team or their auth provider to put all necessary precautions in place to protect their customers and users from IdP-initiated SSO vulnerabilities. None of the solutions above are ironclad, so it's doubly important to have dedicated conversations with your customers and your auth provider about how best to offer protection with their preferred SSO method. If these challenges sound like something you'd like to talk to an auth provider about, we'd love to chat about our own SSO solutions. --- # Announcing new pricing and self-serve options Source: https://stytch.com/blog/announcing-new-pricing-and-self-serve-options/ Stytch announces our new pricing model, designed with more tiers and support for our growing diverse base of customers. Today, we’re excited to launch new pricing tiers that will provide customers with more self-serve options along with greater transparency, flexibility, and scalability. These changes will take effect today for all new customers. For our existing contracted customers, you will continue to enjoy access to your full features and benefits at the same price. For our existing pay-as-you-go customers, you will be moved to our free self-serve tier while maintaining your full set of existing features. Specific details can be found on our website at https://stytch.com/pricing. In particular, customers will see the following changes: We’ve created a feature-packed free tier for both our B2C and B2B product suites. For B2C, all of our auth products and 5,000 MAUs are included. For B2B, all basic auth products and 1,000 MAUs + 25 monthly active organizations are included We’re introducing new, distinct pricing tiers for our B2B product offerings Self-serve upgrades and downgrades are now available in the Stytch dashboard We will be adding pass-through usage fees for International (non-US or Canada) WhatsApp and SMS passcodes, but this change will not take effect for existing customers until 8/1/23 A history of pricing at Stytch – in SaaS pricing, simplicity can become a false idol Our initial (and very basic) pricing philosophy was that simplicity > perfection. Based on our own frustrations with the incumbent solutions in the authentication market, we believed that presenting our pricing more simply than competitors’ complex, opaque tiers could absolve many of our yet-to-be-discovered pricing shortcomings. This philosophy scaled surprisingly well with us for most of the past 2 years as we brought thousands of developers, hundreds of paying customers, and millions of users onto our platform. But as we’ve grown our product suite, we’ve found that simplicity can become a false idol if it’s your primary pricing objective. Simplicity matters a lot in purchasing decisions (and it remains one of our pricing values), but overly simplistic pricing can actually harm customers. With our legacy pricing, we took the approach of offering developers two options: A pay-as-you-go self-serve tier that included all authentication products at a higher unit rate A custom contract with volume discounts, personalized pricing, and premium features We’d seen this simpler two-option approach work well with some of our favorite developer tools (e.g. Stripe), but we’ve found it doesn’t translate well from the payments market to the authentication market for a number of reasons. For us, it created unintended consequences that required a new pricing philosophy to account for our maturing product and customer base. Given Stripe's value prop as the "gatekeeper" of their customers' payments, Stripe has been able to maintain a consistent, single self-serve option for more than a decade. This fits Stripe’s business model well because payment acceptance products are always placed at the exact point of realized customer value – customers only pay Stripe when they make money. This allows Stripe to forgo a free offering and immediately start customers on a higher margin pay-as-you-go plan. And despite offering a high margin for Stripe, this is also amenable for customers because most internet businesses can easily absorb a ~3% cost of revenue for core infrastructure. For non-payments SaaS, there’s a much wider spectrum of value you’re providing to different customers, which makes a “one size fits all” self-serve tier untenable. Crafting a new pricing philosophy As our legacy pricing model started to strain in recent months, the primary culprit was the oversimplification of our self-serve tier. What started as a singular pay-as-you-go option when we had just one authentication product became a catch-all bucket for most new features. As new auth products launched, we’d roll these new features into the overall monthly active user (MAU) cost of 10 cents in our pay-as-you-go plan. Initially, we deemed this the most customer-friendly route (providing more features at the same cost meant customers didn’t have to worry about being nickel and dimed for each new feature). However, this “one size fits all” approach became a “one size fits none” approach as customer segments were using markedly different products (and receiving disparate value) but all paying the same MAU cost, regardless of the underlying cost of serving each customer. In particular, the cost to serve each customer began to diverge significantly once we launched our phone-based authentication products (SMS and WhatsApp). SMS and WhatsApp are relatively expensive rails when compared to authentication methods like email (programmatic email is a commoditized product with small unit rate costs) and social logins or biometrics (e.g. offering FaceID and Sign in with Google/Apple/Facebook/etc involve significant upfront costs but are lower marginal cost to serve thereafter). Additionally, SMS/WhatsApp are even more expensive to serve internationally. Our self-serve pricing tier first started to strain when we included these phone-based auth methods within our overall MAU rate. This decision stemmed from initially only supporting North America for these products – in these geographies, the costs were low enough to roll into the 10 cent MAU cost and maintain a healthy margin. But as we onboarded more global customers, we incurred significantly higher international SMS and WhatsApp costs. While this is a particularly salient example, we found similar issues arise as we launched other new products like B2B authentication (SSO), fraud + risk tools, extensive customization, and enterprise admin controls – rolling so many disparate features into a single self-serve tier became increasingly untenable. As both our customer base and platform has expanded over the past couple years, we want to give customers enough options to choose what works best for their needs and budget. Here are the primary changes we’re incorporating: Launching multiple self-serve tiers to better segment customer needs Our current "one size fits all" pricing means "one size fits none" - we’re launching new tiers to better segment customers into different tiers (free and paid), so they can self-select into the tier that fits their needs and budget Additional self-serve tiers reduce friction for customers to sign up with Stytch and access features without having to contact our Sales team. This means you can talk to our team on your terms and timeframes.. Our sales team is ready to assist you when your needs evolve, your company grows, and you require enterprise-grade features like bot prevention, uptime SLAs, and volume discounts. Creating a more generous free tier We’re intentionally providing far more features in our free tier than competitors, so customers can set up auth for free without hitting annoying roadblocks with feature gates. In our free tier, we’re proud to include all of our authentication methods, no admin limits, password breach detection, phishing-resistant MFA like biometrics, unlimited OAuth connections, SMS and WhatsApp OTPs, and much more. Separating B2C and B2B pricing for greater customer clarity + customization We’re excited to introduce standalone B2B and B2C pricing tiers - these distinct tiers should help minimize confusion across our feature sets. And if you do have a use case across our B2B and B2C product lines, you can manage both within the same workspace. Improving how we scale with customers We care about pricing that scales as you grow - avoiding a common practice by competitors to charge predatory pricing once you're already locked in. Our MAU costs won't scale by 5x when you want to access more features - and from the start, you can access all of our auth products, MFA, unlimited OAuth, and plenty more without being forced into a five- or six-digit contract. Passing through expensive marginal costs (e.g. international SMS/WhatsApp) to ensure cost is value aligned for all customers To lower our starting price per MAU for all customers, we’ll be passing through international (non-US, non-Canada) SMS and WhatsApp OTP costs as these costs have an outsized impact on our cost of goods sold (COGS). Historically, we needed to charge a higher MAU rate for all customers to cover these costs, which was unfair to those not sending international OTPs. Opening consistent lines of communication with customers and prospects on pricing We’ve interviewed dozens of customers and prospective customers to preview the changes, but we can’t anticipate everything. We actively welcome feedback from customers and prospects to help us determine where we need to continue iterating. Supporting customers through this transition While we made these changes with the intent of improving pricing for customers, we understand that change can sometimes be difficult, and we value the trust you've placed in us. To make this transition as smooth as possible, we are pleased to offer the following to existing customers: Legacy Pricing: For our contracted customers, you will continue to enjoy access to your features and benefits with no impact on your pricing. If you do have questions on any changes, please reach out to your Sales representative. For our self-serve customers, you will have access to your existing features, plus full access to the new free tier - including free usage up to 5,000 B2C MAUs or 1,000 B2B MAUs. As part of this transition, we will not charge any existing customers for International WhatsApp and SMS passcodes until 8/1/23. Hands-on Support: Our support team will be at your service to discuss your needs and help you select the most suitable plan when the time comes for you to transition to our updated pricing structure. Flexibility: We understand that your company’s circumstances and requirements may vary. We pledge to be as accommodating as possible to ensure a seamless transition that suits your needs. As pricing is core to your experience using Stytch, we would love to hear your feedback. If you have suggestions or concerns, please reach out to our customer support team at support@stytch.com or send us a message in our #stytch-feedback channel in the Stytch community slack. Thank you for your continued trust in Stytch. We look forward to providing you with exceptional products and services that help power your growth. --- # Make a memorable first impression with messaging from Enveloop + Stytch Source: https://stytch.com/blog/enveloop-stytch/ Learn how to create beautiful, customer emails that increase engagement and boost conversion by integrating with Enveloop and Stytch. Enveloop understands that it's not enough to have a great app – you need stellar user communications too. That's why they've created an API-first, developer-focused message builder that helps engineers create user messages as elegant as their tech. But as we know at Stytch, user communications – especially emails – can do so much more than just send copy. They can log you in, passwordlessly and seamlessly. In a new blogpost, Enveloop walks you through how to combine their sharp, easy-to-use messaging platform with Stytch's Email Magic Links, all for a smoother user experience and higher conversion. Check out the blog today! About Enveloop Enveloop is a developer-focused message builder and API that makes it easy to design & send beautiful emails and texts from your app using one simple implementation. And you don’t have to be a designer — we’re focused on making developers look awesome. Read more about Enveloop on their website, docs, or create an account to get started today. --- # Build a no-code signup & onboarding flow with Feathery + Stytch Source: https://stytch.com/blog/feathery-stytch/ Learn how to build a seamless signup flow using Feathery's visual editor and Stytch's intuitive auth platform, in just four simple steps. Feathery is a powerful form builder that allows users to deploy beautiful login and signup flows powered by Stytch, without writing code. Instead of manually coding custom UI components, state management, and Stytch API integrations, Feathery’s visual editor allows you to design the flow and configure Stytch authentication actions (magic links, social logins, etc.) directly from the editor. Check out the full guide in Feathery’s documentation or follow along below for a quickstart tutorial. How to build a no-code signup & onboarding flow Sign up for Feathery and choose a signup form template to start from. By default, your form will have test Stytch credentials enabled so you can immediately test your new signup flow. However, to use this form in your product you will need to create your own Stytch account and replace the credentials in your Feathery form settings. (Optional) You can adjust your login flow behavior from the visual editor. Adjust login methods (magic link, social login, SMS code, etc.) Edit form design Add and remove onboarding steps Congratulations! Your signup & onboarding flow is ready to integrate with the rest of your site. Follow our integration guide for step-by-step instructions on integrating your flow. About Feathery Feathery is the leading form builder for product teams, with a beautiful visual editor that allows users to launch brand-native forms and user journeys. With millions of forms served, Feathery is a scalable solution for any company. By building your signup and onboarding flow with Feathery and Stytch, you can save time and developer resources while retaining total control over the experience. Read more about Feathery on their website, docs, or sign up directly. --- # Stytch Talks with Enzo Avigo: Building a high-performing B2B sign up flow Source: https://stytch.com/blog/stytch-talks-with-june-analytics/ Discover top insights from our recent webinar on the value of optimized onboarding, with June Analytics CEO and co-founder Enzo Avigo. How do onboarding processes impact the B2B user experience? And how can B2B app developers build sign up and log in flows that maximize conversion and retention rates? These are common questions in the authentication community, and they were top of mind when Stytch’s Reed McGinley-Stempel invited Enzo Avigo to join our Stytch Talks webinar series. As the co-founder and CEO of June, a plug-and-play product analytics tool for B2B SaaS, Enzo sees first-hand the effects that frictionless onboarding flows can have on user engagement — and his professional background in product management has instilled a passion for simple SaaS solutions that are easy to use right off the bat. Missed the live webinar and Q&A? You can access a full recording of the event over on our YouTube channel. Optimizing your B2B onboarding can be a complicated lift, as there are unique considerations when it comes to managing organizations, preventing account deduplication, and implementing complex auth flows like single sign on (SSO) and multi-factor authentication (MFA), among other things. But there are certain steps you can take and best practices you can follow to ensure it’s worth your while. In this post, we recap the expert tips Reed and Enzo had to share from their respective domains of auth and analytics — so you can build smooth, secure B2B sign up flows that convert and delight. Auth is arguably the most critical investment you’ll make for your onboarding flow. It’s typically the first interaction a customer has with your app, and it has a direct impact on multiple touchpoints, from user experience and cybersecurity to product adoption. While B2B auth methods are similar to B2C — they include passwords, 0Auth logins, email magic links, and so on — considerations differ from a data model perspective. That’s because B2C flows are focused on a single user, while B2B flows ultimately serve the organization that user belongs to. Organizations tend to have distinct security needs, often requiring advanced authentication and authorization settings. They might mandate the use of SSO or MFA, implement custom session duration limits, or have several levels of user access permissions. In short, while organizations care about the user experience, they also need to have complete control over user accounts to mitigate the risk of a data breach. Reed had a few recommendations for building effective auth flows for the B2B market: 1. Meet organizations where they are on security. When it comes to B2B auth, security is relative. It’s not only about the strength of your auth flows, but whether they fit the IT architecture and policies of the organizations you serve. You want to make sure you’re providing a range of factors for different verticals and levels of data sensitivity and that you have options in place if customers aren’t yet ready to go fully passwordless. Chessly is a great example of an app doing this well on the B2C side. They offer a mix of auth factors, from secure passwords and Google OAuth to magic links and OTPs, basing their flows on customer demand to drive adoption. 2. Eliminate barriers to conversion and retention. You want to get users to not only sign up for but return to your app. That means implementing low-friction auth flows and strategically managing sessions so users don’t hit dead ends. For example, one common snag when B2B auth hasn’t been fully thought out is having a user try to join an organization, only to be told someone has already created an organization for that appdomain.com. They then have to identify the responsible team member and request access, resulting in needless friction and dropoffs — or they end up accidentally creating a duplicate account. Either way, it’s bad for business. You want to get users to not only sign up for but return to your app. That means implementing low-friction auth flows and strategically managing sessions so users don’t hit dead ends. For example, one common snag when B2B auth hasn’t been fully thought out is having a user try to join an organization, only to be told someone has already created an organization for that appdomain.com. They then have to identify the responsible team member and request access, resulting in needless friction and dropoffs — or they end up accidentally creating a duplicate account. Either way, it’s bad for business. 3. Build your auth flows to scale. If you’re still young in B2B SaaS, you’re likely selling to smaller startups and SMBs. But over time, you’ll find you’re moving upmarket for larger deals. The reality is, as an organization grows, their auth needs change. Enterprises in particular tend to have more idiosyncratic identity policies, requiring complex solutions like MFA, SSO support, SAML and OIDC, approved domains, and just-in-time provisioning. That means, even if you’re just starting out, It’s important to anticipate the need to scale your data model to accommodate these more complex tools, so they’ll just be a one-sprint effort when the time comes. As an example of the future customer headaches you can encounter in the B2B world, here’s a likely outcome when it comes to the various org-level differences 4 different customers might have in the future: You’ll also want to decide when to start upcharging, and which services that will involve. For Stytch, our first upsell was allowing bigger customers (that is, those willing to pay more) to remove the “powered by Stytch” watermark at the bottom of their auth flow, so they could own their UX and UI from end to end. 4. Auth can be a growth opportunity. As you may remember from earlier Stytch Talks, auth isn’t just a box to check — it can be a differentiator. Getting a B2B auth flow right can deliver real results. Consider Zapier, a workflow automation app that makes it easy for users to try the platform and invite other team members to join. Zapier made mild changes to their auth flow — like maximizing optionality and implementing Google OneTap (which recognizes active login sessions), ultimately increasing conversion rates by 20%. The main takeaway? If you take time to think about your customer journey and reflect it in your auth flow, you can create seamless sign up and log in experiences that improve acquisition costs and lifetime value. The role of analytics Analytics allow you to measure the performance of your sign up flow once implemented and to use real data to identify and improve critical problem points in your onboarding process. Whether you have no analytics program in place — or even if you have a mature analytics flow — Enzo had a few pointers to share around how tracking key metrics can help you move the needle. 1. Method matters. When it comes to leveraging onboarding data, the first thing to think about is the method you will use — and there are three considerations to keep in mind: Activation, or the checkpoints users need to follow to ensure they not only land on but keep using your product. These will differ depending on your product category and vision, but there’s a simple data method you can use to find them. It involves looking into your best/busiest accounts, finding patterns in the actions they take, and using those patterns to create specific milestones. With an analytics tool like June, you can even determine when (and if) users are completing milestones, so you can organize customer support, marketing, and other initiatives to ensure success. At June, for instance, milestones include checking if and when users connect to a data source, invite teammates, and load at least 10 reports in their first week. The cherry on top is having users integrate June into their workflows, which allows them to receive value on autopilot and makes the product extra sticky in their day-to-day operations. Qualifying signups. In B2B SaaS, not every signup is equal. You’re going to have a lot of users who go through your onboarding flow, but your goal is to identify the relevant signups and learn from them. There are three important insights you can glean: Where users are coming from, whether you’re capturing the source of the signup through a UTM or posting a survey that asks users where they heard about your app. It’s important to figure out how GTM channels are performing, so you can allocate resources accordingly. User segmentation metrics, including job roles and functions, levels of product expertise, or main goal(s), so you can build ideal customer profiles (ICPs) and build your onboarding, sales, and customer success processes around real data Overall onboarding success, including common problem points where users are likely to drop off, so you can take actionable steps to improve them Moving beyond conversions. When users first visit your site, they’re an anonymous number. You don’t know much about them, other than they’ve agreed to your cookie policy. But then they start to navigate your product, complete your onboarding flow, and provide you with additional information. Analytics can help you reconcile the anonymous user data with their later, identified data by ensuring you have a cross-functional setup between your website and your app. The point is, if you look beyond conversion metrics and can connect earlier touchpoints to later behaviors, you can optimize your onboarding flows to match the actual journeys your users take. 2. Onboarding flows aren’t set in stone. It’s important to always be iterating on your onboarding experiences to improve their performance. For example, at one point, June used a self-serve, forced-assist model, where users could sign up and at some point would be offered an account lease so they would take a call. They found that many users were taking calls, improving their activation, but many less-motivated users were instantly turned off. Over time, June shifted to branched onboarding, where tech-proficient users can self-serve, while others can invite someone for additional support. 3. Track user actions minimally and strategically. You can visualize a user’s onboarding journey with a funnel view by tracking the linear steps they take — but track less, rather than more. If you track too many aspects of your product, you’ll quickly lose the crucial context around a user’s actions. One suggestion is to track and compare only the first and last steps of your onboarding process. You can then assess how it’s performing by talking to other startup founders, product managers, and investors to gain a frame of reference. You can also use the user segmentation stats (outlined above) to strike an ideal balance for user stickiness. For example, you don’t want users signing up too quickly, not understanding your core value propositions, and ultimately dropping off. 4. Tracking analytics are simpler than they seem. If you’re unfamiliar with tracking, there a few main concepts you can latch onto to get started: The identify call is how you capture personal data when users first sign up for your product and initiate your onboarding. From a technical standpoint, it’s a couple of lines of code that you insert in your sign up flow, including any data points you think are relevant — like email address or job title. The track event is the equivalent of a tag in Google Analytics. Basically, it’s a line of code that records if and when a user takes a specific action in your product — like clicking a certain button. Web to product analytics reconcile data on how and when users traveled from your site to your product. Most tracking tools have well-crafted documentation in place to help you through this. Finally, it’s important to balance your desire for information against your users’ desire for low-friction flows. There’s a limit on how much you can ask at onboarding, and a good rule of thumb is to keep it to 2 screens and 2-3 questions — especially if you can capture this data in other ways. Also, make sure you’re providing a backdoor for users to skip questions if they wish, so they’re not just entering random answers (and skewing your data) to move forward. The key takeaway here? First-party data can yield some surprising and fruitful results — and help you enhance your sign up and onboarding flows for greater conversions and engagement. For example, June found that adding sharing options to the beginning of an onboarding flow, when users are still very excited about a new product, led to around a 15% uptick in user invites and an overall stickier organizational relationship. Ultimately, data means knowledge, and knowledge means power over your UX, so you can build secure and frictionless flows that sustain and grow your business. Want to learn more about optimizing your B2B SaaS sign up flow? You can contact our panelists by emailing Reed at reed@stytch.com or reaching out to Enzo via LinkedIn. You can also watch a full recording of the webinar on YouTube — including a lively Q&A that addresses “aha moments” in onboarding, the build-versus-buy auth debate, and how to prioritize (and eventually monetize) the features your users want. If you’re interested in learning other B2B SaaS best practices, check out our larger B2B Auth School series. --- # An engineer's guide to mobile biometrics: event- vs result-based Source: https://stytch.com/blog/biometrics-event-vs-result-based/ An engineer's deep dive into mobile biometrics, part two: looking at the implications of event- vs result-based architecture. At Stytch, we uncovered a variety of interesting challenges and oft-overlooked choices when building our mobile biometrics product. Each problem required us to think deeply about security implications, architecture, and mobile development patterns. We discovered, unsurprisingly, that when it comes to mobile biometrics, the devil really is in the details. This is the second post of a three-part series on mobile biometric authentication. We’ll share what we learned and experienced throughout the development process. This content is intended for engineers or folks interested in diving deeper into mobile biometrics implementation. In this post, we’ll cover different types of mobile biometric architectures and the significant security implications that come with them. Part one | An engineer's guide to mobile biometrics: step-by-step Part two | An engineer's guide to mobile biometrics: event- vs result-based Part three | An engineer's guide to mobile biometrics: Android Keystore pitfalls and best practices Table of contents What is the application sandbox Event-based vs. result-based architecture Why event-based architecture is less secure Security implications and tradeoffs Security without the hassle What is the application sandbox For local storage, most mobile applications today rely on the application sandbox. The application sandbox is a per-app, isolated system environment that separates and protects each app's filesystem, manages access to system resources, etc. It allows mobile apps to store information between app lifecycles (aka between killing an app and starting it again, or between phone reboots). This data, in an ideal world, is only accessible via that application, and allows the app to maintain state across lifecycles. Because access to the data is scoped exclusively to an application, apps should be able to store sensitive data in the application sandbox in order to persist user sessions, and perform other sensitive actions that improve user experience. Read about the app sandbox for iOS and Android Why does the application sandbox matter for biometrics? It matters because nearly every implementation of native biometrics in a mobile application is going to rely on local storage to some degree in order to store and access credentials to authenticate. The requirement for local storage plays a crucial part in assessing the security of mobile biometric architectures. Event-based vs. result-based architecture While there are many nuances to how a developer can implement a biometric authentication system, there is one important decision to be made from a binary set of options: will the architecture be event-based or result-based? Event-based biometrics Event-based biometric authentication is an if-else gate that depends on whether or not the user can pass an agnostic biometric prompt. The application raises a biometric challenge, and after a “success” response, authenticates the user using some data (such as a long lived session token or even username/password) stored locally in the application. Result-based biometrics Result-based biometric authentication relies on hardware-backed biometric APIs to generate cryptographic keys that are only accessible via biometric authentication. These keys are not only stored in the application sandbox, but also gated behind a biometric challenge the operating system enforces. The application must pass a biometric challenge in order to gain access to the cryptographic keys. The application can then authenticate the user in a number of ways: Use the unlocked key to decrypt and send locally stored credentials (such as a long lived session token or username/password) to the application’s backend. Use the key to sign a cryptographic challenge generated by a pre-registered public key, which is derived from the biometrically-protected secret key on the device (similar to a WebAuthn flow). Either way, user authentication within the application depends on access to the cryptographic key stored on-device that is only accessible via biometric authentication. Result-based biometrics open source code in Stytch’s Android SDK Why event-based architecture is less secure Event-based biometric authentication is less secure primarily due to its returning a boolean value. By acting as a simple pass or fail gate, the implementation logic creates two vulnerabilities: It can be spoofed and bypassed by injecting the “success” code or by changing the return value. It stores sensitive information somewhere in local storage insecurely without proper encryption: whether that is a long-lived session token, user credentials, or even a secret key used for cryptographic data signing. Result-based biometric authentication, on the other hand, is inherently encrypted. In order to breach it, a much more sophisticated attack is required – for example, injecting into the app right after the cryptographic key has been decrypted into application memory – as opposed to simply reading from the application’s local storage like with event-based architecture. Security implications and tradeoffs Are the security vulnerabilities exposed by event-based biometric flows critical vulnerabilities for any app? Only you can decide what security requirements and risks are acceptable for your application. Let’s further dissect and weigh the tradeoffs and pros and cons between result-based and event-based architecture. MASVS L1 and L2 security levels If a biometrics implementation is event-based, it means that some kind of sensitive data is being stored insecurely on the device. However, that data is theoretically still exclusively scoped to a single application because of the application sandbox. So, in what scenarios does event-based architecture truly result in a security vulnerability? This includes but is not limited to attacks such as: Data extraction via forensics software Data extraction via iTunes or adb backup files Code instrumentation tools like Frida that are used to manually trigger the “success” flow A bad actor gains root access to the device The Open Worldwide Application Security Project (OWASP) defines multiple layers of security in the Mobile Application Security Verification Standard (MASVS). L1 (Standard Security) is recommended for all mobile applications. L2 (Defense in depth) is recommended for industries like healthcare, finance, and other applications that have access to user’s sensitive data. R (Resiliency Against Reverse Engineering and Tampering) is for institutions that need cutting-edge state-of-the-art security like banking and government agencies. OWASP MASVS verification levels (source) Event-based biometric architecture does meet L1 standards, as it only exposes sensitive data in the event of a second layer vulnerability – so event-based architecture itself does not pose a security vulnerability. But, only a result-based biometrics flow would be considered secure enough for mobile applications aiming to meet MASVS L2 security requirements – which is non-negotiable if your application handles sensitive user information. Adding new biometric factors Do you want to allow biometric factors added to the device after the initial biometric factor (either face or thumbprint) was enabled in-app to have access? With event-based architecture you can’t control this – you must allow all biometric factors registered with the device to have access, or none. With result-based architecture, you can decide whether or not future biometric factors added to the device can be used to authenticate in your application. Implementation Another element, ever-present in all engineering decisions, is ease of implementation. This is where event-based has the edge. There are a plethora of event-based biometric authentication libraries publicly available, and fewer complexities to consider when implementing. Result-based architecture on the other hand requires in-depth knowledge of iOS and Android mobile architecture, data encryption/decryption, and native biometric APIs to implement, and the solution is inherently more complex. Security without the hassle At Stytch, our customers trust us with their authentication and expect intuitive, frictionless application interfaces. Our internal mobile biometric solution is result-based, so developers can be sure that their application and users are receiving a higher degree of security. On top of that, implementing biometric authentication for your application is as simple as accessing a handful of methods exposed by Stytch’s mobile SDKs. Our customers get the sophisticated security of result-based architecture, but with the ease of implementation afforded by our dev kits. Next up in the series, we’ll walk you through building biometric authentication within the Android operating system. With such a large and diverse ecosystem, you need to consider all the pitfalls and gotchas in order to support a secure and stable mobile biometric implementation. Not ready to build mobile biometrcs from the ground up? Try Stytch’s mobile SDKs for iOS, Android, or ReactNative, and get started with mobile biometrics with just a few lines of code. Check out our career page if solving problems and reading topics like this interest you! --- # An engineer's guide to mobile biometrics: step-by-step Source: https://stytch.com/blog/biometrics-step-by-step/ An engineer's deep dive into mobile biometrics: how they work, how to implement them, and key decisions and pitfalls along the way. In 2013 Apple introduced TouchID, marking the first integration of biometric authentication into a major commercial product. Since then, biometric technology has rapidly accelerated. As of 2022, 80% of smartphones now have biometrics enabled. Today, biometric technology is the de facto standard for mobile authentication. At Stytch, we uncovered a variety of interesting challenges and oft-overlooked choices when building our mobile biometrics product. Each problem required us to think deeply about security implications, architecture, and mobile development patterns.  This is the first post of a three-part series on mobile biometric authentication. We’ll share what we learned and experienced throughout our development process. This content is intended for engineers or folks interested in diving deeper into mobile biometrics implementation. In this post, we’ll cover how mobile biometric authentication works end-to-end, how to build it with code examples, and what you need to consider during development. Part one | An engineer's guide to mobile biometrics: step-by-step Part two | An engineer's guide to mobile biometrics: event- vs. result-based Part three | An engineer's guide to mobile biometrics: Android Keystore pitfalls and best practices Table of contents What are mobile biometrics Why use mobile biometrics How mobile biometrics work as an auth factor How to build mobile biometric auth with example code What else you need to know A great authentication choice What are mobile biometrics? In the field of authentication, we generally talk about auth factors as breaking down into three categories: Something-you-know (SYK) Something-you-have (SYH) Something-you-are (SYA) Historically, digital authentication has relied heavily on something-you-know in the form of passwords and PINs. More recently, something-you-have has also become a common tool via the introduction of devices like YubiKeys and auth methods like TOTP. Though biometrics have existed in some form for a number of years now — think fingerprint readers, iris scanning tools, DNA testing — these “something-you-are” technologies were predominantly an expensive on-premise tool used for the highest levels of security or the futuristic props of sci-fi movies. But with the advent of smartphones, biometrics have become widely accessible to everyday technology users. A biometric fingerprint scan is used to get into one’s home in Total Recall (1990), a science fiction film If you want a comprehensive history and high-level overview of biometrics, also check out our All about biometrics post. Why use mobile biometrics? Biometrics are generally an ideal authentication tool for both companies and their users: they are fast, easy to use, and are highly resistant to attacks from bad actors. Users love the speed and ease of use as they allow them to do what they want quickly (vs. spending extra time authenticating) and without trying to remember the complex password they were forced to enter when signing up. Businesses, by the same token, want their users to spend time in their applications utilizing or purchasing their products and want to avoid the conversion issues associated with many other authentication factors. Both users and businesses appreciate the higher levels of security associated with biometrics. Not only are biometrics great in the ways listed above, they are also highly useful because users tend to have their smartphone (a portable biometric reader) everywhere they go. That said, as the general populace has used biometrics more often, minor inconveniences have become more obvious — namely the fact that, due to the nature of how this information is stored (more on this later), biometrics are limited to the specific device on which they’ve been registered. If a user switches from their iPhone to an unregistered device like their iPad or to their Macbook, they will have to authenticate through other means like username/password (yuck) and re-register biometrics on that device. In addition to its benefits, an engineer must account for all the pitfalls and inconveniences when implementing mobile biometrics for primary authentication. A note: passkeys provide the benefits of biometrics while circumventing the historic device-specific limitations of mobile biometrics, and as a result are gaining traction. How mobile biometrics work as an auth factor Biometrics on mobile devices work by locally storing a user’s biometric data, like a fingerprint or face scan. This is stored and managed by the operating system, and your biometric data never actually leaves the device. Because biometric data is never transferred over the wire, users needn’t be concerned about a man-in-the-middle attack wherein a bad actor could steal their biometric data and later use that to authenticate as that user. The operating system uses these scans to confirm “device ownership” at the time of need via a biometric prompt where the user’s face/finger is compared to the stored value. The system can use the result of this biometric check in one of two ways: To return a verdict of pass or fail, acting like a gatekeeper. To return some form of associated data like a credential or cryptographic key. This choice has major security architecture implications (which we will cover in depth in the next article of this series). In many cases, you’ll want to go with the second route of storing data behind the biometrics prompt (which is the route we’ve chosen here at Stytch), because it strengthens security by requiring additional user interaction in order to use the associated data. After making a decision, you must also determine what kind of data you want the system to store behind the prompt. Your options are generally between: Storing credentials themselves (username/password), or Storing an asymmetric key pair so the device can perform public key authentication with the server (challenge/signature). At Stytch, since we are an auth platform that offers customers myriad authentication options, we can’t guarantee that a user will consistently have credentials like a username and password. Because of this, we chose instead to provide the ability to register a public key for a given user and utilize public key authentication as the backing mechanism to power our biometrics product. In practice, the full end-to-end mobile biometric authentication flow looks something like this: How to build mobile biometric authentication with example code To implement biometric authentication on iOS, we can walk through the following example code step-by-step: The first thing you’ll need to do when you initiate authentication is retrieve the data stored with your key, in this case by calling 'keychainClient.get(privateKeyRegistration)'. In this example we’ve stored a single private key for biometric authentication behind a `.deviceOwnerWithBiometrics` access policy. This forces the system to challenge the user with a biometric prompt prior to returning the associated data. After we’ve retrieved the data, which is an array of bytes representing the private key, we can use that to derive the public key. 'cryptoClient.publicKeyForPrivateKey(privatekey)'. We can then send the public key to our server to allow the backend to look up the user associated with the public key and return a challenge for the client to sign. Upon receiving the challenge, we can sign it with the private key, 'cryptoClient.signChallengeWithPrivateKey(startResponse.challenge, privateKey)', and return the signature to our servers in a final `authenticate` call. Once the server can verify the signature is valid, it can issue a session for that user and return the session information in the response. What else you need to know Once you understand the overall mobile biometric auth flow, you’re ready to get into the weeds. To actually implement mobile biometrics, you’ll also need to factor in a few important decisions during development. 1. Choosing a signing algorithm When you’ve settled in on using public-key cryptography, you’ll notice there are many algorithms and curves to choose from, leaving you with yet another difficult choice. Generally the industry is moving away from RSA and DSA and toward misuse resistant and deterministic elliptical-curve-based signature schemes. These are not areas where you want to roll your own solution, so you should leverage hardened libraries provided by the system or by an industry supported vendor and maintainer. RFC sources for each signature family: RFC 4056, RFC 6979, and RFC 8709 For this reason, Stytch chose Ed25519 signatures, from the family of EdDSA signature schemes. We utilize the system-provided CryptoKit library on iOS andindustry-trusted BouncyCastle library on Android. 2. Falling back to the device PIN code As was mentioned above, the operating system treats biometrics as a means of determining device ownership. There is, however, an alternative way to confirm device ownership — namely falling back to the device PIN code. For the purposes of biometric authentication, we must choose whether we believe the PIN code is sufficient to access the data secured by biometrics. To explore this further, let’s think about certain scenarios a user might encounter: Imagine a user is on a roadtrip with friends and their phone is playing music for the car. The device owner may choose to share their PIN with their friend to allow them to adjust the music. They are likely OK with providing access to their music player; however, there’s a good chance they’d frown if that same PIN gave their friend full access to their banking app. You can imagine a similar situation with a parent providing their young child with the PIN to their phone — similarly, they would likely want to restrict their child from being able to make expensive purchases with their PIN. At Stytch, we’ve chosen to default to proof of device ownership with biometrics, with the ability to override this choice if it’s safe for their application to do so. We want our customers to make the safe choice by default and allow overriding that default only if they’ve explicitly decided that falling back to PIN is a safe choice for their data and their application. As general guidance here, access to financial, medical, and other sensitive info should almost certainly stick with the more secure default choice. In cases where an application is storing less sensitive data, and a streamlined fallback like device PIN is desirable for ease of use or conversion reasons, that may be a case where overriding the default is a good option to consider. 3. Local storage and operating systems Whether you are storing credentials or asymmetric key pairs, the data stored in these transactions are sensitive and need to be persisted in some form of secure storage. The local storage options and details will be specific to the operating system your application is running on (or the framework you’re using as a go between); namely, iOS and Android, or React Native. iOS On iOS, this choice is straightforward: the Keychain is the tried and true method of securely storing small bits of data on behalf of the user. Not limited to just passwords, the Keychain can not only save information a user explicitly cares about, such as credit card information, but also items the user needs but may not be aware of, like the cryptographic keys we need to enable secure communication for our mobile biometric authentication flow. ANDROID On Android, however, the choice is a bit more complicated. The Android landscape is much more fragmented since there are multiple options for storage (flat file stored in sandbox, preferences, or database). Some secure guarantees may not hold up on certain devices or versions of Android. A good option that works safely and consistently (and the option we’ve chosen here at Stytch) is to use SharedPreferences in conjunction with the Keystore. You can generate and use a key from the Keystore to encrypt the data stored in shared preferences, and can manage access to encryption Keystore keys to ensure they are secured via biometrics. REACT NATIVE React Native, given it covers both iOS and Android, has to consider both of the scenarios described above. You may be able to utilize existing libraries which abstract these concerns, though if these don’t meet your needs, you can also create your own “native module” and handle platform-specific code in a more custom manner. At Stytch, we decided to go down this path and to leverage slightly-modified versions of our iOS and Android solutions in a custom native module. A great authentication choice When it’s all said and done, it’s difficult to come up with an authentication flow use case where biometrics would not be a good choice for your application. It’s convenient, easy to use, and is both safe and trusted by consumers. Next up in the series, we’ll break down the two different mobile biometric architectures that use the application sandbox. This choice of architecture, which we alluded to earlier in the How mobile biometrics work as an auth factor section, has a major security impact on mobile biometrics. Not ready to build mobile biometrics from the ground up? Try Stytch’s mobile SDKs for iOS, Android, or React Native, and get started with mobile biometrics with just a few lines of code. Check out our career page if solving problems and reading topics like this interest you! --- # Introducing B2B Authentication Source: https://stytch.com/blog/introducing-b2b-authentication/ Introducing B2B Authentication Today, Stytch is excited to introduce our authentication suite for business-to-business (B2B) companies, complete with SSO (both OIDC and SAML), built-in organization-based tenancy, and platform staples our business-to consumer (B2C) platform is known for like breach-resistant passwords and passwordless auth options like email magic links, SMS one-time passcodes, and OAuth. The importance of authentication for B2B applications Authentication is a critical requirement for B2B applications to successfully grow their customer base. The authentication and authorization requirements that your business customers need only grow in number and complexity as you move upmarket and sell to larger customers. Enterprise customers require more advanced controls and capabilities to manage provisioning of user accounts, control user access and permissions, and mitigate any security risks tied to their users’ accounts. When a business has a need for specific authentication features – whether it’s SSO, controlling how members can join an Organization, or something else – these are hard requirements that can become dealbreakers, especially for enterprise customers. B2B applications need to be able to support these authentication requirements in order to win these customers and scale successfully. Current challenges with B2B authentication When compared to B2C authentication, B2B is much more complex. It requires: More complicated data models that are built around organizations and members instead of users Handling provisioning/access/permissions for users across different organizations Providing unique authentication settings for each B2B customer while still ensuring security at scale These complexities mean that B2B auth is much more difficult and time-consuming to build in-house: to achieve even the basic requirements of B2B authentication, in-house developers need to build a multi-tenancy data model from the ground up, in addition to key infrastructure and features like SSO, organization auth settings, invitation management, and more. At the same time, existing solutions fall short: they lack the foundational data structures necessary to build scalable B2B authentication. In fact, until now, no B2B authentication solution on the market has offered organization tenancy (also known as “multitenancy”) built into their data architecture. Instead, they offer what is fundamentally a B2C architecture with a few B2B elements tacked on. Why is this such a big deal? By failing to build this structure into their B2B product from the beginning, the onus of building and maintaining this incredibly complex architecture falls to your eng team. Not only does this tax precious developer resources, it also often results in under-informed decisions that can have big downstream effects when new edge cases inevitably arise as your business grows and your authentication needs evolve. How companies handle things like org and member definition, onboarding and provisioning, or the relationship between email domains, Identity Providers, and organizations can each become big obstacles for your business. They ultimately require significant rebuilds as B2B companies take on bigger, more complex customers, each of whom will likely expect unique specifications / settings for their organization. Without an organization-first data model built in to your authentication architecture, these customizations will require custom code and constant painful revisions to your backend systems. Providers like Auth0 will tell you their solution simplifies the developer experience, but that simplicity is only skin-deep. Without an organization-first data model at the core of their product, they ultimately create pain points both for developers and end users that cost more time and money to resolve. At Stytch, we decided to do things differently. The only organization-first authentication solution In light of the gap in the current B2B authentication market, Stytch decided to build an organization-first authentication solution, with organization-based tenancy built directly into our data models. What this means is that our architecture is built with a membership model in mind – a critical requirement for building scalable, flexible B2B authentication. In contrast with a B2C data model, which is built entirely around the concept of an individual user, an org-first data model is built on the presumption that all users are members of an organization. Unlike a B2C app in which a user is the sole owner of the resources in their account, members of organizations must establish and verify not just their identity, but their membership in the organization. Apps must also orchestrate how members are invited to organizations, and how their permissions and accessible resources within that organization are governed. In case it’s not evident in the description, that’s a very different and more difficult data model to build, and it is fundamental to B2B authentication. What’s more, as many B2B companies find as they scale, their enterprise customers expect to be able to set custom member invitations, provisioning, and authentication factors that are unique to their app. Without an org-first data model, it’s impossible to offer these customizations without ripping out your data model and building it from scratch. Authentication capabilities that organizations often want to offer and customize include: Organization creation & onboarding Approved domains and login methods (including enterprise auth factors like passwords, OAuth, etc.) Setting up single sign on connections (both OIDC & SAML) Member creation settings (invitations, just-in-time provisioning, etc.) Session length Stytch’s org-first architecture makes all of these settings easy to customize and set by organization. This is incredibly important for companies that want to scale (and really, what company doesn’t?), because enterprise companies have more idiosyncratic, tailored demands of their vendors, especially when it comes to things like auth and SSO. Benefits of the org-first approach Without an org-first approach, developers who buy B2B auth from current market solutions like Auth0 still have to build the features described above themselves. With Stytch’s solution, they come out of the box: you simply have to integrate our solution and set up how your customers will leverage those features. Stytch enables all the key requirements for B2B authentication – organization management, invites, approved domains and logins, SSO, etc. – right from the start. No superfluous assembly required. By virtue of all the core B2B features an org-first architecture enables, we believe our approach to B2B auth uniquely delivers three outsized benefits to our customers: It saves valuable developer resources: An org-first data model not only saves your developers time in the short-term, it saves them headaches in the long run too. An org-first model can handle all the various auth requirements a B2B company may encounter with their customers. And as your business grows to take on more enterprise clients, the various edge cases and unique auth demands will only proliferate. Stytch’s data model is ready for any of these scenarios, making them incredibly easy and time-efficient to set-up. It offers more fine-grained customization and features: B2B auth is not a one-size-fits-all solution. Depending on their size, industry, end users, and any regulations they may be subject to, B2B customers have requirements for the end user experience and security they want to provide for their customers. An organization-first architecture allows your platform to build and offer enterprise-level customization for authentication so each organization can have fine-grained control over their authentication experience. It empowers developers to provide a better end user experience: By simplifying the work developers need to do on the backend, Stytch makes it easy to build a good B2B auth experience. With features like invitations, organization discovery,organization switching, and account deduplication built into our platform, our B2B solution avoids all the pitfalls and provides the key capabilities that help you deliver a delightful and effortless end user experience. In sum, Stytch’s org-first solution offers a vastly different product and developer experience than anything else on the market: an unparalleled depth and range of auth capabilities out of the box, greater flexibility so you can offer a tailor-made auth solution for your customers, and the ability to customize the exact experience you want for their end users. On top of all of this, our customers get the same great service we offer with our B2C product. Start building for free Interested in seeing how Stytch can accelerate your B2B product? Check out our docs and start building for free today. And if you have any questions, feel free to contact us at support@stytch.com or schedule a chat with a member of our team. --- # Stytch events with Orb: securing and pricing AI products Source: https://stytch.com/blog/stytch-orb-securing-and-pricing-ai-products/ Stytch got together with Orb to discuss the future of AI – how to build great products in this space, and how to protect them from fraud. As AI takes off, there’s a lot to be excited about. Incorporating AI is already allowing companies of all sizes to delight users, make their products stickier, and generate new revenue streams. However, as companies start to productionize AI, they also need to ensure their products are priced in a way that still allows for viable unit economics, and are secure against a quickly evolving threat landscape. In our recent fireside chat, Stytch co-founders Julianna Lamb and Reed McGinley Stempel sat down with Alvaro Morales, the CEO and co-founder of usage-based billing company Orb, to chat about some of the pricing and security challenges that companies need to consider when incorporating AI into their products. We’ve highlighted a few of our favorite takeaways from the discussion. 1. In the long run, you’ll need pricing that scales with your costs. "If you look at OpenAI, they charge ~$0.0004 per thousand API tokens, whereas Notion adds an $8 per member per month add-on to leverage all of their AI capabilities. In the long run, OpenAI’s pricing is better positioned to account for an increase of costs that come with scale, whereas Notion’s flat fee could leave them vulnerable to decreasing margins over time." If we look at typical industry benchmarks, most application-level software companies are expected to have around an 80 to 85% gross margin profile. Most infrastructure-level companies hover at around 70% or above margins. This makes sense if you're an application-level software company that can take advantage of capabilities like multi-tenancy: the marginal cost of delivering software is generally quite low. But AI has a rather unique cost structure that adds a few dimensions to cost: Models: First, there’s a cost that comes from the foundational models that you're leveraging to power these capabilities. This could be calls to the API where you're being charged on a token basis, or it could be the hosting cost of deploying an open source model. Training: AI companies also need to consider the cost of training and fine tuning their models. If you’re taking a powerful foundation model and adapting and tailoring it to your individual use case, that requires some significant compute costs. Operations: This is the DevOps analog in the AI space – something you might call “ML Ops” or “AI Ops.” AI companies need these operations to deliver an enterprise-grade, production-ready service over time, but it certainly doesn’t come free. Given these three cost factors, as an AI feature is adopted more and more, it will hurt a company’s margins if their pricing doesn’t adjust with scale. 2. In the short term, don’t be afraid to experiment with pricing. There can be a lot of anxiety around how to approach pricing in the new AI landscape. But we think a lot of this anxiety can be reduced if companies approach this initial phase with an attitude of experimentation, learning, and iteration. "It's a common pitfall in software that companies delay pricing changes for a long time. This often leads to a massive, painful change management effort to raise prices to catch up with the value being delivered. Instead, I believe it's more effective to make pricing an iterative and ongoing exercise. As you add new AI capabilities and the value of your product changes rapidly, you might want to start experimenting more." Alvaro Morales Co-founder and CEO, Orb If we look back to the Notion example, it makes sense that they’ve started with a relatively simple pricing model – the more interesting question is how they’ll evolve it. In this initial phase, they can learn a lot about the value they can derive from adding new AI capabilities. Based on customer engagement, they can examine how AI features impact customer retention, churn, and lifetime value, and experiment with the improvements and features that will make their AI features stickier. To get to the heart of these questions, it makes a lot of sense to start with pricing models that get customers on board as quickly as possible. The first six months to a year when companies introduce new AI features is not necessarily the best time to optimize for margins. Instead, it’s the time to study and experiment: as companies learn, they should not shy away from experimenting with their pricing alongside experiments in the product. 3. Be aware of new attack surfaces introduced by adding AI features. Introducing AI definitely introduces new potential revenue streams, but it also adds new attack surfaces to your products. One major risk is the threat of reverse engineering. For example, when working with customers like You.com and Hex, Stytch discovered the surprising economic incentives to reverse engineer apps that incorporate AI functionality. One example of this in action is GPT for Free, an open-source project on GitHub. It has gained over 30,000 stars, and it focuses on reverse engineering sites that offer AI capabilities. The motivation behind this attack is to fool the site into thinking that a bot is a real human user, thereby exploiting the valuable AI feature without paying for it. This is particularly relevant because serving AI features is expensive but relatively fungible, allowing attackers to monetize API endpoints and get free API usage. However, the most interesting attacks are carried out on sites not listed by GPT for Free, because they’re performed by individuals who haven't open-sourced their methods. For instance, one of Stytch’s clients recently discovered that 20% of their traffic, consisting of millions of fingerprints per day, was from headless browser automation. Even bot mitigation tactics like CAPTCHAs are easy to bypass with tools like anti-captcha.com. For attackers, it’s worth it to pay a small fee to get past a CAPTCHA, because they can extract significant value from reverse engineering AI APIs. This threat is quite technical, but often overlooked when organizations focus on product features and use cases, neglecting the adverse impacts and security risks associated with incorporating AI resources. Thankfully, there are tools that can help, like Device Fingerprinting. 4. Consider future security considerations around autonomous AI. Another trend to watch is the rise of autonomous AI agents, like the project AutoGPT. Unlike with Chat GPT, where you're always in the loop, AutoGPT allows the AI to prompt itself. This means that, given a broad directive, the AI agent can carry out the tasks independently. This new kind of AI potentially overhauls everything we’ve come to take for granted about user/computer interactions: what things should an AI agent be allowed to do on our behalf? How does that change depending on the service? Sure, you might let an AI agent book the best flights for you based on your schedule, but would you let it, say, refinance your mortgage? More importantly, how do those permissions get set and managed? Today, we have something called role-based access controls, or RBAC, that designates permissions and actions by user. But if every user is now comprised of one human being and one or several AI agents, that introduces new constraints these human-based systems need to account for. Although we're not seeing security pitfalls from this yet (the technology is still very new), we're intrigued by the underlying trend. It introduces some interesting ideas around authorization and fraud detection that will only become more prevalent as the technology catches on. Interested in learning more? If you’d like to dive deeper into AI, check out Stytch’s piece in TechCrunch about securing AI applications. You can also follow Stytch and Orb on Twitter to get a heads up about future events. About Stytch: Stytch is a developer-first authentication platform with solutions for B2C and B2B, including breach-resistant passwords, passwordless auth flows, MFA, SSO with SAML and OIDC, and fraud and risk protection. Learn more at stytch.com. About Orb: Orb is a modern pricing platform that helps companies automate billing for seats, usage-based consumption, and everything in between. Learn more at withorb.com. Our thanks to ChatGPT for drafting the initial version of this blog post from an AI-generated transcript. --- # An engineer’s guide to mobile biometrics: Android Keystore pitfalls and best practices Source: https://stytch.com/blog/android-keystore-pitfalls-and-best-practices/ In this article, we’ll show you the best practices and pitfalls when implementing mobile biometrics in the Android ecoystem. At Stytch, we uncovered a variety of interesting challenges and oft-overlooked choices when building our mobile biometrics product. Each problem required us to think deeply about security implications, architecture, and mobile development patterns. We discovered, unsurprisingly, that when it comes to mobile biometrics, the devil really is in the details. This is the third and final post of a three-part series on mobile biometric authentication. This content is intended for engineers or folks interested in diving deeper into mobile biometrics implementation. In this post, we’ll build on the result-based architecture concepts of the last post and look specifically at some of the idiosyncrasies of the Android ecosystem, and how to prepare for and build around those. Part one | An engineer's guide to mobile biometrics: step-by-step Part two | An engineer's guide to mobile biometrics: event- vs result-based Part three | An engineer's guide to mobile biometrics: Android Keystore pitfalls and best practices Table of contents Insecure mobile biometrics in the wild Context on the Android ecosystem Recap: result-based architecture and key configuration The CryptoObject Tink, BouncyCastle, and the Keystore Android Keystore support Empower the developer Concluding thoughts Insecure mobile biometrics in the wild Given how mature the Android ecosystem is, you might assume there would be a well-defined and easy-to-follow path to build secure authentication for mobile applications. You might also assume that most security-focused products (like banking applications!) would be using best practices to guard against common vulnerabilities and threats. But when it comes to authentication, the only way to validate your assumptions – of what is or isn’t secure – is by testing it yourself. As part of our research into the Android ecosystem when building our mobile biometrics product, we tested biometric authentication flows for dozens of popular mobile applications. Our testing focused on applications with large usership and a variety of use cases, including healthcare, social media, sportsbooks, insurance, trading, banking, and other high-security industries. We found that 50% of the Android apps we tested failed to meet OWASP’s AUTH-2 security standards. And according to F-Secure Labs, “about 70% of the assessed [Android] applications that utilized fingerprint authentication were unlocked without even requiring a valid fingerprint.” Context on the Android ecosystem Android biometric stack (source) You may still be wondering what makes Android so special as to warrant its own dedicated blog in our biometric series. The answer is – it’s fraught with pitfalls due to a complicated history. Unlike competitors like Apple, the Android ecosystem was initially designed to grow via open, fairly unregulated access. The thought was the easier Google made it for Original Equipment Manufacturers (OEMs) – think Samsung, Motorola, LG, OnePlus, etc. – to build on the Android OS, the quicker they could capture mobile market share. As a result, for the first decade or so of Android’s existence, what it meant to “be an Android” was a bit of a wild west. Each OEM could make significant software modifications and tweaks to suit their product line, with little oversight or regulation from Google. As a downstream effect of this open approach, whenever Google pushed a patch or over-the-air update (OTA), many OEMs couldn’t deploy them without significant adaptations and resourcing, creating a very uneven and unpredictable ecosystem with idiosyncrasies and bugs specific to each phone manufacturer. Around Android 8, Google began to crack down on the use of Android OS, creating tighter restrictions on what could be adapted and what could not. But the reality is for any devices still on Android 2-7, quirks still often abound. The Android Keystore Of these Android bugs and idiosyncrasies, our team was especially focused on those that affected the Android Keystore, the system that locally stores and handles cryptographic keys. It is an essential component of a secure, effective mobile biometric authentication flow. Android IssueTracker results for "keystore biometrics" But in a diverse, open source Android ecosystem, devices may not support the Keystore – which subjects all applications on that device to security vulnerabilities like account takeover. It’s impossible to prove or disprove that all Android phones will work reliably with the Keystore. Unfortunately, developers must factor this severe possibility into their application’s auth logic in order to be secure. We’ll show you the best practices on implementing mobile biometrics in both scenarios: with and without the Android Keystore. Recap: result-based architecture and key configuration In the previous post we discussed the differences between what we’re calling event and result-based biometric architectures. We’ve already established that a result-based architecture is more secure than an event-based version, but there’s slightly more to it than that. When using a result-based architecture, you also need to think about: How the key is configured. What you're doing with that key once the biometric prompt has passed. When configuring the secret key that you will be using to encrypt/decrypt sensitive information, you have the option of enforcing whether or not the key is authorized for use with or without user authentication. By default, the key is authorized to be used regardless of whether the user has been authenticated, but Android allows you to enable stronger behavior when configuring the KeyGenerator by setting a property called UserAuthenticationRequired. Android Keystore docs for KeyGenerator and UserAuthenticationRequired When UserAuthenticationRequired is set, there are some guarantees that the device makes in order to allow the key to be used: The key can only be generated if a lock screen is configured. At least one biometric must be enrolled (on Android 11 and greater). The use of the key must be authorized by the user after authenticating with secure lock screen credentials such as a password/PIN/pattern or biometric. The key will become irreversibly invalidated once the secure lock screen is disabled, or when the secure lock screen is forcibly reset, or (on Android 11 and greater) once a new biometric is enrolled or all biometrics are deleted. It’s this step where many widely used mobile applications, mentioned at the beginning of this post, failed to implement secure mobile biometrics. Without UserAuthenticationRequired, they lack the strong security guarantees around how their secret key is used, thus exposing their user bases to account takeover via mobile biometrics. Once you’ve configured your key to require user authentication, it’s also important to consider how you use that key. If you’re not performing a cryptographic operation on your private data with that key, and instead are just using the presence of a CryptoObject to assume user authentication, you’re no better off than if you were using an event-based approach. Both the event-based approach and the result-based-but-not-doing-cryptography-approach are susceptible to simple attacks like these: https://github.com/ax/android-fingerprint-bypass https://github.com/WithSecureLabs/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass-via-exception-handling.js The CryptoObject But what does it mean to use the CryptoObject to encrypt your private data? Well, once you’ve securely configured your key, and it’s only accessible after passing user authentication, the CryptoObject gives you one opportunity to perform a cryptographic operation (encryption or decryption), which you should use either to encrypt your private data before persisting it to device or decrypting your previously-encrypted private data. For Stytch’s biometric implementation, we use a public/private keypair to sign and verify challenges provided by our backend. What this means is that a string encoded with our public key can only be decoded by our private key, and we must safely persist our private key to the device for future usage. The CryptoObject brokers access between the stored, encrypted private key and the biometric prompt. When registering a new biometric authentication with Stytch, we: Generate a biometrically-secure key, as described above, in the Android Keystore. Generate an Ed25519 keypair (using BouncyCastle). Register the public key with our servers. Use the private key to sign a challenge string and authenticate that with our servers. Use the CryptoObject returned from the biometric prompt to access the biometrically-secure key, which we use our one cryptographic operation allowance to encrypt the private key. Encrypt the key again (with Tink), and persist it to SharedPreferences. Authenticating with biometrics follows a similar flow, but in reverse: Use Tink to decrypt the first-pass encryption of the private key from SharedPreferences. Use the CryptoObject returned from the biometric prompt to access the biometrically-secure key, which we use to decrypt the private key recovered in step 1. Derive the public key from the private key. Request a challenge from the Stytch servers. Use the decrypted private key to sign the challenge and authenticate that with our servers. When it comes to persisting your now-encrypted private data, you have a few options on Android: saving it to a file in internal/external storage, in a database, or to SharedPreferences (a simple key-value store). For our use, we’re simply storing an encrypted private key, so SharedPreferences makes the most sense; it avoids having to do any file and string parsing, and avoids the unnecessary overhead of a full database. On Android, we also encrypt all data before saving it to SharedPreferences (using Tink), so your private key is protected with two layers of encryption, using two different keys. This means that even if the SharedPreferences master key is compromised (more on that later), the Ed25519 private key is still encrypted by the biometrically-locked key. A high-level diagram of how our flow uses the Android Keystore and SharedPreferences looks something like this: Tink, BouncyCastle, and the Keystore As mentioned above, we use a library called BouncyCastle for generating Ed25519 keypairs and Tink for encrypting data in SharedPreferences. BouncyCastle and Tink are both industry standard, open source libraries for performing cryptographic operations. They can perform similar functions, but due to a limitation in Tink around support for our chosen public/private keypair implementation (Ed25519), we chose to augment our existing Tink infrastructure with BouncyCastle specifically for our biometrics product. Tink, which is a Google product, is a multi-language, cross-platform cryptography solution which integrates with both on-device (Android Keystore, iOS Keychain) and online (Amazon KMS, Google Cloud KMS) keystores. From the beginning of the Stytch Android SDK, we’ve used Tink to encrypt all data in SharedPreferences using an AES-256 key saved in the Android Keystore. When it came time to implement biometrics, we initially turned to our existing Tink implementation; but while Tink theoretically supports Ed25519 keypairs, that functionality is provided within a package that is not recommended for public consumption. Enter BouncyCastle. BouncyCastle is a 20+ year strong, actively supported cryptography library available for both Java and C#, and a stripped-down version comes natively bundled on Android devices. On early Android versions (pre-4.0), this caused a namespace conflict when trying to use full-or-newer versions within application dependencies, but is no longer a problem on our supported platforms (Android 6.0+). BouncyCastle officially supports generating and interacting with Ed25519 keypairs, and given its long track record, it was a no-brainer to choose for our biometrics product. Generating an Ed25519 keypair with BouncyCastle is easy: Once we have this keypair, we can Base64 encode it, register the public key with our servers, encrypt the private key with a biometrically-secured key from the Android Keystore, and save it to SharedPreferences, where it is encrypted a second time by Tink. On authentication flows, we make one decryption pass to load the private key from SharedPreferences (using Tink), then decrypt it again using the biometrically-secured key from Android Keystore. Once we have the unencrypted private key byte array, we can derive the public key from it, like so: Now that we have a public key and a private key, we can request the code challenge from the Stytch servers (with the public key), and sign and authenticate it (with the private key). Android Keystore support There is one big GOTCHA when it comes to Tink and the Android Keystore that we need to discuss: some devices may not have a functioning Keystore, and in those cases, Tink deactivates the Keystore and stores its keys in the application sandbox. From the Tink documentation: "When Android Keystore is disabled or otherwise unavailable, keysets will be stored in cleartext. This is not as bad as it sounds because keysets remain inaccessible to any other apps running on the same device. Moreover, as of July 2020, most active Android devices support either full-disk encryption or file-based encryption, which provide strong security protection against key theft even from attackers with physical access to the device." Tink has a self-test that it runs at runtime to determine whether or not the Keystore is “reliable”, and exposes a helper method to indicate whether or not it is using the Keystore. In order to fully secure an encryption key behind a biometric authentication, we have to use the Android Keystore, and do so directly, regardless of whether or not Tink is using it. And it’s that key, which is always saved in the Keystore, that is used as the first-pass encryption of the private key. Since we only use Tink for encrypting the already-encrypted private key bytes, even if the application sandbox were compromised, and the Tink master key were extracted, all an attacker would gain would be an encrypted string that cannot be decrypted unless they also were to break the Android Keystore itself.  Empower the developer But the Keystore being potentially unreliable is still concerning, since we need the Keystore to biometrically secure that first-pass encryption key/second-pass decryption key.  So what do we do if the Keystore isn’t available? Empower the developer with the information to make a choice. First and foremost, developers need to know of the security and functionality implications laid out above. To support that, we make it easy with our SDK to tell if a device passes the self-test and force developers to opt-in to using biometrics on a device without a reliable Keystore. First off, developers can call the StytchClient.biometrics.isUsingKeystore() method to determine if the Keystore is reliable. If this returns false, the safest thing to do is disable biometric registrations for that device. Second, when attempting a biometric registration we internally make the same check to determine Keystore reliability and, by default, reject the registration flow before doing anything with a NOT_USING_KEYSTORE error. If a developer still wants to attempt biometric registration, they must explicitly set allowFallbackToCleartext to true in the Biometrics.RegistrationParameters. If allowFallbackToCleartext is set to true, then the methods will succeed regardless of the device’s access to the Keystore. If the parameter is set to false, then the SDK will verify that the device has a working implementation of Keystore before proceeding. If it does not, then the attempt to register or authenticate with biometrics will fail. The SDK exposes mechanisms for developers to only show biometric options if the Keystore is working, and defaults allowFallbackToCleartext to false so that developers must intentionally opt in if they are allowing this functionality. We believe that providing options and cautious defaults empower developers to make the best decisions for their applications, while encouraging the safest practice. Concluding thoughts on building mobile biometric authentication Users are becoming more and more comfortable securing their accounts with biometrics and expect it in a wider variety of applications. Biometrics are a quick, trusted feature that reduces friction around authentication. With this blog series, we hope we’ve helped you understand the many steps involved in building mobile biometrics, the implications of choosing an event- or result-based architecture, and the Android-specific considerations to take regarding key generation and persistence. If you were to take away just four main lessons on biometrics from this series, we’d want those to be the following: 1. Biometric implementation is complex, but is a worthwhile investment for your app From choosing an encryption algorithm, to deciding on the appropriateness of fallback authentication, to understanding the options available to you for persisting your secure data, every choice you make impacts the overall security of your biometric implementation. That said, every application will have unique choices to make based on the sensitivity of the data they handle, its value to potential hackers, and the types of user experience that matters most to your customers. But once you understand these intricacies enough to make informed decisions, it’s difficult to come up with an authentication flow use case where biometrics would not be a good choice for your application. 2. The choice between event- vs. result-based architecture is one of the most impactful decisions you’ll make in your build One of the most important things we’ve learned in the auth business is how to think through worst-case scenarios. So while superficially event- and result-based architectures may not seem all that different, a closer look at potential breach scenarios revealed to us that result-based was by far and away preferred, even if it took a bit more time to implement. We also felt it was our job as an auth provider to make that added security more easily attainable for our customers, which is why we’ve built it into our mobile SDKs. 3. The mobile OS ecosystem is diverse, and Android in particular includes pitfalls that require some extra vigilance and due diligence The Android ecosystem is generally diverse and historically unregulated, so whenever building anything for this OS developers need to do some homework on legacy issues.  For biometrics in particular, this means carefully considering your options when generating your biometrically-secure Key and the steps you take to persist your secure data to the device. Specifically, we recommend ensuring that your keys are generated with the UserAuthenticationRequired flag, and that you use that key to encrypt/decrypt your secure data. You also need to be aware that some Android devices may not have a reliable Keystore and that, in those instances, the best solution is to not allow biometric registrations at all. We’ve enabled that by default, but as always, the choice is yours. 4. When in doubt… When it comes to building any product in auth, either in-house or like in Stytch’s case for our customers, we really stick to two basic principles: Developer friction and user experience should always be weighed against the risk that is specific to your product. There are of course standards and general best practices one must follow, but every app has unique needs for security and UX. Take the time to evaluate your app on its own terms.  When building for developers, always inform them when they need to make an important choice. There should be no scary default behaviors, risky edge cases or quirks they’re left to discover on their own. Build defaults for the best practice in your view, and inform them of the tradeoffs. That way, you both maximize your protection while empowering them with choice. Our goal with this series was to offer visibility into the decisions that went into our own biometric product, whether you’re looking to build or buy. But we’re proud to have built what we’ve found is an easy, safe-by-default option for bringing biometric authentication to applications without having to worry about the nitty-gritty details explored in this blog series. So if you’re not ready to build mobile biometrics from the ground up, try Stytch’s mobile SDKs for iOS, Android, or ReactNative, and get started with just a few lines of code. Check out our careers page if solving problems and reading topics like this interest you! About Latacora A big thank you to Latacora for helping us with our research.  Latacora bootstraps security practices for startups. Instead of wasting your time trying to hire a security person who is good at everything from Android security to AWS IAM strategies to SOC2 and apparently has the time to answer all your security questionnaires plus never gets sick or takes a day off, you hire us. We provide a crack team of professionals prepped with processes and power tools, coupling individual security capabilities with strategic program management and tactical project management. Other awesome resources to check out: Using BiometricPrompt with CryptoObject: how and why How secure is your android keystore authentication How you should secure your Android’s app biometric authentication A closer look at the security of React Native biometric libraries Audit: Biometric authentication should always be used with a cryptographic object Android Biometric API: Getting Started Android Keystore BiometricPrompt CipherObject Tink BouncyCastle --- # The top 10 password cracking techniques – and how to outmaneuver them Source: https://stytch.com/blog/top-10-password-cracking-techniques/ Learn about today’s most-used password cracking techniques, and the technologies that can help protect you From brute force attacks to phishing scams, learn what to look out for and how to protect your app against today's sneakiest password attacks We've said it before, and we'll definitely say it again: traditional passwords are the weakest link in the cybersecurity chain. In fact, 82% of all data breaches come down to avoidable human errors — like easily guessable passwords and other poor security practices that can put a user's online accounts, data, and assets at risk. The good news is that the cybercriminals behind "password cracking" attacks tend to follow predictable patterns and resort to the same methods time and again to ensnare unsuspecting users and developers. By brushing up on the most common attack vectors and learning which red flags to watch out for, you can stay one step ahead of the hackers and keep your app (and your users) safe. In this post, we cover the basics of password attacks, review ten of the most popular password cracking tools and tactics, and share expert tips to ensure they don't work on you. What is password cracking? Password cracking, also known as password hacking, is any type of cyber attack that involves intercepting or otherwise compromising user passwords. The ultimate goal is to "crack" (or successfully guess) the passwords that are used to protect sensitive accounts. Hackers can then use stolen credentials to breach or take over a user's account and gain access to sensitive data, confidential business records, and other valuable online assets. They may do this for material gain, for an ideological cause, or even just for fun. How a password hack works Password cracking can be divided into two categories: online and offline attacks. In an online password attack, a hacker attempts to enter the correct password on an app's login page, directly on the server. Online password attacks can be challenging to carry out, as they're limited by the speed of the network. They're also relatively easy to detect, due to the web noise generated by constant login requests. On the other hand, offline password attacks provide hackers with more time and flexibility. In an offline password attack, a hacker intercepts one or more password hashes — algorithms used to encrypt passwords, converting plaintext passwords into unintelligible strings of letters, numbers, and symbols, so they're harder to read and recognize when stored in a database. The hacker can then take these password hashes offline and unencrypt them using a password cracking tool. Common password cracking techniques There are many types of online and offline strategies cybercriminals use to crack user passwords. Ten of the most common include: 1. BRUTE FORCE ATTACK In a brute-force password attack, a hacker tries to access a secure user account through trial and error. This typically involves systematically entering every possible combination of letters, numbers, and symbols into a password field until one works. Today, almost all brute force attacks are carried out by bots, or automated software that can be programmed to carry out repetitive, predetermined tasks. Among other actions, bots can randomly generate passwords and quickly enter them into an app or website. This eliminates a lot of the time and hassle required to mount a brute force attack, making it a much more efficient and attractive method for hackers. Simple cybersecurity measures — like account lockout systems, which block entry to certain IP addresses after a certain number of incorrect login attempts — can thwart a basic brute force attack. That's why, in recent years, hackers have developed the more sophisticated brute force methods outlined below. 2. PASSWORD SPRAYING A password spray attack is a type of brute force attack in which, rather than trying many random passwords against a single account, a hacker tries the same password against many user accounts at once. This allows them to get around rudimentary security measures like account lockouts. To maximize the impact of password spraying, hackers often employ weak or commonly used passwords (such as "password" or "123456") in their attacks, which they can source from public reports like NordPass's annual list of the 200 most common passwords. 3. CREDENTIAL STUFFING Credential stuffing is another brute-force technique. In a credential stuffing attack, hackers use compromised credentials (which they've purchased from the dark web or obtained from a data breach) to log in to other, unrelated user accounts. Unlike a traditional brute force attack, credential stuffing attacks aren't entirely random, as they rely on known username and password pairs. Since users tend to recycle the same credentials across multiple accounts, it's likely that one breached password will appear again on one of the other apps or websites that they use. 4. DICTIONARY ATTACK In a dictionary attack, a hacker systematically enters common words and word variations from a specific, preselected list — kind of like a hacker "dictionary." A dictionary attack can be tailored to a specific group or region that a hacker is targeting. For example, a hacker might use terms and phrases related to local businesses, landmarks, and sports teams when mounting a dictionary attack against a particular company or city. While custom dictionary attacks can be dangerously effective, they tend to only work when users employ ordinary, everyday terms as passwords. That means enforcing strict password rules — like requiring users to create strong passwords with unique, randomized strings of characters — can be enough to prevent a dictionary attack. 5. MASK ATTACK A mask attack is similar to a dictionary attack, but it's a far more targeted brute-force technique. In a mask attack, a hacker analyzes recognizable password creation patterns and/or password hashes they've picked from known data breaches and uses them to apply a filter (or "mask") to their dictionary list of possible passwords. This dramatically reduces the total number of password guesses they must make for a given account, resulting in a much more efficient attack. 6. SPIDERING Spidering is also intended to support a dictionary attack and similarly requires some dedicated effort on the part of the hacker. In a spidering attack, a hacker gets to know their intended victim — generally, a larger, more established company — by studying their internal and external communications. This can include social media posts, web content, employee handbooks, product manuals, and even marketing style guides. From there, the hacker can compile a list of identifying information and common keywords and business/product terms that are unique to the company. They can use these terms to generate a shortlist of possible credentials, which makes guessing passwords on key corporate accounts that much easier. 7. MAN-IN-THE-MIDDLE (MitM) ATTACK Man-in-the-middle (MitM) attacks involve eavesdropping on or otherwise intercepting sensitive communications between the app or website a user is connected to and another, separate platform. MitM attacks can take active or passive form. Active MitM attacks often manifest as session hijacking, where a hacker spies on web traffic over a given network, identifies active session IDs, and then uses the attached session tokens to breach a user's account. In a passive MitM attack, a hacker might create a free, public wifi hotspot, like the kind offered at airports, cafes, and public parks. They then get a full view of all of the online activities and data exchanges carried out by unsuspecting users who join their fraudulent network. 8. RAINBOW TABLES Rainbow tables are comprehensive directories that use a password hash algorithm to list out every possible plaintext version of an encrypted password. Think of it like a hacker "cheat sheet" that allows cybercriminals to skip the work of actually having to hack passwords or a password hash themselves. In a rainbow table attack, a hacker consults this directory and matches the list of solved password hashes to encrypted passwords they find in a breached database, allowing them to successfully sign in to a user's account. 9. PHISHING A phishing attack is less about cracking passwords and more about getting users to share them voluntarily, albeit through deceitful means. Essentially, phishing is a form of social engineering. In a typical phishing attack, a hacker sends their intended victim a persuasive message via email or text, hoping to trick them into sharing their credentials or other sensitive information. This can happen by way of a fraudulent link that, when clicked, downloads malicious software on a user's device, or via a spoofed website that gets the user to type their credentials into a fake login screen. Phishing attacks can be random, or they can target specific individuals or organizations. A common example of a random phishing attack involves an email scam, in which the author pretends to be the executor of a will, which they claim comes from a recipient's (fictional) long-lost relative. This fake executor promises to transfer a large sum of inheritance money to the recipient, but claims they need the recipient's bank account credentials in order to wire the funds. Of course, if the recipient provides these credentials, the hacker behind the scheme will simply breach their account and quickly drain their balance. A more targeted phishing attack, on the other hand, might mimic the messages a certain company sends to help users reset passwords. By clicking an embedded reset-password link and/or entering their credentials, a user is actually giving a hacker access to their account or allowing them to install dangerous programs on their device. 10. MALWARE Malware, short for "malicious software," refers to programs that are designed specifically for stealing passwords and other private information from a device where they have been (often unknowingly) installed. Malware can piggyback on a link embedded within a phishing text or email, or it can hide within attachments, files, or websites that a user is tricked into opening or downloading. Malware can take many different forms and work in a number of ways. Two categories of malware that can be used to crack passwords are: Spyware: Spyware hides on a user's system and secretly gathers information about their internet activity and behaviors, including any passwords, pins, and payment information they enter on an app or website. Keyloggers: Keyloggers are a specific type of spyware that monitors and records a user's keystrokes, or everything a user types into their device. That makes it easy for hackers to track and recognize common typing patterns, like a user's password for a given app or website. Password cracking tools Password cracking tools help hackers, well, crack passwords. They're especially useful in offline password attacks, where there might be thousands or even millions of possible plaintext combinations for each of the password hashes uncovered in a database breach. In this case, the right cracking tool can do all the computational work, applying strategic algorithms and machine learning to unencrypt each hash. Some of the most popular password cracking tools include: JOHN THE RIPPER John the Ripper (JTR) is one of the oldest and most well-known password crackers on the market. It's a command-based app that works in Linux and Mac OS environments, and it can automatically detect and support a wide range of hash types and ciphers. While John the Ripper's basic platform comes as free, open-source software, there is also a "pro" version of the app that includes a more extensive wordlist, as well as support for specific operating systems. CAIN AND ABEL Another leading password cracker is Cain and Abel (frequently shortened to just Cain). It's available for Windows only, and it uses a graphical user interface (GUI) format, which makes it particularly attractive to amateur or beginner hackers. Much like John the Ripper, Cain and Abel can recover passwords using a variety of password cracking and decrypting methods, including through brute-force and dictionary attacks. OTHER PASSWORD CRACKING TOOLS While JTR and Cain are the two most common password cracking tools, they are far from the only available options. There are many other password crackers on the market, including platforms like Ophcrack, Hashcat, and THC Hydra, all of which can pose a significant threat to your app and your users. What makes a password easy to hack? There are many categories of "bad" passwords, but they all have one thing in common: they make a hacker's job easy. Here are some of the many ways users actually give cybercriminals a leg up: Creating weak passwords Simply put, a weak password is any password that's easy to guess or crack. It's estimated that around 30% of internet users have fallen victim to a data breach because of a subpar password. A password can be weak for various reasons. Users might keep the default passwords they're given to set up an account and then forget to upgrade to a more secure password once they're logged in. Or they might resort to simple words and phrases (the kind that end up in the NordPass list mentioned above) or familiar, meaningful terms (like their dog's name) because they find more complex passwords difficult to remember. For reference, nearly a quarter (24%) of internet users admit to using common passwords like "abc123" and "Qwerty," while 59% have included a family member's name or birthday in their credentials. That's not great. Reusing the same password across different accounts Users are opening more and more accounts online, and they're finding it difficult to keep track of their proliferating passwords. Many end up recycling the same credentials across many different sites and apps, rather than using unique passwords for every new account. Recent studies have found that password reuse is very common. In fact, 52% of surveyed users report reusing the same password across multiple apps and websites, and 13% use the same credentials across all of their online accounts. That means, if a hacker gets hold of one set of credentials using any of the above password cracking techniques, they have everything they need to break into some or all of that user's other accounts. Connecting via an insecure network As mentioned, users will sometimes connect to free, unsecured wireless hotspots when using their device in a public place like a park or cafe. In some cases, these are not legitimate wifi networks, but hackers mounting a man-in-the-middle attack to spy on unsuspecting users, which can leave their passwords (and their data) vulnerable. How to protect against password cracking attacks When it comes to traditional passwords, there's no bulletproof security measure that will prevent every single password cracking attempt. But there are some steps you can take to make a password attack much more challenging and inconvenient to carry out. Some simple best practices include: Enforce and support secure passwords Creating strong passwords (as a user) and enforcing strict password policies (as a developer) can help thwart basic brute-force attacks. This might include: LUDS REQUIREMENTS The LUDS system requires all users to include one or more lowercase letters (L), uppercase letters (U), digits (D), and special characters (S) when creating a new password. This increases the number of permutations a hacker would need to try to successfully mount a brute-force attack. You can also choose to reject any password containing a recognizable word or phrase, protecting against targeted dictionary, masking, and spidering attacks. As we’ve covered in our approach to strong passwords, though, LUDS has a few big shortcomings: There are still many potential passwords that meet all of the required characteristics, but still use a simple pattern that can be easily cracked, like “A1b2C3d4”. LUDS can still allow passwords that technically contain all of the required characteristics, but only because it uses common substitutions that are weak – like “p@ssword.” From a user perspective, LUDS passwords are very hard to remember! Did you choose “Sp0tisagoodboy,” “sPotisag00dboy!,” or “$pOt!s@goodboy”? Who the heck can keep track!? ZXCVBN Given the weaknesses in the LUDS system, Stytch suggests services like zxcvbn, a flexible strength assessment based on how resistant a password is to modern password guessing techniques. Named after the same keyboard area as “qwerty” (just two rows down), it’s designed to make picking a strong password easy for humans to generate and hard for robots to guess. Zxcvbn works by first searching for matches to your user’s password in a list of common passwords, common names, common words, etc. If a match is found, it returns a score based on the match’s dictionary and pattern rank. There are many different ways to use it, but typically it’s implemented on the application side of a product, and not as commonly for individual users. The zxcvbn library is available in a variety of programming languages, including JavaScript, Python, Go, PHP, Ruby, and more. (You can also use an API like Stytch, which incorporates the zxcvbn method into our Passwords product.) HAVEIBEENPWNED HaveIBeenPwned offers both an individual-friendly website and a developer-targeted API that both monitor the web for stolen credentials in order to alert users and companies of those credentials’ insecurity. You can search for compromised emails, phone numbers, domains, passwords, and websites, and can even sign up for email notifications to notify you if one of your accounts has been compromised. While you can use HaveIBeenPwned as an individual user, you can also integrate it into your product via their API, which checks whether a user’s email address or password has been exposed in a data breach. If it has, the API will return a list of the data breaches in which the user’s information was compromised. This is what Stytch has done in our breach-resistant password solution. PASSWORD MANAGERS A password manager is software that helps users manage their passwords by encrypting them and saving them locally on a user's device. Stored passwords are then automatically pulled up whenever a user wants to log in to the associated account. Some password managers, like Google Password Manager, will even suggest a strong password at signup, ensuring secure practices are built into every stored credential. While password managers are effective tools, as a developer you can’t assume your users are using them. Adoption remains low, and growth in adoption still rather modest. SALTING A password "salt" is a random string of 32 or more characters that's added to a password before hashing. Salting makes it nearly impossible for hackers to comb through a database and recognize a hashed password in order to mount an offline attack or apply a password cracking tool. As we’ve pointed out in our article on hashing, though, salting on its own is not that great a protection. Only when combined with the best hashing algorithms does salting really have a significant effect on password security. EDUCATION Finally, educating users about different password attacks can help them avoid falling victim to common schemes — especially when it comes to social engineering tactics like phishing. Education is also a great precedent to set if you’re interested in gradually transitioning your users to a passwordless authentication solution. We’re strong advocates for this at Stytch where it makes sense for our customers, and if customers aren’t ready a great place to begin is through friendly, approachable education that helps make your users more auth-savvy. Add fraud and bot protection to your authentication flow Adding extra steps to your signup and login flows can help you differentiate between a legitimate user and automated bot traffic. At Stytch, we offer and see the benefits in two main approaches to bot detection: device fingerprinting and StrongCAPTCHA. DEVICE FINGERPRINTING Device fingerprinting is a way to identify devices that are accessing a website or application. A device’s identity can be composed of a number of attributes that an application detects when the user accesses the site or app that are then associated with a unique ID. Unlike cookies, which are stored client-side, device attributes and IDs are stored in a server-side database, which the website or app can then use to check against future behavior from their users. Note though that not all device fingerprinting solutions are created equally: a large part of their efficacy depends on the kinds of attacks a given app or service is suffering from, the sophistication of their attackers, and how their auth flow responds to possible fraud without creating undue friction for their users. Fingerprint attributes like IP address are easy to detect but are also easy to fake or obscure through VPNs – the best fingerprinting solutions combine a multitude of factors, and also allow for a range of escalation procedures to further investigate the identity of a user. If you’re interested in learning more, check out Stytch’s own Device Fingerprinting solution. STRONGCAPTCHA The most common bot-detection technology is the CAPTCHA test, which has users pick out objects like motorcycles and crosswalks from a lineup of images to prove they're human before they can access their account. While traditional CAPTCHAs have recently fallen prey to a cottage industry of CAPTCHA fraud, next-generation versions — like Stytch's Strong CAPTCHA solution — have emerged to bridge this security gap. Implement multi-factor authentication (MFA) Multi-factor authentication (MFA), which includes two-factor authentication (2FA), takes a layered approach to auth, requiring two or more identity credentials before a user can access their account. This might include a traditional username-and-password pair (factor 1), plus a security question (factor 2) and a one-time passcode sent via text or email (factor 3). These factors can all be front-loaded at initial login, or they can be interspersed throughout the user journey, with extra auth steps (and thus, extra friction) introduced only for especially sensitive actions — like if a user wants to change their payment details. This is known as "just-in-time" authentication. The best MFA flows today are unphishable, meaning they avoid any type of auth factor that can be intercepted by a determined hacker. Go passwordless When it comes down to it, the only surefire way to stave off a password attack is to eliminate passwords altogether. Today, there are many secure, frictionless, and completely passwordless authentication solutions that are easy to implement and to use, from one-time passcodes and embeddable email magic links to seamless biometric factors and WebAuthn. As adopting such passwordless solutions gets even easier — slowly becoming the norm for online life — we'll finally make password cracking a thing of the past. How Stytch can help Stytch is committed to fighting any and all password cracking methods that can put your app and your users at risk. That's why we offer a full suite of modern passwordless products — as well as Breach-Resistant Passwords that build strength assessment, breach detection, and account deduplication measures into every signup and login flow. To learn more about our platform, get in touch with one of our cybersecurity experts — or register for a free account to try our solutions first-hand. --- # The journey to ISO 27001 certification Source: https://stytch.com/blog/iso-27001-certification/ A step-by-step guide to our journey to ISO 27001 certification – what it is, why it matters, and how to do it. In today's digital age, where data breaches and cyber threats have become an unfortunate reality, the need for robust information security practices has never been more critical. As technology evolves, so do the risks associated with storing and managing sensitive information. That's why we are thrilled to announce our achievement of the ISO 27001 certification (in addition to maintaining our SOC 2 report), a testament to our commitment to protecting our clients and their users as well as ensuring the highest standards of information security. Today we'll cover: What ISO 27001 is How to prepare for certification What's involved in the audit process How to maintain certification FAQs Stytch's top three takeaways from our own certification What is ISO 27001? ISO 27001 is an internationally recognized standard for information security management systems (ISMS) that defines a set of requirements a company’s ISMS must meet. It provides a systematic and proactive approach to managing sensitive company and customer information by identifying potential risks, implementing security controls, and continuously improving processes. History of ISO 27001 certification Though the official ISO 27001 standard was minted in 2005, its history dates back to the early 1990s in the U.K. Rapid advancements in information technology prompted the government to request a set of standards for evaluating the security of IT systems and products from the Department of Trade and Industry's Commercial Computer Security Centre (CCSC). The CCSC created a code of best practices called DISC PD003, which by the late 90s they organized into two major components: BS7799-1, which outlined controls and control objectives, and BS7799-2, which outlined a formal standard for information security management systems. By 2000, the International Organization for Standardization had adopted and re-christened the former as the ISO/IEC 17799 standard (or what would become ISO 27002). In 2005, they formally adopted the latter as ISO 27001. Why does this history matter? Once the CCSC's standards were adopted by the International Organization of Standardization, they gained a level of international legitimacy that is near unrivaled in the world of standardizations. The ISO is in fact an international, non-governmental body that issues standardizations across industries. 168 of the world's 195 countries are members. This means if you attain ISO 27001 certification, you literally open borders for your business by creating massive opportunities for scale. Why is ISO 27001 important for an information security management system? An information security management system is by default charged with one of the most important tasks on the internet: protecting the integrity of the information of people and companies. When that is your main function, an ISO 27001 certification is one of the surest way to accomplish the following: Ensures enhanced information security The ISO 27001 certification demonstrates our unwavering commitment to safeguarding our customers and their users. By implementing a comprehensive information security management system, we have put in place measures to protect sensitive information from unauthorized access, disclosure, alteration, or destruction. Attests to compliance with regulatory requirements ISO 27001 certification helps us meet and exceed legal and regulatory requirements related to data security. It ensures that our information security practices align with industry standards and best practices, providing peace of mind to our clients and stakeholders. Offers competitive advantage In today's competitive landscape, organizations that prioritize information security gain a competitive advantage. ISO 27001 certification sets us apart from the competition by showcasing the maturity of our information security program and our dedication to maintaining the confidentiality, integrity, and availability of customer information. Earns customer trust and confidence Data breaches can have far-reaching consequences, eroding customer trust and damaging a company's reputation. By achieving ISO 27001 certification, we provide our clients with the assurance that their information is in safe hands, building trust and fostering long-lasting relationships. ISO 27001 certification vs. compliance Technically, companies can be ISO 27001 compliant without being certified. If you're ISO 27001 certified, that means that an external auditor has gone through a specific set of evaluations and audits to confirm that you're ISO 27001 compliant. Generally, when companies request or refer to ISO 27001 for a vendor they're considering, they'll want that external certification, not just documentation that proves you're compliant. Preparing for ISO 27001 certification ISO 27001 certification is granted upon successfully completing stage 1 and 2 ISO 27001 certification audits, but there's a lot of preparatory work companies need to do before the audit takes place to make sure they're ready. Before engaging external auditors, a company should make sure to: 1. Scope and implement an information security management system or framework This may sound like a no-brainer, but some companies, especially new ones, may have a hodge podge of different practices and protocols they use to protect information security at their company without having an explicit management system or framework. This includes delegated employees whose job it is to maintain that management system, oversee its quality and efficacy, and monitor its compliance with standards like ISO 27001. 2. Conduct a risk assessment, and mitigate any found risks with a clearly documented risk treatment plan Any company looking to receive ISO 27001 certification needs to conduct regular, well-documented risk assessments followed by treatment plans with necessary controls and policies. Both for the sake of internal efficiency and a smooth certification, companies should remember that more does not necessarily mean better when it comes to controls. Controls are only as useful as they eliminate security risks without undue burden or friction on internal processes. Because of that, any control or policy should clearly dock to your company's use case and priorities. 3. Document all relevant systems and processes ISO 27001 certification has many requirements, but companies do not need to meet every requirement to get certified. Instead, you should carefully evaluate their specific use case to understand which of these requirements apply to their business. Your ISO 27001 documentation should make it easy for both internal stakeholders and external auditors to assess whether or not their information security management system meets those requirements. This documentation should also clearly and succinctly show their approach to risk assessment and risk management. The more thoroughly you show your work, i.e., document all your company has done and regularly does to maintain a compliant ISO 27001 service, the better. Note that without careful management and systems in place, this can get unwieldy, difficult to organize, and/or create bloat. Be very mindful of how you organize your risk assessments, your processes, and findings in ways that are usable to your internal stakeholders and accessible and clear for external auditors. 4. Conduct an internal audit & resolve any nonconformities Every company applying for ISO 27001 certification is required to do an internal audit before an external audit or review – and hold regular internal audits in order to maintain their certification. This "internal" audit is intended to surface any nonconformities with the ISO 27001 standard, raise them to the relevant stakeholders at a company so they can be resolved before the external audit. Though this final step is called "internal," companies can either choose someone who is in fact internal to their company, or hire an outside vendor to conduct this audit for them. That said, if you end up using someone in-house to conduct your internal audit, you must make sure they have no conflict of interest, i.e. are not responsible for implementing or maintaining any of the systems, controls, or policies they're evaluating. 5. Onto the external audit Once you've completed all of the necessary preparatory work, you can then solicit an external audit. The ISO 27001 certification external audit – what to expect While the most important legwork for your own team takes place in the lead-up to your audit, the audit itself is clearly the moment of truth for any company seeking certification. There are three important steps to completing the audit: choosing your auditor, and stages 1 and 2 of the audit itself. Choosing your ISO 27001 external auditor When choosing an external ISO 27001 auditor, there are a few key things to look for: 1. Accreditation Check an accreditation directory as your starting point. These directories do a fairly thorough job vetting for the auditors listed on their site, but it never hurts to do your due diligence and make sure the information listed in the directory corresponds to the auditor's website and own materials. 2. Industry alignment Though not required, you'll likely find it helps to have an auditor who knows your particular industry well. They're more likely to ask you the right questions, give nuanced and helpful guidance, and understand the constraints and demands on your information security management system better than someone outside your industry. 3. Bundled or additional certifications There are fewer more painful time-drains than vendor searches. If you know your company plans to scale at some point or have other security compliance certifications on your horizons, it could be nice to find an auditor that does more than one. Forming a strong relationship will make future certifications and audits smoother down the line. Furthermore, you can reduce your own audit fatigue by selecting an auditor to address multiple certifications/frameworks simultaneously. ISO 27001 certification audit – stage 1 The ISO 27001 audit takes place in two stages. In Stage 1, your auditor is basically making sure that you have all the necessary documentation and processes established to undergo a stage 2 audit. At this time they'll review what are referred to specific clauses from the ISO 27001 standard, specifically clauses 4-10. Together, these clauses cover all the requirements an information security management system needs to meet to get certified. They are: Clause 4: Context of the organization This covers the very foundation of your company's ISMS – its scope, why you need one, what information you handle, and who your key stakeholders are. Clause 5: Leadership Clause 5 covers the roles and responsibilities of your ISMS team and the policies they must abide by. Clause 6: Planning Clause 6 offers a clear-eyed overview how your organization will achieve its objectives especially as it relates to risk and opportunities. Clause 7: Support Clause 7 outlines the resources your company has devoted to maintaining its ISMS. Clause 8: Operation Clause 8 is where you discuss your risk assessment and treatment plans, and whatever controls you've put in to mitigate those risks and other information security requirements. Clause 9: Performance evaluation Clause 9 is where you document how you evaluate your performance, how and how often you conduct internal audits and reviews. Clause 10: Improvement Improvement covers any nonconformities you may have identified in your internal audit, and how you plan to address those. Upon reviewing your documentation to make sure all these requirements are accounted for, your auditor will either pass you on to stage 2, or will first raise what are called "areas of concern" you need to address in order to pass stage 2. ISO 27001 certification audit – stage 2 In ISO 27001 stage 2, your auditor moves on from reviewing your clauses to a second part of the ISO 27001 standard called Annex A. While Clauses 4-10 address the requirements for an ISO 27001 certified company, Annex A covers the possible security controls a company could use to meet those requirements. As mentioned before, no company is expected to implement all controls. You are simply expected to have the necessary controls in place for your context and industry, and for the goals and measurements you've outlined in your own ISMS. Maintaining ISO 27001 certification Achieving ISO 27001 certification is not a one-time accomplishment. It requires continuous monitoring, assessment, and improvement of the ISMS. By establishing a framework for monitoring and reporting security incidents, conducting regular audits, carrying out management reviews, and continually improving, you can ensure the effectiveness of our ISMS on a recurring basis. As part of maintaining your certification, you'll also need to undergo what are called surveillance audits, which are regular (generally annual) audits to make sure your company is still adhering to ISO 27001 standards. This is another reason why the systems, documentation, and controls you set up during your prep work are so crucial: ISO 27001 is not just a box to check, it is a marathon you'll be running for the rest of your company's life! Dedicating the regular ISO 27001 certification – FAQs How many companies are ISO certified today? According to the ISO 2021 Survey, nearly 60,000 companies worldwide had attained ISO 27001 certification. That may seem like a lot, but consider that the U.S. alone is home to over half a million technology companies. While not every one of those companies may need ISO 27001 certification to do their business securely, it does show what a differentiator this certification can mean in the global market for an information security management system. How long does it take to get ISO 27001 certification? The amount of time required to get ISO 27001 certified can range depending on many factors, like: How established your company's ISMS was before beginning the process Your industry and use case, with its particular risks, information, and intellectual property to protect The resources you have available already, vs. how much headcount you may need to pull of other tasks to complete your prep work Whether the stakeholders involved at your company are familiar with the process or not Generally, however, most small to mid-sized companies are able to finish the preparatory work for the audit within four to six months. How much does it cost to complete ISO 27001 certification? While some sources may give ballpark figures for an ISO 27001 certification process, the reality is it's highly dependent on many different factors that could influence the end costs. Some of which are: whether your internal audit is in-house or not, the specific audit firm you select, the scope of your assessment, and whether other frameworks are being simultaneously audited. Best practice is to get quotes based on each of these factors so your company can budget appropriately. Our take Looking back on our own ISO 27001 certification process, we have a few learnings we think would be useful for companies considering this for themselves: Lesson 1: Define the scope early