Blog

Auth for B2B SaaS: it's not like auth for consumer software

Auth for business software (B2B) shouldn’t look the same as auth for consumer software (B2C). In many cases, it actually can’t work the same way.

Ned O'Leary
Engineering

eyJaafCsubstantially: cramming English words into JSON web tokens (JWTs)

A lot of modern software uses JSON Web Tokens, which encode data in Base64. It turns out that you can force the Base64 encoding to include certain long words.

Ned O'Leary
Engineering

I designed some more user-friendly methods for multi-factor authentication.

People really don't like the way multi-factor authentication (MFA) works. It's a bad user experience. I designed some new, user-friendly MFA techniques.

Ned O'Leary
Engineering

The Nevada, Indiana, and Florida DMVs have unusually bad login pages.

I visited the login pages for each state’s Department of Motor Vehicles. Here are the worst ones.

Ned O'Leary
Engineering

XML Signatures are a bad idea executed even worse

2000s XML mania continues to hold modern software back. But there are lasting lessons we can still learn from it.

Ulysse Carion
Engineering

What a developer needs to know about SCIM

If you're selling business software, you'll likely run into a customer that wants something called "SCIM." Here's what you need to know.

Ned O'Leary
Engineering

Australia/Lord_Howe is the weirdest timezone

Timezones are weird. But only finitely so. Here's the exact conceptual model you should have of them.

Ulysse Carion
Engineering

Ruby-SAML pwned by XML signature wrapping attacks

GitLab and others are affected. The blame lies in the SAML specification, and in credulous engineers that implement it.

Ulysse Carion
Engineering

A Gentle Introduction to SAML

The SAML spec is an absolute beast. We've each read it multiple times. Here's a simpler explanation.

Ned O'Leary