The RFC recommends using PKCE for web (public client)/native apps. It’s not stated that Dynamic Client Registration (DCR) is bad, but it’s not stated as an alternative either. I am wondering if there is any negative aspect of DCR that I am overlooking.
I would say that the biggest difference between the two is the fact that PKCE is much easier to implement with less bookkeeping while offering about the same protections as DCR.
Looking through the use cases defined in the DCR specification, it looks like the use case of native app or SPA app is included.
Is there a reason why it is not included in the best practices? For which use case is DCR ideal?
The Diceware method of password generation is simple, secure and easy to use.
When registering an account on a website:
- Why do websites not suggest that their users use the Diceware method?
- Why do websites not include a Diceware-based password generator?
- What other reasons make this a bad idea?
I’m talking about Online activation. My current workflow is:
- User pays via paypal (without registration)
- PayPal performs a request to my API.
- My API returns a serial key to the user.
- Then the user is able to register using this serial key.
It is “pay to register then use” and not “register then pay to use”.
So the question is:
- Should I generate (let’s say 100) keys and store them in the DB, then pick the first one available when someone pays via PayPal? Isn’t this vulnerable to “guess” attacks?
- Should I generate 1 random key each time a user pays via PayPal? Can’t this approach generate 2 equal keys? I mean, I have no info from the user except what PayPal tells me, so I should somehow use a random function OR loop through the entire table comparing the serial keys.
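One way to answer both of the bullets above, as an added example that is not from the original post: draw each key at payment time from the OS CSPRNG with enough entropy that guessing and collisions are both negligible, and let a UNIQUE constraint in the database, not a table scan, catch the theoretical duplicate. The in-memory SQLite table, the PayPal transaction ids and the key format are constructed for the example.

```python
import secrets
import sqlite3

# Constructed stand-in for the real serial-key store. The PRIMARY KEY on
# `key` is the collision guard; UNIQUE on the PayPal id makes issuing
# idempotent, so a replayed payment notification does not yield a 2nd key.
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE serial_keys ("
    "  key TEXT PRIMARY KEY,"
    "  paypal_txn_id TEXT UNIQUE NOT NULL,"
    "  redeemed INTEGER NOT NULL DEFAULT 0)"
)

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, 5 bits each; no 0/O/1/I
KEY_CHARS = 25                                  # 25 * 5 = 125 bits of entropy
KEY_BITS = KEY_CHARS * 5


def new_serial_key():
    """Random key from the OS CSPRNG, formatted as five groups of five."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(KEY_CHARS))
    return "-".join(raw[i:i + 5] for i in range(0, KEY_CHARS, 5))


def issue_key_for_payment(paypal_txn_id, max_attempts=3):
    """Generate a key when a payment arrives. A duplicate key is rejected by
    the PRIMARY KEY, so we just draw again; a repeated transaction id returns
    the key already issued instead of minting another one."""
    row = conn.execute("SELECT key FROM serial_keys WHERE paypal_txn_id = ?",
                       (paypal_txn_id,)).fetchone()
    if row:
        return row[0]
    for _ in range(max_attempts):
        key = new_serial_key()
        try:
            conn.execute("INSERT INTO serial_keys (key, paypal_txn_id) VALUES (?, ?)",
                         (key, paypal_txn_id))
            conn.commit()
            return key
        except sqlite3.IntegrityError:
            continue  # astronomically unlikely key collision: retry
    raise RuntimeError("could not allocate a unique serial key")


def redeem_key(key):
    """Single-use redemption: flips the row exactly once, False on unknown/used."""
    cur = conn.execute("UPDATE serial_keys SET redeemed = 1 WHERE key = ? AND redeemed = 0",
                       (key,))
    conn.commit()
    return cur.rowcount == 1


def collision_probability(n_keys, bits=KEY_BITS):
    """Birthday bound: chance that any two of n_keys random keys are equal."""
    return n_keys * (n_keys - 1) / 2 / 2 ** bits
```

With 125-bit keys, even a hundred million issued keys have a collision probability far below 1e-20, and a guessing attack has the same odds per attempt, which is why the pre-generated pool of 100 short keys is the riskier design.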
In our mobile application, users need to register first before they can use it. After successful registration, they can now log in and use features of the app. Now we will have a feature in our application where all users who have records in the Active Directory and “master” database but are not yet registered in the app would be sent an SMS with a registration link. The details are as follows:
- A static link is sent (not the usual dynamic ones where a token is appended to the URL).
- When that link is clicked, an authentication page shows up in the machine’s internet browser and asks for the user’s email address and birthday. When the entered information is valid, a one-time password is sent via SMS, and if it is valid, the user can now proceed with registration.
The question is: is this kind of process secure? There was a debate within our team whether the link sent via SMS should be dynamic or static. What are the possible vulnerabilities of this kind of process? It doesn’t seem to violate any OWASP standard.
I ran into this site today, and this site queries some of the top social sites to see if your user name is registered.
What’s cool about this is, most of the sites are PR6 and higher. The profile pages allow Do Follow URLs and some even have fields for deep linking.
Just wanted to let you know.
This is a UI question for all you e-commerce design experts out there.
Is there a generally accepted standard for which address to capture first from new registrations on a typical online shopping site? Should you first ask the new customer for:
1. their billing address, or
2. their delivery address?
In my humble view we should first ask for their delivery address. My reasoning is this: since they are probably in the middle of checking out, and we don't want to slow down this process any…
Registration form – Delivery or Billing Address first?
I’m working on an ecommerce site using WooCommerce. I need to implement registration for the customers who decide to buy; do I need to activate something inside WordPress? I can only see the login screen for now, but no registration form or link. Another issue: I have used the
wp_is_mobile function to check if a user is on mobile or tablet/desktop; this shows a banner on the top of the login screen. I’ve noticed that the banner isn’t displayed on Android mobile phones, tablets and iPad, but I want to display it also for tablets. Is there a fix for this?
I work on an application where users are sent a unique registration code in the post. They use this, along with other personal information known to the user, to confirm the identity of the user when creating a new account.
Does the unique registration code sent in the post need an expiry time (like after 30 days)?
The argument that has been made to me is that if there is no expiry, then a fraudster has longer to collate the personal information about the intended user to confirm identity. Therefore, they argue that adding an expiry decreases the likelihood of fraudsters creating an account posing as the intended user.
However, if that’s the case, I would imagine that having an expiry would make no difference. If a fraudster has intercepted this mail, then the individual has been personally targeted, and the fraudster would be able to obtain the personal information to request another code?
What is the cheapest site to go on to get car insurance? Preferably with the lowest deposit possible. First time driver