Atlas — web authentication & security concepts
The grounding glossary. Every concept the portal covers, grouped by the eight capabilities from the Capability Map. One line each; marked concepts expand into full pages as the portal grows.
Legend: ★ deep-dive page · ▶ interactive demo · ⚑ regulatory touchpoint
0. Foundations — the OAuth/OIDC substrate
- OAuth 2.0 ★ — delegated authorization: how an app gets permission to call an API for a user.
- OpenID Connect (OIDC) ★ — identity layer on OAuth; adds the ID token (who the user is).
- Authorization Code flow ★▶ — the only flow FAPI 2.0 allows; see Sender-Constrained Tokens for the full sequence.
- Access / refresh / ID tokens — the API credential, its renewal, and the identity assertion.
- Scopes & claims — what access is granted, and the facts about the user/session.
- JWT / JWS / JWE ★▶ — signed or encrypted token; try the JWT decoder.
- JWK / JWKS — public-key format and the endpoint that publishes keys.
- Client: public vs confidential ★ — can it keep a secret? Drives the BFF question.
1. User Authentication — C1
- WebAuthn ★▶⚑ — the browser API behind passkeys.
- FIDO2 ★ — WebAuthn + CTAP; phishing-resistant auth.
- Passkeys: synced vs device-bound ★ — convenience vs assurance.
- Platform vs roaming authenticator — built-in (Face ID) vs external key.
- Relying Party / RP ID — the origin binding that kills phishing.
- Attestation — proof of what made the key.
- SCA ★⚑ — PSD2: two factors + dynamic linking for payments.
- Passwordless / OTP / TOTP — the weaker fallbacks and why.
2. Device Binding & Request Integrity — C2
- Bearer token ★▶ — “whoever holds it, spends it”; the core web weakness.
- Sender-constrained / PoP token ★ — bound to a key the client must prove it holds.
- DPoP (RFC 9449) ★▶ — app-layer proof-of-possession; the heir to the mobile hash. Deep dive.
- mTLS-bound token (RFC 8705) ★ — transport-layer PoP via client certificate.
- Token binding claims (cnf, jkt, x5t) — how the token records its bound key.
- WebCrypto + non-extractable keys ★▶ — the browser’s closest thing to a secure enclave; try the keygen demo.
- Anti-replay (jti, nonce, iat) ▶ — stopping a captured proof being reused; see the DPoP proof builder.
- Dynamic linking ★⚑ — PSD2: bind the specific amount + payee.
- PKCE (RFC 7636) ★▶ — proves the app that started the flow finishes it; PKCE lab.
3. FAPI & Request Protection
- FAPI 1.0 vs 2.0 ★ — old two-tier profiles vs the single attacker-model-driven 2.0. Deep dive.
- FAPI 2.0 Security Profile ★⚑ — the bank-grade rulebook.
- PAR (RFC 9126) ★▶ — push the auth request to the back channel first; walk it in the FAPI flow demo.
- iss parameter (RFC 9207) — kills mix-up attacks.
- private_key_jwt (RFC 7523) ★ — asymmetric client auth, no shared secret.
- Redirect-URI exact matching — closes open-redirect exfiltration.
4. Browser-Side Security — C3 (declarative)
- TLS 1.3 / HSTS ★ — encrypted transport; stop downgrade.
- CSP ★▶ — controls what can load; primary XSS defense.
- CORS ★ — cross-origin access rules; commonly misconfigured.
- SameSite / Secure / HttpOnly cookies ★ — blunt CSRF and token theft.
- X-Frame-Options / frame-ancestors ★▶ — the clickjacking defense.
- Clickjacking ★▶ — invisible iframe over a decoy tricks the click.
- CSRF ★▶ — forging a request on the victim’s ambient session.
- XSS: stored / reflected / DOM ★▶ — injecting attacker script; the highest-frequency bug.
5. Client-Side Code Integrity — C3 (code)
- Formjacking ★ — injected script skims form fields as typed.
- Magecart / supply-chain JS ★ — one poisoned third-party script bleeds every site.
- Subresource Integrity (SRI) ★▶ — hash-pin third-party scripts.
- RASP / anti-tamper / obfuscation ★ — runtime self-protection for client code.
6. Anti-Phishing — C4
- Phishing / pharming — fake site or poisoned DNS harvesting credentials.
- Homograph / look-alike domains ▶ — visually confusable domains.
- AiTM / reverse-proxy phishing ★ — real-time proxy that steals the session; defeats OTP, not passkeys.
- Why passkeys resist phishing ★ — origin binding won’t release the credential to the wrong domain.
- DMARC / DKIM / SPF ★⚑ — email authentication against brand spoofing.
7. Gateway / API Edge — C5
- API gateway ★ — the single policy-enforcement point.
- Channel-aware policy ★ — different token rules for web vs mobile, same downstream APIs.
- WAF — signature/rule-based filtering.
- Bot management ★ — separating humans from scripted traffic.
- Rate limiting / velocity — blunt brute-force and stuffing.
8. Fraud, Malware & Device Intelligence — C6 / C7
- RAT (Remote Access Trojan) ★ — malware giving live control of the victim’s session.
- Overlay attack — fake UI over the real app to capture input.
- Device fingerprinting ★ — a stable device identity from browser/hardware signals.
- Behavioral biometrics ★ — keystroke/mouse/touch as a continuous signal.
- Account Takeover / credential stuffing ★ — reusing breached credentials at scale.
- ThreatMetrix — the incumbent device-intelligence vendor.
9. Risk Decisioning & Adaptive Response — C8
- Risk-based / adaptive authentication ★ — vary the challenge by real-time risk.
- Step-up authentication ★▶ — escalate when risk crosses a threshold; try the simulator.
- Continuous authentication — re-evaluate trust through the session.
- TRA exemption ⚑ — PSD2’s low-risk skip-SCA clause.
- Signals fusion / risk engine ★ — combine device, behavioral, fraud signals into one decision.
10. Standards & Regulation ⚑
- PSD2 / SCA / RTS ★ — the EU/UK payment-authentication regime.
- GDPR ★ — data protection; biometrics are special-category.
- eIDAS2 / EU Digital Identity Wallet — the coming EU identity framework.
- UK DIATF / DVS — the UK digital-identity trust framework.
- OWASP ASVS / Top 10 ★ — the application-security baseline.
~95 concepts · ~40 deep-dive pages planned · ~15 interactive demos. Phase 1 shipped the FAPI/DPoP spine; Phase 2 added the browser-side threat cluster, front-door auth, and the standards thread; Phase 3 added the risk layer (C6–C8), the BFF-vs-SPA architecture question, and the demos that make sender-constraining tangible — a real non-extractable WebCrypto key and a real, verifiable DPoP proof. The long tail of remaining ★ entries fills in incrementally, not as a blocking phase.