A no-password approach is better for increased security, but who needs it, and how and when should an organization go passwordless? Passwords remain the default method of user authentication, but the question is for how long? It is becoming more or less an established fact that passwords are insufficient to…

Enable developers to operate in a more business-aligned way with design patterns that enable your company to run the best security everywhere. These days, developer experience (DX) is a term used frequently but is often misunderstood. The truth is that a poor developer setup can negatively affect the time to…

Different tokens have different purposes and should be used appropriately for each use case. When building security solutions using OAuth and OpenID Connect (OIDC), we frequently discuss tokens. Sometimes these systems are even referred to as token-based architectures. Tokens play a core role in authorizing access to applications, services and…

A few years back, I wrote the article “8 Vital OAuth Flows and Powers” for Nordic APIs. Since then, a lot has happened around the OAuth and OpenID specifications. Some flows have been updated, others have been deprecated and some new ones have been added. …

What is the most important lesson we can learn regarding API security? Apart from that, it should be of paramount concern for all modern enterprises, it’s my view that API security should revolve around identity. …

Mobile apps are ubiquitous these days, and unsurprisingly, many require users to log in. Maybe an app needs to save the user’s preferences, access the user’s resources on a server or save the user’s data remotely. …

These days most software companies use cloud deployment with modern hosting capabilities that make everyone productive, from developers to DevOps and InfoSec staff. However, not all cloud deployments are the same, and you still need to make sound choices to meet your architectural requirements. In this article, I will explain…

If your business is scaling up, you may find that you deliver many more software applications and APIs than you did originally — all of which will most likely use sensitive and personal data. This data must, of course, be secured. …

Financial-grade security refers to a cybersecurity approach that deals with high-security requirements. These requirements are often the result of compliance with data regulations. Many data protection regulations now exist around the globe, such as Europe’s General Data Protection Regulation (GDPR), Australian Privacy Principles (APPs), Brazil’s General Personal Data Protection Act…