Mobile apps might be the most popular type of applications, having reached the number of almost 9 million, according to a new report from RiskIQ. However, when it comes to the security of users, they are not so highly favored.

The security vulnerability of mobile apps is closely connected to how they are distributed — mainly through marketplace app stores. It makes them public clients, and therefore they can not be trusted to receive a credential to authenticate with. …

The world is different, time for something new?

Jacob Ideskog, CTO @ Curity (

The Past

For centuries, proving identity and allowing access to certain information, crossing borders, or gaining permission for a certain activity was a matter of official certifications, identity cards, passports, and special seals that proved who and what was allowed.

The internet revolution demands new ways of communicating, accessing information, and identifying the same who and what. The need for digital identity management was born and evolved through standards such as SAML, user directories, passwords, and then the introduction of more challenging authentication methods.

A particularly…

10 things you need to know about JWTs in questions and answers
10 things you need to know about JWTs in questions and answers

JWTs are JSON web tokens that are widely utilized in OAuth and OpenID Connect. In fact, their application is so popular that the main principles of their use are quite often overlooked. However, the basics should not be forgotten.

So, that is why we decided to brush some dust off the fundamentals of JWTs. What are JWTs? How should they be used? Are they really secure?

1. What are JWTs?

There are three basic things that you absolutely need to know about JWTs:

· JWT stands for “JSON web token” and is pronounced as jot. It is not a protocol but a format. …

We’ve outlined some key things to keep in mind when designing and building APIs.

Today we are witnessing the rise of the API economy, where APIs play an essential role in business success. However, this development raises new challenges. In 2017, Gartner predicted that by 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications. 2020 — with its digital pandemic, “as insidious as Covid-19” — has provided more than enough additional arguments to support that prognosis. Therefore, it is as topical as ever to ensure the security of web APIs.

With this…

Neo-security Architecture
Neo-security Architecture

And why should it be a consideration when mapping out your security architecture?

Neo-Security Architecture is a modular and open-standard-based security architecture that aims to secure and assert legitimate access to APIs and services as well as web and mobile applications.

The Neo Security architecture is intended to be used as a roadmap, to be ready when new needs arise. It provides a blueprint architecture that can be used to map new and existing systems against the functions needed to scale securely.

A centralized system for managing Identities, Token issuance, Federation, and so on is critical to building a secure and scalable API platform.

The main design principle is “Separation of Concern,” where…

Authentication API
Authentication API

Jacob Ideskog — CTO @

Ever since the OAuth 2.0 specification was finalized, we have dealt with the limitations of the Resource Owner Password Flow (ROPC). It was intended as a flow to support legacy applications that did not have a browser available, or to be used as a last resort for legacy use-cases. The authors of the specification clearly signal that this flow is not recommended, and should be avoided.

At Curity, we agree with this sentiment. The ROPC flow presents an anti-pattern that is in conflict with the spirit of the OAuth specification as a whole —…

Computer systems built today have very little in common with what we built only a few years ago. Systems have evolved from classic client-server solutions, into distributed systems that span over many data centers and geolocations. DevOps teams are now able to build applications that scale up and down effortlessly, and even build serverless applications that can spin up a server just to serve a single request. It’s pretty impressive.

However, one requirement has stayed the same over the years. The system still needs to know who the caller is, or at least know a little something about the caller…

A guide on using Apigee Edge with Curity Identity Server

An API Gateway, or an advanced reverse proxy, is a key function in an API management system. When used in a token-based architecture, for instance with OAuth 2.0, the gateway often includes functionality to issue and not only verify tokens. From a high level perspective, it could seem natural to issue and verify tokens in the same computer system, but there are several good reasons to separate these two, inherently different services. Issuance of tokens (done in the OAuth server) involves gathering information from many sources, directories and databases in a well-defined format that allows back-end services and APIs to…

Strong authentication without user identity validation will render PSD2* a failure. Why? It’s simple. Passwords never equal identity!

One may say that the big debate, and misconception, around the “strong authentication” concept — what it is, to whom it applies, how to implement it in modern enterprise architectures etc. — started with the PSD2 regulation pushed forward by the European Union. We would argue that it is actually a natural concern, in line with the advancements of the web and the tidal wave demanding easier yet more secure access to data and information. …


Curity is the leading supplier of API-driven identity management, providing unified security for digital services. Visit or contact

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store