Authentication news and developer summaries

In the US, companies often deactivate digital credentials instantly during layoffs to mitigate security risks. The case of the Akhter brothers, who deleted 96 government databases and engaged in extensive credential stuffing and unauthorized access after being fired, illustrates the severe threats posed by disgruntled former employees with access to sensitive systems.

Val Town transitioned from Clerk to Better Auth due to significant challenges with rate-limiting, data synchronization, and system reliability. By using a third-party for user management and session handling, Val Town experienced outages beyond their control. Better Auth offers a more sustainable, open-source approach, keeping session management internal while mitigating vendor risk.

Users are reporting a persistent authentication failure in the Volkswagencarnet Home Assistant integration. While the official Android app and browser portals remain functional, the integration fails to authorize sessions, displaying an error message despite users confirming valid credentials and terms acceptance on the VW platform.

Cross-Site Scripting (XSS) can turn passkeys into a major security liability. Without hardware attestation, malicious JavaScript can silently register attacker-controlled passkeys or hijack legitimate registration flows. While passkeys are essential for phishing defense, organizations must secure them by implementing step-up authentication for new passkey registrations, strict Content Security Policies, and Permissions Policy to restrict API access.