Module 02 · Who are you, really?

Authentication & Identity

The system that decides whether you are who you say you are. Twenty years ago this was a username and a password. Today it is a stack: passwords, second factors, passkeys, single sign-on, federation, OAuth, JWTs — each layer fixing a flaw in the one below it, and each adding new ways to get it wrong.

Module 02 · 7 Reference Pages · 1 Hands-On Lab

Authentication answers "who are you?". Authorization (a separate problem) answers "what are you allowed to do?". This module is about the first question. The rule that ties the pages together: every layer of identity assumes the layer below it works, and almost every authentication breach is a story about that assumption being wrong.

02.A Reference Pages

02.01 Passwords
The original credential. Why entropy matters, the four attack families (brute force, dictionary, credential stuffing, rainbow tables), and the defenses (salts, peppers, KDFs) that try to make a stolen database useless. Includes a live entropy calculator.

02.02 Multi-Factor Authentication
Something you know, something you have, something you are. The factor menagerie (SMS, TOTP, push, hardware tokens, biometrics) ranked by phishing resistance, with the real-world incidents that explain the ranking.

02.03 Passkeys (FIDO2 / WebAuthn)
The replacement for passwords, finally. Public-key authentication scoped to a domain. Why origin binding makes passkeys structurally phishing-resistant. Where credentials live, and how they sync across devices.

02.04 Single Sign-On (SSO)
One login, many apps. The IdP / SP model, the SSO redirect dance, session lifetimes, and the trade-off this module's most important sentence captures: SSO concentrates risk along with convenience.

02.05 Federated Identity
SSO across organizational boundaries. SAML and OIDC compared. How "Sign in with Google" actually works under the hood, why federation requires standing trust relationships, and what attackers look for in misconfigured federations.

02.06 OAuth 2.0
The authorization framework that almost every modern federation rides on. Four grant types, what each is for, why the implicit grant is dead, why PKCE matters, and the redirect_uri pitfalls that keep producing CVEs.

02.07 JSON Web Tokens (JWT)
The signed token format every federated flow eventually hands you. Header, payload, signature. Common claims (iss, sub, aud, exp). The validation rules every JWT verifier must check, and what happens to apps that skip them.
02.B Hands-On Lab

Lab: JWT Tampering Lab
Decode a real JWT, change the algorithm to none, swap the role from user to admin, and watch a deliberately weak server accept the forged token. Then turn on proper validation and watch the same payload get rejected.

Lab: Passkey vs Password Phishing
Side-by-side phishing demo. Watch a lookalike site steal a password. Watch the same attack fail against a passkey because the browser refuses to sign for the wrong origin. The cryptographic reasoning is laid out beneath the demo.

Lab: OAuth redirect_uri Attack Lab
Five scenarios: the legitimate flow, plus four real-world misconfigurations — wildcard allow-list, prefix match, no validation, subdomain takeover. Each one shows exactly how an attacker steals the authorization code and what the fix is.

Lab: Password Attack Racer
Four attacks (brute force, dictionary, credential stuffing, rainbow tables) race against passwords of different strengths and storage methods. Watch which finishes first — and which one was never the threat you thought.

Lab: JWT Key Confusion (Bonus)
The bonus level of the JWT lab. The server expects RS256 signatures, but the library accepts the alg field from the token. Forge a token signed with HS256 using the RSA public key as the HMAC secret — and watch the server accept it.