If you happen to follow the feed for my blog, sorry for the spam, I’m helping debug some issues with micropub & IndieAuth in WordPress. 🐛
{
"type": "entry",
"published": "2018-05-27T17:57:42-04:00",
"url": "https://miklb.com/blog/2018/05/27/3902/",
"syndication": [
"https://twitter.com/miklb/status/1000858623382380544"
],
"content": {
"text": "If you happen to follow the feed for my blog, sorry for the spam, I\u2019m helping debug some issues with micropub & indieath in WordPress. \ud83d\udc1b",
"html": "<p>If you happen to follow the feed for my blog, sorry for the spam, I\u2019m helping debug some issues with micropub & indieath in WordPress. \ud83d\udc1b\n</p>"
},
"author": {
"type": "card",
"name": "Michael Bishop",
"url": "https://miklb.com",
"photo": "https://aperture-media.p3k.io/pbs.twimg.com/7736d92a9e8a680f77ca45b7c3d499fabbc09d1d4c664ba493e60870b133e023.jpg"
},
"_id": "368893",
"_source": "42",
"_is_read": true
}
Micropub update test. This text should be replaced if the test succeeds.
{
"type": "entry",
"published": "2018-05-27T17:55:00-04:00",
"url": "https://miklb.com/blog/2018/05/27/3895/",
"content": {
"text": "Micropub update test. This text should be replaced if the test succeeds.",
"html": "<p>Micropub update test. This text should be replaced if the test succeeds.\n</p>"
},
"author": {
"type": "card",
"name": "Michael Bishop",
"url": "https://miklb.com",
"photo": "https://aperture-media.p3k.io/pbs.twimg.com/7736d92a9e8a680f77ca45b7c3d499fabbc09d1d4c664ba493e60870b133e023.jpg"
},
"_id": "368882",
"_source": "42",
"_is_read": true
}
Micropub test of creating a basic h-entry
{
"type": "entry",
"published": "2018-05-27T14:09:27-04:00",
"url": "https://miklb.com/blog/2018/05/27/3881/",
"content": {
"text": "Micropub test of creating a basic h-entry",
"html": "<p>Micropub test of creating a basic h-entry\n</p>"
},
"author": {
"type": "card",
"name": "Michael Bishop",
"url": "https://miklb.com",
"photo": "https://aperture-media.p3k.io/pbs.twimg.com/7736d92a9e8a680f77ca45b7c3d499fabbc09d1d4c664ba493e60870b133e023.jpg"
},
"_id": "368389",
"_source": "42",
"_is_read": true
}
Micropub test of creating a basic h-entry
{
"type": "entry",
"published": "2018-05-27T14:03:56-04:00",
"url": "https://miklb.com/blog/2018/05/27/3880/",
"content": {
"text": "Micropub test of creating a basic h-entry",
"html": "<p>Micropub test of creating a basic h-entry\n</p>"
},
"author": {
"type": "card",
"name": "Michael Bishop",
"url": "https://miklb.com",
"photo": "https://aperture-media.p3k.io/pbs.twimg.com/7736d92a9e8a680f77ca45b7c3d499fabbc09d1d4c664ba493e60870b133e023.jpg"
},
"_id": "368383",
"_source": "42",
"_is_read": true
}
Excited to announce that @GoDaddy is our newest sponsor of @IndieWebSummit, and that @sdepolo and @no will be joining us there next month! 🎉 https://2018.indieweb.org
{
"type": "entry",
"published": "2018-05-27T10:20:15-07:00",
"url": "https://aaronparecki.com/2018/05/27/5/indieweb-summit",
"category": [
"indiewebsummit",
"indieweb"
],
"syndication": [
"https://twitter.com/aaronpk/status/1000788799658409984"
],
"content": {
"text": "Excited to announce that @GoDaddy is our newest sponsor of @IndieWebSummit, and that @sdepolo and @no will be joining us there next month! \ud83c\udf89 https://2018.indieweb.org",
"html": "Excited to announce that <a href=\"https://twitter.com/GoDaddy\">@GoDaddy</a> is our newest sponsor of <a href=\"https://twitter.com/IndieWebSummit\">@IndieWebSummit</a>, and that <a href=\"https://twitter.com/sdepolo\">@sdepolo</a> and <a href=\"https://twitter.com/no\">@no</a> will be joining us there next month! <a href=\"https://aaronparecki.com/emoji/%F0%9F%8E%89\">\ud83c\udf89</a> <a href=\"https://2018.indieweb.org\">https://2018.indieweb.org</a>"
},
"author": {
"type": "card",
"name": "Aaron Parecki",
"url": "https://aaronparecki.com/",
"photo": "https://aperture-media.p3k.io/aaronparecki.com/2b8e1668dcd9cfa6a170b3724df740695f73a15c2a825962fd0a0967ec11ecdc.jpg"
},
"_id": "368302",
"_source": "16",
"_is_read": true
}
{
"type": "event",
"name": "Homebrew Website Club Baltimore",
"published": "2018-05-27T12:24:36-04:00",
"start": "2018-05-29 19:30-0400",
"url": "https://martymcgui.re/2018/05/27/122436/",
"category": [
"event",
"HWC",
"IWC",
"IndieWeb",
"HWCBaltimore"
],
"location": [
"https://martymcgui.re/venues/digital-harbor-foundation-tech-center/"
],
"syndication": [
"https://upcoming.org/event/homebrew-website-club-baltimore-xams3wv29l",
"https://www.facebook.com/events/972150109606246/"
],
"refs": {
"https://martymcgui.re/venues/digital-harbor-foundation-tech-center/": {
"type": "card",
"name": "Digital Harbor Foundation Tech Center",
"url": "https://martymcgui.re/venues/digital-harbor-foundation-tech-center/",
"photo": null
}
},
"_id": "368254",
"_source": "175",
"_is_read": true
}
{
"type": "entry",
"published": "2018-05-26T18:53:32+00:00",
"url": "https://notiz.blog/2018/05/26/ein-indieweb-podcast/",
"name": "Ein IndieWeb Podcast",
"content": {
"text": "David Shanske und Chris Aldrich hosten seit ein paar Monaten einen ganz charmanten IndieWeb Podcast. David hat bei so ziemlich jedem IndieWeb-WordPress-Plugin mit gearbeitet und \u00fcbernimmt die Rolle des \u201eErkl\u00e4rers\u201c und Chris ist Poweruser und versucht den Podcast zu moderieren und die Komplexit\u00e4t etwas heraus zu nehmen.\n\nBisher entstanden 5 Folgen und ein Teaser:\n\nEpisode 0\n\tEpisode 1: Leaving Facebook\n\tEpisode 2: IndieAuth\n\tEpisode 3: Syndication\n\tEpisode 4: Webmentions and Privacy\n\tEpisode 5: IndieWeb Summit and More\ufeff\nIch muss zugeben, ich h\u00e4tte ja schon auch mal wieder Lust zu podcasten\u2026",
"html": "<p><a href=\"https://david.shanske.com/\">David Shanske</a> und <a href=\"https://boffosocko.com/\">Chris Aldrich</a> hosten seit ein paar Monaten einen ganz charmanten IndieWeb Podcast. David hat bei so ziemlich jedem <a href=\"https://profiles.wordpress.org/dshanske#content-plugins\">IndieWeb-WordPress-Plugin</a> mit gearbeitet und \u00fcbernimmt die Rolle des \u201eErkl\u00e4rers\u201c und Chris ist Poweruser und versucht den Podcast zu moderieren und die Komplexit\u00e4t etwas heraus zu nehmen.</p>\n\n<p>Bisher entstanden 5 Folgen und ein Teaser:</p>\n\n<ul><li><a href=\"https://david.shanske.com/2018/03/18/an-indieweb-podcast-episode-0/\">Episode 0</a></li>\n\t<li><a href=\"https://boffosocko.com/2018/04/17/an-indieweb-podcast-episode-1-leaving-facebook/\">Episode 1: Leaving Facebook</a></li>\n\t<li><a href=\"https://david.shanske.com/2018/04/18/an-indieweb-podcast-episode-2-indieauth/\">Episode 2: IndieAuth</a></li>\n\t<li><a href=\"https://boffosocko.com/2018/04/30/an-indieweb-podcast-episode-3-syndication-2/\">Episode 3: Syndication</a></li>\n\t<li><a href=\"https://david.shanske.com/2018/05/08/an-indieweb-podcast-episode-4-webmentions-and-privacy/\">Episode 4: Webmentions and Privacy</a></li>\n\t<li><a href=\"https://david.shanske.com/2018/05/13/an-indieweb-podcast-episode-5-indieweb-summit-and-more/\">Episode 5: IndieWeb Summit and More\ufeff</a></li>\n</ul><p>Ich muss zugeben, ich h\u00e4tte ja schon auch mal wieder <a href=\"http://openwebpodcast.de\">Lust zu podcasten</a>\u2026</p>"
},
"author": {
"type": "card",
"name": "Matthias Pfefferle",
"url": "https://notiz.blog/author/matthias-pfefferle/",
"photo": "https://aperture-media.p3k.io/secure.gravatar.com/f5d84b0517f531c4a44e54d7161bfdbbde767f34806674337f6d5c56e87f8e34.jpg"
},
"_id": "367207",
"_source": "206",
"_is_read": true
}
{
"type": "entry",
"published": "2018-05-26T18:40:00-07:00",
"url": "https://aaronparecki.com/2018/05/26/31/indieweb-summit",
"category": [
"indieweb",
"indiewebsummit"
],
"name": "You're Invited to IndieWeb Summit!",
"content": {
"text": "IndieWeb Summit is soon, and is shaping up to be an exciting event! We're hosting IndieWeb Summit the same week as the (final) Open Source Bridge, in case you needed another reason to visit Portland! IndieWeb Summit will be Tuesday-Wednesday June 26-27th, with a pre-party the Monday evening before.\n\nIf you're at all interested in taking back ownership of your online data, decentralizing the web, independent blogging, or any aspect of having a website, you should consider joining us for this event!\n\nAs gRegorLove said so well:\n\n\n It\u2019s a really friendly, collaborative group of people and it is always inspiring to see what people are making.\n \n You don\u2019t need to be a programmer! In fact, I would love to see more non-programmers attending. We need writers, graphic artists, designers, UX engineers, and anybody that wants to reclaim some of their online presence with a personal website.\n\n\nKeynotes\n\nOne of the distinguishing features of IndieWeb Summit compared to the IndieWebCamp events we run in many other cities throughout the year is we begin day 1 with a few keynote presentations to help set the stage for the two days. This year we're featuring a few special guests during the keynotes.\n\nManton Reece will give a talk about how Micro.blog works with open standards to encourage people to own their data while also making a service that is incredibly fun and easy to use.\n\nWilliam Hertling, the author of Kill Process, a book that features the IndieWeb, will talk about his inspiration for writing the book and where he sees the future of the IndieWeb heading.\n\nWe've been seeing some exciting progress with IndieWeb readers over the last few months, between my reader Monocle, Eddie's iOS app \"Indigenous\", and Jonathan and Grant's app \"Together\". 
We'll be sharing the latest developments along that front as well!\n\nRelated Events\n\nIn addition to IndieWeb Summit, the whole week will be a great lineup of events!\n\nMonday, June 25th 5:30pm - Pre-summit meetup at Pine Street Market\nTuesday, June 26th 9am-5:30pm - IndieWeb Summit Day 1 - Keynotes and Discussions\nTuesday evening 6:30pm - Donut.js\n\nWednesday, June 27th 9am-5:30pm - IndieWeb Summit Day 2 - Create, Hack, Demos!\nFriday, June 29th - Open Source Bridge unconference and party\nI hope to see you there! You can register now at 2018.indieweb.org!",
"html": "<p><a href=\"https://2018.indieweb.org/\">IndieWeb Summit</a> is soon, and is shaping up to be an exciting event! We're hosting IndieWeb Summit the same week as the (final) <a href=\"http://opensourcebridge.org/blog/2018/04/celebrate-10-years-of-open-source-bridge-with-a-1-day-unconference-and-party/\">Open Source Bridge</a>, in case you needed another reason to visit Portland! IndieWeb Summit will be Tuesday-Wednesday June 26-27th, with a pre-party the Monday evening before.</p>\n\n<p>If you're at all interested in taking back ownership of your online data, decentralizing the web, independent blogging, or any aspect of having a website, you should consider joining us for this event!</p>\n\n<p>As <a href=\"https://gregorlove.com/2018/05/an-invitation-to-indieweb-summit/\">gRegorLove said so well</a>:</p>\n\n<blockquote>\n <p>It\u2019s a really friendly, collaborative group of people and it is always inspiring to see what people are making.</p>\n \n <p>You don\u2019t need to be a programmer! In fact, I would love to see more non-programmers attending. We need writers, graphic artists, designers, UX engineers, and anybody that wants to reclaim some of their online presence with a personal website.</p>\n</blockquote>\n\n<h2>Keynotes</h2>\n\n<p>One of the distinguishing features of IndieWeb Summit compared to the IndieWebCamp events we run in many other cities throughout the year is we begin day 1 with a few keynote presentations to help set the stage for the two days. 
This year we're featuring a few special guests during the keynotes.</p>\n\n<p><a href=\"http://manton.org\">Manton Reece</a> will give a talk about how <a href=\"https://micro.blog\">Micro.blog</a> works with open standards to encourage people to own their data while also making a service that is incredibly fun and easy to use.</p>\n\n<p><a href=\"http://www.williamhertling.com/\">William Hertling</a>, the author of <a href=\"http://www.williamhertling.com/books/\">Kill Process</a>, a book that features the IndieWeb, will talk about his inspiration for writing the book and where he sees the future of the IndieWeb heading.</p>\n\n<p>We've been seeing some exciting progress with IndieWeb readers over the last few months, between my reader <a href=\"https://aaronparecki.com/2018/04/20/46/indieweb-reader-my-new-home-on-the-internet\">Monocle</a>, <a href=\"https://eddiehinkle.com\">Eddie</a>'s iOS app \"<a href=\"https://indieweb.org/Indigenous\">Indigenous</a>\", and <a href=\"https://cleverdevil.io\">Jonathan</a> and <a href=\"https://grant.codes\">Grant</a>'s app \"<a href=\"https://indieweb.org/Together\">Together</a>\". We'll be sharing the latest developments along that front as well!</p>\n\n<h2>Related Events</h2>\n\n<p>In addition to IndieWeb Summit, the whole week will be a great lineup of events!</p>\n\n<ul><li>Monday, June 25th 5:30pm - Pre-summit meetup at Pine Street Market</li>\n<li>Tuesday, June 26th 9am-5:30pm - <a href=\"https://2018.indieweb.org/\">IndieWeb Summit</a> Day 1 - Keynotes and Discussions</li>\n<li>Tuesday evening 6:30pm - <a href=\"https://donutjs.club\">Donut.js</a>\n</li>\n<li>Wednesday, June 27th 9am-5:30pm - IndieWeb Summit Day 2 - Create, Hack, Demos!</li>\n<li>Friday, June 29th - <a href=\"https://ti.to/stumptown-syndicate/open-source-bridge-10-year-celebration\">Open Source Bridge</a> unconference and party</li>\n</ul><p>I hope to see you there! 
You can register now at <a href=\"https://2018.indieweb.org\">2018.indieweb.org</a>!</p>"
},
"author": {
"type": "card",
"name": "Aaron Parecki",
"url": "https://aaronparecki.com/",
"photo": "https://aperture-media.p3k.io/aaronparecki.com/2b8e1668dcd9cfa6a170b3724df740695f73a15c2a825962fd0a0967ec11ecdc.jpg"
},
"_id": "366943",
"_source": "16",
"_is_read": true
}
I wish there was a place where I could read the story of a person. Everybody’s journey is so different and beautiful; each one leads to who we are. It would be the anti-LinkedIn. And because you wouldn’t “engage with brands”, it would be the anti-Facebook, too. Instead, it would be a record of the beauty and diversity of humanity, and a thing to point to when someone asks, “who are you?”
{
"type": "entry",
"published": "2018-05-26T15:33:46Z",
"url": "https://adactio.com/links/13926",
"category": [
"human",
"indieweb",
"sharing",
"resum\u00e9s",
"achievements",
"personality"
],
"bookmark-of": [
"https://werd.io/2018/what-youre-proud-of"
],
"content": {
"text": "What you\u2019re proud of\n\n\n\n\n I wish there was a place where I could read the story of a person. Everybody\u2019s journey is so different and beautiful; each one leads to who we are. It would be the anti-LinkedIn. And because you wouldn\u2019t \u201cengage with brands\u201d, it would be the anti-Facebook, too. Instead, it would be a record of the beauty and diversity of humanity, and a thing to point to when someone asks, \u201cwho are you?\u201d",
"html": "<h3>\n<a class=\"p-name u-bookmark-of\" href=\"https://werd.io/2018/what-youre-proud-of\">\nWhat you\u2019re proud of\n</a>\n</h3>\n\n<blockquote>\n <p>I wish there was a place where I could read the story of a person. Everybody\u2019s journey is so different and beautiful; each one leads to who we are. It would be the anti-LinkedIn. And because you wouldn\u2019t \u201cengage with brands\u201d, it would be the anti-Facebook, too. Instead, it would be a record of the beauty and diversity of humanity, and a thing to point to when someone asks, \u201cwho are you?\u201d</p>\n</blockquote>"
},
"_id": "365721",
"_source": "2",
"_is_read": true
}
Man, CoreData can be a pain! CoreData funkiness is currently the biggest thing holding back me getting the next beta of Indigenous for iOS out. Hopefully I can fix it soon so it doesn’t hold up 1.0 for the IndieWeb Summit 😞
{
"type": "entry",
"published": "2018-05-26T00:06:25-04:00",
"summary": "Man, CoreData can be a pain! CoreData funkiness is currently the biggest thing holding back me getting the next beta of Indigenous for iOS out. Hopefully I can fix it soon so it doesn\u2019t hold up 1.0 for the IndieWeb Summit \ud83d\ude1e",
"url": "https://eddiehinkle.com/2018/05/26/1/note/",
"category": [
"indieweb",
"indigenous",
"tech"
],
"content": {
"text": "Man, CoreData can be a pain! CoreData funkiness is currently the biggest thing holding back me getting the next beta of Indigenous for iOS out. Hopefully I can fix it soon so it doesn\u2019t hold up 1.0 for the IndieWeb Summit \ud83d\ude1e",
"html": "<p>Man, CoreData can be a pain! CoreData funkiness is currently the biggest thing holding back me getting the next beta of Indigenous for iOS out. Hopefully I can fix it soon so it doesn\u2019t hold up 1.0 for the IndieWeb Summit \ud83d\ude1e</p>"
},
"author": {
"type": "card",
"name": "Eddie Hinkle",
"url": "https://eddiehinkle.com/",
"photo": "https://aperture-media.p3k.io/eddiehinkle.com/cf9f85e26d4be531bc908d37f69bff1c50b50b87fd066b254f1332c3553df1a8.jpg"
},
"_id": "364878",
"_source": "226",
"_is_read": true
}
@Chronotope I'm curious what your thoughts were on @dsearls article: http://blogs.harvard.edu/doc/2018/05/12/gdpr/
Is there a better way for publishers to own their own adtech in a more decentralized #IndieWeb sort of way? What would that look like?
{
"type": "entry",
"published": "2018-05-25T18:08:15+00:00",
"url": "http://stream.boffosocko.com/2018/chronotope-im-curious-what-your-thoughts-were-on-dsearls-article",
"category": [
"IndieWeb"
],
"syndication": [
"https://twitter.com/ChrisAldrich/status/1000076129838002176"
],
"in-reply-to": [
"https://twitter.com/Chronotope/status/1000072108431593473"
],
"content": {
"text": "@Chronotope I'm curious what your thoughts were on @dsearls \u200farticle: http://blogs.harvard.edu/doc/2018/05/12/gdpr/\n\nIs there a better way for publishers to own their own adtech in a more decentralized #IndieWeb sort of way? What would that look like?",
"html": "<a href=\"https://twitter.com/Chronotope\">@Chronotope</a> I'm curious what your thoughts were on <a href=\"https://twitter.com/dsearls\">@dsearls</a> \u200farticle: <a href=\"http://blogs.harvard.edu/doc/2018/05/12/gdpr/\">http://blogs.harvard.edu/doc/2018/05/12/gdpr/</a><br />\nIs there a better way for publishers to own their own adtech in a more decentralized <a href=\"http://stream.boffosocko.com/tag/IndieWeb\" class=\"p-category\">#IndieWeb</a> sort of way? What would that look like?"
},
"author": {
"type": "card",
"name": "Chris Aldrich",
"url": "http://stream.boffosocko.com/profile/chrisaldrich",
"photo": "https://aperture-media.p3k.io/stream.boffosocko.com/d0ba9f65fcbf0cef3bdbcccc0b6a1f42b1310f7ab2e07208c7a396166cde26b1.jpg"
},
"_id": "363411",
"_source": "192",
"_is_read": true
}
{
"type": "entry",
"author": {
"name": "Kh\u00fcrt Williams",
"url": "https://islandinthenet.com/",
"photo": null
},
"url": "https://islandinthenet.com/does-gdpr-apply-to-eu-citizens-in-the-united-states/",
"published": "2018-05-25T01:36:13+00:00",
"content": {
"html": "Read <a href=\"https://www.compliancejunction.com/does-gdpr-apply-to-eu-citizens-in-the-united-states/\">Does GDPR apply to EU citizens in the United States</a> by GDPR News<em> (Compliance Junction)</em>\n<blockquote><p>If they deal with a business or organization in one of the non-EU countries they may be in, any personal data they provide is not covered by the GDPR rules, as they are not located within the EU at the time. It is not the citizenship of the person that is important, but where they are situated.</p>\n<p>Looking at another example helps to further illustrate who the GDPR applies to. A US citizen is temporarily residing or travelling in France, which is an EU country. They make a purchase from a local store and provide personal information during the transaction. This personal information is covered by GDPR as the person is located within the EU as the purchase takes place.</p>\n<p>From these examples you can see that the personal data of an EU citizen residing in the US, for example, would be dealt with according to individual data protection laws within the US and would not be subject to GDPR compliance, whereas the personal data of a US citizen residing in the EU would be subject to GDPR regulations.</p></blockquote>\n\nShort answer. It depends but ordinarily \u2026 NO!\n<p>IANAL but the information in this <a href=\"https://www.compliancejunction.com/does-gdpr-apply-to-eu-citizens-in-the-united-states/\">Compliance Junction article</a> seems legit. Two staff members from Pivoti covered PCI DSS and GDPR at last nights ( and at times contentious) <a href=\"https://islandinthenet.com/pci-dss-gdpr-compliance-event-with-isc2-new-jersey-chapter/\">GDPR and Privacy Event</a> of the <a href=\"https://isc2chapternj.org/about/\">New Jersey Chapter</a> of the <a href=\"https://www.isc2.org/About\">ISC2</a>.</p>\n<p>So \u2026 hey Europeans. 
If you come to the USA and shop at the small local shops in my town, don\u2019t expect you\u2019re EU legal rights to be respected. The local coffee shop which has no presence in the EU and has no website that sells/service EU citizens is not subject to GDPR. If you are a local business, the local business association or chamber of commerce in your town may be the best place to get help. EU laws do NOT apply to natural persons or US only businesses doing business in the USA.</p>\n<blockquote><p>\n The primary determining factor is the location of the individual when considering whether GDPR rules apply. Any business or organization that processes the data of people living within the EU, no matter where the group is located, should comply with the GDPR stipulations or face being fined for non-compliance.\n</p></blockquote>\n<p><a href=\"https://boffosocko.com/2018/05/10/an-indieweb-podcast-episode-4-webmentions-and-privacy/\">Chris Aldrich</a> and <a href=\"https://david.shanske.com/2018/05/13/1927/\">David Shanske</a>, I think that you will be happy to know that Webmentions should meet the intentions of the GDPR if:</p>\n<ul><li>they have a privacy policy in place that lists articulates the information their website collects,</li>\n<li>if they disable any sort of analytics,</li>\n<li>and have a way to remove/anonymise IP addresses in their database and logs,</li>\n<li>provide a way for users to remove ordinary comments (or move those to Disqus) since Webmentions already support deletion.</li>\n</ul><p>I am leaning toward using the open-source <a href=\"https://posativ.org/isso/\">Isso</a> on this website.</p>",
"text": "Read Does GDPR apply to EU citizens in the United States by GDPR News (Compliance Junction)\nIf they deal with a business or organization in one of the non-EU countries they may be in, any personal data they provide is not covered by the GDPR rules, as they are not located within the EU at the time. It is not the citizenship of the person that is important, but where they are situated.\nLooking at another example helps to further illustrate who the GDPR applies to. A US citizen is temporarily residing or travelling in France, which is an EU country. They make a purchase from a local store and provide personal information during the transaction. This personal information is covered by GDPR as the person is located within the EU as the purchase takes place.\nFrom these examples you can see that the personal data of an EU citizen residing in the US, for example, would be dealt with according to individual data protection laws within the US and would not be subject to GDPR compliance, whereas the personal data of a US citizen residing in the EU would be subject to GDPR regulations.\n\nShort answer. It depends but ordinarily \u2026 NO!\nIANAL but the information in this Compliance Junction article seems legit. Two staff members from Pivoti covered PCI DSS and GDPR at last nights ( and at times contentious) GDPR and Privacy Event of the New Jersey Chapter of the ISC2.\nSo \u2026 hey Europeans. If you come to the USA and shop at the small local shops in my town, don\u2019t expect you\u2019re EU legal rights to be respected. The local coffee shop which has no presence in the EU and has no website that sells/service EU citizens is not subject to GDPR. If you are a local business, the local business association or chamber of commerce in your town may be the best place to get help. 
EU laws do NOT apply to natural persons or US only businesses doing business in the USA.\n\n The primary determining factor is the location of the individual when considering whether GDPR rules apply. Any business or organization that processes the data of people living within the EU, no matter where the group is located, should comply with the GDPR stipulations or face being fined for non-compliance.\n\nChris Aldrich and David Shanske, I think that you will be happy to know that Webmentions should meet the intentions of the GDPR if:\nthey have a privacy policy in place that lists articulates the information their website collects,\nif they disable any sort of analytics,\nand have a way to remove/anonymise IP addresses in their database and logs,\nprovide a way for users to remove ordinary comments (or move those to Disqus) since Webmentions already support deletion.\nI am leaning toward using the open-source Isso on this website."
},
"name": "Does GDPR apply to EU citizens in the United States?",
"_id": "362726",
"_source": "242",
"_is_read": true
}
going to IndieWeb Summit 2018! June 26-27th at the Elliot Center in Portland, Oregon!
This will be the #indieweb #openweb #dweb event of the year. RSVPs limited to 100 total, sign-up before tickets sell-out: https://2018.indieweb.org/
{
"type": "entry",
"published": "2018-05-24 18:18-0700",
"rsvp": "yes",
"url": "http://tantek.com/2018/144/t1/indieweb-summit",
"category": [
"indieweb",
"openweb",
"dweb"
],
"in-reply-to": [
"https://2018.indieweb.org/"
],
"content": {
"text": "going to IndieWeb Summit 2018! June 26-27th at the Elliot Center in Portland, Oregon!\nThis will be the #indieweb #openweb #dweb event of the year. RSVPs limited to 100 total, sign-up before tickets sell-out: https://2018.indieweb.org/",
"html": "going to IndieWeb Summit 2018! June 26-27th at the Elliot Center in Portland, Oregon!<br />This will be the #indieweb #openweb #dweb event of the year. RSVPs limited to 100 total, sign-up before tickets sell-out: <a href=\"https://2018.indieweb.org/\">https://2018.indieweb.org/</a>"
},
"author": {
"type": "card",
"name": "Tantek \u00c7elik",
"url": "http://tantek.com/",
"photo": "https://aperture-media.p3k.io/tantek.com/acfddd7d8b2c8cf8aa163651432cc1ec7eb8ec2f881942dca963d305eeaaa6b8.jpg"
},
"refs": {
"https://2018.indieweb.org/": {
"type": "entry",
"url": "https://2018.indieweb.org/",
"name": "2018.indieweb.org\u2019s post"
}
},
"_id": "360927",
"_source": "1",
"_is_read": true
}
{
"type": "entry",
"author": {
"name": null,
"url": "https://strugee.net/blog/",
"photo": null
},
"url": "https://strugee.net/blog/2018/05/going-to-indieweb-summit-2018",
"published": "2018-05-23T18:14:52+00:00",
"content": {
"html": "<p>Once again, I'll be attending the <a href=\"https://2018.indieweb.org/\">IndieWeb Summit</a> this year. Probably I'll work on <a href=\"https://github.com/strugee/lazymention\">lazymention</a> and the <a href=\"https://github.com/strugee/strugee.github.com/tree/social-stream\"><code>social-stream</code> branch</a> of this website. Maybe I'll work on <a href=\"https://stratic.js.org/\">Stratic</a> too! I'm super excited.</p>",
"text": "Once again, I'll be attending the IndieWeb Summit this year. Probably I'll work on lazymention and the social-stream branch of this website. Maybe I'll work on Stratic too! I'm super excited."
},
"name": "Going to IndieWeb Summit 2018",
"_id": "356797",
"_source": "227",
"_is_read": true
}
{
"type": "entry",
"rsvp": "yes",
"url": "https://strugee.net/blog/2018/05/going-to-indieweb-summit-2018",
"category": [
"personal"
],
"in-reply-to": [
"https://2018.indieweb.org/"
],
"name": "Going to IndieWeb Summit 2018",
"content": {
"text": "Once again, I'll be attending the IndieWeb Summit this year. Probably I'll work on lazymention and the social-stream branch of this website. Maybe I'll work on Stratic too! I'm super excited.",
"html": "<p>Once again, I'll be attending the <a href=\"https://2018.indieweb.org/\" class=\"u-in-reply-to\">IndieWeb Summit</a> this year. Probably I'll work on <a href=\"https://github.com/strugee/lazymention\">lazymention</a> and the <a href=\"https://github.com/strugee/strugee.github.com/tree/social-stream\"><code>social-stream</code> branch</a> of this website. Maybe I'll work on <a href=\"https://stratic.js.org/\">Stratic</a> too! I'm super excited.</p>"
},
"author": {
"type": "card",
"name": "AJ Jordan",
"url": "https://strugee.net/",
"photo": null
},
"_id": "356796",
"_source": "207",
"_is_read": true
}
Registration (on the microformats wiki) works fine. I just tried it and created a new account. If you are having trouble understanding the microformats wiki, whether with registration or anything, please state the problem as a question and check the FAQ accordingly: http://microformats.org/wiki/faq
Recommend closure of issue #3704, works for me, no changes to HTML Standard needed.
{
"type": "entry",
"published": "2018-05-23 18:34-0700",
"url": "http://tantek.com/2018/143/t6/",
"category": [
"3704"
],
"in-reply-to": [
"https://github.com/whatwg/html/issues/3704"
],
"content": {
"text": "Registration (on the microformats wiki) works fine. I just tried it and created a new account. If you are having trouble understanding the microformats wiki, whether with registration or anything, please state the problem as a question and check the FAQ accordingly: http://microformats.org/wiki/faq\n\nRecommend closure of issue #3704, works for me, no changes to HTML Standard needed.",
"html": "Registration (on the microformats wiki) works fine. I just tried it and created a new account. If you are having trouble understanding the microformats wiki, whether with registration or anything, please state the problem as a question and check the FAQ accordingly: <a href=\"http://microformats.org/wiki/faq\">http://microformats.org/wiki/faq</a><br /><br />Recommend closure of issue #3704, works for me, no changes to HTML Standard needed."
},
"author": {
"type": "card",
"name": "Tantek \u00c7elik",
"url": "http://tantek.com/",
"photo": "https://aperture-media.p3k.io/tantek.com/acfddd7d8b2c8cf8aa163651432cc1ec7eb8ec2f881942dca963d305eeaaa6b8.jpg"
},
"refs": {
"https://github.com/whatwg/html/issues/3704": {
"type": "entry",
"url": "https://github.com/whatwg/html/issues/3704",
"name": "issue 3704 of GitHub project \u201chtml\u201d"
}
},
"_id": "356629",
"_source": "1",
"_is_read": true
}
{
"type": "entry",
"published": "2018-05-23T19:18:06+00:00",
"url": "http://stream.boffosocko.com/2018/judell-dangillmor-i-wonder-if-palewire-chronotope-jeffjarvis-or-ricmac",
"category": [
"journalism",
"annotations",
"indieweb"
],
"syndication": [
"https://twitter.com/ChrisAldrich/status/999368905503145986"
],
"in-reply-to": [
"https://twitter.com/judell/status/999362310463414272"
],
"content": {
"text": "@judell @dangillmor I wonder if @palewire, @Chronotope, @jeffjarvis, or @ricmac are playing in these sandboxes or know others who are?\n#journalism #annotations #indieweb\nhttps://indieweb.org/Indieweb_for_Journalism#Annotations",
"html": "<a href=\"https://twitter.com/judell\">@judell</a> <a href=\"https://twitter.com/dangillmor\">@dangillmor</a> I wonder if <a href=\"https://twitter.com/palewire\">@palewire</a>, <a href=\"https://twitter.com/Chronotope\">@Chronotope</a>, <a href=\"https://twitter.com/jeffjarvis\">@jeffjarvis</a>, or <a href=\"https://twitter.com/ricmac\">@ricmac</a> are playing in these sandboxes or know others who are?<br /><a href=\"http://stream.boffosocko.com/tag/journalism\" class=\"p-category\">#journalism</a> <a href=\"http://stream.boffosocko.com/tag/annotations\" class=\"p-category\">#annotations</a> <a href=\"http://stream.boffosocko.com/tag/indieweb\" class=\"p-category\">#indieweb</a><br /><a href=\"https://indieweb.org/Indieweb_for_Journalism#Annotations\">https://indieweb.org/Indieweb_for_Journalism#Annotations</a>"
},
"author": {
"type": "card",
"name": "Chris Aldrich",
"url": "http://stream.boffosocko.com/profile/chrisaldrich",
"photo": "https://aperture-media.p3k.io/stream.boffosocko.com/d0ba9f65fcbf0cef3bdbcccc0b6a1f42b1310f7ab2e07208c7a396166cde26b1.jpg"
},
"_id": "354909",
"_source": "192",
"_is_read": true
}
🔖 Bookmarked http://www.iasc-culture.org/THR/THR_article_2018_Spring_Jacobs.php
IASC: The Hedgehog Review - Volume 20, No. 1 (Spring 2018) - Tending the Digital Commons: A Small Ethics toward the Future -
“It is common to refer to universally popular social media sites like Facebook, Instagram, Snapchat, and Pinterest as “walled gardens.” But they are not gardens; they are walled industrial sites, within which users, for no financial compensation, produce data which the owners of the factories sift and then sell. Some of these factories (Twitter, Tumblr, and more recently Instagram) have transparent walls, by which I mean that you need an account to post anything but can view what has been posted on the open Web; others (Facebook, Snapchat) keep their walls mostly or wholly opaque. But they all exercise the same disciplinary control over those who create or share content on their domain.”
{
"type": "entry",
"published": "2018-05-22T10:34:23-04:00",
"url": "https://martymcgui.re/2018/05/22/103423/",
"category": [
"domain-of-ones-own",
"IndieWeb",
"silos"
],
"bookmark-of": [
"http://www.iasc-culture.org/THR/THR_article_2018_Spring_Jacobs.php"
],
"content": {
"text": "\ud83d\udd16 Bookmarked http://www.iasc-culture.org/THR/THR_article_2018_Spring_Jacobs.php\n \n \n \n IASC: The Hedgehog Review - Volume 20, No. 1 (Spring 2018) - Tending the Digital Commons: A Small Ethics toward the Future -\n \n \n\u201cIt is common to refer to universally popular social media sites like Facebook, Instagram, Snapchat, and Pinterest as \u201cwalled gardens.\u201d But they are not gardens; they are walled industrial sites, within which users, for no financial compensation, produce data which the owners of the factories sift and then sell. Some of these factories (Twitter, Tumblr, and more recently Instagram) have transparent walls, by which I mean that you need an account to post anything but can view what has been posted on the open Web; others (Facebook, Snapchat) keep their walls mostly or wholly opaque. But they all exercise the same disciplinary control over those who create or share content on their domain.\u201d",
"html": "\ud83d\udd16 Bookmarked <a class=\"u-bookmark-of\" href=\"http://www.iasc-culture.org/THR/THR_article_2018_Spring_Jacobs.php\">http://www.iasc-culture.org/THR/THR_article_2018_Spring_Jacobs.php</a>\n \n \n \n <a class=\"u-url p-name\" href=\"http://www.iasc-culture.org/THR/THR_article_2018_Spring_Jacobs.php\">IASC: The Hedgehog Review - Volume 20, No. 1 (Spring 2018) - Tending the Digital Commons: A Small Ethics toward the Future -</a>\n \n <blockquote class=\"p-summary\">\n<p>\u201cIt is common to refer to universally popular social media sites like Facebook, Instagram, Snapchat, and Pinterest as \u201cwalled gardens.\u201d But they are not gardens; they are walled industrial sites, within which users, for no financial compensation, produce data which the owners of the factories sift and then sell. Some of these factories (Twitter, Tumblr, and more recently Instagram) have transparent walls, by which I mean that you need an account to post anything but can view what has been posted on the open Web; others (Facebook, Snapchat) keep their walls mostly or wholly opaque. But they all exercise the same disciplinary control over those who create or share content on their domain.\u201d</p>\n</blockquote>"
},
"author": {
"type": "card",
"name": "Marty McGuire",
"url": "https://martymcgui.re/",
"photo": "https://aperture-media.p3k.io/martymcgui.re/4f9fac2b9e3ae62998c557418143efe288bca8170a119921a9c6bfeb0a1263a2.jpg"
},
"refs": {
"http://www.iasc-culture.org/THR/THR_article_2018_Spring_Jacobs.php": {
"type": "entry",
"summary": "\u201cIt is common to refer to universally popular social media sites like Facebook, Instagram, Snapchat, and Pinterest as \u201cwalled gardens.\u201d But they are not gardens; they are walled industrial sites, within which users, for no financial compensation, produce data which the owners of the factories sift and then sell. Some of these factories (Twitter, Tumblr, and more recently Instagram) have transparent walls, by which I mean that you need an account to post anything but can view what has been posted on the open Web; others (Facebook, Snapchat) keep their walls mostly or wholly opaque. But they all exercise the same disciplinary control over those who create or share content on their domain.\u201d",
"url": "http://www.iasc-culture.org/THR/THR_article_2018_Spring_Jacobs.php",
"name": "IASC: The Hedgehog Review - Volume 20, No. 1 (Spring 2018) - Tending the Digital Commons: A Small Ethics toward the Future -"
}
},
"_id": "349115",
"_source": "175",
"_is_read": true
}
{
"type": "entry",
"published": "2017-12-05T12:30:51-08:00",
"url": "https://aaronparecki.com/2017/12/05/8/indieauth",
"category": [
"indieweb",
"indiewebchallenge",
"indieauth",
"oauth2",
"oauth"
],
"name": "Announcing the IndieAuth Spec!",
"content": {
"text": "It's been a long time coming, but I've finally published a proper IndieAuth spec!\nIndieAuth has been around for years, and is even referenced by the Micropub\u00a0spec. But until now, there wasn't a canonical version of the spec all in one place. Previously it existed as a series of how-to guides on the IndieWeb wiki. Arguably it's actually more useful that way, since the whole point of specs is to communicate a consistent way of implementing something. But it did make it awkward to refer to it formally.\nSo I'm happy to say that there is finally a spec for IndieAuth, at\u00a0https://indieauth.net/spec/\nThis document captures the current state of what has been implemented, and incorporates much of the feedback we've gathered over the years. Most of the document is split up into authentication and authorization sections, for when you are trying to just identify users for sign-in in vs when a Micropub client is trying to get an access token to post to the user's site. Formally it's an extension to OAuth 2.0, and makes several decisions that were left un-specified in the OAuth 2.0 core spec.\nIf you've implemented any part of this spec, or are thinking about it, I'd appreciate any feedback! Feel free to comment on this post, file an issue on GitHub, or drop a note in the IndieWeb chat!",
"html": "<p>It's been a long time coming, but I've finally published a proper <a href=\"https://indieauth.net/spec/\">IndieAuth spec</a>!</p>\n<p>IndieAuth has been around for years, and is even referenced by the <a href=\"https://www.w3.org/TR/micropub/\">Micropub</a>\u00a0spec. But until now, there wasn't a canonical version of the spec all in one place. Previously it existed as a series of how-to guides on the <a href=\"https://indieweb.org/Category:IndieAuth\">IndieWeb wiki</a>. Arguably it's actually more useful that way, since the whole point of specs is to communicate a consistent way of implementing something. But it did make it awkward to refer to it formally.</p>\n<p>So I'm happy to say that there is finally a spec for IndieAuth, at\u00a0<a href=\"https://indieauth.net/spec/\">https://indieauth.net/spec/</a></p>\n<p>This document captures the current state of what has been implemented, and incorporates much of the feedback we've gathered over the years. Most of the document is split up into <a href=\"https://indieauth.net/spec/#authentication\">authentication</a> and <a href=\"https://indieauth.net/spec/#authorization\">authorization</a> sections, for when you are trying to just identify users for sign-in in vs when a Micropub client is trying to get an access token to post to the user's site. Formally it's an extension to <a href=\"https://oauth.net/2/\">OAuth 2.0</a>, and makes several decisions that were left un-specified in the OAuth 2.0 core spec.</p>\n<p>If you've implemented any part of this spec, or are thinking about it, I'd appreciate any feedback! Feel free to comment on this post, file an issue <a href=\"https://github.com/aaronpk/indieauth.net/issues\">on GitHub</a>, or drop a note in the <a href=\"https://chat.indieweb.org/dev\">IndieWeb chat</a>!</p>"
},
"author": {
"type": "card",
"name": "Aaron Parecki",
"url": "https://aaronparecki.com/",
"photo": "https://aperture-media.p3k.io/aaronparecki.com/2b8e1668dcd9cfa6a170b3724df740695f73a15c2a825962fd0a0967ec11ecdc.jpg"
},
"_id": "347472",
"_source": "16",
"_is_read": true
}
{
"type": "entry",
"published": "2017-10-04T19:03:28-07:00",
"url": "https://aaronparecki.com/2017/10/04/23/passwordless-logins",
"featured": "https://aaronparecki.com/2017/10/04/23/image-1.jpg",
"category": [
"okta",
"security",
"password",
"login"
],
"name": "Passwordless Logins for Your Website",
"content": {
"text": "Why Passwordless Logins?\nThere are many reasons passwords are terrible, especially passwords that you have to remember. There are also many situations in which it's not practical to enter a password, or it's not safe.\nWhen I travel for IndieWebCamps or other conferences, I often need to log in to my website to give demos of things. Sometimes I'm giving a demo in front of a bunch of people, or using a computer that isn't mine. I can't be sure that there isn't a keylogger on the computer I'm using, or that my typing isn't being recorded by cameras for the livestream. It would be great if there was a way to log in on a guest computer without having to type in my password manually.\nI was able to create a workflow where I replaced the password box on my website with a button which sends a login request to my phone. I then have to unlock my phone and confirm the login request from the device, and then the session on the desktop that requested the login is confirmed and I'm logged in.\nBut first, a bit of background.\nAuthentication Factors\nThere are generally three categories of authentication factors talked about in security.\nSomething you know (Knowledge): A knowledge factor is something you know, such as your password.\n Something you have (Possession): Possession factors are something you have, such as a Yubikey, a phone, or some other physical security token.\n Something you are (Inherence): An Inherence factor is something you are, usually a biometric characteristic such as a fingerprint, voice pattern or iris pattern.\nFor most of computing history, only a knowledge factor (a password) was used. If you never wrote down the password, then a password is strictly a knowledge factor.\nLately, more systems are now requiring two factors of authentication, such as asking you for your password (Knowledge) and also requiring that you insert a security key (Possession). Apple accomplishes two-factor authentication with a password (Knowledge) and your fingerprint (Inherence). This obviously provides better security, since an attacker now needs to compromise two things with very different attack surface areas.\nWith the advent of password managers, more people are now turning passwords (Knowledge factors) into Possession factors. It's worth thinking about this from the threat model perspective. If someone is trying to hack into my account that has only a password, then it is possible to brute force the account eventually. If the account requires just a possession factor to log in, then if someone steals the physical device they can log in to my account. Password managers end up converting a password into a Possession Factor, since if someone steals the device that is storing my passwords, they would be able to use the passwords. Because of this risk, most password managers protect the device with either a \"master password\" (Knowledge Factor) or a biometric aspect, such as using Apple's TouchID (an Inherence Factor). \nThe Passwordless Workflow\nNow that we have that out of the way, let's get into how I can use an iPhone app as the primary authentication factor for logging in to my website.\nThe workflow that I ended up using, and that I'll document in a future blog post, works as follows:\nGo to the website and, click \"sign in\"\n Enter my username, and press the \"log in\" button\n A notification on my phone pops up asking to confirm the login\n Tap \"approve\", and swipe my thumbprint\n The website sees that I've confirmed the login request and starts the session\nNo password is required for this flow! Instead, we require two factors: something you have (your phone), and something you are (your fingerprint). This means we are now even more secure than using just a password.\u00a0\nTo implement this on my website, I used the Okta Verify app, since they've gone to great lengths to create a secure iPhone app and they run servers that will handle that aspect of the security.\nIn addition to the server no longer accepting a brute-forceable password, we rely on the security provided by the Okta app and their servers to handle the multi-factor aspect of security.\u00a0\nWhy is this more secure than TOTP?\nTOTP is the spec used by Google Authenticator and other similar apps that ask you to enter a 6-digit code. Typically setting this up will involve scanning a QR code into an app, and then it will generate 6 digits that change every 30 seconds. You might be tempted to use this as a primary login factor, since ultimately the end user flow for this ends up looking similar to the Okta Verify flow outlined above. However, there are a couple reasons using TOTP as a primary factor isn't secure.\nThe TOTP spec, used by Google Authenticator and many others, is acceptable as a second factor of authentication. However it was not designed to be the primary factor.\nIf you try to use TOTP as the only factor, it is essentially a really bad password. Since the length and character set of the TOTP codes are known, an attacker only has to try guessing 6 digit passwords until they get in. Another attack vector is if someone can watch you enter a valid code, they could steal the code and log in on another device, since the codes can typically be replayed.\nBecause of these issues, TOTP is only acceptable as an additional factor after already confirming a first authentication factor such as a password.\nImplementing the Flow\nIn a future blog post, I'll outline the steps required to actually implement this flow using the Okta Verify app.\u00a0",
"html": "<img src=\"https://aperture-media.p3k.io/aaronparecki.com/ea30048d91bf44cc58c630dfdf87643b02223383efac09f2d49824a3d33ef1f5.jpg\" alt=\"\" class=\"u-featured\" /><h2>Why Passwordless Logins?</h2>\n<p>There are many reasons passwords are terrible, especially passwords that you have to remember. There are also many situations in which it's not practical to enter a password, or it's not safe.</p>\n<p>When I travel for IndieWebCamps or other conferences, I often need to log in to my website to give demos of things. Sometimes I'm giving a demo in front of a bunch of people, or using a computer that isn't mine. I can't be sure that there isn't a keylogger on the computer I'm using, or that my typing isn't being recorded by cameras for the livestream. It would be great if there was a way to log in on a guest computer without having to type in my password manually.</p>\n<p>I was able to create a workflow where I replaced the password box on my website with a button which sends a login request to my phone. I then have to unlock my phone and confirm the login request from the device, and then the session on the desktop that requested the login is confirmed and I'm logged in.</p>\n<p>But first, a bit of background.</p>\n<h2>Authentication Factors</h2>\n<p>There are generally three categories of authentication factors talked about in security.</p>\n<ul><li>Something you know (Knowledge): A knowledge factor is something you know, such as your password.</li>\n <li>Something you have (Possession): Possession factors are something you have, such as a Yubikey, a phone, or some other physical security token.</li>\n <li>Something you are (Inherence): An Inherence factor is something you are, usually a biometric characteristic such as a fingerprint, voice pattern or iris pattern.</li>\n</ul><p>For most of computing history, only a knowledge factor (a password) was used. If you never wrote down the password, then a password is strictly a knowledge factor.</p>\n<p>Lately, more systems are now requiring two factors of authentication, such as asking you for your password (Knowledge) and also requiring that you insert a security key (Possession). Apple accomplishes two-factor authentication with a password (Knowledge) and your fingerprint (Inherence). This obviously provides better security, since an attacker now needs to compromise two things with very different attack surface areas.</p>\n<p>With the advent of password managers, more people are now turning passwords (Knowledge factors) into Possession factors. It's worth thinking about this from the threat model perspective. If someone is trying to hack into my account that has only a password, then it is possible to brute force the account eventually. If the account requires just a possession factor to log in, then if someone steals the physical device they can log in to my account. Password managers end up converting a password into a Possession Factor, since if someone steals the device that is storing my passwords, they would be able to use the passwords. Because of this risk, most password managers protect the device with either a \"master password\" (Knowledge Factor) or a biometric aspect, such as using Apple's TouchID (an Inherence Factor). </p>\n<h2>The Passwordless Workflow</h2>\n<p>Now that we have that out of the way, let's get into how I can use an iPhone app as the primary authentication factor for logging in to my website.</p>\n<p>The workflow that I ended up using, and that I'll document in a future blog post, works as follows:</p>\n<ul><li>Go to the website and, click \"sign in\"</li>\n <li>Enter my username, and press the \"log in\" button</li>\n <li>A notification on my phone pops up asking to confirm the login</li>\n <li>Tap \"approve\", and swipe my thumbprint</li>\n <li>The website sees that I've confirmed the login request and starts the session</li>\n</ul><p>No password is required for this flow! Instead, we require two factors: something you have (your phone), and something you are (your fingerprint). This means we are now even more secure than using just a password.\u00a0</p>\n<p>To implement this on my website, I used the Okta Verify app, since they've gone to great lengths to create a secure iPhone app and they run servers that will handle that aspect of the security.</p>\n<p>In addition to the server no longer accepting a brute-forceable password, we rely on the security provided by the Okta app and their servers to handle the multi-factor aspect of security.\u00a0</p>\n<h2>Why is this more secure than TOTP?</h2>\n<p>TOTP is the spec used by Google Authenticator and other similar apps that ask you to enter a 6-digit code. Typically setting this up will involve scanning a QR code into an app, and then it will generate 6 digits that change every 30 seconds. You might be tempted to use this as a primary login factor, since ultimately the end user flow for this ends up looking similar to the Okta Verify flow outlined above. However, there are a couple reasons using TOTP as a primary factor isn't secure.</p>\n<p>The TOTP spec, used by Google Authenticator and many others, is acceptable as a second factor of authentication. However it was not designed to be the primary factor.</p>\n<p>If you try to use TOTP as the only factor, it is essentially a really bad password. Since the length and character set of the TOTP codes are known, an attacker only has to try guessing 6 digit passwords until they get in. Another attack vector is if someone can watch you enter a valid code, they could steal the code and log in on another device, since the codes can typically be replayed.</p>\n<p>Because of these issues, TOTP is only acceptable as an additional factor after already confirming a first authentication factor such as a password.</p>\n<h2>Implementing the Flow</h2>\n<p>In a future blog post, I'll outline the steps required to actually implement this flow using the Okta Verify app.\u00a0</p>"
},
"author": {
"type": "card",
"name": "Aaron Parecki",
"url": "https://aaronparecki.com/",
"photo": "https://aperture-media.p3k.io/aaronparecki.com/2b8e1668dcd9cfa6a170b3724df740695f73a15c2a825962fd0a0967ec11ecdc.jpg"
},
"_id": "347476",
"_source": "16",
"_is_read": true
}