![\"WP-credential-stuffing\"](\"/5643412c7b1884dac14f7a6115dfc5a1/WP-credential-stuffing.webp\")
The current COVID-19 times have given rise to extensive phishing scams all around the world. According to the IBM study, the costs for data breaches were found to be $4.24 million per incident. Also, credential phishing was the most common method used by attackers.
\nCredential phishing scammers are now targeting corporate businesses to carry out their attacks. Many businesses around the world lose millions to direct and indirect costs of credential phishing attacks every year.
\nIn this blog, we will understand more about credential phishing and debunk five myths about credential phishing.
\nIn today's digital workplace, businesses are leveraging technology and innovation to improve their business processes, work operations, and culture.
\nBusiness operations are simplified by innovative software to deliver the best to customers as well as employees.
\nFor example, using employee engagement software and digital signatures to deliver an excellent employee experience, using email marketing software to deliver the right messages to customers, or using a digital adoption platform to help your customers with product walk-throughs.
\nRegistering for the software by creating an account is the first step towards building a successful workplace. Having a secure login system thus becomes the need of the hour.
\nAttackers usually send targeted emails, often impersonating a trusted individual to engage with the victim while having a sense of urgency. They convince the victim to provide credentials or extract their login details via digital manipulation.
\nCredential phishing attacks are usually targeted attacks that are backed by extensive research about the target. It always contains a link to a fake login page hosted on a spoof domain or disguised URLs. Once the victims click on the link, they are directed to the phishing website for stealing the credentials.
\nThe victims' credentials are then used to carry out secondary attacks like fraudulent funds transfer, stealing company data, identity fraud, and other fraudulent activities.
\n
Most of us think that we can easily spot a phishing email and would not fall prey to fraudulent activities. However, it is not true. Let us have a look at the five myths about credential phishing.
\nOne of the biggest misconceptions of phishing attacks is tech-savvy individuals do not fall prey to credential phishing. All phishing emails are very similar to the normal emails you would receive from your colleagues. That is why it is difficult for anyone to ascertain at the first glance if the email received is genuine or not.
\nAttackers are fine-tuning their messages based on the data available on social media and other platforms, thereby increasing the chances of the victims clicking on their links.
\nThe best approach would be to make the employees aware of the phishing emails and use security awareness solutions to perform analysis of emails on a timely basis.
\nPhishing is generally regarded as a consumer-based threat. However, reports suggest that attackers are also targeting organizations to gain access to financial systems and commit fraud.
\nFor example, attackers commit insurance fraud by stealing employee information from the database of the organization.
\nCorporate email accounts are an excellent target for credential phishing because attackers can use just one account as a foothold to carry out more phishing operations.
\nFor example, eBay was once attacked by phishers who managed to display a malicious web page within eBay's website. This invasion was not noticed by any of the users as it came out to look legitimate. The attackers have complete access to users' accounts, credit card information, and other details.
\nAnother instance of phishing is Epsilon. Epsilon, one of the largest corporate email providers, was a victim of phishing in the year 2011. The attackers had obtained the customer data via this attack.
\nPhishing is not just restricted to sending messages via email. Communicating via SMS and social media are also targeted to gather personal information.
\nAttackers go the extra mile to design and compile a message that looks genuine by
\ncopying the same messaging format, logo, and signature. They project urgency in their messages to push the victims into taking immediate action.
\nFor example, this is a new email intercepted by MailGuard that seems like an auto-generated notification about password expiry.
\n![\"ss-1\"](\"/06b46ef7251a2d74365afc0eea2e120b/ss-1.webp\")
Here are some tips to recognize phishing emails.
\nMost of the time, a phishing attack aims to get the victim to click on a link. Attackers mask malicious links to make them look like genuine ones.
\nUsers can refrain from clicking on the links in the emails thus minimizing the
\nrisks of giving out information. Hovering over the hyperlink will help you see the URL and know whether it is a legitimate website or not.
\nFor example, some links could be misspelled domain names or subdomains.
\nFurthermore, you can train your employees to identify such links and report the same to the respective team accordingly. This will help in the early detection of spammy emails.
\nAntivirus software does help in detecting phishing messages but they can not completely stop them from coming altogether. You can set up filters in your email inbox to filter out spam messages.
\nInvesting in an anti-phishing tool can help in detecting phishing attempts and blocking
\nthem before they land in your email inbox.
\nRegardless of how secure your email systems are or how well you train your employees, credential phishing can happen in any organization. Understanding the impact of phishing on your organization and adopting the required technology is necessary to combat these attacks. It can help you defend your organization against phishing, malware, and other malware threats.
\nWe are sure the information shared in this post will help keep your organization safe from such attacks.
\n![\"book-a-free-demo-loginradius\"](\"/8fce571f703a5970dbb1359a2fe0e51a/book-a-demo-loginradius.webp\")
Protecting customer data is paramount to every business organization. Even though businesses deploy the most stringent security measures to safeguard data, malicious actors somehow find security shortcomings to access network systems and cause data breaches, compromising the confidentiality, integrity, and availability of information.
\nCybersecurity firms like Okta, which provides identity management solutions and deals in authentication space, make the backbone of an organization's cybersecurity posture. Okta serves 15000+ customers worldwide. The Okta data breach by Lapsus$ is a recent example of what can happen if business organizations depend on third-party solution providers who show laxity in implementing robust cybersecurity strategies, frameworks, and controls.
\nIt is also a cautionary tale for cybersecurity MSPs (Managed Services Providers) and ITSPs (IT Solution Providers) to ensure that they have the best of security controls in place to prevent incidents like this.
\nOkta is an identity platform and offers identity and access management solutions such as Single sign-on (SSO), Multi-Factor Authentication (MFA), etc., for an organization's customers and employees.
\nOkta’s CSO (Chief Security Officer) David Bradbury recently published an official statement about a support engineer whose computer was accessed by malicious actors for five days in mid-January (between January 16 to 21, 2022) and said they detected the unsuccessful attempt early on.
\nOkta has now confirmed that malicious actors had access to one of its employees' laptops for five days in January 2022 but maintained there has been no data breach and remains fully operational. However, they concede that around 2.5% of its customers (about 366) might have been affected.
\nHere is how the attack happened.
\nNews reports show that a group of unscrupulous actors identifying themselves as Lapsus$ in their Telegram channel was behind this Okta breach. They were aided by a customer support engineer working for a third-party service provider whose laptop was accessed by these hackers to gain vital information. Lapsus$ is also known as a notorious threat actor group — DEV-0537. This group has a history of taking over individual user accounts to drain their crypto holdings at cryptocurrency exchanges.
\nThe forensics report cited by Okta's CSO did not state how the hackers managed to gain access to the support engineer’s laptop, but the fingers point towards negligence by the engineer. However, the hackers claim to have had access to Okta's systems for more than a month before the January 2022 incident. If these claims are valid, it indicates a significant security breach at Okta's network center.
\nThe Okta breach exposed the security frailties of the Okta network system and put 15,000 Okta customers’ data at risk. However, Okta stated it had contacted the affected 2.5% of customers, appraising them of the matter. Okta further noted that the customers need not take any precautionary measures as their data is safe.
\nThe CSO blog post went on to add that the damage was restricted to the access that support engineers have, such as Jira tickets and lists of users. Though customer support engineers facilitate password resetting and MFA, the hackers did not seem to have obtained this information. The CSO also confirmed that customer service engineers could not create or delete users.
\nNotably, Okta's customers include high-profile enterprises like FedEx Corporation and Moody's Corporation. Hence, Okta's shares plunged 11% immediately after hackers claimed the breach that has put thousands of Okta customers at risk.
\nLimiting access and permissions to the employees is the first step to take. Employees and contractors should only be provided access on a 'need-to-know' basis and must be provided on a ‘least privilege’ basis (minimum access needed to perform a task or job). For example, support engineers shouldn't be able to access internal HR, accounting, or payroll systems. At the same time, marketing personnel should not have access to network configuration or applications that they do not use.
\nIn an increasing multi-cloud and hybrid-cloud environment, it's paramount to understand the s IT ecosystem, third-party APIs (Application Programming Interfaces) and applications, and Software as a Service (SaaS) solutions deployed. Requesting SOC reports from vendors and contractors can help understand how their information systems are maintained and secured.
\nImplementing robust processes around Identity and Access Management (IAM) and Privileged Access Management (PAM) can help strengthen the cybersecurity posture by making it almost impossible for attackers to barge into the organization’s periphery.
\n'People' are the most valuable asset for any organization but can also be the weakest link in the cybersecurity chain. Therefore, organizations must regularly review the processes around training and educating employees, vendor-contractors, customers, and users to follow basic cyber hygiene.
\nOrganizations must continue to monitor and audit the control environments. Leveraging automated monitoring and alerting tools can help overcome many challenges SOC teams face.
\nOrganizations should perform internal audits and review the systems and monitor the traffic and access permission more frequently. It is also advisable to engage third-party audit firms to get an external and independent view of the cybersecurity posture.
\nIn case of a security incident, it is essential to be transparent to the employees, customers, vendors, and regulators and communicate with them immediately about the incident. Organizations should also provide specific guidance on how to safeguard the information assets.
\nThe Okta breach shows that no business organization is 100% safe from malicious attacks. One simplest security issue is sufficient for malicious actors to wreak havoc.
\nIn this specific example, the hackers accessed the laptop of one of Okta's customer service engineers to gain vital insights into the company's customer data. Such incidents prove that customers can never be sure that their information is safe and leak-proof.
\nHowever, it offers a valuable learning experience that business entities should not ignore the minutest of details regarding network security. It surfaces the adage that ' A chain is only as strong as its weakest link.'
\n
To create secure applications, you need a way to authenticate and authorize your users. In this tutorial, you will learn to authenticate users in your NestJS apps using LoginRadius Authentication API.
\nAuthentication and authorization are often seen as similar concepts, but they are not. Authentication is the process of verifying that a user is who they claim to be, while authorization is verifying which resources the user has access to.
\nAuthentication always comes first before authorization since you first need to identify the user before determining what level of access to give them.
\nYou can either choose to implement your own authentication strategy or leverage the benefits of a third-party identity platform. A do-it-yourself solution is prone to security errors, takes up a lot of time, and can increase the complexity of your application.
\nWith a third-party solution, you get access to multiple authentication methods, advanced security features, and you write less code.
\nLoginRadius is a no-code identity platform offering authentication, authorization, account security, and privacy solutions.
\nThe Authentication API provided by LoginRadius allows you to authenticate a user using an email and a password. Once the user is verified, LoginRadius responds with an access token. The user will, in turn, use the access token to send requests to protected endpoints.
\nNestJS is a Node.js framework built on Express.js with an Angular-like architectural structure. It is used to build scalable and modern server-side applications. The following sections will guide you in creating a simple NestJS application with authentication.
\nCreate a new NestJS project by running the following commands
\n// Install NestJS CLI\nnpm i -g @nestjs/cli\n\n// Create a new project\nnest new nest-loginradius-auth\n\ncd nest-loginradius-authTo authenticate a user using LoginRadius in NestJS, you need credentials: an API key and an API secret.
\nGet your account credentials by creating a free LoginRadius account and head over to the dashboard.
\nCreate an app and select configuration and then get your app's credentials from the API credentials panel.
\nSince the API key and API secret from the LoginRadius dashboard are sensitive, you will store them in the .env file.
You will need the dotenv module to access the your environment variables. Run the following command to install it.
\nnpm install dotenvAdd the API key, API secret, and Secure One Time Token(SOTT) to the.env file.
\nAPP_NAME=<your app name>\nAPI_KEY=<your api key>\nAPI_SECRET=<your api secret>\nSOTT= <your sott>In this project, you will be authenticating the user using their email and password. The following are the major steps you will be following:
\nGenerate an auth module, controller, and service by running the following code.
\nnest generate module auth\nnest generate controller authTo create a user, you need to create a signup route that will accept the email and password.
\nSince you are using TypeScript, define the DTO (Data Transfer Object) schema to validate the user data passed in the request body.
\nIn the auth folder, add the dto folder and create a UserDTO class in the user.dto.ts file.
export class UserDto {\n email: string;\n password: string;\n}Next, inside the AuthController, import the DTO to be used to validate the request body.
import { Injectable } from '@nestjs/common';\nimport { UserDto } from './dto/user.dto';\n\n@Injectable()\n@Controller('auth')\nexport class AuthController {\n @Post('signup')\n async signup(@Body() registerUserDto: UserDto) {\n // Register user\n }\n}A service file is used to abstract the business logic away from the controller. You will be handling the actual authentication and authorization process in this file.
\nGenerate a service for auth by running the following command.
\nnest g service authNext, populate the auth.service file by adding the signup method.
\nimport { Injectable } from '@nestjs/common';\nimport { UserDto } from './dto/user.dto';\nimport * as LRAuthPrrovider from 'loginradius-sdk'\n\n@Injectable()\nexport class AuthService {\n async signup(registerUserDto: UserDto) {\n console.log('sign up')\n }\n}Note that you are also importing the user DTO and the loginradius-sdk at the top of the file.\nTo execute the signup method in the signup route, inject it in the auth.controller.ts file.
import { Injectable } from '@nestjs/common';\nimport { UserDto } from './dto/user.dto';\nimport { AuthService } from './auth.service';\n\n@Injectable()\n@Controller('auth')\nexport class AuthController {\n constructor(private readonly authService: AuthService) { }\n\n @Post('signup')\n async signup(@Body() registerUserDto: UserDto) {\n let response = await this.authService.signup(registerUserDto)\n return response\n }\n}Before registering the user, validate if the email is already in use.\nFirst, install loginradius-sdk using the following command.
npm i loginradius-sdkNext import loginradius-sdk and configure it and since you will be using variables from the .env file, remember to also configure dotenv.
import * as dotenv from 'dotenv';\ndotenv.config()\nimport * as LRAuthPrrovider from 'loginradius-sdk'\n\nlet config = {\n apiDomain: "api.loginradius.com",\n apiKey: process.env.API_KEY,\n apiSecret: process.env.API_SECRET,\n siteName: process.env.APP_NAME,\n apiRequestSigning: false,\n proxy: {\n host: "",\n port: "",\n user: "",\n password: "",\n },\n };\nlet lrv2 = LRAuthPrrovider(config);\n\nlet sott = process.env.SOTTNext, check if the email is already in use.
\n@Injectable()\nexport class AuthService {\n async signup(registerUserDto: UserDto) {\n try {\n const response = await lrv2.authenticationApi\n .checkEmailAvailability(registerUserDto.email)\n if (response.isExist) {\n return "Email already in use"\n }\n catch(error) {\n return error\n }\n }\n}If the email is not already in use, register the user.
\n@Injectable()\nexport class AuthService {\n async signup(registerUserDto: UserDto) {\n try {\n // check if email is already in use\n const response = await lrv2.authenticationApi\n .checkEmailAvailability(registerUserDto.email)\n if (response.isExist) {\n return "Email already in use"\n }\n // create registration model\n let authUserRegistrationModel = {\n email: [\n {\n type: "primary",\n value: registerUserDto.email,\n },\n ],\n password: registerUserDto.password,\n };\n // register user\n let user = await lrv2.authenticationApi\n .userRegistrationByEmail(authUserRegistrationModel, sott)\n if(user) {\n return "Sign up successful"\n }\n } catch (error) {\n return error\n }\n }\n}In the above code, you register a new user by passing in the user data to the authentication API. The authUserRegistrationModel object defines how the email and password will be stored in the database.
To log in the user, pass in the email and password to the authentication API of LoginRadius.
\nIn auth.service.ts, add the login function.
@Injectable()\nexport class AuthService {\n async signup(registerUserDto: UserDto) {\n // register user\n }\n async login(loginUserDTO: UserDto) {\n // login user\n }\n}Since you are expecting the same type of data from the request body, i.e., the email and password, like in the signup route, you can reuse the user DTO.
\nNext, add the login functionality.
\n@Injectable()\nexport class AuthService {\n async signup(registerUserDto: UserDto) {\n // register user\n }\n async login(loginUserDTO: UserDto) {\n try {\n let emailAuthenticationModel = {\n email: loginUserDTO.email,\n password: loginUserDTO.password,\n };\n let user = await lrv2.authenticationApi\n .loginByEmail(emailAuthenticationModel)\n return {\n accessToken: user.access_token,\n }\n } catch (error) {\n return error\n }\n }\n}In the above code, you are logging in the user through loginradius-sdk. If successful, send back the accessToken in the response body. The user will use the access token to access protected routes.
Inject the login method in the auth.controller.ts file to use it in the login route.
import { Injectable } from '@nestjs/common';\nimport { UserDto } from './dto/user.dto';\nimport { AuthService } from './auth.service';\n\n@Injectable()\n@Controller('auth')\nexport class AuthController {\n constructor(private readonly authService: AuthService) { }\n\n @Post('signup')\n async signup(@Body() registerUserDto: UserDto) {\n // register user\n }\n async login(@Body() loginUserDto: UserDto) {\n // login user\n }\n}For protected routes, like accessing a user dashboard, the user will need to send the access token with the request. The access token will then be verified, and if valid, the application will be granted access.
\nThe user will need to store the accessToken. In this tutorial, you will be storing the token in the authorization header as a bearer token. Another alternative would be to use HTTP-only cookies.
In NestJS, guards are responsible for handling authorization. They determine whether a request will be handled by the route.
\nIn auth.guard.ts, add the following code.
import {AuthService } from './auth.service';\nimport { Request } from 'express';\n\n@Injectable()\nexport class AuthGuard implements CanActivate {\n\n constructor(\n private readonly authService: AuthService,\n ) {}\n\n async canActivate(context: ExecutionContext): Promise<boolean> {\n const request: Request = context.switchToHttp().getRequest();\n\n // Extract the access token from the authorization header\n const authheader = request.header('Authorization');\n const token = authheader && authheader.split(" ")[1];\n try {\n let authorizedMsg = await this.authService.authenticate(token);\n // Attach the authorized message to the request. You could also attach the user information.\n request['isAuthorized'] = "Authorized"\n return true;\n } catch (error) {\n throw new UnauthorizedException();\n }\n }\n}In the above code, you define the auth guard that will be used to decorate the protected routes. The token is extracted from the request authorization header and passed to the authenticate method defined in AuthService. This method will be responsible for verifying the token.
In auth.service.ts, create the authenticate method. This method will send the access token to LoginRadius for verification.
import { Injectable, UnauthorizedException } from '@nestjs/common';\nimport { UserDto } from './dto/user.dto';\nimport * as LRAuthPrrovider from 'loginradius-sdk'\n\n@Injectable()\nexport class AuthService {\n async signup(registerUserDto: UserDto) {\n // signup user\n }\n async login(loginUserDTO: UserDto) {\n // login user\n }\n async authenticate(accessToken: string) {\n try {\n const response = await lrv2.authenticationApi\n .authValidateAccessToken(accessToken)\n return response\n } catch (error) {\n throw new UnauthorizedException();\n }\n }\n}Now, create a protected route. In auth.controller.ts, add the following.
import { Controller, Get, Body, Post, UseGuards } from '@nestjs/common';\nimport { UserDto } from './dto/user.dto';\nimport { AuthService } from './auth.service';\nimport { AuthGuard } from './auth.guard';\n\n@Controller('auth')\nexport class AuthController {\n constructor(private readonly authService: AuthService) { }\n\n @Post('signup')\n async signup(@Body() registerUserDto: UserDto) {\n // signup user\n }\n @Post('login')\n async login(@Body() loginUserDto: UserDto) {\n // login user\n }\n @UseGuards(AuthGuard)\n @Get('protected')\n async protected() {\n return "Access granted"\n }\n}Now, every route you add UseGuards to will require a valid access token.
Use Postman or any other REST client of your choice to test the routes you have created.
\nFirst, create a test user by sending a POST request to the signup endpoint. Remember to include the email and password of the user in the request body.
\nPOST http://localhost:3000/auth/signupYou should receive a \"Sign up successful\" message if the request is successful.
\n![\"Create](\"/c629b0b9f9d7c2a9babd4c29934fd9aa/signup-route.webp\")
Next, log in the user by sending the login credentials to the login endpoint of your application.
\nPOST http://localhost:3000/auth/loginIf successful, you should receive the access token.
\n![\"Sign](\"/8c2450f6f8cd95eadbd9d5ef63256c06/login-route.webp\")
Finally, use the access token to access the protected route. Add the token to the authorization header.
\nGET http://localhost:3000/auth/protected![\"Sign](\"/c06de4f99d2b0cda2772852de3a873a6/protected-route.webp\")
In this tutorial, you have learned how to implement NestJS authentication using the LoginRadius Authentication API. You have seen how to log in a user and use an access token to protect specific routes.
\nYou can find the source code used in this tutorial on Github.
\nLearn more about the LoginRadius Authentication API from the documentation files. It has more identity management features than discussed in this tutorial. You can use these features to further enhance authentication as you need in your NestJS projects.
\n","frontmatter":{"date":"March 23, 2022","updated_date":null,"description":"Want to authenticate users on your NestJS app? Follow this tutorial to learn how to authenticate users using a password and perform authorization using access tokens.","title":"NestJS User Authentication with LoginRadius API","tags":["NestJS","Node.js","Authentication"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/ff122b5b50ce0f2b3f855935f99838f6/58556/coverimage.webp","srcSet":"/static/ff122b5b50ce0f2b3f855935f99838f6/61e93/coverimage.webp 200w,\n/static/ff122b5b50ce0f2b3f855935f99838f6/1f5c5/coverimage.webp 400w,\n/static/ff122b5b50ce0f2b3f855935f99838f6/58556/coverimage.webp 800w,\n/static/ff122b5b50ce0f2b3f855935f99838f6/99238/coverimage.webp 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Mary Gathoni","github":null,"avatar":null}}}},{"node":{"excerpt":"Introduction The verification email is a common type of identity validation within the CIAM concept. Even though it is a fundamental…","fields":{"slug":"/growth/best-practices-verification-emails-effective/"},"html":"The verification email is a common type of identity validation within the CIAM concept. Even though it is a fundamental practice, with this authentication step, a company starts communicating with the customer.
\nIt means that, despite the security role, it can also provide some benefits for the brand's perception and customer journey. Moreover, it is in the company's interests to avoid spam traps, greet a customer and finish the authentication process.
\nThe blog will highlight the role of such emails and offer ideas on how to make them reach the inbox and add to the customer journey.
\nVerification email, also referred to as validation email, is a way to verify a user action, like authentication or registration on the website or app. Such an email relates to the message that the business party sends to the customer's inbox.
\nIn terms of the CIAM concept, it ensures the ground for building relationships and establishing multi-factor authentication, passwordless login, and profiling. At the same time, validation emails add to the marketing efforts, opening the door for email marketers to the customer's inbox. From there, they would invite stakeholders to different stages of the sales funnel.
\nAs a result, the verification email can impact:
\nIt is clear now that the verification emails can contribute to the overall relationships with the customer. To make them effective, or at least be pleasing to the customer, you take the subsequent actions:
\nSometimes the messages get under the spam filters set by Internet providers and hit the spam section instead of the inbox. To customers, it brings confusion that can result in failure to get the subscriber. What are the possible issues? They refer to the domain, message, or the specific filter the provider sets. That's why, to avoid the trap, you should consider the following:
\nIt is crucial for the brand to start the email with the tone of voice reflecting your brand principles and making a specific impression. The choice of words is vital, especially when you want your customers to listen. The safest option for verification email would be a technical, neutral, and concise message.
\nNonetheless, choosing this way means you pick not to contribute to your marketing efforts and show why you are different. Depending on your marketing strategy, you can insert various elements, like informal greetings, fun facts, or images. The ultimate goal of such actions is to add integrity to your brand's actions.
\nPersonalization seems to be crucial for any action related to building customer relationships. For instance, around 70% of customers only engage with personalized messages. In this regard, including at least a name in the verification email is a fundamental thing.
\nAt the same time, based on the information customers give and special software, the email marketers can devise a system that will automatically provide the emails to the customers where personalization is a key.
\nLastly, if you decide to create your confirmation letter that will contribute to the customer journey, you need to consider how to attract their attention. The best email verification practices contemplate using:
\nBesides, doing a fair amount of research and testing is vital to connect with customers. For instance, if you want to get facts or advice from industry leaders, you may want to contact experts in the niche and interview them. For it, you can use an email extractor plugin that allows getting information from other people from LinkedIn. Such a scenario can be very effective for B2B brands.
\nVerification emails can be different. However, they all reflect the general practice that refers to the subject lines. The most common are the following:
\nBesides, the examples of validation emails often have information regarding their product and possible support.
\nHere is an example of how Discord used fun facts in their validation emails in 2019:
\n![\"discord-example\"](\"/4e35610ff65608a462fe0860ba6c6368/discord-example.webp\")
While these examples show the usage of call to action buttons and tone of voice to produce additional value when engaging with customers:
\n![\"typform-example\"](\"/d942840d61d7b3437ca0bbbf8337bd27/typform-example.webp\")
The first case illustrates how the brand uses colors to create a space and underline non-intrusive elements. The particular template is pretty straightforward and suits its purpose.
\n![\"harry-potter-example\"](\"/82648f8a4fa16cc366e43ca5a5263dc7/harry-potter-example.webp\")
The second example has more to offer with regard to fonts, colors, and tone of voice. The portal uses words that reflect the experience “fan club” offers to the subscribers.
\nThe goal of the particular article is to convince you that verification emails should not necessarily be basic and boring. They can add to the marketing strategy and be a starting point for your engagement with the customer.
\n
The use of passwords as the primary means of authentication has been under scrutiny for as long as they have been in existence. Passwords are meant to be used by authorized users only, but they are easily compromised by malicious actors, and thus, they have increasingly become a larger security risk.
\nThis article discusses some common security issues found in password-based login systems and how to avoid them.
\nPasswords are one of the most vulnerable forms of user authentication. We can see this in practice when we look at how they're put to use.
\nOftentimes users may reuse the same password across multiple websites, which means that if an attacker manages to break into one of their accounts, they can compromise all of them. It's not uncommon for users to even have the same password for their email as they do for their online banking.
\nBeyond the lack of uniqueness in passwords, there are other security issues with them as well. If a user doesn't update their password regularly, it can be easier for an attacker to crack it over time. Not only that, but it's also common for users to choose weak passwords that contain no numbers or special characters and include simple words (such as \"password\" itself).
\nSome of the most common security issues in password-based login include:
\nA brute force attack is a method of hacking that uses trial and error to crack passwords (e.g., login credentials and encryption keys) by attempting a large amount of combinations for them. It is a simple yet reliable tactic that is often used when the attacker has only a limited amount of information about its target, such as a username or when they know the general structure of the password, but not its specific content.
\nConsequences of brute force attacks
\nHow to prevent brute force attacks?
\nA phishing attack is a common type of cyber attack, where the hackers send fraudulent communications through email that appears to come from a reputable source. Using this method, hackers try to steal sensitive data like credit cards and login information. Sometimes hackers do this to install malware on the victim’s device and obtain employee login information or other details for an attack against a specific company.
\nTypes of phishing attacks
\nHow to avoid phishing attacks?
\nCredential stuffing is a type of cyber attack in which attackers use credentials obtained through a data breach on one service to log in to another unrelated service.
\nIf an attacker has a list of usernames and passwords obtained from a breach of a popular department store, he uses the same login credentials to try and log in to the site of a national bank. The attacker knows that some customers of that department store are the customers of that particular bank too. They can withdraw money if any customers use the same usernames and passwords for both services. But these attacks are known to have a low success rate.
\nThe \"Digital Shadows Photon Research\" states that the number of stolen username and password combinations currently available on the dark web is more than twice the number of humans on the planet.
\nHow to prevent credential stuffing?
\n![\"GD-to-RBA\"](\"/801da6af3b32c69be7197a9381fe67b9/GD-to-RBA.webp\")
A dictionary attack is a type of brute-force attack in which the hacker attempts to break the encryption or gain access by spraying a library of terms or other values. This library of terms includes words in a dictionary or number sequences. Poor password habits such as updating the passwords with sequential numbers, symbols, or letters make dictionary attacks easier.
\nCommon dictionary attack vulnerabilities
\nHow to prevent dictionary attacks?
\nThe problem is that the current digital environment exposes authentication systems to more vulnerabilities than ever before, and those vulnerabilities are growing at an exponential rate.
\nThe tips discussed in this blog can help you avoid the pitfalls that come with password-based login systems.
\n
Today, every business is jumping on the digital transformation bandwagon to ensure it stands ahead of the curve. And data is undeniably the essential fuel that keeps businesses up and running in this technologically driven world.
\nHowever, not every business understands the importance of the customer or user data, and they’re still relying on basic information about their potential customers. As a result, they lag behind their competitors.
\nYes, understanding your potential customers’ exact needs and offering the same is the key to business success.
\nHere’s where LoginRadius’ Customer Segmentation insights comes into play!
\nWith a world-class CIAM (consumer identity and access management), businesses can leverage the true potential of customer data that helps drive business growth and enhance sales.
\nLet’s understand how LoginRadius CIAM helps businesses scale and stay ahead of their competition even in the most unpredictable times.
\nLoginRadius customer segmentation allows you to segment your customers based on hundreds of variables such as demographics, engagement, and social to get an in-depth understanding of your market.
\nBusinesses can go deeper with their segmentation analysis by applying multiple filters to their customer base.
\nMarketers can use the workflows to create segments of your customer base that can be fed into your marketing platforms. Furthermore, the database can be broken down by hundreds of segments to filter only the customers you need to analyze.
\nThe LoginRadius segmentation feature displays the number of customers that meet your criteria and provides you filtered data instantly, so there’s no waiting around for significant exports.
\nFor businesses in growth mode that wish to optimize their marketing strategies, customer segmentation and profiling are valuable tools that can streamline marketing efforts and optimize intelligent data so their business can scale.
\nIf your website or mobile application isn’t generating revenues, it doesn’t necessarily mean that you don’t have visitors!
\nThe visitor to conversion ratio is something that brands should immediately work upon.
\nAs per recent stats, 2.17 percent of global e-commerce website visits were converted into purchases. This means that roughly two visitors out of 100 would be converted on your platform.
\nSo how could a business enhance conversions? Or what’s the best way to analyze visitors and monitor their behavior to figure out what needs to be done?
\nWell, here’s where a CIAM like LoginRadius comes into play.
\nWith LoginRadius CIAM, you can successfully target your customer base with data collected and organized in the Admin Console. The LoginRadius Identity Platform makes complex customer analytics easy to understand via detailed graphs and customer insights.
\nMoreover, you can leverage the power of data with over 30 charts within customizable date ranges. Expand your understanding of customer activity over different periods of your sales or season cycles.
\nThis helps you understand your visitors and eventually makes it easier to plan your marketing around aspects that promote conversions.
\nYou can Book a Quick 30-Minutes Demo to know how LoginRadius would specifically empower your eCommerce business.
\nLoginRadius allows you to create and save customer segments to view or change at any time using filters on the Admin Console. You can quickly gain insights through the most up-to-date user data analysis and insight.
\nApart from this, marketers can eventually export the entire customer segments from the Admin Console with a single click or integrate with third-party applications to complete a connected digital ecosystem.
\nHence, businesses can prepare better marketing campaigns to target potential customers and enhance conversions.
\nLoginRadius helps businesses understand their customers and improve their marketing return on investment (ROI) by defining distinct customer segments based on collected data.
\nMarketers and sales professionals can formulate better marketing plans and encourage product development suited to the needs and interests of their customer base. Be more granular with your data selection with new field filters like country, age, gender, city, and state.
\nBusinesses can’t ignore the importance of user insights that can help them understand their target audience and craft winning marketing strategies/campaigns.
\nLoginRadius helps businesses transform the way they approach their marketing by taking the guesswork out of their efforts. One can quickly segment their customers and get specific about their population right from the LoginRadius Admin Console.
\n
Identity is evolving, and developers are at the forefront of this transformation. Every day brings a new learning—adapting to new standards and refining approaches to building secure, seamless experiences.
\nWe’re here to support developers on that journey. We know how important simplicity, efficiency, and well-structured documentation are when working with identity and access management solutions. That’s why we’ve redesigned the LoginRadius website—to be faster, more intuitive, and developer-first in every way.
\nThe goal? Having them spend less time searching and more time building.
\nLoginRadius’ vision is to give developers a product that simplifies identity management so they can focus on building, deploying, and scaling their applications. To enhance this experience, we’ve spent the last few months redesigning our interface— making navigation more intuitive and reassuring that essential resources are easily accessible.
\nHere’s a closer look at what’s new and why it’s important:
\n![\"This](\"/f46881583c7518a93bb24e94c32320de/a-developer-friendly-dark-theme.webp\")
Developers spend long hours working in dark-themed IDEs and terminals, so we’ve designed the LoginRadius experience to be developer-friendly and align with that preference.
\nThe new dark mode reduces eye strain, enhances readability, and provides a seamless transition between a coding environment and our platform. Our new design features a clean, modern aesthetic with a consistent color scheme and Barlow typography, ensuring better readability. High-quality graphics and icons are thoughtfully placed to enhance the content without adding visual clutter.
\nSo, whether you’re navigating our API docs or configuring authentication into your system, our improved interface will make those extended development hours more comfortable and efficient.
\n![\"This](\"/e5358b82be414940f3fb146013845933/capabilities.webp\")
We’ve restructured our website to provide a straightforward breakdown of our customer identity and access management platform capabilities, helping you quickly find what you need:
\nThis structured layout ensures you can quickly understand each capability and how it integrates into your identity ecosystem.
\n![\"This](\"/a8c155c2b6faf3d5f4b4de4e2b14d763/developers-menu.webp\")
We’ve been analyzing developer workflows to identify how you access key resources. That’s why we redesigned our navigation with one goal in mind: to reduce clicks and make essential resources readily available.
\nThe new LoginRadius structure puts APIs, SDKs, and integration guides right at the menu bar under the Developers dropdown so you can get started faster. Our Products, Solutions, and Customer Services are also clearly categorized, helping development teams quickly find the right tools and make informed decisions.
\n![\"This](\"/b2f9a964a2da0ea83e2f8596b833bba7/we-support-your-tech-stack.webp\")
Developers now have a clear view of the tech stack available with LoginRadius, designed to support diverse business needs.
\nOur platform offers pre-built SDKs for Node.js, Python, Java, and more, making CIAM integration seamless across popular programming languages and frameworks.
\nCheck out our revamped LoginRadius website and see how the improved experience makes it easier to build, scale, and secure your applications.
\nDo not forget to explore the improved navigation and API documentation, and get started with our free trial today. We’re excited to see what you’ll build with LoginRadius!
\n","frontmatter":{"date":"February 21, 2025","updated_date":null,"description":"LoginRadius’ vision is to give developers a product that simplifies identity management so they can focus on building, deploying, and scaling their applications. To enhance this experience, we’ve redesigned our website interface, making navigation more intuitive and reassuring that essential resources are easily accessible.","title":"Revamped & Ready: Introducing the New Developer-First LoginRadius Website","tags":["Developer tools","API","Identity Management","User Authentication"],"pinned":true,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7857142857142858,"src":"/static/80b4e4fbe176a10a327d273504607f32/58556/hero-section.webp","srcSet":"/static/80b4e4fbe176a10a327d273504607f32/61e93/hero-section.webp 200w,\n/static/80b4e4fbe176a10a327d273504607f32/1f5c5/hero-section.webp 400w,\n/static/80b4e4fbe176a10a327d273504607f32/58556/hero-section.webp 800w,\n/static/80b4e4fbe176a10a327d273504607f32/99238/hero-section.webp 1200w,\n/static/80b4e4fbe176a10a327d273504607f32/7c22d/hero-section.webp 1600w,\n/static/80b4e4fbe176a10a327d273504607f32/1258b/hero-section.webp 2732w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Rakesh Soni","github":"oyesoni","avatar":"rakesh-soni.webp"}}}},"pageContext":{"limit":6,"skip":294,"currentPage":50,"type":"///","numPages":164,"pinned":"ee8a4479-3471-53b1-bf62-d0d8dc3faaeb"}},"staticQueryHashes":["1171199041","1384082988","2100481360","23180105","528864852"]}