- Home
- Skills
- Williamzujkowski
- Standards
- Authentication
authentication_skill
- Python
13
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill williamzujkowski/standards --skill authentication- SKILL.md25.2 KB
Overview
This skill codifies production-ready authentication security standards for modern applications. It covers OAuth2 flows (authorization code with PKCE and client credentials), JWT best practices (RS256, short expirations, refresh rotation), MFA options (TOTP and WebAuthn), session management, and mapping to NIST 800-63B controls for compliance.
How this skill works
The skill inspects authentication architecture and provides concrete implementation patterns and code snippets to enforce standards: PKCE for public clients, RS256-signed JWTs with strict audience/issuer checks, short-lived access tokens and rotating refresh tokens, and secure cookie-based sessions. It also includes MFA setup (TOTP provisioning, recovery codes) and WebAuthn registration/verification flows, plus session controls like absolute timeouts and concurrent session limits.
When to use it
- When bootstrapping a new service that requires secure user authentication
- When hardening an existing auth system for production or compliance (NIST 800-63B)
- When implementing OAuth2 for SPAs, mobile apps, or service-to-service auth
- When designing token strategies: access token lifetimes, refresh rotation, and JWT validation
- When adding MFA (TOTP or hardware-backed WebAuthn) and secure session handling
Best practices
- Always require MFA for sensitive operations and privileged accounts (TOTP or WebAuthn)
- Sign JWTs using RS256 asymmetric keys; validate issuer, audience, algorithms, and expirations
- Keep access tokens short (≈15 minutes) and use rotating refresh tokens stored in httpOnly, secure cookies
- Use Authorization Code flow with PKCE for public clients; use client credentials for service-to-service
- Configure session cookies with secure=true, httpOnly=true, sameSite=strict and enforce absolute session timeouts and lockouts after repeated failures
Example use cases
- Implementing an OAuth2 login for a single-page application using PKCE and short access tokens
- Issuing RS256 JWT access and refresh tokens with server-side rotation and audit logging
- Adding TOTP-based MFA with QR provisioning and recovery code generation
- Deploying WebAuthn to support hardware keys for phishing-resistant second factors
- Enforcing session limits and absolute timeouts with a Redis-backed session store for web apps
FAQ
RS256 uses asymmetric keys so private signing keys stay on the auth server while public keys can be distributed to resource servers, avoiding shared secret leaks common with HS256.
How short should access tokens be?
Aim for about 10–15 minutes for access tokens and use refresh tokens with rotation and secure storage (httpOnly cookies) to balance UX and security.