IAM Notes

This document provides an overview of identity and access management (IAM), covering topics such as security, account management, cryptography, authentication protocols, authorization policies, secret management, and privacy. It aims to expose all the technologies, jargon, and best practices of the IAM domain in a comprehensive manner.

IAM stands for Identity and Access Management. But it is more than handling user accounts: it encompasses authentication, authorization and privacy, making this perimeter quite complex. It is an essential pillar of the cloud stack, where users, products and security meet. The other pillar being billing & payments 💰.

This knowledge base exposes all the technologies, protocols and jargon of the domain in a comprehensive and actionable manner.

Contents

• Overview
• Security
• Account Management
• Cryptography
• Zero-trust Network
• Authentication
    ◦ Password-based
    ◦ Password-less
    ◦ Security Key
    ◦ Multi-Factor
    ◦ SMS-based
    ◦ Public-Key Infrastructure (PKI)
    ◦ JWT
    ◦ OAuth2 & OpenID
    ◦ SAML
• Authorization
    ◦ Policy models
    ◦ Open-source policy frameworks
    ◦ AWS policy tools
    ◦ Macaroons
• Secret Management
    ◦ Hardware Security Module (HSM)
• Trust & Safety
    ◦ User Identity
    ◦ Fraud
    ◦ Moderation
    ◦ Threat Intelligence
    ◦ Captcha
• Blocklists
    ◦ Hostnames and Subdomains
    ◦ Emails
    ◦ Reserved IDs
    ◦ Profanity
• Privacy
    ◦ Anonymization
    ◦ GDPR
• UX/UI
• Competitive Analysis
• History

Overview

In a Stanford class providing an overview of cloud computing, the software architecture of the platform is described in a diagram (not reproduced in this document).

Here we set out the big picture: definition and strategic importance of the domain, its place in the larger ecosystem, plus some critical features.

• The EnterpriseReady SaaS Feature Guides - The majority of the features making B2B users happy will be implemented by the IAM perimeter.

• IAM is hard. It's really hard. - “Overly permissive AWS IAM policies that allowed s3:GetObject to * (all) resources” led to an $80 million fine for Capital One. The only reason why you can't overlook IAM as a business owner.

• IAM Is The Real Cloud Lock-In - A little click-baity, but the author admits that “It depends on how much you trust them to 1. Stay in business; 2. Not jack up your prices; 3. Not deprecate services out from under you; 4. Provide more value to you in business acceleration than they take away in flexibility.”

Security

Security is one of the most central pillars of IAM foundations. Here are some broad concepts.

• Enterprise Information Security - Mozilla's security and access guidelines.

• Mitigating Cloud Vulnerabilities - “This document divides cloud vulnerabilities into four classes (misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities)”.

• Cartography - A Neo4J-based tool to map out dependencies and relationships between services and resources. Supports AWS, GCP, GSuite, Okta and GitHub.

• Open guide to AWS Security and IAM

Account Management

The foundation of IAM: the definition and life-cycle of users, groups, roles and permissions.

• As a user, I want… - A meta-critique of account management, in which features expected by the business clash with real user needs, in the form of user stories written by a fictional project manager.

• Things end users care about but programmers don't - In the same spirit as above, but broader: all the little things we overlook as developers but users really care about. At the top of that list lie account-centric features, diverse integrations and import/export tools, i.e. all the needs of enterprise customers that have to be covered.

• Separate the account, user and login/auth details - Sound advice to lay down the foundation of a future-proof IAM API.

• Identity Beyond Usernames - On the concept of usernames as identifiers, and the complexities introduced when Unicode characters meet uniqueness requirements.

• Kratos - User login, user registration, 2FA and profile management.

• Conjur - Automatically secures secrets used by privileged users and machine identities.

• SuperTokens - Open source alternative to Auth0 / Firebase Auth / AWS Cognito.

• UserFrosting - Modern PHP user login and management framework.

Cryptography

The whole authentication stack is based on cryptography primitives. This can't be overlooked.

• Cryptographic Right Answers - An up-to-date set of recommendations for developers who are not cryptography engineers. There's even a shorter summary available.

• Security Recommendations for Any Device that Depends on Randomly-Generated Numbers - “The phrase ‘random number generator’ should be parsed as follows: It is a random generator of numbers. It is not a generator of random numbers.”

• Real World Crypto Symposium - Aims to bring together cryptography researchers with developers, focusing on uses in real-world environments such as the Internet, the cloud, and embedded devices.

• An Overview of Cryptography - “This paper has two major purposes. The first is to define some of the terms and concepts behind basic cryptographic methods, and to offer a way to compare the myriad cryptographic schemes in use today. The second is to provide some real examples of cryptography in use today.”

• Papers we love: Cryptography - Foundational papers of cryptography.

• Lifetimes of cryptographic hash functions - “If you are using compare-by-hash to generate addresses for data that can be supplied by malicious users, you should have a plan to migrate to a new hash every few years”.

Zero-trust Network

Zero trust network security operates under the principle “never trust, always verify”.

• BeyondCorp: A New Approach to Enterprise Security - Quick overview of Google's Zero-trust Network initiative.

• What is BeyondCorp? What is Identity-Aware Proxy? - More companies add extra layers of VPNs, firewalls, restrictions and constraints, resulting in a terrible experience and a slight security gain. There's a better way.

• oathkeeper - Identity & Access Proxy and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP requests. Inspired by the BeyondCorp / Zero Trust white paper.

• transcend - BeyondCorp-inspired Access Proxy server.

• Pomerium - An identity-aware proxy that enables secure access to internal applications.

Authentication

Protocols and technologies to verify that you are who you pretend to be.

• API Tokens: A Tedious Survey - An overview and comparison of all token-based authentication schemes for end-user APIs.

• A Child's Garden of Inter-Service Authentication Schemes - In the same spirit as above, but this time at the service level.

• Scaling backend authentication at Facebook - How-to in a nutshell: 1. Small root of trust; 2. TLS isn't enough; 3. Certificate-based tokens; 4. Crypto Auth Tokens (CATs). See the slides for more details.

Password-based

• The new NIST password guidance - A summary of NIST Special Publication 800-63B covering new password complexity guidelines.

• Password Storage Cheat Sheet - The only way to slow down offline attacks is by carefully choosing hash algorithms that are as resource intensive as possible.

• Password expiration is dead - Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists and MFA.

• Practical Recommendations for Stronger, More Usable Passwords - This study recommends combining: blocklist checks against commonly leaked passwords, password policies without character-class requirements, and minimum-strength policies.

• Banks, Arbitrary Password Restrictions and Why They Don't Matter - “Arbitrary low limits on length and character composition are bad. They look bad, they lead to negative speculation about security posture and they break tools like password managers.”

• Dumb Password Rules - Shaming sites with dumb password rules.

• Plain Text Offenders - Public shaming of websites storing passwords in plain text.

• Password Manager Resources - A collection of password rules, change URLs and quirks by site.

• A Well-Known URL for Changing Passwords - Specification defining a site resource for password updates.

• How to change the hashing scheme of already hashed user's passwords - Good news: you're not stuck with a legacy password storage scheme. Here is a trick to transparently upgrade to a stronger hashing algorithm.

Password-less

• An argument for passwordless - Passwords are not the be-all and end-all of user authentication. This article tries to tell you why.

• WebAuthn guide - A very accessible guide to WebAuthn, a standard allowing “servers to register and authenticate users using public key cryptography instead of a password”, supported by all major browsers.

Security Key

• Webauthn and security keys - Describes how authentication works with security keys, details the protocols, and how they articulate with WebAuthn. Key takeaway: “There is no way to create a U2F key with webauthn however. (…) So complete the transition to webauthn of your login process first, then transition registration.”

• Getting started with security keys - A practical guide to staying safe online and preventing phishing with FIDO2, WebAuthn and security keys.

• Solo - Open security key supporting FIDO2 & U2F over USB + NFC.

• OpenSK - Open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

• YubiKey Guide - Guide to using YubiKey as a SmartCard for storing GPG encryption, signing and authentication keys, which can also be used for SSH. Many of the principles in this document are applicable to other smart card devices.

• YubiKey at Datadog - Guide to setting up Yubikey, U2F, GPG, git, SSH, Keybase, VMware Fusion and Docker Content Trust.

Multi-Factor

• Breaking Password Dependencies: Challenges in the Final Mile at Microsoft - The primary source of account hacks is password spraying (on legacy auth like SMTP, IMAP, POP, etc.), the second is replay attacks. Takeaway: passwords are insecure, use and enforce MFA.

• Beyond Passwords: 2FA, U2F and Google Advanced Protection - An excellent walk-through over all these technologies.

• A Comparative Long-Term Study of Fallback Authentication - Key take-away: “schemes based on email and SMS are more usable. Mechanisms based on designated trustees and personal knowledge questions, on the other hand, fall short, both in terms of convenience and efficiency.”

• Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google - “Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords. (…) Surprisingly, we found that a significant cause of this insecurity is that users often don't answer truthfully. (…) On the usability side, we show that secret answers have surprisingly poor memorability”.

• How effective is basic account hygiene at preventing hijacking - Google security team's data shows 2FA blocks 100% of automated bot hacks.

• Your Pa$$word doesn't matter - Same conclusion as above from Microsoft: “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

• Attacking Google Authenticator - Probably on the verge of paranoia, but might be a reason to rate limit 2FA validation attempts.

• Compromising online accounts by cracking voicemail systems - Or why you should not rely on automated phone calls as a method to reach the user and reset passwords, 2FA or for any kind of verification. Not unlike SMS-based 2FA, it is currently insecure and can be compromised by way of its weakest link: voicemail systems.

• Getting 2FA Right in 2019 - On the UX aspects of 2FA.

• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.

• Authelia - Open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal.

• Kanidm - Simple, secure and fast identity management platform.

SMS-based

TL;DR: don't. For details, see the articles below.

• SMS 2FA auth is deprecated by NIST - NIST has said that 2FA via SMS is bad and awful since 2016.

• SMS: The most popular and least secure 2FA method

• Is SMS 2FA Secure? No. - Definitive research project demonstrating successful attempts at SIM swapping.

• Hackers Hit Twitter C.E.O. Jack Dorsey in a 'SIM Swap.' You're at Risk, Too.

• AT&T rep handed control of his cellphone account to a hacker

• The Most Expensive Lesson Of My Life: Details of SIM port hack

• SIM swap horror story

• AWS is on its way to deprecate SMS-based 2FA - “We encourage you to use MFA through a U2F security key, hardware device, or virtual (software-based) MFA device. You can continue using this feature until January 31, 2019.”

Public-Key Infrastructure (PKI)

Certificate-based authentication.

• PKI for busy people - Quick overview of the important stuff.

• Everything you should know about certificates and PKI but are too afraid to ask - PKI lets you define a system cryptographically. It's universal and vendor neutral.

• lemur - Acts as a broker between CAs and environments, providing a central portal for developers to issue TLS certificates with 'sane' defaults.

• CFSSL - A swiss army knife for PKI/TLS by CloudFlare. Command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates.

• JA3 - Method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.

JWT

JSON Web Token is a bearer token.

• Introduction to JSON Web Tokens - Get up to speed on JWT with this article.

• Learn how to use JWT for Authentication - Learn how to use JWT to secure your web app.

• Using JSON Web Tokens as API Keys - Compared to API keys, JWTs offer granular security, a homogeneous auth architecture, decentralized issuance, OAuth2 compliance, debuggability, expiration control and device management.

• Managing a Secure JSON Web Token Implementation - JWT has all sorts of flexibility that make it hard to use well.

• Hardcoded secrets, unverified tokens, and other common JWT mistakes - A good recap of all JWT pitfalls.

• Adding JSON Web Token API Keys to a DenyList - On token invalidation.

• Stop using JWT for sessions - And why your "solution" doesn't work, because stateless JWT tokens cannot be invalidated or updated. They will introduce either size issues or security issues depending on where you store them. Stateful JWT tokens are functionally the same as session cookies, but without the battle-tested and well-reviewed implementations or client support.

• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist by itself — either it has to be a JWS or a JWE (JSON Web Encryption). It's like an abstract class — the JWS and JWE are the concrete implementations.

• JOSE is a Bad Standard That Everyone Should Avoid - The standards are either completely broken or complex minefields hard to navigate.

• JWT.io - Allows you to decode, verify and generate JWT.

• loginsrv - Standalone minimalistic login server providing a JWT login for multiple login backends (htpasswd, OSIAM, user/password, HTTP basic authentication, OAuth2: GitHub, Google, Bitbucket, Facebook, Gitlab).

• jwtXploiter - A tool to test the security of JSON web tokens.

OAuth2 & OpenID

OAuth 2.0 is an authorization framework. OpenID Connect (OIDC) is an authentication layer on top of it.

The old OpenID is dead; the new OpenID Connect is very much not-dead.

• An Illustrated Guide to OAuth and OpenID Connect - Explains how these standards work using simplified illustrations.

• OAuth 2 Simplified - A reference article describing the protocol in simplified format to help developers and service providers implement it.

• OAuth 2.0 and OpenID Connect (in plain English) - Starts with a historical context on how these standards came to be, clears up the inaccuracies in the vocabulary, then details the protocols and their pitfalls to make them less intimidating.

• Everything You Need to Know About OAuth (2.0) - A good overview with a practical case study on how Teleport, an open-source remote access tool, allows users to log in through GitHub SSO.

• OAuth in one picture - A nice summary card.

• How to Implement a Secure Central Authentication Service in Six Steps - Got multiple legacy systems to merge with their own login methods and accounts? Here is how to merge all that mess by way of OIDC.

• Open-Sourcing BuzzFeed's SSO Experience - OAuth2-friendly adaptation of the Central Authentication Service (CAS) protocol. You'll find there good OAuth user flow diagrams.

• The Decline of OpenID - OpenID is being replaced in the public web by a mix of OAuth 1, OAuth 2 or other proprietary SSO protocols.

• Why Mastercard Doesn't Use OAuth 2.0 - “They did this to provide message-level integrity. OAuth 2 switched to Transport-level confidentiality/Integrity.” (which TLS provides) (source).

• OAuth 2.0 Security Best Current Practice - “Updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application”.

• Hidden OAuth attack vectors - How to identify and exploit some of the key vulnerabilities found in OAuth 2.0 authentication mechanisms.

• PKCE Explained - “PKCE is used to provide one more security layer to the authorization code flow in OAuth and OpenID Connect.”

• Hydra - Open-source OIDC & OAuth2 Server.

• Cierge - Open-source authentication server (OIDC) that handles user signup, login, profiles, management, and more.

• Keycloak - Open-source Identity and Access Management. Supports OIDC, OAuth 2 and SAML 2, LDAP and AD directories, password policies.

• Casdoor - A UI-first centralized authentication / Single-Sign-On (SSO) platform based. Supports OIDC and OAuth 2, social logins, user management, 2FA based on Email and SMS.

• IdentityServer - Free, open source OpenID Connect and OAuth 2.0 framework for ASP.NET Core.

• authentik - Open-source Identity Provider similar to Keycloak.

• ZITADEL - An Open-Source solution built with Go and Angular to manage all your systems, users and service accounts together with their roles and external identities. ZITADEL provides you with OIDC, OAuth 2.0, login & register flows, passwordless and MFA authentication. All this is built on top of eventsourcing in combination with CQRS to provide a great audit trail.

SAML

Security Assertion Markup Language (SAML) 2.0 is a means to exchange authorization and authentication between services, like the OAuth/OpenID protocols above.

The typical SAML identity provider is an institution or a big corporation's internal SSO, while the typical OIDC/OAuth provider is a tech company that runs a data silo.

• SAML vs. OAuth - “OAuth is a protocol for authorization: it ensures Bob goes to the right parking lot. In contrast, SAML is a protocol for authentication, or allowing Bob to get past the guardhouse.”

• The Difference Between SAML 2.0 and OAuth 2.0 - “Even though SAML was actually designed to be widely applicable, its contemporary usage is typically shifted towards enterprise SSO scenarios. On the other hand, OAuth was designed for use with applications on the Internet, especially for delegated authorisation.”

• What's the Difference Between OAuth, OpenID Connect, and SAML? - Identity is hard. Another take on the different protocols is always welcome to help make sense of it all.

• How SAML 2.0 Authentication Works - Overview of the how and why of SSO and SAML.

• Web Single Sign-On, the SAML 2.0 perspective - Another naive explanation of the SAML workflow in the context of a corporate SSO implementation.

• The Beer Drinker's Guide to SAML - SAML is arcane at times. Another analogy might help make more sense of it.

• SAML is insecure by design - Not only weird, SAML is also insecure by design, as it relies on signatures based on XML canonicalization, not the XML byte stream. Which means you can exploit XML parser/encoder differences.

• The Difficulties of SAML Single Logout - On the technical and UX issues of single logout implementations.

Authorization

Now that we know you are you, are you allowed to perform what you want to do?

Policy specification is the science, enforcement is the art.

Policy models

As a concept, access control policies can be designed to follow very different archetypes, from classic Access Control Lists to Role Based Access Control. In this section we explore lots of different patterns and architectures.

• Why Authorization is Hard - Because it needs multiple tradeoffs on Enforcement, which is required in so many places, on Decision architecture to split business logic from authorization logic, and on Modeling to balance power and complexity.

• The never-ending product requirements of user authorization - How a simple authorization model based on roles is not enough and gets complicated fast due to product packaging, data locality, enterprise organizations and compliance.

• RBAC like it was meant to be - How we got from DAC (unix permissions, secret URL), to MAC (DRM, MFA, 2FA, SELinux), to RBAC. Details how the latter allows for better modeling of policies, ACLs, users and groups.

• The Case for Granular Permissions - Discusses the limitations of RBAC and how ABAC (Attribute-Based Access Control) addresses them.

• In Search For a Perfect Access Control System - The historical origins of authorization schemes. Hints at the future of sharing, trust and delegation between different teams and organizations.

• Semantic-based Automated Reasoning for AWS Access Policies using SMT - Zelkova is how AWS does it. This system performs symbolic analysis of IAM policies, and solves the reachability of resources according to the user's rights and access constraints. Also see the higher-level introduction given at re:inforce 2019.

• Zanzibar: Google's Consistent, Global Authorization System - Scales to trillions of access control lists and millions of authorization requests per second to support services used by billions of people. It has maintained 95th-percentile latency of less than 10 milliseconds and availability of greater than 99.999% over 3 years of production use. Other bits not in the paper. Zanzibar Academy is a site dedicated to explaining how Zanzibar works.

• Description of an authz system that is built around labeled security and RBAC concepts.

Open-source policy frameworks

Collection of open-source projects if you're looking to roll your own policy implementation.

• Keto - Policy decision point. It uses a set of access control policies, similar to AWS policies, in order to determine whether a subject is authorized to perform a certain action on a resource.

• Ladon - Access control library, inspired by AWS.

• Athenz - Set of services and libraries supporting service authentication and role-based authorization (RBAC) for provisioning and configuration.

• Casbin - Open-source access control library for Golang projects.

• Open Policy Agent - Allows end to end testing of your policies across SQL, Kubernetes, Terraform, Kafka, Envoy, S3 (via Minio), EC2/ECS/Lambda (Linux).

• Gubernator - High performance rate-limiting micro-service and library.

• Biscuit - Biscuit merges concepts from cookies, JWTs, macaroons and Open Policy Agent. “It provides a logic language based on Datalog to write authorization policies. It can store data, like JWT, or small conditions like Macaroons, but it is also able to represent more complex rules like role-based access control, delegation, hierarchies.”

• Oso - A batteries-included library for building authorization in your application.

• Cerbos - An authorization endpoint to write context-aware access control policies.

AWS policy tools

Tools and resources exclusively targeting the AWS IAM policies ecosystem.

• Become an AWS IAM Policy Ninja - “In my nearly 5 years at Amazon, I carve out a little time each day, each week to look through the forums, customer tickets to try to find out where people are having trouble.”

• Cloudsplaining - Security assessment tool that identifies violations of least privilege and generates a risk-prioritized report.

• Policy Sentry - Writing security-conscious IAM Policies by hand can be very tedious and inefficient. Policy Sentry helps users to create least-privilege policies in a matter of seconds.

• Aardvark and Repokid - Netflix tools to enforce least privilege on AWS. The idea is that the default policy on new things is deny all, and then it monitors CloudTrail for privilege failures and reconfigures IAM to allow the smallest possible privilege to get rid of that deny message.

• Principal Mapper - Quickly evaluates permissions.

• PolicyUniverse - Parse and process AWS policies, statements, ARNs, and wildcards.

• IAM Floyd - AWS IAM policy statement generator with fluent interface. Helps with creating type safe IAM policies and writing more restrictive/secure statements by offering conditions and ARN generation via IntelliSense. Available for Node.js, Python, .Net and Java.

• ConsoleMe - A self-service tool for AWS that provides end-users and administrators credentials and console access to the onboarded accounts based on their authorization level of managing permissions across multiple accounts, while encouraging least-privilege permissions.

Macaroons

A clever curiosity to distribute and delegate authorization.

• Google's Macaroons in Five Minutes or Less - If I'm given a Macaroon that authorizes me to perform some action(s) under certain restrictions, I can non-interactively build a second Macaroon with stricter restrictions that I can then give to you.

• Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud - Google's original paper.

• Google paper's author compares Macaroons and JWTs - As a consumer/verifier of macaroons, they allow you (through third-party caveats) to defer some authorization decisions to someone else. JWTs don't.

Secret Management

Architectures, software and hardware allowing the storage and usage of secrets to allow for authentication and authorization, while maintaining the chain of trust.

• Secret at Scale at Netflix - Solution based on blind signatures. See the slides.

• High Availability in Google's Internal KMS - Not GCP's KMS, but the one at the core of their infrastructure. See the slides.

• vault - Secure, store and tightly control access to tokens, passwords, certificates, encryption keys.

• sops - Encrypts the values of YAML and JSON files, not the keys.

• gitleaks - Audit git repos for secrets.

• truffleHog - Searches through git repositories for high entropy strings and secrets, digging deep into commit history.

• Keywhiz - A system for managing and distributing secrets, which can fit well with a service oriented architecture (SOA).

• roca - Python module to check for weak RSA moduli in various key formats.

Hardware Security Module (HSM)

HSMs are physical devices guaranteeing the security of secret management at the hardware level.

• HSM: What they are and why it's likely that you've (indirectly) used one today - Really basic overview of HSM usages.

• Tidbits on AWS Cloud HSM hardware - AWS CloudHSM Classic is backed by SafeNet's Luna HSM; the current CloudHSM relies on Cavium's Nitrox, which allows for partitionable "virtual HSMs".

• CrypTech - An open hardware HSM.

• Keystone - Open-source project for building trusted execution environments (TEE) with secure hardware enclaves, based on the RISC-V architecture.

• Project Oak - A specification and a reference implementation for the secure transfer, storage and processing of data.

• Everybody be cool, this is a robbery! - A case study of the vulnerability and exploitability of an HSM (in French, sorry).

Trust & Safety

Once you've got a significant user base, it is called a community. You'll then be responsible for protecting it: the customer, people, the company, the business, and for facilitating all interactions and transactions happening therein.

A critical intermediation complex driven by a policy and constrained by local laws, the Trust & Safety department is likely embodied by a cross-functional team of 24/7 operators and systems of highly advanced moderation and administration tools. You can see it as an extension of customer support services, specialized in edge-cases like manual identity checks, moderation of harmful content, stopping harassment, handling of warrants and copyright claims, data sequestration and other credit card disputes.

• Trust and safety 101 - A great introduction to the domain and its responsibilities.

• What the Heck is Trust and Safety? - A couple of real use-cases to demonstrate the role of a TnS team.

• Awesome List of Billing and Payments: Fraud links - Section dedicated to fraud management for billing and payment, from our sister repository.

User Identity

Most businesses do not collect customers' identities to create user profiles to sell to third parties, no. But you still have to: local laws require you to keep track of contract relationships under the large Know Your Customer (KYC) banner.

• The Laws of Identity - While this paper aims at an identity metasystem, its laws still provide great insights at smaller scale, especially the first law: to always allow user control and ask for consent to earn trust.

• How Uber Got Lost - “To limit "friction" Uber allowed riders to sign up without requiring them to provide identity beyond an email — easily faked — or a phone number. (…) Vehicles were stolen and burned; drivers were assaulted, robbed and occasionally murdered. The company stuck with the low-friction sign-up system, even as violence increased.”

• A Comparison of Personal Name Matching: Techniques and Practical Issues - Customer name matching has lots of applications, from account deduplication to fraud monitoring.

• Statistically Likely Usernames - Wordlists for creating statistically likely usernames for use in username-enumeration, simulated password-attacks and other security testing tasks.

• Facebook Dangerous Individuals and Organizations List - Some groups and content are illegal in some jurisdictions. This is an example of a blocklist.

• Sherlock - Hunt down social media accounts by username across social networks.

Fraud

As an online service provider, you're exposed to fraud, crime and abuses. You'll be surprised by how
much people gets clever when it comes to money. Expect any bug or discrepancies in your workflow to
be exploited for financial gain.

 After Car2Go eased its background checks, 75 of its vehicles were stolen in one day. - Why
background check are sometimes necessary.

 Investigation into the Unusual Signups - A really detailed analysis of suspicious contributor
signups on OpenStreetMap. This beautiful and high-level report demonstrating an orchestrated
and directed campaign might serve as a template for fraud reports.

 MIDAS: Detecting Microcluster Anomalies in Edge Streams - A proposed method to “detects
microcluster anomalies, or suddenly arriving groups of suspiciously similar edges, in edge
streams, using constant time and memory.”

 Gephi - Open-source platform for visualizing and manipulating large graphs.

Moderation

Any online community, not only those related to gaming and social networks, requires its operator
to invest a lot of resources and energy to moderate it.

 Still Logged In: What AR and VR Can Learn from MMOs - “If you host an online community,
where people can harm another person: you are on the hook. And if you can't afford to be on
the hook, don't host an online community”.

 You either die an MVP or live long enough to build content moderation - “You can think about
the solution space for this problem by considering three dimensions: cost, accuracy and speed.
And two approaches: human review and machine review. Humans are great in one of these
dimensions: accuracy. The downside is that humans are expensive and slow. Machines, or
robots, are great at the other two dimensions: cost and speed - they’re much cheaper and
faster. But the goal is to find a robot solution that is also sufficiently accurate for your needs.”

 Keep out the bad apples: How to moderate a marketplace - “With great power comes great
responsibility. Some of my tips and tricks to make your marketplace a safer place.”

 The despair and darkness of people will get to you - Moderation of huge social networks is
performed by an army of outsourced subcontractors. These people are exposed to the worst
and generally end up with PTSD.
 The Cleaners - A documentary on these teams of underpaid people removing posts and deleting
accounts.

Threat Intelligence

How to detect, unmask and classify offensive online activities. Most of the time these are monitored by
security, networking and/or infrastructure engineering teams. Still, these are good resources for T&S
and IAM people, who might be called upon for additional expertise in the analysis and handling of threats.

 Awesome Threat Intelligence - “A concise definition of Threat Intelligence: evidence-based
knowledge, including context, mechanisms, indicators, implications and actionable advice, about
an existing or emerging menace or hazard to assets that can be used to inform decisions
regarding the subject's response to that menace or hazard.”

 SpiderFoot - An open source intelligence (OSINT) automation tool. It integrates with just about
every data source available and uses a range of methods for data analysis, making that data easy
to navigate.

 Standards related to Threat Intelligence - Open standards, tools and methodologies to support
threat intelligence analysis.

 MISP taxonomies and classification - Tags to organize information on “threat intelligence
including cyber security indicators, financial fraud or counter-terrorism information.”

 Browser Fingerprinting: A survey - Fingerprints can be used as a source of signals to identify bots
and fraudsters.

 The challenges of file formats - At some point you will let users upload files into your system. Here is
a corpus of suspicious media files that can be leveraged by scammers to bypass security or fool
users.

 SecLists - Collection of multiple types of lists used during security assessments, collected in one
place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads,
web shells, and many more.

 PhishingKitTracker - CSV database of email addresses used by threat actors in phishing kits.

 PhoneInfoga - Tools to scan phone numbers using only free resources. The goal is to first gather
standard information such as country, area, carrier and line type on any international phone
numbers with a very good accuracy. Then search for footprints on search engines to try to find
the VoIP provider or identify the owner.

 Confusable Homoglyphs - Homoglyphs are a common phishing trick.

Captcha

Another line of defense against spammers.

 Awesome Captcha - References all open-source captcha libraries, integrations, alternatives and
cracking tools.
 reCaptcha - reCaptcha is still an effective, economical and quick solution when your company
can't afford to have a dedicated team to fight bots and spammers at internet scale.

 You (probably) don't need ReCAPTCHA - Starts with a rant on how the service is a privacy
nightmare and is tedious UI-wise, then lists alternatives.

 Anti-captcha - Captcha-solving service.

Blocklists

The first mechanical line of defense against abuse consists of plain and simple deny-listing. This is the
low-hanging fruit of fraud fighting, but you'll be surprised how effective it still is.

 Bloom Filter - Perfect for this use-case, as bloom filters are designed to quickly check if an
element is not in a (large) set. Variations of bloom filters exist for specific data types.

 How Radix trees made blocking IPs 5000 times faster - Radix trees might come in handy to speed
up IP blocklists.

Hostnames and Subdomains

Useful to identify clients, catch and block swarms of bots, and limit the effects of DDoS.

 hosts - Consolidates reputable hosts files, and merges them into a unified hosts file with
duplicates removed.

 nextdns/metadata - Extensive collection of lists for security, privacy and parental control.

 The Public Suffix List - Mozilla's registry of public suffixes, under which Internet users can (or
historically could) directly register names.

 Country IP Blocks - CIDR country-level IP data, straight from the Regional Internet Registries,
updated hourly.

 Certificate Transparency Subdomains - An hourly updated list of subdomains gathered from
certificate transparency logs.

 Subdomain denylists: #1, #2, #3, #4.

 common-domain-prefix-suffix-list.tsv - Top-5000 most common domain prefix/suffix list.

 hosts-blocklists - No more ads, tracking and other virtual garbage.

 xkeyscorerules100.txt - NSA's XKeyscore matching rules for TOR and other anonymity preserving
tools.

 pyisp - IP to ISP lookup library (includes ASN).

 AMF site blocklist - Official French denylist of money-related fraud sites.

Emails

 Burner email providers - A list of temporary email providers. And its derivative Python module.
 MailChecker - Cross-language temporary (disposable/throwaway) email detection library.

 Temporary Email Address Domains - A list of domains for disposable and temporary email
addresses. Useful for filtering your email list to increase open rates (sending email to these
domains likely will not be opened).

 gman - “A ruby gem to check if the owner of a given email address or website is working for THE
MAN (a.k.a verifies government domains).” Good resource to hunt for potential government
customers in your user base.

 Swot - In the same spirit as above, but this time to flag academic users.

Reserved IDs

 General List of Reserved Words - This is a general list of words you may want to consider
reserving, in a system where users can pick any name.

 Hostnames and usernames to reserve - List of all the names that should be restricted from
registration in automated systems.

Profanity

 List of Dirty, Naughty, Obscene, and Otherwise Bad Words - Profanity blocklist from
Shutterstock.

 profanity-check - Uses a linear SVM model trained on 200k human-labeled samples of clean and
profane text strings.

Privacy

As the guardian of users' data, the IAM stack is deeply bound by respect for privacy.

 Privacy Enhancing Technologies Decision Tree - A flowchart to select the right tool depending on
data type and context.

 Paper we love: Privacy - A collection of scientific studies of schemes providing privacy by design.

 IRMA Authentication - Open-source app and protocol that offers privacy-friendly attribute based
authentication and signing using Camenisch and Lysyanskaya's Idemix.

 Have I been Pwned? - Data breach index.

 Automated security testing for Software Developers - Most privacy breaches were allowed by
known vulnerabilities in third-party dependencies. Here is how to detect them by way of
CI/CD.

 Email marketing regulations around the world - As the world becomes increasingly connected,
the email marketing regulation landscape becomes more and more complex.

 World's Biggest Data Breaches & Hacks - Don't be the next company leaking your customer's
data.

Anonymization

As a central repository of user data, the IAM stack stakeholders have to prevent any leakage of business
and customer data. To allow for internal analytics, anonymization is required.

 The False Allure of Hashing for Anonymization - Hashing is not sufficient for anonymization.
But it is still good enough for pseudonymization (which is allowed by the GDPR).

 Four cents to deanonymize: Companies reverse hashed email addresses - “Hashed email
addresses can be easily reversed and linked to an individual”.

 Why differential privacy is awesome - Explains the intuition behind differential privacy, a
theoretical framework which allows sharing of aggregated data without compromising
confidentiality. See the follow-up articles with more details and practical aspects.

 k-anonymity: an introduction - An alternative anonymity privacy model.

 Presidio - Context aware, pluggable and customizable data protection and PII data
anonymization service for text and images.

 Diffix: High-Utility Database Anonymization - Diffix tries to provide anonymization, avoid
pseudonymization and preserve data quality. Written in Elixir at Aircloak, it acts as an SQL proxy
between the analyst and an unmodified live database.

GDPR

The well-known European privacy framework.

 GDPR Tracker - Europe's reference site.

 GDPR Developer Guide - Best practices for developers.

 GDPR – A Practical guide for Developers - A one-page summary of the above.

 GDPR Tracker - Track the GDPR compliance of cloud services and subprocessors.

 GDPR documents - Templates for personal use to have companies comply with "Data Access"
requests.

 Dark Patterns after the GDPR - This paper demonstrates that, because of the lack of GDPR law
enforcements, dark patterns and implied consent are ubiquitous.

 GDPR Enforcement Tracker - List of GDPR fines and penalties.

 Ship Your Enemies GDPR - Weaponizing GDPR to help you send your enemies Data Requests
designed to waste as much of their time as possible.

UX/UI

As a stakeholder of the IAM stack, you're going to implement in the backend the majority of the primitives
required to build the sign-up funnel and user onboarding. This is the first impression customers will
get of your product, and it can't be overlooked: you'll have to carefully design it with front-end experts.
Here are a couple of guides to help you polish that experience.

 The 2020 State of SaaS Product Onboarding - Covers all the important facets of user onboarding.
 User Onboarding Teardowns - A huge list of deconstructed first-time user signups.

 Discover UI Design Decisions Of Leading Companies - From Leaked Screenshots & A/B Tests.

 Conversion Optimization - A collection of tactics to increase the chance of users finishing the
account creation funnel.

 Trello User Onboarding - A detailed case study, nicely presented, on how to improve user
onboarding.

 11 Tips for Better Signup / Login UX - Some basic tips on the login form.

 Don't get clever with login forms - Create login forms that are simple, linkable, predictable, and
play nicely with password managers.

 Why are the username and password on two different pages? - To support both SSO and
password-based login. Now if breaking the login funnel in 2 steps is too infuriating to users,
solve this as Dropbox does: an AJAX request when you enter your username.

 HTML attributes to improve your users' two factor authentication experience - “In this post we
will look at the humble <input> element and the HTML attributes that will help speed up our
users' two factor authentication experience”.

 Remove password masking - Summarizes the results from an academic study investigating the
impact removing password masking has on consumer trust.

 For anybody who thinks "I could build that in a weekend," this is how Slack decides to send a
notification - Notifications are hard. Really hard.

Competitive Analysis

A bunch of resources to keep track of the current status and progress of all companies operating in the
domain.

 AWS Security, Identity & Compliance announcements - The source of all new features added to
the IAM perimeter.

 GCP IAM release notes - Also of note: Identity, Identity Platform, Resource Manager, Key
Management Service/HSM, Access Context Manager, Identity-Aware Proxy, Data Loss
Prevention and Security Scanner.

 Unofficial Weekly Google Cloud Platform newsletter - Relevant keywords: IAM and Security.

 DigitalOcean Accounts changelog - All the latest accounts updates on DO.

 163 AWS services explained in one line each - Helps make sense of their huge service catalog. In
the same spirit: AWS in simple terms & AWS In Plain English.

 Google Cloud Developer's Cheat Sheet - Describes all GCP products in 4 words or less.
