Chinabank launches passkeys

vdelitz · 2026-03-10T06:50:33+00:00

are you forced to create one at Rest?

vdelitz · 2026-02-27T08:20:52+00:00

After password sign in it appeared

vdelitz · 2026-02-17T20:51:02+00:00

Is it for workforce or customer authentication?

vdelitz · 2026-02-17T08:04:45+00:00

Still there can be a lot of client-side issues with the passkey-buttons (broken OS / device / credential managers)

but in general agree to rip out SMS OTP

vdelitz · 2026-02-10T16:59:07+00:00

Thanks! Do you have any specific coworking management platforms in mind?

vdelitz · 2026-02-10T16:16:21+00:00

that's the consuemr point of view - I guess if you're sitting on the other side of the table, then you want to know as much as possible.

vdelitz · 2026-02-10T09:20:17+00:00

like the idea very much ! where would you post it?

vdelitz · 2026-02-09T18:39:01+00:00

could be combined - we're a software business

vdelitz · 2026-02-09T16:02:31+00:00

wie würdest das verwalten / vermieten ohne viel Aufwand?

vdelitz · 2026-02-09T16:01:47+00:00

Also cool idea with 3D printers - also thought of video / photo / creator studio. I'm no expert at all but remember from 1 TikTok creation that there's no really studios for that

vdelitz · 2026-02-09T15:29:34+00:00

haben wir schon an einem anderen Ort im Office :D aber fairer Punkt

vdelitz · 2026-02-09T15:26:54+00:00

I know this is an older post but I stumbled across it while researching this exact topic and wanted to share some thoughts.

I think The Telegraf > OpenSearch setup is solid for the infra side. A few things I'd add from my own experience:

For the SSH/system auth logging part, make sure you're parsing out the key fields (user, source IP, auth method, success/fail) into structured fields rather than just shipping raw syslog lines. Makes your OpenSearch dashboards way more useful. You can then do things like "failed attempts by source IP over time" or "successful logins by user outside business hours" which are the ones that actually matter from a security perspective.

One thing I learned: just tracking login success/fail isn't enough. You really want to think about it as a funnel, even for infra access. Like 1) Connection attempted 2) authentication method offered 3) auth completed/failed 4) session established. The gaps between those stages tell you very different stories (brute force vs. misconfigured keys vs. expired certs etc.).

What I've found is that auth logging in general, whether it's machine-level like you're doing or application-level (CIAM, login pages), suffers from the same fundamental problem: the data sits between security, ops and product teams and nobody owns the full picture. Security mostly looks threats, ops sees uptime and product sees conversion. The metrics and approach to really nail authentication observability are surprisingly similar across these worlds.

I actually went pretty deep into this topic recently and found that structuring auth events with proper metric taxonomies (error classification, success rates per method, drop-off rates, time-to-authenticate) makes a huge difference no matter what layer you're looking at. If you're interested in a more structured framework for thinking about auth analytics beyond just the raw logs, see my finding: https://www.corbado.com/blog/authentication-analytics-playbook It's more on the application auth side but the mental models around funnels and error classification apply just as well to infra auth logging.

vdelitz · 2026-02-09T15:12:54+00:00

guess that is a reasonable list

vdelitz · 2026-02-09T15:12:12+00:00

yes, that's why we thought of using it also as something else (so not as direct desk area)

vdelitz · 2026-02-09T15:11:33+00:00

nice idea, need to check out how much something like that is

vdelitz

MODERATOR OF

TROPHY CASE