DigiNews

Tech Watch by Johan Denoyer

← Back to articles

Why We Don’t Trust the Database With Authentication

Quality: 8/10 Relevance: 9/10

Summary

The article argues that authentication should not be trusted to the database and demonstrates how relying on hashed API keys stored in the DB can be bypassed via SQL injection. It presents a cryptographic binding approach using a server-side pepper and HMAC-SHA512, plus multi-layer tenancy checks and database triggers to prevent rollback and cross-tenant leakage. It also discusses zero-downtime rotation and schema-level safeguards to maintain secure authentication boundaries.

🚀 Service construit par Johan Denoyer