NIST SP 800-63-4: The Framework Behind Modern Digital Identity
Most engineers think about identity in binary terms: the user is either authenticated or they aren’t. If you’ve built a login system, you’ve probably made decisions like “we’ll require MFA for sensitive actions” or “we’ll use SSO”. Those are reasonable decisions, but they’re incomplete.
