Randall Degges
Randall's realm of expertise include Python, JavaScript, and Go development, web security, cryptography, and infrastructure security. Randall has been writing software for ~20 years and has built some of the most-used API services on the internet.
All Posts by Randall Degges
Multi-Factor Authentication Sucks
For the last seven years or so I’ve been building developer tools to help make user authentication and authorization simpler and more secure. When I’m not building tools to help secure web applications, I’m often writing articles, creating videos, and educating developers on web security best practices. I care a lot about web security. With that said (and I almost feel guilty admitting this), I think multi-factor authentication (MFA) sucks. It’s slow, annoying, frustrating, and...
A Thorough Introduction to PASETO
Today I’m going to introduce you to one of my favorite pieces of security technology released in the last several years: PASETO (platform-agnostic security tokens). PASETO is a relatively new protocol, designed by Scott Arciszewski in early 2018 that is quickly gaining adoption in the security community. While PASETO is still a young technology, I thought it’d be interesting to take an in-depth look at it, since it’s both incredibly useful and solves a lot...
The Hardest Thing About Data Encryption
Encrypting data is all about making sure that only the right people can view the data you’ve encrypted. There are two primary forms of data encryption: symmetric and asymmetric. While you can easily Google “symmetric encryption best practices” and figure out the best algorithms and developer libraries to use (more on this later) to encrypt and decrypt data, one thing isn’t so easy: figuring out how to properly store and manage your data encryption keys....
Build a Phone System for Your Company With Twilio, Okta, and JavaScript
If you’ve ever worked for a company with more than a few employees, you’ve probably seen some interesting phone systems. When I used to work at Cisco, everyone was given a dedicated Cisco desk phone that hooked up to a server somewhere in the company and each employee was assigned a unique phone number and extension. I never really liked that setup. It annoyed me that I had this big, clunky desk phone taking up...
User Migration: The Definitive Guide
Migrating sensitive user data from one system to another can be difficult (to say the least). While making incremental changes in your codebase to get rid of technical debt can be easy, replacing (or upgrading) something as critical and deeply-intertwined as your user management system can be a nightmare. In this guide, you’ll learn the best strategies and methods for migrating your user accounts from one backend to another in the simplest (and most secure)...
Nobody Cares About OAuth or OpenID Connect
If you’re reading this post, there’s a good chance that you’re a web developer who’s very interested in web security. You’ve probably heard about OAuth or OpenID Connect (OIDC) before. You may have even used them at some point in your career. But here’s the thing: almost nobody actually cares about OAuth or OIDC. Not you, not me, and not even other developers in the security industry. To understand why nobody cares about these two...
Build and Understand a Simple Node.js Website with User Authentication
Note: In May 2025, the Okta Integrator Free Plan replaced Okta Developer Edition Accounts, and the Okta CLI was deprecated. We preserved this post for reference, but the instructions no longer work exactly as written. Replace the Okta CLI commands by manually configuring Okta following the instructions in our Developer Documentation. Building websites with user authentication and management (login, registration, password reset, etc.), can be a huge pain. As a developer there are a million...
Build a Simple CRUD App with Flask and Python
Note: In May 2025, the Okta Integrator Free Plan replaced Okta Developer Edition Accounts, and the Okta CLI was deprecated. We preserved this post for reference, but the instructions no longer work exactly as written. Replace the Okta CLI commands by manually configuring Okta following the instructions in our Developer Documentation. Today I’m going to walk you through building a simple Flask web app (a blog) complete with user management (login, registration, etc.), database models,...
Flask Tutorial: Simple User Registration and Login
Note: In May 2025, the Okta Integrator Free Plan replaced Okta Developer Edition Accounts, and the Okta CLI was deprecated. We preserved this post for reference, but the instructions no longer work exactly as written. Replace the Okta CLI commands by manually configuring Okta following the instructions in our Developer Documentation. Flask is my favorite Python web framework. It’s minimal, it’s fast, and most of all: it’s fun. I love almost everything about Flask development,...
Tutorial: Build a Basic CRUD App with Node.js
Note: In May 2025, the Okta Integrator Free Plan replaced Okta Developer Edition Accounts, and the Okta CLI was deprecated. We preserved this post for reference, but the instructions no longer work exactly as written. Replace the Okta CLI commands by manually configuring Okta following the instructions in our Developer Documentation. Node.js is eating the world. Many of the largest companies are building more and more of their websites and API services with Node.js, and...
What Happens If Your JWT Is Stolen?
All of us know what happens if our user credentials (email and password) are discovered by an attacker: they can log into our account and wreak havoc. But a lot of modern applications are using JSON Web Tokens (JWTs) to manage user sessions—what happens if a JWT is compromised? Because more and more applications are using token-based authentication, this question is increasingly relevant to developers and critical to understand if you’re building any sort of...
How to Prevent Your Users from Using Breached Passwords
Not too long ago, the National Institute of Standards and Technology (NIST) officially recommended that user-provided passwords be checked against existing data breaches. Today I’m going to show you how you can easily add this functionality to any website you run using PassProtect, an open-source developer library we created specifically for this purpose. Why Check User Passwords? The new NIST recommendations mean that every time a user gives you a password, it’s your responsibility as...
Add Authentication to Any Web Page in 10 Minutes
Note: In May 2025, the Okta Integrator Free Plan replaced Okta Developer Edition Accounts, and the Okta CLI was deprecated. We preserved this post for reference, but the instructions no longer work exactly as written. Replace the Okta CLI commands by manually configuring Okta following the instructions in our Developer Documentation. × Heads up... this blog post is old! For updated instructions on adding authentication using the Okta Sign-in Widget, see Embedded Okta Sign-In Widget...
Static Sites vs CMS
There’s a frequent debate amongst development and marketing teams at companies around the world about whether or not their blog or website should be managed through a content management system (CMS) like Wordpress, Drupal, Squarespace, etc. or through a static site generator like Jekyll or Hugo. I’ve been blogging since 2006, writing websites since 2002, and I’ve built just about every possible type of website. Today I’d like to explain why static sites are the...
Announcing PassProtect - Proactive Web Security
If you’re reading this article you probably care about web security. You probably use a password manager to manage your passwords, you’ve probably got multi-factor authentication setup for all of your services, and you’re probably already subscribed to Have I Been Pwned? so you’re alerted when one of your logins have been involved in a data breach. But you’re not most people. Most web users are completely disconnected from the incredible advancements that have been...
Build a Video Chat Service with JavaScript, WebRTC, and Okta
Note: In May 2025, the Okta Integrator Free Plan replaced Okta Developer Edition Accounts, and the Okta CLI was deprecated. We preserved this post for reference, but the instructions no longer work exactly as written. Replace the Okta CLI commands by manually configuring Okta following the instructions in our Developer Documentation. As recently as seven short years ago, building video applications on the web was a massive pain. Remember the days of using Flash and...
Everything You Need to Know About the Twelve-Factor App
Ever heard of the twelve-factor app? Earlier this week I was scrolling through one of my favorite websites, Hacker News, and stumbled across the twelve-factor app for the first time. While I didn’t have time to read the official twelve-factor website, I wanted to take some time to share my thoughts about building twelve-factor apps, why they’re important, and what you need to know about them. Writing secure web applications can be really difficult! My...
Hosting Our First Developer Conference, Iterate
A couple weeks ago (Tuesday, Feb. 27) we officially ran the very first Iterate Developer Conference. Not only did we have a ton of fun throwing a developer conference, but it was also a huge success and succeeded in hitting all of our goals. In this post I’ll recap the Iterate experience from start to finish, including some interesting things I learned along the way. If you weren’t lucky enough to attend Iterate, don’t worry...
A Breakdown of the New SAML Authentication Bypass Vulnerability
Several weeks ago a new critical vulnerability was discovered that affects many SAML implementations. This vulnerability was first reported by Kelby Ludwig of Duo Security and is particularly interesting to us (as a user management company) as it can be used to bypass authentication in a sinisterly simplistic way. In this post, we’ll take an in-depth look at this new SAML vulnerability, what it is, how it works, and what you need to know to...
Build Your Own Invoicing Service with Node, Coinbase, Bitcoin, and Okta
Note: In May 2025, the Okta Integrator Free Plan replaced Okta Developer Edition Accounts, and the Okta CLI was deprecated. We preserved this post for reference, but the instructions no longer work exactly as written. Replace the Okta CLI commands by manually configuring Okta following the instructions in our Developer Documentation. I got into Bitcoin back in 2011. Since then, I’ve been a fan of cryptocurrencies and have always had an interest in them. I’ve...
Three Developer Tools I'm Thankful For
I’ve been writing code since I was 12 years old. When I first got started, I was using an old MSDOS computer that was given to my family by a member of our church. I’ve always been really thankful that person gave my family a computer, as without it, I doubt I’d be the person I am today. Each year around Thanksgiving time I always try to sit back, relax, and think about how thankful...
Use OpenID Connect to Build a Simple Node.js Website
Note: In May 2025, the Okta Integrator Free Plan replaced Okta Developer Edition Accounts, and the Okta CLI was deprecated. We preserved this post for reference, but the instructions no longer work exactly as written. Replace the Okta CLI commands by manually configuring Okta following the instructions in our Developer Documentation. If you’ve ever spent time trying to figure out the best way to handle user authentication for your Node app and been confused: you’re...
Why Are Webhooks Better Than Serverless Extensibility?
When you’ve built a successful software-as-a-service product, you tend to run into interesting technical (and business) questions. My favorite question is: “How do we add more functionality to our platform faster?” It’s an interesting question because everyone wants to build features faster. In a perfect world, you’d be able to hire 100,000 engineers, split them into teams of four (with no managers!), and have each team own a feature: spec it out, build it, iterate...
Build a Cryptocurrency Comparison Site with Vue.js
Vue.js is a simple JavaScript framework that lets you build dynamic front-end web applications. Lots of people compare it to React and Angular. As a back-end developer, and someone not incredibly experienced with frontend web applications, I’ve found Vue.js a lot simpler to learn, use, and be successful with vs. React and Angular. In this article, I’ll walk you through the basics of Vue.js, and in the process we’ll build a very simple single page...
Meet the New Okta Identity Platform
I’m genuinely excited to announce that today, we’re officially re-launching the new and improved Okta Identity Platform. Everything has been molded to our vision, and we’re aiming to do something we could not before: build the world’s largest authentication-as-a-service platform for developers of all shapes and sizes. The new Okta Identity Platform is our attempt to make authentication and authorization problems a relic of the past. We want to provide beautiful developer libraries across every...
Why JWTs Suck as Session Tokens
Note: In May 2025, the Okta Integrator Free Plan replaced Okta Developer Edition Accounts, and the Okta CLI was deprecated. We preserved this post for reference, but the instructions no longer work exactly as written. Replace the Okta CLI commands by manually configuring Okta following the instructions in our Developer Documentation. JSON Web Tokens (JWTs) are so hot right now. They’re all the rage in web development: Trendy? ✓ Secure? ✓ Scalable? ✓ Compact? ✓...