Identity Lab
A hands-on playground for the auth model that's replacing passwords: passkeys, phishing-resistant MFA, and the workload-identity primitives that extend the same guarantees to AI agents.
Try it
Passwordless sign-in
Register a passkey on your device, then sign back in with no password and no OTP. Walks through every byte of the WebAuthn ceremony — including the origin binding that makes it phishing-resistant.
JWT inspector
Paste a real token, see what's inside, and watch the analyzer flag alg=none, alg-confusion, missing exp, and PII leakage in real time.
Phishing-resistant MFA, explained
Why FIDO2 / WebAuthn is the only mainstream MFA factor that survives a real-time AitM phishing kit. With diagrams of what actually happens on the wire.
Agent identity
What a passkey is to a human, a workload credential is to an AI agent. Covers OIDC, SPIFFE/SPIRE, attestation, and the new problem: how do you authenticate an agent that acts on a user's behalf?
Why this exists
I spend my days auditing identity systems at Microsoft. The same bugs keep showing up: tokens accepted with jwt.verify(token, secret) without an algorithm pinned, MFA prompts that any reverse-proxy phishing kit can replay, and now — agents handed long-lived API keys because nobody designed an identity model for them.
This lab lets you touch the alternative: phishing-resistant authentication for humans, the same primitives extended to workloads, and the failure modes that cause both to be deployed insecurely.
Modeled on real guidance
- NIST SP 800-63B-4 (draft) — phishing-resistant AAL3
- CISA Zero Trust Maturity Model — "phishing-resistant MFA" as the identity pillar baseline
- FIDO2 / WebAuthn Level 3 — the protocol the demo implements
- OMB M-22-09 — federal civilian agencies required to deploy phishing-resistant MFA
- SPIFFE / SPIRE — the de-facto workload-identity standard for agents and services