Checking on the best practices to implement API security.
One view I have is that we can eliminate the need for a username and password by implementing it as a Ziti service… I like this because it improves the user experience… instead.
I was thinking … but hey…how do you know who they are…and what level of access they are allowed to have?
Well… we can then implement 2FA at the Ziti Desktop… which is pretty cool… and there are ways to push the identity back through the connection… especially if you are using ZTNA.
So… I thought to make a post about this… is there anything else to consider?
Is it really possible to implement APIs with no passwords… without compromising security?
One thing I have tried in the past is a Ziti Reverse Proxy… which allows you to implement ZTNA. The downside is that it needs to run on localhost.
Are there other ways to implement the same functionality?
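One way to picture the "identity pushed back through the connection" idea from the post, as an added example that is not from the original post or from the OpenZiti project: an API handler that takes the caller's identity from the zero-trust connection instead of a username and password, and then applies a per-identity access policy. The header name `X-Ziti-Identity`, the policy table and the rule that the API only trusts that header when the peer is loopback (where the local reverse proxy lives) are all assumptions made for the example. The loopback check is the part a practitioner would want: a forwarded identity header is only as trustworthy as the set of hosts that can reach the API, so anything not arriving from the local proxy is discarded rather than honoured.

```python
"""Added example, not code from the original post or the OpenZiti project.

Assumptions (hypothetical): a Ziti-side reverse proxy on localhost has
already authenticated the caller and forwards the Ziti identity name in
an "X-Ziti-Identity" header, and the API itself is reachable only via
that proxy on the loopback interface.
"""
from ipaddress import ip_address
from typing import Mapping, Optional, Tuple

IDENTITY_HEADER = "x-ziti-identity"  # hypothetical header name, compared case-insensitively

# Constructed policy: which identities may use which API scopes.
POLICY = {
    "alice-laptop": {"read", "write"},
    "ci-runner": {"read"},
}


def caller_identity(remote_addr: str, headers: Mapping[str, str]) -> Optional[str]:
    """Return the identity asserted by the local proxy, or None.

    The header is trusted only when the TCP peer is a loopback address: the
    proxy is the only thing that should be able to reach the API, so an
    identity header arriving from any other source is treated as injected
    and ignored.
    """
    try:
        if not ip_address(remote_addr).is_loopback:
            return None
    except ValueError:  # malformed address: fail closed
        return None
    normalized = {k.lower(): v for k, v in headers.items()}
    ident = normalized.get(IDENTITY_HEADER, "").strip()
    return ident or None


def authorize(identity: Optional[str], scope: str) -> bool:
    """Deny by default; allow only identities the policy lists for the scope."""
    if identity is None:
        return False
    return scope in POLICY.get(identity, set())


def handle(remote_addr: str, headers: Mapping[str, str], scope: str) -> Tuple[int, str]:
    """Simulated request handler: no password anywhere, identity comes from the connection."""
    ident = caller_identity(remote_addr, headers)
    if not authorize(ident, scope):
        return 403, "forbidden"
    return 200, f"hello {ident}"


if __name__ == "__main__":
    # Constructed requests: one via the local proxy, one bypassing it.
    print(handle("127.0.0.1", {"X-Ziti-Identity": "ci-runner"}, "read"))
    print(handle("10.0.0.5", {"X-Ziti-Identity": "alice-laptop"}, "read"))
```

With a service that embeds a Ziti SDK instead of sitting behind a proxy, the identity is available from the connection object itself and the loopback check becomes unnecessary; with the reverse-proxy layout the post describes, that check (or an equivalent such as a firewall rule or a mutually authenticated hop between proxy and API) is what stops a plain HTTP client on the same host or network from asserting an identity it never authenticated.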