
How Do You Authenticate..?

Niko Köbler
September 06, 2018


Transcript

  1. TELL ME YOUR NAME AND I WILL TELL YOU WHO YOU ARE! NIKO KÖBLER (@DASNIKO)
  2. ABOUT ME
     ▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de
     ▸ Doing stuff with & without computers, writing software, ~ 20 yrs
     ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
     ▸ Speaker at international tech conferences
     ▸ Author of „Serverless Computing in AWS Cloud“ (serverlessbuch.de)
     ▸ Twitter: @dasniko
     HOW DO YOU AUTHENTICATE..?
  3. AUTHENTICATION: I don’t know who you are.
     AUTHORIZATION: I know who you are, but you’re not allowed.
  4. HTTP STATUS CODES
     ▸ 401 UNAUTHORIZED means: not authenticated
     ▸ 403 FORBIDDEN means: unauthorized
  5. HOW DO YOU AUTHENTICATE?

  6. HOW DO YOU AUTHENTICATE..? SESSION BASED AUTHENTICATION
     ▸ User enters username/password; request: client app -> server
     ▸ Server checks for the user & authenticates it; sends a unique token back to the user’s client
     ▸ Client app stores the token in cookie(s) and sends it back with every subsequent request
     ▸ Server receives the token with every request, authenticates the user and sends back data
     ▸ On logout, the client (and server) removes the token; subsequent requests will be unauthorized
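The session flow on this slide and the 401/403 distinction from slide 4, as an added example that is not part of the original deck. The user table, the `SessionServer` class and its `login`/`request`/`logout` methods are constructed for illustration; the point to notice is that the session id the client gets back is only a key into a server-side table, so every request needs a lookup and logout works by deleting the record.

```python
import hmac
import secrets
import time

# Constructed user table for this example: username -> (password, role).
# Plain-text passwords are used only to keep the demo short; a real store
# keeps salted password hashes.
USERS = {"alice": ("correct horse", "admin"), "bob": ("hunter2", "user")}


class SessionServer:
    """Session-based authentication: all state lives in this server-side table."""

    def __init__(self, ttl_seconds=1800):
        self.sessions = {}  # session id -> {"user": ..., "expires": ...}
        self.ttl = ttl_seconds

    def login(self, username, password, now=None):
        """Check credentials, create a server-side record, return the session id.

        The id is the 'unique token' the client keeps in a cookie. It carries no
        data itself; it is only a key into self.sessions.
        """
        now = time.time() if now is None else now
        stored = USERS.get(username)
        if stored is None or not hmac.compare_digest(
            stored[0].encode(), password.encode()
        ):
            return None
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self.sessions[sid] = {"user": username, "expires": now + self.ttl}
        return sid

    def request(self, sid, resource, now=None):
        """Every request costs a lookup in the session table (the scalability cost)."""
        now = time.time() if now is None else now
        rec = self.sessions.get(sid)
        if rec is None or rec["expires"] < now:
            self.sessions.pop(sid, None)  # drop expired records as we meet them
            return 401  # not authenticated: no session or an expired one
        if resource == "/admin" and USERS[rec["user"]][1] != "admin":
            return 403  # authenticated, but not allowed
        return 200

    def logout(self, sid):
        """Deleting the record is what makes later requests fail with 401."""
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    srv = SessionServer()
    sid = srv.login("bob", "hunter2")
    print(srv.request(sid, "/me"), srv.request(sid, "/admin"))  # 200 403
    srv.logout(sid)
    print(srv.request(sid, "/me"))  # 401
```

The `now` parameters exist only so expiry can be exercised deterministically; a real server uses the clock. Because the table is in process memory, a second server instance knows nothing about sessions created here, which is exactly the replication problem the next slide names.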
  7. HOW DO YOU AUTHENTICATE..? SESSION BASED - DOWNSIDES
     ▸ On every user authentication, the server needs to create a record somewhere on the server. This may lead to increased memory allocation.
     ▸ Since sessions are stored in memory, this leads to problems with scalability, e.g. replication over multiple instances / the network.
  8. HOW DO YOU AUTHENTICATE..? TOKEN BASED AUTHENTICATION
     ▸ Completely stateless! No data will be stored on servers!
     ▸ Has gained popularity over the last years, thanks to single-page and mobile apps, web APIs, IoT, …
     ▸ Mostly used token: JSON Web Token (JWT)
       ▸ signed
       ▸ self-contained
       ▸ can contain additional data
     ▸ Foundation for SSO (Single-/Social-Sign-On)
  9. HOW DO YOU AUTHENTICATE..? TOKEN BASED AUTHENTICATION
     ▸ User enters credentials
     ▸ Server verifies credentials and returns a signed token (the JWT)
     ▸ Token is stored client-side! (e.g. local storage)
     ▸ Subsequent requests to the server include the token, generally as Authorization header
     ▸ Server decodes the JWT and verifies its signature; if valid, it proceeds with the request, no memory lookups necessary
     ▸ On logout, the JWT is destroyed client-side
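The stateless verification step on this slide, as an added example that is not from the deck: a minimal HS256 JWT issuer and verifier built on the standard library. `sign_jwt`, `verify_jwt` and the `with_modified_claims` helper are constructed names; the key and claims are sample values. It shows the property the slide relies on (the server needs only the key and the token, no lookup) and the checks a verifier must make for that to be safe: pin the algorithm, compare the HMAC in constant time, and honour `exp`.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data):
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Issue an HS256 JWT: header.payload.signature, each base64url-encoded."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, key, now=None):
    """Return the claims if signature and expiry check out, else None.

    No server-side state is consulted: the key and the token are enough.
    """
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm; never let the token choose how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if not isinstance(claims, dict):
            return None
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if "exp" in claims and claims["exp"] <= now:
        return None
    return claims


def with_modified_claims(token, new_claims):
    """Constructed test helper: swap the payload but keep the old signature,
    to show that the verifier rejects an edited token."""
    h, _, s = token.split(".")
    payload = _b64url(json.dumps(new_claims, separators=(",", ":")).encode())
    return h + "." + payload + "." + s


if __name__ == "__main__":
    key = b"constructed-demo-key"  # sample value; use a random 256-bit key in practice
    token = sign_jwt({"sub": "alice", "role": "user", "exp": int(time.time()) + 600}, key)
    print(token)
    print(verify_jwt(token, key))
```

One consequence worth keeping in mind: because nothing is stored server-side, "logout" on this slide only discards the client's copy. The same token keeps verifying until `exp`, so short lifetimes (or a server-side denylist, which reintroduces some state) are what bound the damage from a leaked token.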
  10. SOCIAL SIGN ON

  11. HOW DO YOU AUTHENTICATE..? SOCIAL SIGN ON
      ▸ Authenticate users based on their social networking accounts
      ▸ Users don’t need to register again, thus don’t need to remember credentials
      ▸ Developers don’t need to implement the whole authentication process/features, and don’t need to secure all the credentials
      ▸ See OAuth2, OpenID Connect, JWT for more information!
  12. PASSWORDLESS…

  13. HOW DO YOU AUTHENTICATE..? PASSWORDLESS / THE „MAGIC LINK“
      ▸ User enters email address
      ▸ Server sends a temporary one-time link (TOTL) to that email
      ▸ User clicks the link & is automatically logged into the application
      ▸ Similar approaches:
        ▸ Code or TOTP through SMS or push notification (needs setup, costs money) or email
        ▸ Touch-/Face-ID
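The magic-link flow on this slide, as an added example that is not part of the deck. `MagicLinkService`, its `request_link`/`redeem` methods, the `outbox` stand-in for the mail queue and the `https://app.example/login` URL are all constructed. The two properties the word "temporary one-time" promises are made explicit: the link expires, and it is consumed on first use. Only a hash of the token is kept server-side, so a leaked table cannot be replayed.

```python
import hashlib
import secrets
import time


class MagicLinkService:
    """Passwordless login by temporary one-time link (TOTL), as on the slide."""

    def __init__(self, ttl_seconds=900):
        self.pending = {}  # sha256(token) -> (email, expiry timestamp)
        self.outbox = []   # constructed stand-in for the outgoing mail queue
        self.ttl = ttl_seconds

    @staticmethod
    def _digest(token):
        # Store a hash, not the token: the database then holds nothing usable.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_link(self, email, now=None):
        """Steps 1-2: user enters an email address, server mails a one-time link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256-bit random, unguessable
        self.pending[self._digest(token)] = (email, now + self.ttl)
        self.outbox.append((email, "https://app.example/login?token=" + token))
        return token  # returned only so the demo can 'click' the link itself

    def redeem(self, token, now=None):
        """Step 3: the link is consumed exactly once; returns the email or None."""
        now = time.time() if now is None else now
        # pop() removes the record whether or not the rest of the check passes,
        # so a link can never be redeemed twice.
        record = self.pending.pop(self._digest(token), None)
        if record is None:
            return None
        email, expires = record
        if expires < now:
            return None
        return email


if __name__ == "__main__":
    svc = MagicLinkService()
    link_token = svc.request_link("user@app.example")
    print(svc.outbox[-1][1])
    print(svc.redeem(link_token), svc.redeem(link_token))  # user@app.example None
```

Two design notes. First, as slide 14 says, this is only as strong as the mailbox it lands in: whoever reads the user's mail can log in. Second, single use has a practical side effect: security scanners in some mail systems open links before the user does, so a production version usually confirms the login with a click on the landing page rather than on the first GET.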
  14. HOW DO YOU AUTHENTICATE..? PASSWORDLESS - BENEFITS
      ▸ No more insecure passwords
      ▸ No more complicated passwords to remember
      ▸ No more „forgot password“
      ▸ All of the above is valid and a win-win for users and developers!
      ▸ BUT: If your email account is compromised, then… good luck!
  15. MULTI-FACTOR AUTHENTICATION

  16. HOW DO YOU AUTHENTICATE..? TWO / MULTI FACTOR AUTHENTICATION
      ▸ Something you Know, e.g. password or PIN
      ▸ Something you Have, e.g. a physical device like a mobile phone or software that can generate (T)OTPs
      ▸ Something you Are: a biologically unique feature, e.g. fingerprints, voice, retinas
  18. MOBILE PHONE AUTHENTICATION? IMEI & IMSI ARE PUBLIC!

  20. THANK YOU. ANY QUESTIONS? https://speakerdeck.com/dasniko
      Niko Köbler | www.n-k.de | niko@n-k.de | @dasniko