
How Do You Authenticate..?

Niko Köbler
September 06, 2018

Transcript

  1. TELL ME YOUR NAME
    AND I'LL TELL YOU WHO YOU ARE!
    NIKO KÖBLER (@DASNIKO)

  2. ABOUT ME
    ▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de
    ▸ Doing stuff with & without computers, writing Software, ~ 20 yrs
    ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
    ▸ Speaker at international Tech Conferences
    ▸ Author of „Serverless Computing in AWS Cloud“

    serverlessbuch.de
    ▸ Twitter: @dasniko
    HOW DO YOU AUTHENTICATE..?

  3. AUTHENTICATION
    I don’t know who you are.
    AUTHORIZATION
    I know who you are, but you’re not allowed.

  4. HTTP STATUS CODES
    401 UNAUTHORIZED
    means Not authenticated
    403 FORBIDDEN
    means Unauthorized

  5. HOW DO YOU AUTHENTICATE?

  6. HOW DO YOU AUTHENTICATE..?
    SESSION BASED AUTHENTICATION
    ▸ User enters username/password

    Request: client app -> server
    ▸ Server checks for the user & authenticates them

    Sends a unique token back to the user’s client
    ▸ Client app stores the token in cookie(s)

    Sends it back with every subsequent request
    ▸ Server receives the token with every request,
    authenticates the user and sends back data
    ▸ On logout, the client (and server) removes the token

    Subsequent requests will be unauthorized
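The flow above as an added example, not code from the deck: a server-side session table that hands out an opaque id in a cookie, looks it up on every request and drops it on logout. Cookie name, user names and TTL are constructed; note that every login adds one record on the server, which is exactly the state the downsides slide is about.

```python
import secrets
import time
from http.cookies import SimpleCookie

class SessionStore:
    """Server-side session table (constructed example): one record per login."""
    COOKIE = "sid"        # constructed cookie name
    TTL = 60 * 60         # sessions expire after an hour of existence

    def __init__(self):
        self._sessions = {}  # opaque session id -> (username, expires_at)

    def create(self, username, now=None):
        """After the credential check: mint an unguessable id and return it together
        with the Set-Cookie value (HttpOnly: no script access, Secure: HTTPS only)."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = (username, now + self.TTL)
        cookie = (f"{self.COOKIE}={sid}; Path=/; HttpOnly; Secure; "
                  f"SameSite=Lax; Max-Age={self.TTL}")
        return sid, cookie

    def user_for(self, cookie_header, now=None):
        """Every subsequent request: parse the Cookie header and look the id up.
        Unknown, logged-out or expired ids are unauthenticated (answer with 401)."""
        now = time.time() if now is None else now
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get(self.COOKIE)
        if morsel is None:
            return None
        record = self._sessions.get(morsel.value)
        if record is None:
            return None
        username, expires_at = record
        if now > expires_at:
            self._sessions.pop(morsel.value, None)  # purge the stale record
            return None
        return username

    def logout(self, sid):
        """Logout removes the record on the server, not only the cookie in the browser."""
        self._sessions.pop(sid, None)
```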

  7. HOW DO YOU AUTHENTICATE..?
    SESSION BASED - DOWNSIDES
    ▸ On every user authentication, the server needs
    to create a record somewhere on the server.
    This may lead to increased memory allocation
    ▸ Since sessions are stored in memory, this will
    lead to problems with scalability,

    e.g. replication over multiple instances /
    network

  8. HOW DO YOU AUTHENTICATE..?
    TOKEN BASED AUTHENTICATION
    ▸ Completely stateless!

    No data will be stored on servers!
    ▸ Has gained popularity over recent years,
    thanks to Single-Page- and Mobile-Apps, Web
    APIs, IoT, …
    ▸ Mostly used token: JSON Web Token (JWT)
    ▸ signed
    ▸ self-contained
    ▸ can contain additional data
    ▸ Foundation for SSO (Single-/Social-Sign-On)

  9. HOW DO YOU AUTHENTICATE..?
    TOKEN BASED AUTHENTICATION
    ▸ User enters credentials
    ▸ Server verifies credentials and returns a signed
    token (the JWT)
    ▸ Token is stored client-side! (e.g. local storage)
    ▸ Subsequent requests to server include the
    token, generally as Authorization header
    ▸ Server decodes and verifies the JWT; if valid, it
    proceeds with the request, no memory lookups necessary
    ▸ On logout, JWT is destroyed client-side
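The login and per-request steps above, as an added example that is not from the deck: a minimal HS256 JWT signed after the credential check and verified on each request with nothing looked up on the server. The secret and claims are constructed; a real service would use a maintained JWT library rather than this hand-rolled version.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-not-for-production"  # server-side key, constructed

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _json_bytes(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

def issue_jwt(claims, secret, ttl=900, now=None):
    """Login step: after the credential check passed, sign the claims with HS256.
    The token carries subject and expiry itself, so the server stores nothing."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = _b64url(_json_bytes(header)) + "." + _b64url(_json_bytes(payload))
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)

def verify_jwt(token, secret, now=None):
    """Per-request step: check signature and expiry, then return the claims.
    Returns None for anything that must be answered with 401."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64url_decode(head))
        # Only accept the algorithm we issue; never let the token choose (e.g. "none").
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, (head + "." + body).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
        return claims
    except (ValueError, TypeError):
        return None
```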

  10. SOCIAL SIGN ON

  11. HOW DO YOU AUTHENTICATE..?
    SOCIAL SIGN ON
    ▸ Authenticate users based on their social
    networking accounts
    ▸ Users don’t need to register again, thus don’t
    need to remember credentials
    ▸ Developers don’t need to implement the whole
    authentication process/features

    Don’t need to secure all the credentials
    ▸ See OAuth2, OpenID Connect, JWT for more
    information!

  12. PASSWORDLESS…

  13. HOW DO YOU AUTHENTICATE..?
    PASSWORDLESS / THE „MAGIC LINK“
    ▸ User enters email address
    ▸ Server sends a temporary one-time link (TOTL)
    to that email
    ▸ User clicks the link & is automatically logged into
    the application
    ▸ Similar approaches:
    ▸ Code or TOTP through SMS or push
    notification (needs setup, costs money) or
    email
    ▸ Touch-/Face-ID
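The three magic-link steps above, as an added example that is not from the deck: the server keeps only a hash of the random token together with an expiry, and the link is consumed on first use so it cannot be replayed. The base URL, e-mail addresses and 15-minute lifetime are constructed.

```python
import hashlib
import secrets
import time

class MagicLinkStore:
    """Server-side record of outstanding one-time login links (constructed example)."""
    TTL = 15 * 60  # a link stays valid for 15 minutes

    def __init__(self):
        self._pending = {}  # sha256(token) -> (email, expires_at)

    def create_link(self, email, base_url="https://app.example.invalid/login", now=None):
        """Step 2: mint a random one-time token, store only its hash (a leaked
        database then reveals nothing usable) and build the link to e-mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, now + self.TTL)
        return f"{base_url}?token={token}"

    def redeem(self, token, now=None):
        """Step 3: the link is clicked. Return the e-mail to log in, or None.
        The record is removed on first use, so a second click (or a replay) fails."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._pending.pop(digest, None)  # consume regardless of outcome
        if record is None:
            return None
        email, expires_at = record
        if now > expires_at:
            return None
        return email

def token_from_link(link):
    """Helper for tests/clients: extract the token query value from a link."""
    return link.split("token=", 1)[1]
```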

  14. HOW DO YOU AUTHENTICATE..?
    PASSWORDLESS - BENEFITS
    ▸ No more insecure passwords
    ▸ No more complicated passwords to remember
    ▸ No more „forgot password“
    ▸ All of the above is valid and a win-win for users
    and developers!
    ▸ BUT: If your email account is compromised,
    then… good luck!

  15. MULTI-FACTOR AUTHENTICATION

  16. HOW DO YOU AUTHENTICATE..?
    TWO / MULTI FACTOR AUTHENTICATION
    ▸ Something you Know

    e.g. password or PIN
    ▸ Something you Have

    e.g. a physical device like a mobile phone or
    software that can generate (T)OTPs
    ▸ Something you Are

    a biologically unique feature, e.g. fingerprints,
    voice, retinas

  18. MOBILE PHONE
    AUTHENTICATION?
    IMEI & IMSI ARE PUBLIC!

  20. THANK YOU.
    ANY QUESTIONS?
    https://speakerdeck.com/dasniko
    Niko Köbler | www.n-k.de | [email protected] | @dasniko
    HOW DO YOU AUTHENTICATE..?