Pro Yearly is on sale from $80 to $50! »

Choosing the Right Authentication Strategy - Gabe Evans

B044a0f039af800f4df09bf3b2465f18?s=47 Las Vegas Ruby Group
September 11, 2013
54

Choosing the Right Authentication Strategy - Gabe Evans

B044a0f039af800f4df09bf3b2465f18?s=128

Las Vegas Ruby Group

September 11, 2013
Tweet

Transcript

  1. RIGHT THE AUTHENTICATION STRATEGY CHOOSING

  2. BEFORE WE BEGIN • The title of this presentation is

    half a lie. This is no “right” way. There is, however, the best way depending on your situation. • I sign into many different websites daily. As such, I consider myself an expert. • The goal is to present the options, their benefits, and shortcomings.
  3. Authentication vs. Authorization Source: https://secure.flickr.com/photos/mcgovernville/48178733/

  4. Authentication vs. Authorization Authentication verifies who you are. Source: https://secure.flickr.com/photos/mcgovernville/48178733/

  5. Authentication vs. Authorization Authorization verifies what you can do. Authentication

    verifies who you are. Source: https://secure.flickr.com/photos/mcgovernville/48178733/
  6. METHODSOF AUTHENTICATION

  7. Something You Have Source: https://secure.flickr.com/photos/bodhack/3400270656/

  8. Something You Are Source: https://secure.flickr.com/photos/flyingturtle/7475071144/

  9. Something You Know Source: https://secure.flickr.com/photos/formalfallacy/2057169454/

  10. STANDARDSOF AUTHENTICATION

  11. OAuth • Doubles as authentication for users of your apps

    while requesting privileges to data through providers (e.g. Facebook Graph API). • Credentials are le" in the hands of the provider. If they’re compromised, you’re compromised. • Easy to offer too many options and raises privacy concerns. • There are three different versions in use.
  12. OpenID • Decentralized. Authentication is through a URL, rather than

    a specific provider. • Credentials are le" in the hands of the provider. If they’re compromised, you’re compromised.
  13. HTTP Authentication • Oldest, most well supported web-based authentication. •

    Easiest implementation for simple API clients. • Ugly to users. • Basic is insecure, Digest is overly complex.
  14. MULTIPLEFACTORS OF AUTHENTICATION

  15. SMS One-Time Passwords • If your users have a computer,

    they have a cellphone capable of receiving text messages. • However, they’re the weakest second factor (OTPs can be read when your phone is locked).
  16. Biometric Authentication • Can be any kind of (but not

    limited to) fingerprint or retina scanning, facial or voice recognition, or a signature. • In theory, identifies an individual and cannot be replicated. • Expensive, difficult to implement, young, and o"en times easy to exploit.
  17. USB One-Time Password Authenticators • Must be in your users’

    possession to authenticate. • Costs money. • Small and easy to lose.
  18. LaunchKey • Supports many factors of authentication: PIN, pattern, geofencing,

    device factor (Bluetooth). • Usable through OpenID and OAuth. • Recently out of private beta, not in widespread production use (yet).
  19. RAILSIMPLEMENTATIONS OF AUTHENTICATION

  20. Devise • Most support and documentation. • Requires Ruby on

    Rails. • Includes everything but the kitchen sink. • Difficult to customize.
  21. OmniAuth • Alternative to all-in-one solutions (Devise). • Supports almost

    every OAuth provider imaginable. • Works with any Rack-based application. • Can be too minimal for spoiled Rails developers.
  22. CUSTOM GOING COMPLETELY

  23. Use Warden for Authentication • Works as a Rack middleware.

    • Specifies authentication strategies in a DSL. • Used by Devise.
  24. Use has_secure_password in Models • Avoids the trouble of picking

    a hashing algorithm (uses bcrypt). • Includes minimal validations for password and password confirmation. • Adds a total of 3 methods: #authenticate, #password=, #password_confirmation=
  25. QUESTIONS?