Choosing the Right Authentication Strategy - Gabe Evans

Transcript

1. RIGHT THE AUTHENTICATION STRATEGY CHOOSING

2. BEFORE WE BEGIN • The title of this presentation is

   half a lie. This is no “right” way. There is, however, the best way depending on your situation. • I sign into many different websites daily. As such, I consider myself an expert. • The goal is to present the options, their benefits, and shortcomings.

3. Authentication vs. Authorization Source: https://secure.flickr.com/photos/mcgovernville/48178733/

4. Authentication vs. Authorization Authentication verifies who you are. Source: https://secure.flickr.com/photos/mcgovernville/48178733/

5. Authentication vs. Authorization Authorization verifies what you can do. Authentication

   verifies who you are. Source: https://secure.flickr.com/photos/mcgovernville/48178733/

6. METHODSOF AUTHENTICATION

7. Something You Have Source: https://secure.flickr.com/photos/bodhack/3400270656/

8. Something You Are Source: https://secure.flickr.com/photos/flyingturtle/7475071144/

9. Something You Know Source: https://secure.flickr.com/photos/formalfallacy/2057169454/

10. STANDARDSOF AUTHENTICATION

11. OAuth • Doubles as authentication for users of your apps

    while requesting privileges to data through providers (e.g. Facebook Graph API). • Credentials are le" in the hands of the provider. If they’re compromised, you’re compromised. • Easy to offer too many options and raises privacy concerns. • There are three different versions in use.

12. OpenID • Decentralized. Authentication is through a URL, rather than

    a specific provider. • Credentials are le" in the hands of the provider. If they’re compromised, you’re compromised.

13. HTTP Authentication • Oldest, most well supported web-based authentication. •

    Easiest implementation for simple API clients. • Ugly to users. • Basic is insecure, Digest is overly complex.

14. MULTIPLEFACTORS OF AUTHENTICATION

15. SMS One-Time Passwords • If your users have a computer,

    they have a cellphone capable of receiving text messages. • However, they’re the weakest second factor (OTPs can be read when your phone is locked).

16. Biometric Authentication • Can be any kind of (but not

    limited to) fingerprint or retina scanning, facial or voice recognition, or a signature. • In theory, identifies an individual and cannot be replicated. • Expensive, difficult to implement, young, and o"en times easy to exploit.

17. USB One-Time Password Authenticators • Must be in your users’

    possession to authenticate. • Costs money. • Small and easy to lose.

18. LaunchKey • Supports many factors of authentication: PIN, pattern, geofencing,

    device factor (Bluetooth). • Usable through OpenID and OAuth. • Recently out of private beta, not in widespread production use (yet).

19. RAILSIMPLEMENTATIONS OF AUTHENTICATION

20. Devise • Most support and documentation. • Requires Ruby on

    Rails. • Includes everything but the kitchen sink. • Difficult to customize.

21. OmniAuth • Alternative to all-in-one solutions (Devise). • Supports almost

    every OAuth provider imaginable. • Works with any Rack-based application. • Can be too minimal for spoiled Rails developers.

22. CUSTOM GOING COMPLETELY

23. Use Warden for Authentication • Works as a Rack middleware.

    • Specifies authentication strategies in a DSL. • Used by Devise.

24. Use has_secure_password in Models • Avoids the trouble of picking

    a hashing algorithm (uses bcrypt). • Includes minimal validations for password and password confirmation. • Adds a total of 3 methods: #authenticate, #password=, #password_confirmation=

25. QUESTIONS?