What is a Modern Identity?
Create accounts, authenticate users. Strong auth, MFA, 2FA, etc…
Identity Challenges
Life of an Identity
The concepts of identifier, identity and account are closely related but subtly different.
Who am I? Randson!
I’m a software engineer, blogger
and editor. Interested in
cartoon drawing.
- Back-end with Elixir;
- Always learning.
Trying to make the world a
better place to live, through
technology.
Identity Challenges
The application is ready. Now we need to
create accounts, authenticate users,
provide multi-factor authentication, and
make all this work smoothly across
multiple devices.
We usually think only about our flows
❖ A blogging platform may have administrators, editors, authors and contributors.
❖ A company may have many services that users can log in to with the same account.
It’s very simple (in theory)
❖ It requires careful planning, design and development to work well.
❖ All of this while balancing the business requirements.
❖ Not to mention the user experience.
The social login
❖ A person can log in to your website using Facebook, Google or any other third-party service and be recognised as the same person.
❖ On the other hand, employees want to use a single account to log in to all the company services.
Strong Authentication
❖ An application with sensitive content might require stronger forms of authentication than a simple password.
❖ Strong forms of authentication range from one-time passwords, mobile push and SMS to hardware security tokens holding private cryptographic keys.
Single Sign On
❖ If you have multiple applications, it’s good to offer one place to log in and be authenticated in every service.
❖ Be aware that SSO needs to be highly available.
❖ If it doesn’t have high availability, it will suddenly become an obstacle rather than a gateway.
May need to accommodate various constraints
❖ On the web, a user may expect a browser redirect to a sign-in page to authenticate.
❖ Desktop applications may prefer login flows embedded within the application, or may leverage a session provided by the OS.
❖ Different mobile devices can use different approaches.
We need to answer all these questions while taking into account the sensitivity of our apps and satisfying all the business requirements.
Sometimes we need to deal with
everything at once.
And this is the Hydra!
❖ A mythical beast from Greek mythology with nine heads;
❖ If you cut off a head, two more grow.
Solving one identity challenge can lead to more if you don’t have a good plan.
Properly designed, it simplifies your overall architecture
❖ Allows your application to delegate responsibility to other components;
❖ Provides a single view of the user;
❖ Unifies access control to simplify access issues;
❖ Provides auditing capabilities, and more…
To bear in mind…
● Who are my users?
● How will users log in?
● How sensitive is the data we handle?
● Is there more than one application? (SSO)
● How long should a session last?
● What should happen when a user logs out?
Modern users expect a frictionless experience.
Identity management should help them access what they want quickly, not get in their way.
Life of an Identity
The concepts of identifier, identity and account are closely related, but subtly different.
Identifier, Identity, Account!
Identifier: an attribute used to identify.
Identity: a collection of identifiers that defines an identity.
Account: associated with an identity, based on the context.
The “identifier” term
❖ Is used to refer to a single attribute whose purpose is to uniquely identify a person.
❖ Human entities can use email, passports, ID cards and more.
❖ Non-human entities such as agent bots, devices, etc… may be identified with an alphanumeric string.
They are essential to Identity Management.
The “identity” term
❖ Defined as a collection of attributes associated with a specific person or entity.
❖ It may contain one or more associated identifiers.
❖ For human entities it includes email, first and last name, age, address and more.
❖ For non-human entities it may include owner, IP address, model, version and many more.
It can be used to start an authentication or authorization process.
The “account” term
❖ Is used when referring to an account as a construct within an app or service that has an identity associated with it.
❖ Non-human accounts can also have an identity associated with them.
It can have many attributes associated with it, which enable the account to perform actions.
An Identity Management Service (IDM) is a set of services that supports creating, modifying and removing identities associated with accounts.
It’s also used to authorise access to resources.
As you might guess…
Life of an Identity!
Provisioning
Authorization
Authentication
Access Policy Enforcement
Sessions
Single Sign On
Stronger Authentication
Log out
Account Management
Deprovisioning
Provision
❖ The act of creating an account is often seen as provisioning.
Alice wants to open a bank account by filling in a registration form.
Authorisation
❖ When an account is created, it is often necessary to specify what the account can do, in terms of privileges.
After Alice has created her account, she can now see her checking account, make transfers and much more.
Authentication
❖ To access content that is not publicly available, a user provides identifiers to signify which account they wish to use and enters the login credentials for that account.
To view her balance, Alice first needs to sign in to the app.
Access Policy Enforcement
❖ Even with the user logged in, every new request requires us to check the privileges of the account.
Alice accesses the trade section and is denied because she is not authorised.
Sessions
❖ Once a user is authenticated, they can perform many actions for a period of time (timeout).
❖ We can put as many attributes in the session as we want.
Alice can only use the app for 5 minutes. Then it asks her to log in again.
Single Sign On
❖ The account can be reused across many services within the same context.
Alice logs in with her bank account to a newsletter that the bank provides.
Strong Authentication
❖ Two-Factor Auth (2FA) and Multi-Factor Auth (MFA) both involve authenticating a user with stronger forms of authentication.
Strong Authentication
It can require at least two of the following aspects:
❖ Something the user knows, such as a password;
❖ Something the user owns, such as a key fob;
❖ Something the user is, such as a biometric input.
Strong Authentication
Alice might initially log in with a username and password to see her account balance.
Log out
❖ After the user has finished using the application, they can log out, which terminates their session.
Alice has finished using the web app. When she logs out, she is logged out of the web app only.
Account Management
❖ At any point in time, the user should be able to change their information.
Alice wants to update her password to a more secure one.
Deprovisioning
❖ There may come a time when it’s necessary to close an account: a user no longer wants access, an employee was deactivated, etc…
If Alice at any point in time wants to end her relationship with the bank, she would request that her account be closed.
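The lifecycle just walked through (provision, authorise, authenticate, enforce the access policy on every request, session timeout, strong authentication, log out, deprovision), together with the identifier/identity/account distinction from the earlier slides, as an added Python model that is not part of this deck. The email/password identifiers, the SENSITIVE action set, and the "step-up" result for actions that need a second factor category are assumptions made for the example.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SESSION_TIMEOUT = timedelta(minutes=5)  # the deck's "5 minutes, then log in again"
SENSITIVE = {"transfer"}                # assumed: actions that need two factor categories

@dataclass
class Identity:         # collection of attributes; the identifiers uniquely identify
    identifiers: dict
    attributes: dict = field(default_factory=dict)

@dataclass
class Account:          # construct inside the app, associated with an identity
    identity: Identity
    salt: bytes
    pw_hash: bytes
    privileges: set     # authorization: what the account may do

@dataclass
class Session:
    email: str
    started: datetime
    factors: frozenset  # categories proven at login: "knows" / "owns" / "is"
    ended: bool = False

def _hash(pw, salt): return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class IdentityService:
    def __init__(self): self.accounts = {}
    def provision(self, email, password, attributes, privileges):   # registration form
        salt = os.urandom(16)
        self.accounts[email] = Account(Identity({"email": email}, attributes),
                                       salt, _hash(password, salt), set(privileges))
    def authenticate(self, email, password, now, extra_factors=()):
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            return None
        return Session(email, now, frozenset({"knows", *extra_factors}))
    def enforce(self, session, action, now):   # access policy: re-checked per request
        if session.ended or now - session.started > SESSION_TIMEOUT:
            return "expired"
        acct = self.accounts.get(session.email)
        if acct is None or action not in acct.privileges:
            return "denied"
        if action in SENSITIVE and len(session.factors) < 2:
            return "step-up"                   # second factor category required
        return "allowed"
    def logout(self, session): session.ended = True          # terminates the session
    def deprovision(self, email): self.accounts.pop(email, None)   # closes the account
```

Sessions opened before deprovisioning fail on their next request because the policy is re-evaluated against the account store each time, not only at login.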
Next steps?
Talks about types of identity servers, SSO, user repositories, etc…
Evolution of Identity
Identity Provisioning: it’s just a registration form? Nah, it is literally another beast to deal with 🐉
Thanks!
You can find me on these places:
❖ https://rands0n.com
❖ orandson@gmail.com
❖ twitter.com/rands0n
Check out my videos ♥
Trying to make the world a better place to live, through technology.