Slide 1

TELL ME YOUR NAME AND I'LL TELL YOU WHO YOU ARE! NIKO KÖBLER (@DASNIKO)

Slide 2

ABOUT ME
▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de
▸ Doing stuff with & without computers, writing software, ~20 yrs
▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA)
▸ Speaker at international tech conferences
▸ Author of „Serverless Computing in AWS Cloud“ (serverlessbuch.de)
▸ Twitter: @dasniko
HOW DO YOU AUTHENTICATE..?

Slide 3

AUTHENTICATION: I don't know who you are.
AUTHORIZATION: I know who you are, but you're not allowed.

Slide 4

HTTP STATUS CODES
401 UNAUTHORIZED means: not authenticated (no credentials, or invalid ones)
403 FORBIDDEN means: not authorized (authenticated, but not allowed to do this)

Slide 5

HOW DO YOU AUTHENTICATE?

Slide 6

SESSION BASED AUTHENTICATION
▸ User enters username/password; request: client app -> server
▸ Server checks the user & authenticates it; sends a unique token (the session ID) back to the user's client
▸ Client app stores the token in a cookie; sends it back with every subsequent request
▸ Server receives the token with every request, looks up the matching session record to authenticate the user and sends back data
▸ On logout, the client (and server) removes the token; subsequent requests will be unauthorized
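
The flow above, as an added example that is not code from the slides: a minimal server-side session store. The server creates one record per login (the scalability cost the next slide names), hands the client only an opaque random session ID in a cookie, and looks that record up on every request. The class and method names, the in-memory dict and the sample user are assumptions constructed for this example; a real deployment stores salted password hashes, not plaintext.

```python
"""Session-based authentication: state lives on the server, the client holds only an opaque ID."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

SESSION_TTL_SECONDS = 3600


@dataclass
class Session:
    user: str
    expires_at: float


@dataclass
class SessionServer:
    # Constructed sample user database (plaintext only to keep the example short;
    # store salted hashes in real code).
    users: dict = field(default_factory=lambda: {"alice": "correct horse battery staple"})
    # session_id -> Session: this is the per-login server state the slides talk about.
    sessions: dict = field(default_factory=dict)

    def login(self, username, password, now=None):
        """Verify credentials and create a session record; returns the session ID or None."""
        now = time.time() if now is None else now
        stored = self.users.get(username, "")
        # Constant-time compare; run it for unknown users too so timing does not
        # reveal which usernames exist.
        ok = hmac.compare_digest(stored.encode(), password.encode())
        if username not in self.users or not ok:
            return None
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable, carries no data
        self.sessions[sid] = Session(username, now + SESSION_TTL_SECONDS)
        return sid

    def set_cookie_header(self, sid):
        """Cookie flags a practitioner wants: not readable by JS, HTTPS only, not sent cross-site."""
        return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

    def authenticate(self, sid, now=None):
        """Per-request lookup: returns the user name for a live session, else None."""
        now = time.time() if now is None else now
        session = self.sessions.get(sid)
        if session is None:
            return None
        if session.expires_at <= now:
            del self.sessions[sid]  # lazily reap expired sessions
            return None
        return session.user

    def logout(self, sid):
        """Server-side removal: the old ID is useless even if the client keeps it."""
        return self.sessions.pop(sid, None) is not None


if __name__ == "__main__":
    server = SessionServer()
    sid = server.login("alice", "correct horse battery staple")
    print(server.set_cookie_header(sid))
    print(server.authenticate(sid))  # alice
    server.logout(sid)
    print(server.authenticate(sid))  # None
```

Because every instance needs the same `sessions` dict, scaling this out means either sticky load balancing or moving the dict into a shared store; that is exactly the downside the next slide describes.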

Slide 7

SESSION BASED - DOWNSIDES
▸ On every user authentication, the server needs to create a record somewhere on the server. This increases memory use as the number of logged-in users grows.
▸ Since sessions are stored in memory, this leads to problems with scalability, e.g. replication over multiple instances / the network (sticky sessions or a shared session store become necessary).

Slide 8

TOKEN BASED AUTHENTICATION
▸ Completely stateless! No session data is stored on the servers!
▸ Has gained popularity over the last years, thanks to single-page and mobile apps, Web APIs, IoT, …
▸ Most used token: JSON Web Token (JWT)
  ▸ signed
  ▸ self-contained
  ▸ can contain additional data (claims)
▸ Foundation for SSO (Single-/Social Sign-On)

Slide 9

TOKEN BASED AUTHENTICATION
▸ User enters credentials
▸ Server verifies credentials and returns a signed token (the JWT)
▸ Token is stored client-side! (e.g. local storage; anything JavaScript can read, an XSS payload can read too, which is why many implementations prefer an HttpOnly cookie)
▸ Subsequent requests to the server include the token, generally in the Authorization header (Bearer scheme)
▸ Server verifies the JWT's signature and claims (algorithm, expiry); if valid, it proceeds with the request, no session lookup necessary. Merely decoding is not verifying: an unverified JWT payload is just base64.
▸ On logout, the JWT is destroyed client-side. It remains valid until it expires unless the server keeps a denylist, which reintroduces state.
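
The token flow above and the 401/403 distinction from slide 4, as one added example that is not code from the slides: issuing an HS256 JWT, verifying it with the algorithm pinned (so a token claiming `alg: none` or a different algorithm is rejected), and then mapping the outcome onto status codes: 401 when the request carries no valid token, 403 when the token is valid but lacks the required role. Standard library only; the key, claims, role names and `handle_request` signature are constructed for this example.

```python
"""Stateless JWT (HS256) issue/verify and a request handler that returns 401 vs 403."""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, key: bytes) -> str:
    """Server side after successful login: sign the claims, keep nothing."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class InvalidToken(Exception):
    pass


def verify_jwt(token: str, key: bytes, now: float = None) -> dict:
    """Return the claims only if algorithm, signature and expiry all check out.

    Decoding the payload without this proves nothing: it is plain base64.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed token")
    # Pin the algorithm: never let the token choose it ("none", or RS256->HS256 confusion).
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise InvalidToken("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise InvalidToken("expired or missing exp")
    return claims


def handle_request(authorization_header, required_role, key, now=None):
    """Per request: no session lookup, just verification. Returns (status, body)."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "not authenticated"
    try:
        claims = verify_jwt(authorization_header[len("Bearer "):], key, now)
    except InvalidToken as exc:
        return 401, f"not authenticated: {exc}"
    if required_role not in claims.get("roles", []):
        return 403, "authenticated, but not authorized"
    return 200, f"hello {claims.get('sub', '?')}"


if __name__ == "__main__":
    key = b"constructed-demo-key-use-32-random-bytes-in-production"
    token = create_jwt({"sub": "alice", "roles": ["user"], "exp": int(time.time()) + 300}, key)
    print(handle_request("Bearer " + token, "user", key))   # (200, 'hello alice')
    print(handle_request("Bearer " + token, "admin", key))  # (403, ...)
    print(handle_request(None, "user", key))                # (401, ...)
```

Note that nothing here can revoke a token before `exp`: a short lifetime (plus a refresh token) is the stateless answer, a server-side denylist the stateful one.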

Slide 10

SOCIAL SIGN ON

Slide 11

SOCIAL SIGN ON
▸ Authenticate users based on their social networking accounts
▸ Users don't need to register again, thus don't need to remember credentials
▸ Developers don't need to implement the whole authentication process/features; they don't need to secure all the credentials either
▸ See OAuth2, OpenID Connect, JWT for more information!

Slide 12

PASSWORDLESS…

Slide 13

PASSWORDLESS / THE „MAGIC LINK“
▸ User enters email address
▸ Server sends a temporary one-time link (TOTL) to that email
▸ User clicks the link & is automatically logged in to the application
▸ Similar approaches:
  ▸ One-time code via SMS or push notification (needs setup, costs money) or email; or a TOTP generated by an authenticator app
  ▸ Touch-/Face-ID
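
The magic-link flow above, as an added example that is not code from the slides: the server generates a high-entropy token, stores only its SHA-256 hash with an expiry (so a leaked table cannot be replayed), mails the link, and on redemption consumes the record so the link works exactly once. Class, method names, the base URL and the in-memory dict are constructed for this example; the email sending is represented by returning the URL.

```python
"""Magic-link (temporary one-time link) issuance and single-use redemption."""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 15 * 60


class MagicLinkService:
    def __init__(self, base_url="https://app.example/login"):  # assumed URL
        self.base_url = base_url
        # sha256(token) -> (email, expires_at). Only the hash is stored.
        self.pending = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_link(self, email: str, now: float = None) -> str:
        """Step 1/2: create a one-time token and return the link that would be emailed."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self.pending[self._digest(token)] = (email, now + LINK_TTL_SECONDS)
        return f"{self.base_url}?token={token}"

    def redeem(self, token: str, now: float = None):
        """Step 3: the click. Returns the email to log in, or None.

        pop() removes the record whether or not it is still valid, so an
        expired link cannot linger and a used link cannot be replayed.
        """
        now = time.time() if now is None else now
        entry = self.pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if expires_at <= now:
            return None
        return email


def token_from_url(url: str):
    """Extract the token query parameter from a magic link (what the login endpoint sees)."""
    values = parse_qs(urlparse(url).query).get("token", [])
    return values[0] if values else None


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.request_link("alice@example.com")  # constructed address
    print("email this:", link)
    print(svc.redeem(token_from_url(link)))  # alice@example.com
    print(svc.redeem(token_from_url(link)))  # None: already used
```

One operational caveat: mail security gateways and link previewers fetch URLs before the user does, so a GET that logs in on first visit can be consumed by a scanner. Serving a confirmation page whose POST performs the redemption avoids that.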

Slide 14

PASSWORDLESS - BENEFITS
▸ No more insecure passwords
▸ No more complicated passwords to remember
▸ No more „forgot password“
▸ All of the above is valid and a win-win for users and developers!
▸ BUT: if your email account is compromised, then… good luck! (The login is exactly as secure as the mailbox it depends on.)

Slide 15

MULTI-FACTOR AUTHENTICATION

Slide 16

TWO / MULTI FACTOR AUTHENTICATION
▸ Something you Know, e.g. a password or PIN
▸ Something you Have, e.g. a physical device like a mobile phone, or software that can generate (T)OTPs
▸ Something you Are: a biologically unique feature, e.g. fingerprints, voice, retinas

Slide 18

Slide 18 text

MOBILE PHONE AUTHENTICATION? IMEI & IMSI ARE PUBLIC!

Slide 20

THANK YOU. ANY QUESTIONS?
https://speakerdeck.com/dasniko
Niko Köbler | www.n-k.de | [email protected] | @dasniko