SAGE MIR DEINEN NAMEN UND ICH SAGE DIR, WER DU BIST! NIKO KÖBLER (@DASNIKO)

ABOUT ME ▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de ▸ Doing stuff with & without computers, writing Software, ~ 20 yrs ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA) ▸ Speaker at international Tech Conferences ▸ Author of „Serverless Computing in AWS Cloud“
 serverlessbuch.de ▸ Twitter: @dasniko HOW DO YOU AUTHENTICATE..?

AUTHENTICATION I don’t know who you are. AUTHORIZATION I know who you are, but you’re not allowed.

HTTP STATUS CODES 401 UNAUTHORIZED means Not authenticated 403 FORBIDDEN means Unauthorized

HOW DO YOU AUTHENTICATE?

HOW DO YOU AUTHENTICATE..? SESSION BASED AUTHENTICATION ▸ User enters username/password
 Request: client app -> server ▸ Server checks for user & authenticates it
 Send a unique token back to user’s client ▸ Client app stores the token in cookie(s)
 Send it back with every subsequent request ▸ Server receives w/ every request the token to authenticate the user and send back data ▸ On logout, the client (and server) removes the token
 Subsequent requests will be unauthorized

HOW DO YOU AUTHENTICATE..? SESSION BASED - DOWNSIDES ▸ On every user authentication, the server needs to create a record somewhere on the server. This may lead into increased memory allocation ▸ Since sessions are stored in memory, this will lead to problems with scalability.
 e.g. replication over multiple instances / network

HOW DO YOU AUTHENTICATE..? TOKEN BASED AUTHENTICATION ▸ Completely stateless!
 No data will be stored on servers! ▸ Has gained popularity over the last years, thanks to Single-Page- and Mobile-Apps, Web APIs, IoT, … ▸ Mostly used token: Json Web Token (JWT) ▸ signed ▸ self-contained ▸ can contain additional data ▸ Foundation for SSO (Single-/Social-Sign-On)

HOW DO YOU AUTHENTICATE..? TOKEN BASED AUTHENTICATION ▸ User enters credentials ▸ Server verifies credentials and returns a signed token (the JWT) ▸ Token is stored client-side! (e.g. local storage) ▸ Subsequent requests to server include the token, generally as Authorization header ▸ Server decodes the JWT, if valid, proceed with request, no memory lookups necessary ▸ On logout, JWT is destroyed client-side

SOCIAL SIGN ON

HOW DO YOU AUTHENTICATE..? SOCIAL SIGN ON ▸ Authenticate users based on their social networking accounts ▸ Users don’t need to register again, thus don’t need to remember credentials ▸ Developers don’t need to implement the whole authentication process/features
 Don’t need to secure all the credentials ▸ See OAuth2, Open-ID Connect, JWT for more information!

PASSWORDLESS…

HOW DO YOU AUTHENTICATE..? PASSWORDLESS / THE „MAGIC LINK“ ▸ User enters email address ▸ Server sends a temporary one-time link (TOTL) to that email ▸ User clicks link & is automatically logged in the application ▸ Similar approaches: ▸ Code or TOTP through SMS or push notification (needs setup, costs money) or email ▸ Touch-/Face-ID

HOW DO YOU AUTHENTICATE..? PASSWORDLESS - BENEFITS ▸ No more insecure passwords ▸ No more complicate passwords to remember ▸ No more „forgot password“ ▸ All of the above is valid and a win-win for users and developers! ▸ BUT: If your email account is compromised, then… good luck!

MULTI-FACTOR AUTHENTICATION

HOW DO YOU AUTHENTICATE..? TWO / MULTI FACTOR AUTHENTICATION ▸ Something you Know
 e.g. password or PIN ▸ Something you Have
 e.g. a physical device like a mobile phone or software that can generate (T)OTPs ▸ Something you Are
 a biologically unique feature, e.g. fingerprints, voice, retinas

HOW DO YOU AUTHENTICATE..? TWO / MULTI FACTOR AUTHENTICATION ▸ Something you Know
 e.g. password or PIN ▸ Something you Have
 e.g. a physical device like a mobile phone or software that can generate (T)OTPs ▸ Something you Are
 a biologically unique feature, e.g. fingerprints, voice, retinas

MOBILE PHONE AUTHENTICATION? IMEI & IMSI ARE PUBLIC!

MOBILE PHONE AUTHENTICATION? IMEI & IMSI ARE PUBLIC!

THANK YOU. ANY QUESTIONS? https://speakerdeck.com/dasniko Niko Köbler | www.n-k.de | niko@n-k.de | @dasniko HOW DO YOU AUTHENTICATE..?