The Hydra of Modern Identity
August 03, 2022
The Hydra of Modern Identity

Who am I?
What is an Identity? Modern? Create accounts, authenticate users. Strong auth, MFA, 2FA, etc…
Identity Challenges
Life of an Identity: the concepts of identifier, identity and account are closely related but subtly different.
Who am I?
Randson! I’m a software engineer, blogger and editor. Interested in cartoon drawing.
- Back-end with Elixir;
- Always learning.
Trying to make the world a better place to live, through technology.
Identity Challenges
The application is ready. Now we need to create accounts, authenticate users, provide multi-factor authentication, and make all this work smoothly across multiple devices.

We usually think only about our flows
❖ A blogging platform may have administrators, editors, authors and contributors.
❖ A company may have many services which users can log in to with the same account.

It’s very simple (in theory)
❖ It requires careful planning, design and development to work well.
❖ All of this while balancing the business requirements.
❖ Not to mention the
The social login
❖ A person can log in to your website using Facebook, Google or any other third-party service and be recognised as the same person.
❖ On the other hand, employees want to use a single account to log in to all the company services.

Strong Authentication
❖ An application with sensitive content might require stronger forms of authentication than a simple password.
❖ Strong forms of authentication range from one-time passwords, through mobile push and SMS, to hardware security tokens holding private cryptographic keys.

Single Sign On
❖ If you have multiple applications, it’s good to offer one place to log in and be authenticated in every service.
❖ Be aware that an SSO needs to be highly available.
❖ If it doesn’t have high availability, it will suddenly become an obstacle rather than a gateway.
May need to accommodate various constraints
❖ On the web, a user may expect a browser redirect to a sign-in page to authenticate.
❖ Desktop may prefer login flows embedded within the application, or may leverage a session provided by the OS.
❖ Different mobile devices can use different approaches.

We need to answer all these questions while taking into account the sensitivity of our apps and satisfying all the business requirements.
Sometimes we need to deal with everything at once.

And this is the Hydra!
❖ A mythical beast from Greek mythology with nine heads;
❖ If you cut off a head, two more grew.
Solving one identity challenge can lead to more if you don’t have a good plan.
Properly designed, it simplifies your overall architecture
❖ Allows your application to delegate responsibility to other components;
❖ Provides a single view of the user;
❖ Unifies access control to simplify access issues;
❖ Provides auditing capabilities, and more…

To bear in mind…
• Who are my users?
• How will users log in?
• How sensitive is the data we handle?
• Is there more than one application? (SSO)
• How long should a session last?
• What should happen when a user logs out?

Modern users expect a frictionless experience. Identity management should help them access what they want quickly, not be in their way.
Life of an Identity
The concepts of Identifier, Identity and Account are closely related, but subtly different.

Identifier, Identity, Account!
Identifier: an attribute used to identify.
Identity: a collection of identifiers that defines an identity.
Account: is associated with an identity, based on the context.
The “identifier” term
❖ Is used to refer to a single attribute whose purpose is to uniquely identify a person.
❖ Human entities can use email, passports, ID cards and more.
❖ Non-human entities such as agents, bots, devices, etc… may be identified with an alphanumeric string.
They are essential to Identity Management.

The “identity” term
❖ Defined as a collection of attributes associated with a specific person or entity.
❖ It may contain one or more associated identifiers.
❖ For human entities it includes email, first & last name, age, address and more.
❖ For non-human entities it may include owner, IP address, model, version and many more.
It can be used to start an authentication or authorization process.

The “account” term
❖ Is used when referring to an account as a construct within an app or service that has an identity associated with it. It could have many attributes associated with it, which enable it to perform actions.
❖ Non-human accounts can also have an identity associated with them.
An Identity Management Service (IDM) is a set of services that supports creating, modifying and removing identities associated with accounts. It’s also used to authorise access to resources. As you might guess…

Life of an Identity!
Provisioning, Authorization, Authentication, Access Policy Enforcement, Sessions, Single Sign On, Stronger Authentication, Log out, Account Management, Deprovisioning.
Provision
❖ The act of creating an account is often seen as provisioning.
Alice wants to open a bank account by filling in a registration form.

Authorisation
❖ When an account is created, it is often necessary to specify what the account can do, in terms of privilege.
After Alice created her account, she can now see her checking account, do transfers and much more.

Authentication
❖ To access content that is not publicly available, a user provides identifiers to signify which account they wish to use and enters the login credentials for that account.
To view her balance, Alice first needs to sign in to the app.

Access Policy Enforcement
❖ Even when the user is logged in, every time we get a new request we need to check the privileges of the account.
Alice accesses the trade section and is denied because she is not authorised.

Sessions
❖ Once a user is authenticated, they can perform many actions for an amount of time (timeout).
❖ We can put as many attributes in the session as we want.
Alice can only access the app for 5 minutes. Then it asks her to log in again.

Single Sign On
❖ The account can be reused across many services within the same context.
Alice logs in with her bank account to a newsletter that the bank provides.
Strong Authentication
❖ Two-Factor Auth (2FA) and Multi-Factor Auth (MFA) both involve authenticating a user with stronger forms of authentication.
❖ Sometimes it can include at least two of the following aspects:
❖ Something the user knows - such as a password;
❖ Something the user owns - such as a key fob;
❖ Something the user is - such as a biometric input.
Alice might initially log in with a username and password to see her account balance.
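The "Strong Authentication" slides above (both the list of stronger factors and the three "something the user knows / owns / is" aspects) describe a second factor without showing how a server checks one. The following is an added example, not code from the talk or from Randson: it verifies a "something the user owns" factor with RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits), refuses to accept a code twice by remembering the last accepted time step per account, and applies an assumed step-up policy in which viewing the balance needs only the password while a transfer also needs the TOTP code. The `REQUIRED_FACTORS` table, the account id `"alice"` and the demo secret (the RFC 4226/6238 test secret) are assumptions for the bank example.

```python
# Added example (not from the talk): verifying a "something the user owns"
# factor with RFC 6238 TOTP, with a replay check so a code cannot be reused,
# plus an assumed step-up policy that says which actions need the second factor.
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # TOTP time step
DIGITS = 6
DRIFT_STEPS = 1            # accept one step either side to tolerate clock skew

# Assumed policy for the bank example: viewing the balance needs only the
# password; moving money needs the second factor too.
REQUIRED_FACTORS = {
    "view_balance": {"password"},
    "transfer": {"password", "totp"},
}


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS)


class TotpVerifier:
    """Server-side check for TOTP codes. Remembers the last accepted time step per
    account so a code that was already used (or an older one) is rejected."""

    def __init__(self):
        self.last_step = {}   # account id -> last accepted time step

    def verify(self, account_id: str, secret: bytes, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= self.last_step.get(account_id, -1):
                continue                     # replay or stale code: never accept twice
            if hmac.compare_digest(hotp(secret, step).encode(), code.encode()):
                self.last_step[account_id] = step
                return True
        return False


def step_up_needed(action: str, satisfied_factors: set) -> set:
    """Factors the user still has to present before `action` may proceed."""
    return REQUIRED_FACTORS.get(action, {"password"}) - satisfied_factors


if __name__ == "__main__":
    # Constructed walkthrough using the RFC 4226/6238 test secret.
    secret = b"12345678901234567890"
    verifier = TotpVerifier()
    factors = {"password"}                           # Alice signed in with a password
    print("to transfer, Alice still needs:", step_up_needed("transfer", factors))
    code = totp(secret, 59)                          # what her authenticator shows
    if verifier.verify("alice", secret, code, 59):
        factors.add("totp")
    print("after step-up, still needs:", step_up_needed("transfer", factors))
    print("replaying the same code:", verifier.verify("alice", secret, code, 61))
```

The drift window keeps the check usable when the phone's clock is slightly off, and the per-account high-water mark is what stops a code observed over the shoulder (or via SMS interception) from being replayed inside that window.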
Log out
❖ After the user has finished using the application they can log out, which terminates their session.
Alice has finished using the web app. When she logs out, she is logged out only of the web app.

Account Management
❖ At any point in time, the user should be able to change their information.
Alice wants to update her password to a more secure one.

Deprovisioning
❖ There may come a time when it’s necessary to close an account: a user no longer wants access, an employee was deactivated, etc…
If Alice at any point in time wants to close her relationship with the bank, she would request that her account be closed.
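The "Identifier, Identity, Account" definitions and the "Life of an Identity" slides above (provisioning through deprovisioning) describe one lifecycle in prose. The following is an added example, not code from the talk or from Randson: a minimal in-memory identity service that carries Alice through every step in the order the slides give. The service names `"bank-app"` and `"newsletter"` (the SSO context), the roles, the `ROLE_PERMISSIONS` table and the PBKDF2 parameters are assumptions made for this example; the 5-minute session timeout is the one from the Alice slides.

```python
# Added example (not from the talk): a minimal in-memory identity management
# service that walks Alice through the lifecycle the slides describe. Service
# names, roles and permissions are assumed values for the bank example.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SESSION_TTL_SECONDS = 300   # Alice's 5-minute timeout
ROLE_PERMISSIONS = {"customer": {"view_balance", "transfer"}, "trader": {"trade"}}

@dataclass
class Identity:               # collection of identifiers plus other attributes
    identifiers: dict         # e.g. {"email": "..."}
    attributes: dict          # e.g. first and last name

@dataclass
class Account:                # construct inside the service, tied to an identity
    identity: Identity
    roles: set                # authorisation: what the account may do
    salt: bytes
    password_hash: bytes
    active: bool = True

@dataclass
class Session:
    email: str
    service: str
    expires_at: float

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class IdentityService:
    """Provisioning, authentication, sessions, policy enforcement, logout, deprovisioning."""

    def __init__(self, services):
        self.services = set(services)   # the SSO context, e.g. {"bank-app", "newsletter"}
        self.accounts = {}              # email identifier -> Account
        self.sessions = {}              # opaque token -> Session

    def provision(self, email, first_name, last_name, password, roles):
        """Provisioning and authorisation: the registration form creates the account and its roles."""
        identity = Identity({"email": email}, {"first_name": first_name, "last_name": last_name})
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(identity, set(roles), salt, _hash_password(password, salt))

    def authenticate(self, email, password, service, now):
        """Authentication: identifier plus credential opens a session in one service of the context."""
        account = self.accounts.get(email)
        if account is None or not account.active or service not in self.services:
            return None
        if not hmac.compare_digest(account.password_hash, _hash_password(password, account.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(email, service, now + SESSION_TTL_SECONDS)
        return token

    def _live_session(self, token, now):
        session = self.sessions.get(token)
        if session is not None and now >= session.expires_at:
            del self.sessions[token]           # timed out: Alice must log in again
            session = None
        if session is None or not self.accounts[session.email].active:
            return None
        return session

    def is_allowed(self, token, action, now):
        """Access policy enforcement: the privilege check runs on every request, not only at login."""
        session = self._live_session(token, now)
        if session is None:
            return False
        roles = self.accounts[session.email].roles
        return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)

    def logout(self, token):
        """Log out: ends this session only; sessions in the other services stay valid."""
        self.sessions.pop(token, None)

    def change_password(self, token, new_password, now):
        """Account management: the user updates their own credential."""
        session = self._live_session(token, now)
        if session is None:
            return False
        account = self.accounts[session.email]
        account.salt = secrets.token_bytes(16)
        account.password_hash = _hash_password(new_password, account.salt)
        return True

    def deprovision(self, email):
        """Deprovisioning: close the account and revoke every session it holds."""
        account = self.accounts.get(email)
        if account is None:
            return False
        account.active = False
        for token in [t for t, s in self.sessions.items() if s.email == email]:
            del self.sessions[token]
        return True
```

Two design points worth noticing: the clock is passed in as `now` so the 5-minute timeout can be exercised deterministically, and deprovisioning marks the account inactive rather than deleting it, so every live session check fails immediately and the audit trail of who the account belonged to is kept.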
Next steps?
Talks about types of identity servers, SSO, user repositories, etc…
Evolution of Identity
Identity Provisioning: it’s just a registration form? Nah, it is literally another beast to deal with 🐉

Thanks! You can find me in these places:
❖ https://rands0n.com
❖ email@example.com
❖ twitter.com/rands0n
Check out my videos ♥
Trying to make the world a better place to live, through technology.