Authenticate a user without a username, password, or database

How do you authenticate your users? Authentication is such a common feature we don’t even think about it anymore. Let’s challenge the status quo and authenticate a user with, well, nothing. Not even a database, and no API in its place. Do we need databases at all? Let’s talk.

I developed an application exploring the possibility of signing in without a username, password or a database on the web, using Elixir/Erlang. I shared this as the closing keynote at Rubyfuza 2019.

Google slides: https://docs.google.com/presentation/d/1XJiBXD6uzWaFYbTXqacBmQZZEuicYN_CcSc2JDmcpUA/edit?usp=sharing

Simon van Dyk

February 08, 2019

Transcript

  10. Claim / Verify / Store. How would you do identity claim?
      a. Don't be silly, just use OAuth
      b. Gait analysis
      c. Use their face
      d. Security is a lie
  12. Claim / Verify / Store. How would you do identity verification?
      a. Obviously a blood test
      b. OAuth, you will be assimilated
      c. Send them an OTP
      d. Fingerprint or retinal scan
  14. Claim / Verify / Store. How would you do identity storage?
      a. Throw it in a file - that's not a database, is it?
      b. Mechanical turk: an army of humans write it out on paper
      c. Machine learning serverless blockchain™
      d. Keep it in memory and never let the server die
  17. Claim / Verify / Store, the choices made:
      Claim: facial recognition. A face-to-email mapping is used to identify a user.
      Verify: one time pin. Slack's "magic links", or an OTP sent to an email address.
      Store: memory storage. An Erlang process stores the face-to-email mapping in memory.
  18. Sign up (diagram). Components: Nada App, Nada Faces API, AWS Rekognition, AWS S3.
      Claim: { email, selfie } from the app; { selfie } goes to AWS Rekognition / S3 and { face_id } comes back.
      Store: { email, face_id }.
      Verify: { otp }.
  19. Log in (diagram). Same components.
      Claim: { selfie } from the app; { selfie } goes to AWS Rekognition / S3 and { face_id } comes back.
      Store: { email, face_id } is looked up.
      Verify: { otp }.
  20. Claim: facial recognition. Image -> Face -> Face ID -> Email. The face-to-email mapping is used to identify a user.
  21. Verify: one time pin. Slack's "magic links" or an OTP sent to an email address. user@example.com logs in.
  22. Verify: the mail. TO user@example.com, FROM mail@nada.com, containing the link thisappdoesnothing.com/djtufy.
  23. Verify: following the link. SUCCESS!
  24. Store: memory storage. An Erlang VM running a web server process, an Agent process, ...
  25. Store: the Agent process holds the face-to-email mapping in memory:
      "a7j3hgdg": "bob@gold.com"
      "jmd739sh": "sam@mail.com"
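The Claim / Store / Verify loop of slides 17 to 25, written out as an added example (this is not the Nada app's own code). The face_id -> email mapping lives in an Agent process, as on the memory storage slide. AWS Rekognition and the e-mail send are assumptions replaced by stubs so the file runs offline with `elixir nada_auth.exs`; the pin length, the five-minute expiry and the decision to burn a pin on its first attempt are design choices of this example, not something the slides state.

```elixir
# Added example, not the Nada app's own code: the Claim / Store / Verify loop
# from the slides, with the face_id -> email mapping kept in an Agent process
# (the "memory storage" slide). AWS Rekognition and e-mail delivery are
# replaced by stubs (assumptions) so the file runs offline: elixir nada_auth.exs
defmodule Nada.Auth do
  use Agent

  @otp_ttl_seconds 300   # assumption: a pin is valid for five minutes
  @otp_bytes 16          # 128 bits of randomness, not guessable online

  # State: %{faces: %{face_id => email}, otps: %{email => {otp, expires_at}}}
  # Everything lives in this process; a restart or crash empties it.
  def start_link(_opts \\ []) do
    Agent.start_link(fn -> %{faces: %{}, otps: %{}} end, name: __MODULE__)
  end

  # Sign up: Claim (selfie -> face_id), Store (face_id -> email), then Verify.
  def sign_up(selfie, email) do
    face_id = face_id_for(selfie)
    Agent.update(__MODULE__, &put_in(&1, [:faces, face_id], email))
    issue_otp(email)
  end

  # Log in: the selfie only *identifies* a candidate address. It does not
  # authenticate; anyone holding a photo of Bob can reach this point.
  # Proving control of the mailbox (the pin) is the actual credential.
  def log_in(selfie) do
    face_id = face_id_for(selfie)

    case Agent.get(__MODULE__, &Map.get(&1.faces, face_id)) do
      nil -> {:error, :unknown_face}
      email -> issue_otp(email)
    end
  end

  # Verify: the pin must exist, be unexpired and match in constant time.
  # It is removed on the first attempt, so each issued pin gets one guess.
  def verify(email, otp) do
    now = System.system_time(:second)

    Agent.get_and_update(__MODULE__, fn state ->
      case Map.pop(state.otps, email) do
        {nil, _} ->
          {{:error, :no_pending_otp}, state}

        {{stored, expires_at}, rest} ->
          state = %{state | otps: rest}

          cond do
            now > expires_at -> {{:error, :expired}, state}
            secure_compare(stored, otp) -> {{:ok, email}, state}
            true -> {{:error, :invalid}, state}
          end
      end
    end)
  end

  defp issue_otp(email) do
    otp = :crypto.strong_rand_bytes(@otp_bytes) |> Base.url_encode64(padding: false)
    expires_at = System.system_time(:second) + @otp_ttl_seconds
    # A fresh request replaces any earlier pending pin for this address.
    Agent.update(__MODULE__, &put_in(&1, [:otps, email], {otp, expires_at}))
    deliver(email, otp)
    {:ok, :otp_sent}
  end

  # Assumption: stands in for the Nada Faces API / AWS Rekognition. A hash of
  # the bytes gives a stable 8-character id, but unlike Rekognition it will
  # not match two different photos of the same face.
  defp face_id_for(selfie) do
    :crypto.hash(:sha256, selfie) |> Base.encode16(case: :lower) |> binary_part(0, 8)
  end

  # Assumption: stands in for the e-mail (magic link) send. Delivering to the
  # caller's process mailbox keeps the out-of-band channel visible below.
  defp deliver(email, otp), do: send(self(), {:otp_mail, email, otp})

  # Constant-time equality so a wrong pin is not rejected faster at the
  # first differing byte. Pin length is public, so comparing it is fine.
  defp secure_compare(a, b) when is_binary(a) and is_binary(b) do
    byte_size(a) == byte_size(b) and
      :crypto.exor(a, b) |> :binary.bin_to_list() |> Enum.reduce(0, &Bitwise.bor/2) == 0
  end

  defp secure_compare(_, _), do: false
end

# Constructed demo input: the "selfies" are plain byte strings standing in for
# image data.
{:ok, _} = Nada.Auth.start_link()
{:ok, :otp_sent} = Nada.Auth.sign_up("bob-selfie-bytes", "bob@gold.com")

receive do
  {:otp_mail, "bob@gold.com", otp} ->
    {:ok, "bob@gold.com"} = Nada.Auth.verify("bob@gold.com", otp)
    # Second use of the same pin is refused: it was consumed above.
    {:error, :no_pending_otp} = Nada.Auth.verify("bob@gold.com", otp)
    IO.puts("bob verified; replay refused")
end

{:error, :unknown_face} = Nada.Auth.log_in("sam-selfie-bytes")
IO.puts("unknown face cannot even request a pin")
```

Two things worth keeping in mind with this shape. Because the face lookup is identification only, `log_in/1` lets anyone with a photo of a registered user cause a pin to be mailed to that user, so in a real deployment it needs rate limiting per face_id and per address. And because the whole store is one Agent's state, option d on slide 14 applies literally: when the process or the VM stops, every sign-up is gone; moving the two maps into an ETS table or Mnesia (slide 33) changes where the state lives, not the checks in `verify/2`.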
  33. Erlang data stores:
      • Mnesia
      • ETS (Erlang Term Storage)
      • Process state (GenServer/Agent)
      • *Riak
  34. Questions to ask before choosing a store:
      • Are there relationships between the data you store?
      • Are you storing time-related data?
      • Do you need to be able to look at the database in the past?
      • How do you intend to query the data?
  35. Typical data storage options by query:
      • Relational
      • Object / Document
      • Graph
      • Key-Value
      • Time series
      • Fact tables