Ideal Authentication in your JavaScript Application


From this talk, you'll learn how to implement a secure and reliable authentication mechanism in your JavaScript applications.
I'll go through popular "Authentication as a Service" providers and show how you can use them in JavaScript applications.
Finally, I'll show you how to introduce additional security measures to your application, like multi-factor authentication, without hassle.


Volodymyr Rudyi

November 08, 2019

Transcript

  1. Ideal Authentication in your JavaScript Application. Meme-driven knowledge sharing. Volodymyr Rudyi. Almost
  2. ABOUT ME. CEO of AgileVision.io and CTO of Agile Cashflow. Professionally developing software for the last 7 years. Designing architectures for SaaS solutions. AWS-Certified Solutions Architect. Creates SaaS Products / Is a SaaS Product
  3. Authentication — a process of verifying the identity. (Air Force Photo/Paul Zadach)
  4. Authorization — a process of defining access policy for some resource.
  5. Authentication. Most likely you are doing it wrong
  6. Even if not, anyway... You may be in danger
  7. Before you can authenticate you need to implement:
    1. Registration flow
    2. Password reset flow
    3. Credentials validation
    4. Error handling
    5. Error messages
    6. Localization
    7. Brute-force attack protection
    8. Email templates
  8. After the user authenticates, you need to think about:
    1. "Remember me" feature
    2. Deleting or blocking/suspending users
    3. Event log
    4. Anomaly detection
    5. MFA
    6. Global logout
    7. Scaling
  9. Implementation Approaches. Let's see... I will write it myself
  10. DIY Approach: Closer Look
    Pros
    • Flexible
    Cons
    • Huge effort
    • Difficult to maintain
    • Requires "low-level" testing
    • Insecure in many cases
    • Not reusable
    (Public domain image from Wikimedia.org)
  11. Popular Tools to Create Custom Authentication: Passport.js
  12. Implementation Approaches. Let's see... Pre-Packaged Platform
  13. Third-party, self-hosted. Pros
    • Flexible, especially if open-source
    • Moderate implementation effort
    • Many bugs have already been hit by other users (maybe those have been fixed)
  14. Third-party, self-hosted. Cons
    • Learning curve may be steep
    • Proprietary self-hosted solutions can be expensive
    • Maintenance required
    • Vendor lock-in
  15. Popular self-hosted authentication providers: Open-source / Proprietary
  16. Implementation Approaches. Let's see... AaaS Solution*
  17. Authentication as a Service. Pros
    • Almost zero time-to-market
    • Per-user pricing
    • Low implementation costs
    • Low maintenance
    • Tight integration with PaaS where applicable
    • Often compliant with many regulations, even local ones
  18. Authentication as a Service. Cons
    • Vendor lock-in
    • Per-user pricing
    • Availability is not under your control
    • A gap in support between you and your users. Anything that happens on the AaaS side can't be resolved by anyone but the owner
    • Limited customization
  19. Popular Authentication Services
  20. What should you take into account?
    • Platform support
    • Migration path
    • Backup options
    • Compliance
    • Implementation cost
    • License/subscription cost
    • Implementation timeline, including security audits (Hello, Google!)
    • Availability, especially past incidents
    • Support
  21. How to think?
    1. Prefer Authentication as a Service over anything else.
    2. Prefer open-source over proprietary self-hosted.
    3. Do a custom implementation only if there is no other choice or it's for testing/PoC.
  22. Authentication Service Market Overview
  23. Auth0 Overview
    • Provided by a company focused on the authentication and authorization service
    • Integrates well with different platforms and languages
    • Provides Hosted UI
    • Client-side and server-side SDKs
    • MFA support
    • Passwordless/OTP sign-in
    • Self-hosted enterprise version for setups with such requirements
  24. Auth0 Weaknesses
    • Standalone product, thus requires additional integration into your infrastructure
    • Not so fast support for lower-tier subscriptions
    • Powerful, but somewhat complicated
    • HIPAA and other compliance is available only for the enterprise license tier
  25. AWS Cognito Overview
    • Provided as a part of the Amazon Web Services (AWS) platform
    • Supports OIDC and SAML federation
    • Supports web, iOS and Android clients
    • Provides client-side and server-side SDKs
    • Deeply integrated with AWS services and can issue tokens to access
    • Supports Hosted UI
    • Supports MFA
    • HIPAA, PCI DSS compliant out of the box
    • OIDC and SAML support
  26. AWS Cognito Weaknesses
    • Hosted UI is not very customizable. Only the logo and several colors can be changed
    • There is no such thing as an action email/action link besides the standard registration/reset flow. Invitation emails are not first-class citizens
    • API is very slow
    • Default API rate limits are low
    • Search API is not usable, unless you are happy with basic search capabilities by name and email
    • Too few "ready-to-use" integrations for external systems
  27. Firebase Overview
    • Integrates well with Firebase (obviously)
    • Provides SDKs for many platforms, including C++ and Unity
    • Flexible email configuration and email actions
  28. Firebase Weaknesses
    • HIPAA Compliance (there are workaro
    • No SAML support out-of-the-box
  29. Live coding session. Almost
  30. Flutter and Svelte Auth0 Example
  31. Flutter Example from https://github.com/devdennysegura/flutter-auth0
  32. Vue App
  33. Bonus Slide: Pricing Comparison. Rough Estimates (Public domain image from Wikimedia.org)
    Users   Auth0      AWS Cognito   Okta       Firebase
    1K      $23/mo     $0/mo         $0/mo      Free*
    10K     $228/mo    $0/mo         $200/mo    Free*
    50K     $1140/mo   $0/mo         $1000/mo   Free*
  34. Questions?
  35. Thanks! volodymyr@agilevision.io https://agilevision.io