Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Ideal Authentication in your JavaScript Application

Ideal Authentication in your JavaScript Application

From this talk, you'll know how to implement a secure and reliable authentication mechanism in your JavaScript applications.
I'll go through popular "Authentication as a Service" providers and show how you can use them in JavaScript applications.
Finally, I'll teach you how to introduce additional security measures to your application, like multi-factor authentication without a hassle.

Volodymyr Rudyi

November 08, 2019

More Decks by Volodymyr Rudyi

Other Decks in Programming


  1. ABOUT ME CEO of AgileVision.io and CTO of Agile Cashflow.

    Professionally developing software for the last 7 years. Designing architectures for SaaS solutions. AWS-Certified Solutions Architect. Creates SaaS Products Is a SaaS Product
  2. Before you can authenticate you need to implement 1. Registration

    flow. 2. Password reset flow. 3. Credentials Validation 4. Error Handling 5. Error Messages 6. Localization 7. Brute-force attacks protection 8. Email templates
  3. After user authenticates, you need to think about 1. “Remember

    me” feature 2. Deleting or blocking/suspending users 3. Event log 4. Anomaly Detection 5. MFA 6. Global logout 7. Scaling
  4. Pros • Flexible Cons • Huge effort • Difficult to

    maintain • Requires “low-level” testing • Insecure in many cases • Not reusable Public domain image from Wikimedia.org DIY Approach Closer Look
  5. Third-party, self-hosted Pros • Flexible, especially if open-source • Moderate

    implementation effort • Many of bugs made suffer other users (Maybe those will be fixed)
  6. Third-party, self-hosted Cons • Learning curve may be steep •

    Proprietary self-hosted solutions can be expensive • Maintenance required • Vendor lock-in
  7. Authentication as a Service Pros • Almost zero time-to-market •

    Per-user pricing • Low implementation costs • Low maintenance • Tight integration with PaaS where applicable • Often compliant with many regulations, even local ones
  8. Authentication as a Service Cons • Vendor lock-in • Per-user

    pricing • Availability is not under control • A gap in support between you and your users. Anything that happens on AaaS side can’t be resolved by anyone but the owner • Limited customization
  9. What you should take into account? • Platforms support •

    Migration path • Backup options • Compliance • Implementation cost • License/subscription cost • Implementation timeline, including security audits (Hello, Google!) • Availability, especially past incidents • Support
  10. How to think? 1. Prefer Authentication as a Service over

    anything else. 2. Prefer open-source over proprietary self-hosted. 3. Do custom implementation only if there is no other choice or it’s for testing/PoC
  11. Auth0 Overview • Provided by a company, focused on the

    authentication and authorization service • Integrates well with different platforms and languages • Provides Hosted UI • Client-side and server-side SDKs • MFA Support • Passwordless/OTP sign-in • Self-hosted enterprise version for setups with such requirements
  12. Auth0 Weaknesses • Standalone product, thus requires additional integration to

    your infrastructure • Not so fast support for lower tier subscriptions • Powerful, but somewhat complicated • HIPAA and other compliance is available only for enterprise license tier
  13. AWS Cognito Overview • Provided as a part of the

    Amazon Web Services(AWS) Platform • Supports OIDC and SAML Federation • Supports web, iOS and Android clients • Provides client-side and server-side SDKs • Deeply integrated with AWS services and can issue tokens to access • Supports Hosted UI • Supports MFA • HIPAA, PCI DSS compliant out of the box • OIDC and SAML Support
  14. AWS Cognito Weaknesses • Hosted UI is not very customizable.

    Only logo and several colors can be changed • There is no such thing as action email/action link, besides the standard registration/reset flow. Invitation emails are not first class citizens • API is very slow • Default API rate limits are low • Search API is not usable, unless you are happy with basic search capabilities by name and email • Too few “ready-to-use” integrations for external systems
  15. Firebase Overview • Integrates well with the Firebase(obviously) • Provides

    SDKs for many platforms, including C++ and Unity • Flexible email configuration and email actions
  16. Public domain image from Wikimedia.org Bonus Slide Pricing Comparison. Rough

    Estimates Auth0 AWS Cognito Okta Firebase 1K $23/mo $0/mo $0/mo Free* 10K $228/mo $0/mo $200/mo Free* 50K $1140/mo $0/mo $1000/m o Free*