How Do You Authenticate..?

Transcript

1. SAGE MIR DEINEN NAMEN UND ICH SAGE DIR, WER DU

   BIST! NIKO KÖBLER (@DASNIKO)

2. ABOUT ME ▸ Freelance Consultant/Architect/Developer/Trainer @ www.n-k.de ▸ Doing stuff

   with & without computers, writing Software, ~ 20 yrs ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA) ▸ Speaker at international Tech Conferences ▸ Author of „Serverless Computing in AWS Cloud“
 serverlessbuch.de ▸ Twitter: @dasniko HOW DO YOU AUTHENTICATE..?

3. AUTHENTICATION I don’t know who you are. AUTHORIZATION I know

   who you are, but you’re not allowed.

4. HTTP STATUS CODES 401 UNAUTHORIZED means Not authenticated 403 FORBIDDEN

   means Unauthorized

5. HOW DO YOU AUTHENTICATE?

6. HOW DO YOU AUTHENTICATE..? SESSION BASED AUTHENTICATION ▸ User enters

   username/password
 Request: client app -> server ▸ Server checks for user & authenticates it
 Send a unique token back to user’s client ▸ Client app stores the token in cookie(s)
 Send it back with every subsequent request ▸ Server receives w/ every request the token to authenticate the user and send back data ▸ On logout, the client (and server) removes the token
 Subsequent requests will be unauthorized

7. HOW DO YOU AUTHENTICATE..? SESSION BASED - DOWNSIDES ▸ On

   every user authentication, the server needs to create a record somewhere on the server. This may lead into increased memory allocation ▸ Since sessions are stored in memory, this will lead to problems with scalability.
 e.g. replication over multiple instances / network

8. HOW DO YOU AUTHENTICATE..? TOKEN BASED AUTHENTICATION ▸ Completely stateless!


   No data will be stored on servers! ▸ Has gained popularity over the last years, thanks to Single-Page- and Mobile-Apps, Web APIs, IoT, … ▸ Mostly used token: Json Web Token (JWT) ▸ signed ▸ self-contained ▸ can contain additional data ▸ Foundation for SSO (Single-/Social-Sign-On)

9. HOW DO YOU AUTHENTICATE..? TOKEN BASED AUTHENTICATION ▸ User enters

   credentials ▸ Server verifies credentials and returns a signed token (the JWT) ▸ Token is stored client-side! (e.g. local storage) ▸ Subsequent requests to server include the token, generally as Authorization header ▸ Server decodes the JWT, if valid, proceed with request, no memory lookups necessary ▸ On logout, JWT is destroyed client-side

10. SOCIAL SIGN ON

11. HOW DO YOU AUTHENTICATE..? SOCIAL SIGN ON ▸ Authenticate users

    based on their social networking accounts ▸ Users don’t need to register again, thus don’t need to remember credentials ▸ Developers don’t need to implement the whole authentication process/features
 Don’t need to secure all the credentials ▸ See OAuth2, Open-ID Connect, JWT for more information!

12. PASSWORDLESS…

13. HOW DO YOU AUTHENTICATE..? PASSWORDLESS / THE „MAGIC LINK“ ▸

    User enters email address ▸ Server sends a temporary one-time link (TOTL) to that email ▸ User clicks link & is automatically logged in the application ▸ Similar approaches: ▸ Code or TOTP through SMS or push notification (needs setup, costs money) or email ▸ Touch-/Face-ID

14. HOW DO YOU AUTHENTICATE..? PASSWORDLESS - BENEFITS ▸ No more

    insecure passwords ▸ No more complicate passwords to remember ▸ No more „forgot password“ ▸ All of the above is valid and a win-win for users and developers! ▸ BUT: If your email account is compromised, then… good luck!

15. MULTI-FACTOR AUTHENTICATION

16. HOW DO YOU AUTHENTICATE..? TWO / MULTI FACTOR AUTHENTICATION ▸

    Something you Know
 e.g. password or PIN ▸ Something you Have
 e.g. a physical device like a mobile phone or software that can generate (T)OTPs ▸ Something you Are
 a biologically unique feature, e.g. fingerprints, voice, retinas

17. HOW DO YOU AUTHENTICATE..? TWO / MULTI FACTOR AUTHENTICATION ▸

    Something you Know
 e.g. password or PIN ▸ Something you Have
 e.g. a physical device like a mobile phone or software that can generate (T)OTPs ▸ Something you Are
 a biologically unique feature, e.g. fingerprints, voice, retinas

18. MOBILE PHONE AUTHENTICATION? IMEI & IMSI ARE PUBLIC!

19. MOBILE PHONE AUTHENTICATION? IMEI & IMSI ARE PUBLIC!

20. THANK YOU. ANY QUESTIONS? https://speakerdeck.com/dasniko Niko Köbler | www.n-k.de |

    [email protected] | @dasniko HOW DO YOU AUTHENTICATE..?