with & without computers, writing Software, ~ 20 yrs ▸ Co-Lead of JUG DA (https://www.jug-da.de / @JUG_DA) ▸ Speaker at international Tech Conferences ▸ Author of „Serverless Computing in AWS Cloud“ serverlessbuch.de ▸ Twitter: @dasniko HOW DO YOU AUTHENTICATE..?
username/password ▸ Request: client app -> server ▸ Server checks for the user & authenticates it ▸ Sends a unique token back to the user’s client ▸ Client app stores the token in cookie(s) and sends it back with every subsequent request ▸ Server receives the token with every request, authenticates the user and sends back data ▸ On logout, the client (and server) removes the token; subsequent requests will be unauthorized
every user authentication, the server needs to create a record somewhere on the server. This may lead to increased memory allocation ▸ Since sessions are stored in memory, this leads to problems with scalability, e.g. replication over multiple instances / the network
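The session-based flow from the two slides above, as an added example (not code from the talk or the speaker): login creates a server-side record keyed by a random token, every request is authenticated by looking that record up, and logout deletes it. The user table, salt and TTL are constructed for the demo; the store is a plain dict, which is exactly the per-instance memory the slide says does not replicate across servers.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory session store: token -> (username, expiry).
# This is the "record somewhere on the server" the slide refers to; a second
# application instance has its own empty dict and would reject the same token.
SESSIONS = {}
SESSION_TTL = 3600  # seconds; assumption for the demo

# Constructed user store. A static salt is used only to keep the demo short;
# real deployments use a random per-user salt.
SALT = b"constructed-static-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)


USERS = {"alice": hash_password("correct horse battery staple")}


def check_credentials(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hash_password(password))


def login(username: str, password: str, now=None):
    """Verify credentials and create the server-side session; returns the cookie token."""
    if not check_credentials(username, password):
        return None
    current = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    SESSIONS[token] = (username, current + SESSION_TTL)
    return token


def authenticate(token: str, now=None):
    """Memory lookup performed on every request: returns the username or None."""
    record = SESSIONS.get(token)
    if record is None:
        return None
    username, expiry = record
    current = time.time() if now is None else now
    if current > expiry:
        del SESSIONS[token]  # expired sessions are purged on first use
        return None
    return username


def logout(token: str) -> None:
    """Server-side half of logout: drop the record so the token is unauthorized from now on."""
    SESSIONS.pop(token, None)


def session_count() -> int:
    """How many records the server currently holds (the memory cost the slide warns about)."""
    return len(SESSIONS)
```

Everything the server knows about a logged-in user lives in `SESSIONS`; scaling out means either sticky sessions or moving that dict into a shared store, which is the replication problem the slide names.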
No data will be stored on servers! ▸ Has gained popularity over the last years, thanks to Single-Page- and Mobile-Apps, Web APIs, IoT, … ▸ Mostly used token: JSON Web Token (JWT) ▸ signed ▸ self-contained ▸ can contain additional data ▸ Foundation for SSO (Single-/Social-Sign-On)
credentials ▸ Server verifies credentials and returns a signed token (the JWT) ▸ Token is stored client-side! (e.g. local storage) ▸ Subsequent requests to the server include the token, generally as Authorization header ▸ Server decodes and validates the JWT; if valid, it proceeds with the request, no memory lookups necessary ▸ On logout, the JWT is destroyed client-side
based on their social networking accounts ▸ Users don’t need to register again, thus don’t need to remember credentials ▸ Developers don’t need to implement the whole authentication process/features ▸ Don’t need to secure all the credentials ▸ See OAuth2, OpenID Connect, JWT for more information!
User enters email address ▸ Server sends a temporary one-time link (TOTL) to that email ▸ User clicks the link & is automatically logged in to the application ▸ Similar approaches: ▸ Code or TOTP through SMS or push notification (needs setup, costs money) or email ▸ Touch-/Face-ID
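The temporary one-time link from the slide above, as an added example that is not code from the talk: the server mints a random token, keeps only its hash together with the e-mail address and a short expiry, puts the raw token into the link it mails out, and consumes the record on first use so the link is genuinely one-time. The base URL, TTL and addresses are constructed for the demo.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

LINK_TTL = 15 * 60  # seconds; assumption, links should be short-lived
# Constructed store: sha256(token) -> (email, expiry). Only the hash is kept so a
# leaked copy of this table cannot be turned back into usable links.
PENDING_LINKS = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_login_link(email: str, base_url="https://app.example/login", now=None) -> str:
    """Step 2 of the slide: build the link that is e-mailed to the address the user entered."""
    current = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING_LINKS[_digest(token)] = (email, current + LINK_TTL)
    return f"{base_url}?token={token}"


def token_from_link(link: str) -> str:
    """What the login endpoint does when the link is clicked: pull the token out of the query."""
    return parse_qs(urlparse(link).query).get("token", [""])[0]


def redeem_login_link(token: str, now=None):
    """Step 3 of the slide: log the user in if the token is known, unexpired and unused.

    Returns the e-mail address that was verified, or None.
    """
    record = PENDING_LINKS.pop(_digest(token), None)  # pop makes the link single-use
    if record is None:
        return None
    email, expiry = record
    current = time.time() if now is None else now
    if current > expiry:
        return None
    return email
```

After `redeem_login_link` returns an address, the application would start a normal session (or issue a JWT) for it; the link itself carries no identity beyond what the server stored against the hash.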
insecure passwords ▸ No more complicated passwords to remember ▸ No more „forgot password“ ▸ All of the above is valid and a win-win for users and developers! ▸ BUT: If your email account is compromised, then… good luck!
Something you Know: e.g. password or PIN ▸ Something you Have: e.g. a physical device like a mobile phone or software that can generate (T)OTPs ▸ Something you Are: a biologically unique feature, e.g. fingerprints, voice, retinas
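The "something you have" factor from the slide above, as an added example that is not code from the talk: the (T)OTP generator a phone app or hardware token implements, written with the standard library according to RFC 4226 (HOTP) and RFC 6238 (TOTP, 30-second steps). The shared secret is the published RFC test secret; the verification window and enrolment helper are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step). This is what the device shows."""
    return hotp(key, timestamp // step, digits)


def verify_totp(key: bytes, code: str, timestamp=None, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours for clock drift.

    Comparison is constant-time so the check leaks nothing about how many digits matched.
    """
    t = int(time.time()) if timestamp is None else timestamp
    counter = t // step
    submitted = str(code).encode("utf-8")
    for offset in range(-window, window + 1):
        if counter + offset < 0:
            continue
        if hmac.compare_digest(hotp(key, counter + offset, len(submitted)).encode("ascii"), submitted):
            return True
    return False


def new_secret() -> str:
    """Enrolment: a fresh 160-bit secret, Base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def key_from_base32(b32: str) -> bytes:
    """Turn the enrolled Base32 secret back into the raw key both sides compute with."""
    return base64.b32decode(b32)
```

The generator and the verifier share nothing but the key and a clock; a code is only useful for a minute or so and never travels back to the user, which is what makes the phone a "have" factor rather than a second "know" factor.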