--Originally published at Diego's Password
Please, input your username and password to read this post:
Username:
Password:
…
You didn’t fall under our little trap/joke right? (Really, hopefully you didn’t).
Anyways, jokes aside, this kind of things that many pages like Facebook or Gmail, or that even your computer when you start it does, it’s called Authentication. What it basically does, is assuring that you are, indeed, you. Sounds funny, but we said we were leaving jokes aside. It is a fundamental security block (if not imagine, someone through the web could get your info without anything to block them, or your friends posting on your FB account). It is made in two steps: identification – identify the username – and verification – bind the identification and the entity.
As you probably already know, authentication can be made through something you know (password), something you have (card or token) or something you are (fingerprint).
But after authentication, then what?
Well, next is access control, which is the prevention of use of a resource from unauthorized people (can be a bit like integrity from the CIA). What access control does is to authenticate users and to assign what do those users can or cannot do within the system or with it’s resources. It is made of three elements:
- Subject (no, not test subject): it’s the entity who can access resources.
- Object: the resource.
- Access right: Remember how civil rights tell you what the government guarantee to you? It’s the same logic: what things you have the right to use in the system.For example: read, write, delete, modify.
One way of access control are Access Lists. In networking, this lists can access who can connect, for example, to a modem.
Traditional Identity
is Obsolete
An example of well authentication system is Auth0. It is an outstanding framework for easy and secure authentication. It offers a very wide variety of products surrounding access control, multi platform authentication and even user administration. We will link their web page right here.
This is an information security blog post so we’ll talk about security. Auth0 offers six main security factor that will definitely convince you, even without mentioning the great usability and how it makes our lives as programmers much easier.
- Encryption. As expected they never save or manage password and sensitive data as plain text. Always hashed and communicated through TLS encrypted with at least 128 bit AES encryption.
- Password complexity enforcement. We as developers can set rules for password creation up to five levels.
- Security based architecture. Auth0 implemented automated blocking features, mitigating denial of service attacks.
- Infrastructure. They offer hardened Linux hosts with automatic security patching, VPCs, role-based access controls and many other features.
- Account verification.
You have the control over email verification setting an automatic message that will be confirmed by the user. - Multiple steps authentication.
Auth0 also offers two and three step authentication with mobile texts and calls.
We just took Web Development Laboratory in which we learned a lot of new technologies and frameworks that makes our lives easier. Now that we were researching on this topic,; we realized how much work it would have been to implement a secure authentication process by ourselves, that is why Auth0 was definitely our favorite cause you can be sure that your users data is secure without investing months on security infrastructure. I think you can implement this tools in your website in less that one hour and have everything tested and running.
I made this awesome post with my dear classmate and friend Ari. I’ll link her blog here.
Sources
Erland Jonsson – Authentication and Access Control
http://www.cse.chalmers.se/edu/course/EDA263/oh15/L04%20authentication%20and%20access%20control.pdf
