Authentication

--Originally published at Computer and Information Security

Each day we log into many different web pages, and they ask for authentication. We need to prove that we are who we say we are, but why is that so important, and how does it work? Authentication is needed to access personal information, social media, work systems, the phone's lock screen, anywhere. It is almost a requirement for joining any website and accessing certain content. From a security standpoint, it is what keeps your information away from the rest of the world. There are many different ways to prove that you are really you. Most sites ask for a password, but passwords are not the only option. The next video uses interesting examples to explain the importance of authentication.

  • Knowledge factors: something the user knows. The service asking for authentication may ask for names, answers to specific questions, PIN numbers, or the password itself.
  • Possession factors: something the user has, such as ID cards, one-time password tokens, specific codes, or any artifact that can prove your identity.
  • Inherence factors: something the user is. This factor covers the user's biometrics, such as fingerprint scans, facial recognition, voice recognition, retina scans, iris scans, among others.


A more modern way to authenticate a user is by location, as reported by their cellphone. This can be combined with device activity and many other complex factors. Nowadays, it is recommended to use at least two authentication factors at a time for each account. For example, an account can be protected with a password plus a PIN that the service provider sends to your cellphone.

There are many authentication tools on the market. It is important to be secure and also to protect your personal information. It can be annoying to unlock accounts with more than one authentication factor, but sometimes it is necessary

Tokens: the ‘I’m old enough to drink’ of web-based teens

--Originally published at tc2027 – Ce qui est chouette

In this post I'll be dealing with the topic of authentication and authorization, and at the end I'll provide some examples and summarize some of the currently used solutions.

The difference

First, let’s deal with what both of these concepts refer to and what the difference between them is.

Authentication means verifying who someone is. This is what sign up and log in are for: the first defines who you are, while the latter is where the authentication lies, in checking your user ID and password to match you with someone in the system. Authentication answers the claim "this is who I am" with "yep, that's who you are".

Bouncers by Fabio Venni on Flickr under a CC License.

Authorization means verifying that someone has permission to perform an action. This refers to a certain user having or gaining access to a resource, and is usually done through different types of user, e.g. Administrator, Anonymous User, etc. Authorization answers "hey, can I do this?" with "yep, you can", or, if it were an English teacher, "can you?", to which you would simply groan in disgust at this attempt at comedy.

Tokens

One common way to handle both of these processes is through the use of tokens. A token is a series of characters, usually encoded, that represents both to whom the token belongs—to which account it is linked—and what type of access the token grants.

An implementation of tokens that I've used is JWT (JSON Web Token). A JWT consists of three parts: header, payload, and signature. The first two are base64-encoded JSON, separated by a dot (.); the signature is a bit different, and is computed as follows:

EncryptionAlgorithm(base64(