User authentication and authorization has become a core, essential and critical part of every service or platform on the Internet. Holes in it have cost, and will keep costing, a lot for both the big companies and their users. Many things can occur: data breaches, data loss, accounts and servers overrun by ill-intentioned hackers, and so on. Without this personalized aspect of the Web, the software and technology industry would not have grown so much. It is no surprise that a lot of effort is invested in this core function of Internet services. Big companies invest in all aspects: speed, security, scalability, user interface and user experience, and so on.
From a mixed end-user / technical architect / developer point of view there are several critical points:
- Log in (required). This endpoint probably has the biggest load and also an endless number of variations, especially in terms of user experience:
  - Email and password or PIN
  - A QR code containing a hash (non-reversible to the source text), paired with an app that runs some very custom logic
  - Public/private cryptographic keys, in several form factors such as:
    - Software cryptographic keys
    - Hardware-contained cryptographic keys, unlockable with a password or even a hardware button
    - Keys protected on a device with newer and newer methods:
      - PIN (4 digits)
      - dot/picture pattern
      - fingerprint sensor
      - face/eye/palm recognition
      - voice recognition
      - a combination of the above paired with GPS location, and so on
  - IP whitelisting paired with some of the above: the user adds their own IP addresses (home, office) and all others are denied. This may be implemented internally in an authentication service and raise a flag for logins from new IPs
  - Two-step authentication paired with some of the above
- Log out (required). This endpoint is probably "hit" far less than log-in, because the default, both by convention and by recommendation (from a resource and from a security point of view), is to limit how long a user's access to a web site, service or platform lasts. In most frameworks the default is 30 minutes.
- Register (optional). Optional, because there are probably a lot of systems that are used only after some separate real-world entry into, or integration with, the "bucket" the system works around. After a successful real-world entry, an administrator or manager adds the users' accounts. Such systems are school management systems (especially on the teachers' side), medical databases, jurisdiction platforms for the courts, company or corporation employee databases, and so on. Their nature is not to be open to the public, in contrast to social networks, where any monkey with a small amount of computer skills can fill in some forms and start playing inside.
- Update password. This is the "change password" functionality for an already logged-in user. It is absolutely required, especially in cases where the initial user record is created by an administrator, or where the system never shows the password at all. In many cases the initial password is transmitted to the user over some non-secure side channel, so a change is a must.
- Reset password / forgotten password (for users who are not logged in). A way to replace the log-in credentials that were typed in at registration time or after the user logged in. In most workflows it has two steps: first, some temporary secret (such as a non-trivial random key) is sent to a user-specified endpoint (email, SMS, letter); second, within that time frame, the update of the password is allowed. Some services extend this temporary key with additional security questions.
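The two-step reset flow in the item above, as an added example (not code from the original post): a temporary secret is minted and only its hash is stored with an expiry, the raw secret goes out to the user's channel, and redeeming it is allowed once, within the window, after which the new password is stored as a salted PBKDF2 hash. The 30-minute window, the PBKDF2 parameters and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 30 * 60   # assumed validity window for the temporary secret
PBKDF2_ROUNDS = 200_000       # assumed work factor for the stored password hash

@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False

class PasswordResetService:
    """Two-step reset: (1) mint a temporary secret for the user's channel, (2) redeem it once, in time."""
    def __init__(self, now=time.time):
        self._now = now                                        # injectable clock so expiry can be tested
        self._resets: dict[str, ResetRecord] = {}              # keyed by SHA-256 of the token, never the token
        self._passwords: dict[str, tuple[bytes, bytes]] = {}   # user_id -> (salt, pbkdf2 digest)

    @staticmethod
    def _token_hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def start_reset(self, user_id: str) -> str:
        """Step one: return the secret to deliver out of band (email/SMS); persist only its hash."""
        token = secrets.token_urlsafe(32)                      # 256 bits from the OS CSPRNG, not guessable
        self._resets[self._token_hash(token)] = ResetRecord(user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Step two: accept an unexpired, unused token and set the new password; every failure looks alike."""
        rec = self._resets.get(self._token_hash(token))
        if rec is None or rec.used or self._now() > rec.expires_at:
            return False
        rec.used = True                                        # single use: a replayed token is rejected
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
        self._passwords[rec.user_id] = (salt, digest)
        return True

    def check_password(self, user_id: str, password: str) -> bool:
        """Verify a login attempt against the salted hash with a constant-time comparison."""
        salt, digest = self._passwords.get(user_id, (b"", b""))   # unknown user compares against empty digest
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, candidate)
```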
- Cookies: the legacy way is using HTTP cookies.
- HTTP Basic authentication: an `Authorization` header containing the Base64-encoded credentials (Base64 is an encoding, not encryption, so this relies entirely on the transport being TLS).
- A cookie or header containing a JWT: a signed JSON token protected by up-to-date cryptographic algorithms.
- Private databases
- Active Directory (for Microsoft networks); ERP systems for legacy, big and un-migratable databases
- Social networks: all the big platforms provide a way to authenticate a user (Facebook, Twitter, LinkedIn, Snapchat, Stack Overflow, etc.)
- Other identity providers (Apple, Oracle, Google, internal corporate systems)