Authentication is a major sub-system of any information system. It involves identifying a user and validating that the user is who he or she claims to be. Often, login and authentication are mistaken for one process. First of all, we will clarify some of the terms used in information security.
User account: a digital identity that represents a human, but also a software application, an Internet of Things device, or a robot.
Identification: the process of attributing an identifier to a person or an object such as a firewall, a network interface card, a printer, etc. Often, online systems use an email address or a unique string as the identifier.
Authentication: identifying a user and validating that the user is who he or she claims to be.
Authorization: the process of determining which resources a user is allowed to access, or which functions the user may perform on a particular system, after the user has successfully authenticated to the system.
Login / Logon: the process of gaining access to specific resources, computer systems, or networks using credentials (username, password, biometric elements) after the user has been identified and authenticated. Credentials are used to verify that the user is an authorized user.
Common factors for user authentication
There are three main factors used for authentication:
- Something you know (such as a password)
- Something you have (cellphone, hardware tokens, smart card)
- Something you are (biometric method)
In addition, other factors such as time and/or location are also used, although not as commonly as the three factors above.
Many authentication systems have been developed over the years based on these authentication factors. Below is a summary of some of them. Information systems security is a dynamic field, so new methods and technologies emerge in response to new threats, to improve existing technologies, and to provide a better user experience in the identification and authentication process.
HTTP basic authentication
- A simple authentication system
- Part of the HTTP protocol
- Based on base64-encoded credentials
- The user's login credentials are placed in the Authorization header and sent with every HTTP request to the server
- Common, but less secure: base64 is an encoding, not encryption, so the credentials are readable by anyone who can see the request
Password-based authentication
- Users favor usability over security, so they reuse the same password for different accounts for convenience and compromise their security
- To make passwords stronger:
- Use a random password of 16 characters
- Mix alphanumeric characters with at least two special characters
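The Basic scheme and the password handling just described, as an added example that is not from the original post: the client builds the Authorization header, the server decodes it (showing why base64 gives no secrecy) and checks the password against a salted PBKDF2 hash in constant time, and the generator at the end produces the 16-character random passwords recommended above. The user store and the user alice are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import string

def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: the server stores this, never the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(store: dict, username: str, password: str) -> None:
    """Add a user to the (constructed) store: username -> (salt, hash)."""
    salt = secrets.token_bytes(16)
    store[username] = (salt, _pbkdf2(password, salt))

def build_basic_header(username: str, password: str) -> str:
    """Client side: the Authorization header sent with every request."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def parse_basic_header(header: str):
    """Server side: recover the credentials (decoding, not decryption)."""
    scheme, _, data = header.partition(" ")
    if scheme != "Basic" or not data:
        return None
    try:
        decoded = base64.b64decode(data, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None

def authenticate(store: dict, header: str) -> bool:
    """Compare against the stored hash in constant time."""
    creds = parse_basic_header(header)
    if creds is None or creds[0] not in store:
        return False
    salt, expected = store[creds[0]]
    return hmac.compare_digest(_pbkdf2(creds[1], salt), expected)

def random_password(length: int = 16) -> str:
    """Random password with letters, digits and at least two special characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (sum(c in string.punctuation for c in pw) >= 2
                and any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
            return pw
```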
Biometric authentication
- One of the most secure systems
- Uses unique biological characteristics of the user
- Used in high-security areas such as airports, military bases, and nuclear facilities
- Used in two-factor authentication systems (a subset of multi-factor authentication)
- Common identifiers are fingerprint scans, facial recognition, and voice-based identification (less secure than other biometric methods)
- Needs special devices to integrate with web applications. Therefore, it is not a popular choice for web applications compared to other authentication systems. Typing biometrics (keystroke dynamics), which analyzes and stores a user's typing patterns, shows some promise.
Multi-factor authentication (MFA)
- Uses two or more ways to identify a user
- Adds another layer on top of a password-only authentication system
- Ex: a password plus a security code / sign-in code sent to the user's phone
- The extra factors belong to the following categories:
  - Knowledge factors, ex: birth city, password, partial password, PIN, challenge-response, security questions
  - Possession factors, ex: wrist band, ID card, security token, cell phone
  - Inherent factors (biometrics), ex: fingerprint, eyeball scan
  - Location factor: can be used with GPS-enabled devices such as smartphones, or on networks
  - Time factor: can be used in conjunction with the location factor to strengthen security and prevent unauthorized access
Certificate-based authentication
- The system generates a digital certificate using the user's ID, passport, or any other valid identification to validate the user
- Can be used to authenticate machines, devices, and IoT
- A digital certificate contains the user's public key and a digital signature
- When authenticating a user, the system asks for the digital signature and uses cryptography to make sure it belongs to a valid user
- Digital certificates are also commonly used to verify the authenticity of a website to a web browser (SSL certificate)
Token-based authentication
- After the user sends login credentials to the server, the server returns a unique token that identifies the user
- Allows users to access resources on an online system without having to enter login credentials on each visit
- The reason is that the token generated by the server is shared between these resources
- The token is valid only for a short period
- After the period has elapsed, the token expires and a new token must be generated
- If the user logs out, the existing token is destroyed
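The token lifecycle above as a small server-side store, added here and not part of the original post: a token is issued after login, resolves to the user until it expires, is destroyed on logout, and a resource endpoint accepts a Bearer token instead of the login credentials. The clock is injectable (an assumption for the example) so expiry can be exercised without waiting.

```python
import secrets
import time

class TokenStore:
    """Server-side record of the opaque tokens issued after a successful login.
    The clock is injectable so expiry can be exercised without waiting."""

    def __init__(self, ttl_seconds: int, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._tokens = {}  # token -> (username, expiry time)

    def issue(self, username: str) -> str:
        """Called only after the login credentials have been verified."""
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        self._tokens[token] = (username, self.clock() + self.ttl)
        return token

    def resolve(self, token: str):
        """Username for a live token, or None if it is unknown or expired."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if self.clock() >= expiry:
            del self._tokens[token]  # expired: the client must log in again
            return None
        return username

    def logout(self, token: str) -> None:
        """Destroy the token so it cannot be presented again."""
        self._tokens.pop(token, None)

def handle_request(store: TokenStore, headers: dict):
    """Resource endpoint: accepts 'Authorization: Bearer <token>' instead of
    asking for the login credentials on every visit (constructed responses)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "login required"
    user = store.resolve(token)
    if user is None:
        return 401, "token invalid or expired, log in again"
    return 200, f"hello {user}"
```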
Single sign-on (SSO) authentication
- Uses one set of login credentials to authenticate a user for multiple applications.
- The basis for this authentication mechanism is the trust between two parties: the identity provider and the service provider.
  - Identity provider, ex: Facebook, Google, Twitter, GitHub
  - Service provider: the system that the user tries to gain access to
- The service provider sends a token with user information, such as the email address, to the identity provider.
- The identity provider checks whether that user is an authenticated user on its system.
- If the identity provider identifies the user as an authenticated and valid user, it sends a confirmation token back to the service provider through the user's browser. This token contains the identity of the user.
- Consequently, the service provider lets the user access restricted resources on its system.
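The exchange described above as a minimal simulation, added here and not part of the original post. It assumes the trust between identity provider and service provider is a shared HMAC key (a simplification; real deployments use signed SAML assertions or OpenID Connect tokens) and adds a nonce and expiry so a confirmation token is accepted only once, only by the service provider that asked for it.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

def sign(claims: dict, key: bytes) -> str:
    """JSON claims plus an HMAC, so the other party can check the issuer."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(token: str, key: bytes):
    body, _, mac = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(mac, expected):
        return None  # forged or tampered token
    return json.loads(base64.urlsafe_b64decode(body))

class IdentityProvider:
    def __init__(self, key: bytes, authenticated):
        self.key, self.authenticated = key, set(authenticated)  # logged-in users

    def handle(self, request_token: str):
        """Confirm the user (token relayed via the browser) only if logged in here."""
        req = verify(request_token, self.key)
        if req is None or req["email"] not in self.authenticated:
            return None
        return sign({"sp": req["sp"], "email": req["email"], "nonce": req["nonce"],
                     "exp": time.time() + 300}, self.key)

class ServiceProvider:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.pending = {}  # nonce -> email, awaiting the IdP's confirmation

    def start_login(self, email: str) -> str:
        nonce = secrets.token_hex(16)  # ties the IdP's answer to this attempt
        self.pending[nonce] = email
        return sign({"sp": self.name, "email": email, "nonce": nonce}, self.key)

    def finish_login(self, confirmation: str):
        """Accept the confirmation once, for this SP, before it expires."""
        claims = verify(confirmation, self.key)
        if claims is None or claims.get("sp") != self.name or claims.get("exp", 0) < time.time():
            return None
        if self.pending.pop(claims.get("nonce"), None) != claims.get("email"):
            return None  # unknown or already-used nonce: replayed or forged
        return claims["email"]
```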
Usability and security
Usability and security are two important metrics when choosing authentication factors. It has been well known for years that users favor a system that is convenient to use without being concerned about security vulnerabilities. As usability increases, security tends to decrease. A good authentication mechanism should find the balance between these two metrics.
Should you implement user authentication and authorization from scratch as a developer?
User authentication and authorization are critical parts of any information system. If you are a developer, implementing user authentication from scratch may not be a wise choice. The main reason is that hackers, threats, and intrusions evolve as fast as security measures do. No single developer can keep his or her user authentication sub-system updated to handle all sorts of new threats. Because of this, you must use professional services specializing in user authentication and authorization in real-world applications. If you decide to add some code yourself, use authentication libraries such as PassportJS, Permit, Grant, or Firebase Authentication for small apps.
In addition, there are user management and authentication services such as Auth0, Okta, Prove, DUO, PingIdentity, and so on.
A popular choice in many web applications is also to integrate SSO (single sign-on) with social network providers such as Facebook, Twitter, LinkedIn, Google, GitHub, etc.
If you are a WordPress developer, you can use existing WordPress authentication or install a plugin for user management and authentication.
These libraries, services, and plugins are dedicated to updating their functionality as part of their business. So, always use these choices in real-world applications.
We have discussed what identification, login, authorization, and authentication mean. User authentication and authorization are broad topics that cannot be covered in one blog post. As a developer, you should have a sound understanding of how the different systems work. You can implement your own user authentication as part of learning. But after that, you need to use existing, well-tested libraries and services for user authentication and authorization.