modules/11-authentication.livemd
Lines changed: 51 additions & 42 deletions
Original file line number
Diff line number
Diff line change
@@ -4,85 +4,79 @@
4
4
5
5
> ### 🛠 <spanstyle="color:goldenrod;">MODULE UNDER CONSTRUCTION - Please move to next module</span>
6
6
7
-
Authentication is the concept and refers to mechanisms for establishing an entity (person or machine) is who they say they are.
7
+
Authentication is the process of establishing that an entity, whether person or machine, is who they say they are. In this process the entity starts by "knocking on the door", perhaps even announcing themselves and showing their id card when prompted. Identification(id) cards usually contain a photograph, name, description, and other personal information. Id cards are usually issued by a trusted organization.
8
+
9
+
Then, someone or something compares the information on the id card with the entity as they currently appear to be in realtime, as they have anounced themselves. One of two things follow:
10
+
11
+
- The information on the card, matches verbal annoucement, and matches the entity as it has presented itself in that moment. Authentication is successful and completed. Further communication and access can proceed.
12
+
13
+
- Something between the information on the card, what was said in the verbal announcement, and the entity in that moment doesn't match. Imagine you get a knock on your door, you ask who it is, and the person on the other side says you have a package delivery. In fact, you're not expecting a package and when you look through the peek hole, the person is not wearing a uniform and doesn't have a package in their hands. Something doesn't match. They don't seem to be who they say they are. Authentication fails and other that notifying the entity of the failure, no further communication proceeds and certainly no access is granted.
14
+
15
+
Authentication is the mechanism that helps guard the front door of an application. It's the mechanism that helps control the outter rim. In the context of cyberspace, in the most simple implementations, this usually means a username and a password but a variety of credentials can be used.
16
+
17
+
In this module, we will covers some of the related concepts that can be confused with authentication, but that interact with it to secure a system or applicaiton as well as some of the different ways authentication can be implemented.
8
18
9
19
## Table of Contents
10
20
11
21
*[Confusion with Authorization and Access](#confusion-with-authorization-and-access)
*[Prevention and Countermeasures](#prevention-and-countermeasures)
15
27
16
28
## Confusion with Authorization and Access
17
29
18
30
### Description
19
31
20
-
Multiple concepts that are very closely related. One of the concepts we'll discuss later, OAuth, originally designed for authorization, has evolved into providing
21
-
authentication as well (not intended). Authorization and Access are very similar concepts and are implemented together, sometimes within the Authorization mechanism.
22
-
Confusing, right?
32
+
Thinking back to the example above, authentication is required for access beyond being on the property and standing on the doorstep. Once an entity has been authenticated, then they are granted access. Access immediately follows Authentication, but how much access an entity is allowed and the actions they are permitted to, is authorized, to perform are governed by a set of permissions or access controls referred to as Authorization.
23
33
24
-
### Security Concerns
34
+
Authorization can be addressed based on a set of credentials. Depending on the application, credentials can consist of a username and password pair, or may included other things like tokens, which will be covered, later in this module. Credentials are what entities use to for access but are also presented as part of the authentication process. A little confusing, right?
25
35
26
-
*TODO: Write Prevention*
36
+
When implemented in an application/system, this often appears to happen in a single step. You login and if you get a successful response you get access to the application.
Multiple concepts that are very closely related. One of the concepts we'll discuss later, OAuth, originally designed for authorization, has evolved into providing
39
+
authentication as well (not intended). Authorization and Access are very similar concepts and are implemented together, sometimes within the Authorization mechanism.
31
40
32
-
```elixir
41
+
Another related concept is session management. Depending on the architecture of the system or application, once an entity is authenticated, subsequent activity/interactions need to be tracked/attributed to the same entity. This functions like a hand stamp for re-entry to an event or amusement park accept it is unique to you.
33
42
34
-
```
43
+
Authorization, Identity, Credentials, Access, Access Controls, Permissions, Session and Session Management are all terms you will come across when implementing Authentication in applications. While each has distinct definitions, consider them as mutually interactive contributors/participants in an integrated system that works to allow into an application only what is verified and trusted, tracks and monitors the activity of what's been allowed in, and ensures what does get in, only has access to what they absolutely need in order to perform their specific function. How these are implemented and their specific configuration/arrangement is unique to the design of each application.
35
44
36
45
## Multi-factor Authentication
37
46
38
47
### Description
39
48
40
-
Factors refer to 3 checks that work together to establish identity.
49
+
Multi-factor Authentication (MFA) is a way of implementing authentication so that more than one aspect of an entity is checked when it presents itself. from the initial simple example, checking both the information on the id card (something they have) and asking the entity to verbally state their name (something they know), for instance.
50
+
51
+
When implemented in applications, these aspects are referred to as factors and Authentication can be implemented using one of these factors (single-factor) or 2 or more (multi-factor):
52
+
41
53
Something you know/that is in your brain - Password
42
54
Something you have/possess/have physical or digital access to - Code generated by outside party; key
43
55
Something you are/something unique to you as a person - fingerprint, facial recognition, other biometrics, palm scan, retinal scan
44
56
45
-
Authentication can be implemented using one of these factors (single-factor) or 2 or more (multi-factor)
46
-
47
-
Authentication mechanism can be complex...
48
-
Security concerns/examples of multi-factor authentication getting hacked
Authentication mechanism can be simple or complex. Security industry best practices recommend implementing multi-factor authentication wherever possible.
61
58
62
59
## Token-based Implementation
63
60
64
61
### Description
65
62
66
-
Tokens are ... long strings of random characters used to identify an entity, session, as a badge for access.
63
+
Tokens are ... long strings of random characters used to identify an entity, session, as a badge for access. Used for authentication, used for session management, provided by authorization servers.
67
64
68
-
Common implementations include OAuth: [
69
-
](https://www.youtube.com/watch?v=996OiexHze0)
70
65
71
-
JSON Web Tokens (abbreviated JWT, pronounced "jot")
66
+
Common implementations include OAuth:
72
67
73
-
### Security Concerns
68
+
Open Authorization(OAuth) is a protocol in which a multi-step arrangement generates a token for a specific users, the user presents as a credential in lieu of a password. Client-server model, there is an extra server (authorization/token generating service or server) that after a user authenticates with it, it generateds a token, and brokers authentication/authorization between initial entity and a resource.
74
69
75
-
*TODO: Write Prevention*
70
+
Originally built for authorization, as it's name suggests, it has evolved for use in the authentication and authorization mechanisms. A very good resource that describes the OAuth in context of it's history and current implementations is here: https://www.youtube.com/watch?v=996OiexHze0
JSON Web Tokens (abbreviated JWT, pronounced "jot")
74
+
Multi-use tokens for authentication and session.
75
+
Three components, header contains information identifying type of token and algorithm used for the signature, payload/body that contains data about the disposition of the token, signature - which serves as an integrity check to establish if the token has been modified or tampered with.
82
76
83
-
```
77
+
Base64 encoded and cryptographically signed
84
78
85
-
<!-- livebook:{"branch_parent_index":4} -->
79
+
Tokens, like other authentication credentials, etc. must be protected in transit and at rest.
86
80
87
81
## Authentication Channels
88
82
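Review bot: the JWT paragraph in this hunk (the three-component description and the line "Base64 encoded and cryptographically signed") should state that Base64 is an encoding, not encryption, so anyone who obtains the token can read the header and payload, and that the signature only gives integrity if the consuming service actually verifies it before trusting anything in the payload; as written, a reader could take "cryptographically signed" to mean the contents are protected from disclosure. That point connects to the later line "Tokens, like other authentication credentials, etc. must be protected in transit and at rest", which would also read better with "etc." dropped. Other issues in the added text: the placeholder ellipsis survives in "Tokens are ... long strings of random characters"; the OAuth paragraph has "for a specific users, the user presents as a credential" (needs rewording), "generateds", and "it's name" (should be "its"); and there are typos "anounced", "annoucement", "outter", "applicaiton", "we will covers", "may included", and "accept it is unique to you" (should be "except"). Finally, the hunk removes the empty elixir code fence and the livebook branch_parent_index comment, which is fine if deliberate, but the line-5 banner "MODULE UNDER CONSTRUCTION - Please move to next module" (context, with "<spanstyle" missing a space) is left in place even though the module now has real content, so either update it or say in the commit message why it stays.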
@@ -103,10 +97,20 @@ Establish/Manage a Session
103
97
104
98
Session-less ... fire and forget
105
99
100
+
## Security Concerns
106
101
107
-
### Security Concerns
102
+
Authentication, credentials, should never be stored in cleartext, hardcoded in code base,
103
+
Credential Stuffing Attacks
104
+
Security concerns/examples of multi-factor authentication getting hacked
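Review bot: the new "## Security Concerns" section in this hunk is a set of fragments rather than content: "Authentication, credentials, should never be stored in cleartext, hardcoded in code base," ends mid-sentence with a trailing comma, "Credential Stuffing Attacks" is a bare title with nothing under it, and "Security concerns/examples of multi-factor authentication getting hacked" is the same placeholder the first hunk removed from the MFA section, now relocated instead of written. Suggest either completing these before merge or marking them as TODO the way the removed "*TODO: Write Prevention*" lines did, so the rendered page does not present a truncated sentence as a finished section. At minimum the first line could be finished as "should never be stored in cleartext or hardcoded in the code base", and the credential stuffing entry should say what the attack is (replaying username/password pairs leaked from one service against another) and point back to the module's own recommendation that MFA be enabled wherever possible, since that is the mitigation the module already argues for. The context line "Session-less ... fire and forget" also still carries a placeholder ellipsis.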