Authentication

Learn about the types of authentication, as well as the protocols used to authenticate information.


There are two important concepts related to information security:

  • Knowing who the end user is.

  • Determining what the end user is allowed to do.

In this chapter, we’ll go over the specifics of each, as well as some associated technical topics like hashing, encryption, and encoding.

Introduction

Authentication is the process of verifying that a user is who they say they are. Authentication is the first required step before we can “trust” the user and allow them to perform certain actions. In this step, we identify the user and allow them to access certain pages or functionalities.

The most common way to verify identity is the combination of some identifier (like a username or email address) and a password. Based on these two pieces of information, the server can establish the identity of the person who enters them.

Since anyone who has a user’s identifier and password can access the system as that user, we need to take additional steps to ensure that this data is encrypted when we store it and send it from one system to another.

Passwords aren’t the most secure method of authentication. Users may write them down, share them, or have them guessed (sometimes by brute force). Some systems employ two-factor authentication to further protect a user’s account, because its requirements are much harder to meet: two-factor authentication requires not only that the user knows the password but also that the user has a certain device in their possession. With the abundance of smartphones and mobile devices, a popular additional factor is the entry of a number sent to the device. This provides an additional guarantee that the user is actually who they claim to be.

Some systems, such as the following, do not rely on the use of passwords:

  • Smart cards (unique code, hardware-based)

  • Certificates (unique code, software-based)

  • Biometrics (scanning fingerprints or other unique physical features)

Protocols

There are various ways in which the authentication information can be transferred to the server. In web applications and REST-style endpoints, the main protocol is always HTTP. Within the header of the request to the server, we can place various pieces of information to identify our users.

The main problem with HTTP is that all the information flowing from the client to the server and vice versa is easily readable by a third party. This means that usernames and passwords can easily be discovered when we look at the traffic that is going over the wire.

A secure connection is therefore required to protect the credentials of the user during authentication. With a secure connection, denoted by HTTPS, the data is encrypted as it travels between the two parties. This is a much safer way to transfer credentials.

TLS (Transport Layer Security) is considered a superior method of encryption to any version of the older, flawed SSL (Secure Sockets Layer). Only the intended receiver can reconstruct the original information; any other party observing the connection sees only a stream of bits and lacks the information needed to decode it.
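As an added example (not code from the original lesson), the following Python shows what "placing credentials in the request header" looks like with HTTP Basic authentication, and why a plain-HTTP connection exposes them: the header value is only base64-encoded, which any observer can reverse, so the server-side policy here refuses to process such credentials unless the request arrived over HTTPS. The function names and the sample credentials are assumptions made for this example.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample credentials for the demonstration (not real accounts).
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def build_basic_header(username: str, password: str) -> str:
    """Build an HTTP 'Authorization: Basic' value as a client would send it.

    The credentials are base64-*encoded* (a reversible transformation),
    not encrypted: anyone who sees the header can recover them.
    """
    if ":" in username:
        raise ValueError("username must not contain ':' (RFC 7617)")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from a Basic header, or None if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def accept_credentials(scheme: str, header: str) -> bool:
    """Server-side policy: credentials are only accepted over TLS.

    `scheme` is the URL scheme the request arrived on ('http' or 'https').
    Over plain HTTP the header is readable on the wire, so the server
    refuses it outright instead of validating it.
    """
    if scheme.lower() != "https":
        return False
    return parse_basic_header(header) is not None


if __name__ == "__main__":
    header = build_basic_header(USERNAME, PASSWORD)
    print(header)                          # what crosses the wire
    print(parse_basic_header(header))      # trivially recovered by an observer
    print(accept_credentials("http", header), accept_credentials("https", header))
```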