Developer 101: Foundational Concepts of Web App Authentication

Job Alex Muturi
7 min read · Jul 6, 2023

Authentication is the part of web security that proves the identity of users: it verifies that individuals or entities are who they claim to be before they are granted access to specific resources or services. Web applications use a range of methods for this, from plain passwords to federated login through an identity provider (and newer browser APIs such as the Federated Credential Management API, FedCM, that broker such logins).

Authentication is not to be confused with authorization as these are two distinct concepts in the realm of web application security. Here’s a differentiation between the two:

Authentication

  • Authentication is the process of verifying or ascertaining the identity of users or entities accessing a web application.
  • It ensures that users are who they claim to be before granting them access to the system or specific resources.
  • Authentication is typically performed at the beginning of a session or when accessing restricted areas of an application.
  • Common authentication methods or strategies include usernames and passwords, biometric authentication, two-factor authentication (2FA), and certificates amongst others.
  • The primary goal is to establish who the caller is, so that the application can then decide (through authorization) what that identity may do.

Authorization

  • Authorization is the process of granting or denying access rights and permissions to authenticated users or entities.
  • Once a user’s identity is established through authentication, authorization determines what actions or resources they are allowed to access within the application.
  • Authorization is based on predefined rules, policies, or permissions associated with user roles or specific attributes.
  • It involves defining and enforcing access controls to protect sensitive data and functionalities.
  • Authorization mechanisms can include role-based access control (RBAC), attribute-based access control (ABAC), and other fine-grained permission models.
  • The primary goal of authorization is to ensure that authenticated users have appropriate privileges to perform their intended actions within the application while preventing unauthorized access.

Authentication and authorization work hand in hand and are both crucial components of web application security: protecting data, maintaining system integrity, and preventing unauthorized access or misuse.

In short: authentication establishes who the user is, and authorization controls which resources and functionality that identity may access.

Authentication strategies:

Here are the most common authentication strategies you are likely to encounter:

Passwords (Username/Password):

Usernames and passwords are the most widely used authentication method. The user submits a username and password at login; the server looks up the record for that username and compares the submitted password against the stored credential. If they match, the user is granted access. (These are not "passkeys": a passkey is a phishing-resistant public-key credential based on WebAuthn/FIDO2, a different mechanism.) Passwords carry well-known weaknesses: weak or guessable choices, reuse across sites, and a family of password-based attacks, covered below, that can compromise accounts.

This strategy puts all of the credential handling in your hands, and mistakes are costly. Clear signs of a wrong approach include serving the login form or submitting credentials over plain HTTP instead of HTTPS, and storing passwords in plaintext or under a fast unsalted hash (MD5, SHA-1, SHA-256) rather than a slow, salted password hash such as bcrypt, scrypt or Argon2, so that a database leak does not hand the attacker every password.

Brute-force attacks, password guessing, and credential stuffing are the common attacks on password login. A brute-force attack systematically tries candidate passwords (from a dictionary, or every combination) until one works. Password guessing targets a specific user using personal information, social engineering or phishing. Credential stuffing is the automated replay of usernames and passwords leaked from one site against another, and it succeeds because people reuse passwords. Mitigations include strong password policies (minimum length and breached-password checks rather than complexity rules), rate limiting and account lockout (applied carefully, since an attacker can also use lockouts to lock legitimate users out), two-factor authentication (2FA) with authenticator-app codes or one-time passwords (OTPs), and mechanisms like CAPTCHA on suspicious login attempts.

Single Sign-On (SSO) and Federated Credential Management:

Federated login is an approach that enables users to sign in to multiple web services or applications with a single set of credentials held by an identity provider (IdP) such as Google, Facebook or Twitter, instead of registering a password at each site. The user authenticates with the IdP, which issues an authentication token or assertion; the web service validates that token to establish the user's identity without ever handling the user's password. The Federated Credential Management API (FedCM) is a newer browser API that mediates this kind of sign-in without relying on third-party cookies; the underlying model is the same.


In a federated login flow, the web service redirects the user to the IdP during authentication. The IdP authenticates the user and issues an authentication token or assertion. The web service then verifies the token's validity: its signature, expiration, issuer, intended audience, and whatever other checks the protocol requires. Standardized protocols, SAML (Security Assertion Markup Language) and OIDC (OpenID Connect), define how the IdP and the web service exchange these messages securely.

Federated login offers benefits such as improved user experience, reduced password fatigue, and centralized management of user credentials. It simplifies authentication, concentrates credential handling at a trusted IdP that can afford to do it well, and enables single sign-on (SSO) across multiple applications.

Single Sign-On allows users to authenticate once and gain access to multiple applications or services without the need to re-enter credentials. SSO simplifies the authentication process for users, improves user experience by reducing the need to remember and manage multiple credentials, and enhances productivity by eliminating the need for repeated logins. It also helps organizations enforce consistent security policies and centralize user management.

There are various SSO implementations, the most common being those based on OpenID Connect (OIDC) and on Security Assertion Markup Language (SAML) 2.0. OIDC is an identity layer on top of OAuth 2.0 that provides a modern, flexible approach to SSO using JSON-based tokens (signed JWTs). Once the user is authenticated, SSO relies on session management to keep the user logged in across applications: each application typically establishes its own session, a secure, HttpOnly cookie holding an unpredictable session ID, after validating the IdP's token.

SSO integration requires coordination between the IdP and SP (Service provider) or your web service, including establishing trust, exchanging metadata, and implementing the necessary protocols and standards. Federated identity providers like Azure Active Directory, Okta, or Keycloak provide SSO identity and access management solutions for organizations.

To enable SSO across multiple domains or applications, SAML is used to exchange authentication and authorization data between an identity provider (IdP) and a service provider (SP). The IdP authenticates users and issues signed SAML assertions containing the user's identity, attributes, and authentication status; the SP validates the signature and relies on the assertion to grant access to its resources or services.

Practical considerations include carefully selecting reliable IdPs, handling tokens securely (validate the signature, issuer, audience and expiry; never accept a token just because it parses), and remembering that the IdP only answers who the user is: authorization inside your application is still your job.

Proof Key for Code Exchange (PKCE)

PKCE is a security extension to the OAuth 2.0 authorization code flow that protects against authorization code interception attacks.

The OAuth 2.0 authorization code flow exchanges a short-lived authorization code, delivered to the client through a browser redirect, for an access token. In the original design the client presented its client ID and client secret when redeeming the code. Single-page web apps, native and mobile applications are public clients: they cannot keep a secret, because anything embedded in the app can be extracted. Without a secret, anyone who captures the authorization code (for example a malicious app on the same device that registered the same custom URI scheme, or a leaked redirect) can redeem it for tokens. This is the authorization code interception attack, and PKCE (RFC 7636) was introduced to address it by adding a per-request proof to the flow.

With PKCE the client generates a high-entropy random code verifier for each authorization request and derives a code challenge from it (for the S256 method, the base64url-encoded SHA-256 hash of the verifier). The code challenge and method are sent with the authorization request, and the authorization server stores them alongside the authorization code it issues. When the client exchanges the code for an access token it sends the original code verifier; the server hashes it, compares the result with the stored challenge, and only then releases the token.

PKCE helps prevent authorization code interception attacks, even if the authorization code is intercepted in transit. It ensures that only the client who initiated the authorization flow can obtain the access token.

Additional Web Application Security Considerations

Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF):

  • XSS is a vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users. It occurs when an application does not properly validate or sanitize user-provided input before rendering it as part of the HTML response.
  • CSRF is a vulnerability that allows an attacker to trick authenticated users into unknowingly performing unwanted actions on a website or web application. It occurs when an application does not adequately verify the origin of a request, allowing malicious actors to forge requests on behalf of unsuspecting users.
  • Preventive measures include validating input on the server, encoding output for the context it is rendered into (HTML body, attribute, JavaScript, URL) so that user data is never interpreted as markup or code, a Content Security Policy that limits where scripts may load from, and anti-CSRF tokens (synchronizer or double-submit tokens) combined with SameSite cookies and Origin/Referer checks on every state-changing request.

Security Headers:

  • Security headers add a layer of protection that the browser enforces on your behalf. Examples include Content Security Policy (CSP, restricts which sources scripts and other content may load from, blunting XSS), Strict-Transport-Security (HSTS, makes the browser use HTTPS only), X-Content-Type-Options: nosniff (stops MIME-type sniffing), Referrer-Policy (limits what the Referer header leaks to other sites), and X-Frame-Options or the CSP frame-ancestors directive (prevents clickjacking by refusing to be framed).

Secure Session Management:

  • Secure session management protects user accounts and the data behind them by making sure a session cannot be stolen, guessed or pre-set by an attacker. That means unpredictable session identifiers, cookies carrying the Secure, HttpOnly and SameSite attributes, idle and absolute session expiration, regenerating the session ID on login to prevent session fixation, and invalidating the session server-side on logout.

Web security is a wide topic that requires continuous learning. The implementations discussed here are only a high level overview of the common strategies used. I encourage you to research and learn more on this topic.


Job Alex Muturi

Angular Developer | Angular Kenya Peer Mentor | Blogger | Tech Speaker