Authentication Fundamentals

Here I'll talk about the factors that you may consider in crafting the authentication part of your web apps.

Your needs may vary depending on your use cases, be it for B2E (Business to Employees), B2B (Business to Business), or B2C (Business to Consumer). What matters is your awareness of these options and necessities that you may leverage for a better sense of security and control.

Provisioned sign-ups

Provisioned sign-ups are done for workforce identity for B2E (Business to Employees) purposes. An example is when you are onboarding a new employee within your recruitment cycle.

Provisioned sign-ups are also done for customer identity for B2B (Business to Business) purposes. An example is when you are onboarding a new client within your sales cycle.

In these cases, your website administrators are expected to create the accounts for your employees or clients. The new users may then receive a special sign-up link, a randomly generated password, or a passwordless authentication process that only requires their email address.

Self-service sign-ups

Self-service sign-ups are done for customer identity for B2C (Business to Consumer) purposes. An example is when a user discovers your product / service and is eager to try it out.

In this case, users are expected to create their own account using the publicly available sign-up forms. How users are identified varies from platform to platform: email address, phone number, or username.

Basic Authentication

Basic Authentication, in the sense used here, is the simplest way for your users to sign in: an identifier plus a password.

  • Email + Password
  • Phone Number + Password
  • Username + Password

Social Authentication

Social Authentication lets users authenticate using their accounts on social platforms.

The most common way is through the OAuth 2.0 protocol.

  • Sign-in with GitHub
  • Sign-in with Google
  • Sign-in with Twitter
  • Sign-in with Facebook

Multi-factor Authentication

Quoting Wikipedia:

Multi-factor authentication (MFA; two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism.

The factors are:

  • Knowledge: something you know
  • Possession: something you have
  • Inherent: something you are
  • Location: somewhere you are

Here are a couple of examples:

  • User provides the verification code received at their email address or phone number
  • User generates a Time-based One-time Password (TOTP) using an authenticator app
  • User plugs in a YubiKey, then presses the YubiKey button once

The list can go on depending on the security demands of your project, for example fingerprint or retina scans.

Passwordless Authentication

Passwordless Authentication lets users sign in without a password.

Here's an example:

  • User enters email address
  • System sends sign-in link to email address
  • User clicks sign-in link
  • User is now signed in

Another example:

  • User enters email address
  • User plugs in a YubiKey
  • User presses the YubiKey button once
  • User is now signed in
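The email-link flow above, implemented as an added example (not code from the original post): the link carries a random single-use token, only the token's hash is stored server-side, and the link expires after a fixed time. The store, URL and time-to-live are assumptions for illustration.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Hypothetical in-memory store standing in for a database table.
# Only the SHA-256 digest of the token is kept, so a leaked table does not
# yield usable sign-in links. Assumed TTL: 15 minutes.
LINK_TTL_SECONDS = 15 * 60
_pending: Dict[str, dict] = {}  # token_hash -> {"email": str, "expires": float}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_sign_in_link(email: str, now: Optional[float] = None) -> str:
    """Steps 1-2: user enters email, system creates a single-use sign-in link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy, not guessable
    _pending[_digest(token)] = {
        "email": email.strip().lower(),  # normalise so the same mailbox maps to one account
        "expires": now + LINK_TTL_SECONDS,
    }
    # Constructed URL for the example; a real deployment emails this to the address.
    return f"https://example.test/auth/callback?token={token}"


def redeem_sign_in_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 3-4: user clicks the link. Returns the signed-in email, or None on failure."""
    now = time.time() if now is None else now
    # pop() consumes the record, so a link works exactly once even if replayed.
    record = _pending.pop(_digest(token), None)
    if record is None:
        return None  # unknown, already used, or forged token
    if now > record["expires"]:
        return None  # expired link: user must request a fresh one
    return record["email"]


if __name__ == "__main__":
    link = issue_sign_in_link("Alice@Example.com")
    tok = link.split("token=", 1)[1]
    print(redeem_sign_in_link(tok))  # alice@example.com
    print(redeem_sign_in_link(tok))  # None: second click is rejected
```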

Risk-based Authentication

Risk-based Authentication is best explained by Okta here: okta.com/identity-101/risk-based-authentica..

Single sign-on (SSO) Authentication

Single sign-on Authentication is pretty much like Social Authentication, except that you sign in using the workforce account your company provisioned for you, instead of your accounts on common social platforms.

Vendors sometimes charge extra for it; see the examples here: sso.tax

Account Recovery

  • Can the users recover their account if they forget their password?

Session Settings

  • Can the users view their active sessions?
  • Can the users end their active sessions?

Profile Settings

  • Can the users update their public profile, such as their name and photo?

Notification Settings

  • Can the users update their notification preferences?

Rate Limits

  • What are your sign-up limits per IP address per 24 hours?
  • What are your recovery code limits per account per 24 hours?
  • What are your recovery code limits per IP address per 24 hours?

Logs

  • Can the administrator see the logs of authentication events?

Security