Authentication Strategies

By: Johnathon Wright on: January 30, 2017

Just thinking about all the possible authentication strategies and tokens:

Single Auth Token

As a user, I want to authenticate for a single request, no session or authentication persistence, for API purposes or downloads. I assume it was a thing before this, but I was introduced to it by AuthLogic, long may it reign.

Looks like:

POST domain.test/invoices.xml?token=sometokenhere


GET domain.test/reports/65432.pdf?token=sometokenhere

Instance-based key

As a user, I want to be able to send a link to a non-user so that they can look at just this one page without having to authenticate because I know they should have access to this one piece of information.

Looks like:

GET domain.test/reports/65432.pdf?key=sometokenhere
  • You wouldn't want to use the same param as for auth-based
  • You can either store a key OR you can derive one based on some set of fields. Note that in the first case, you can reset the token if it becomes exposed. In the second case, you gain simplicity. Each case must be judged on its own merits.

Here's an example of generating a token based on some input:

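require 'digest'

# Derive a short key from a seed (e.g. a record id) and a server-side secret
def token(seed)
  sha256 = Digest::SHA256.new
  digest = sha256.digest(seed.to_s + SOME_SECRET_CONSTANT)
  return Digest.hexencode(digest)[0..10] # first 11 hex characters
end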
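
The stored-versus-derived trade-off from the list above, as an added example that is not code from the original post. It swaps the plain hash for HMAC-SHA256 at full length and checks keys with a constant-time comparison; `SHARE_SECRET`, `SharedReport` and the method names are assumptions made for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Assumption: constructed demo value; a real app loads this from configuration.
SHARE_SECRET = 'constructed-demo-secret'

# Constant-time comparison, so response timing does not reveal how many
# leading characters of a guessed key were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Derived key: nothing to store, but it only changes when the secret or the
# fields fed into it change. Including the record type in the input keeps a
# key for one kind of record from being valid for another with the same id.
def derived_key(kind, id)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), SHARE_SECRET, "#{kind}:#{id}")
end

def valid_derived_key?(kind, id, presented)
  secure_equal?(derived_key(kind, id), presented.to_s)
end

# Stored key: random, kept with the record, replaceable if it is exposed.
class SharedReport
  attr_reader :id, :share_key

  def initialize(id)
    @id = id
    reset_share_key!
  end

  # Replacing the key invalidates every link already sent out.
  def reset_share_key!
    @share_key = SecureRandom.urlsafe_base64(24)
  end

  def valid_share_key?(presented)
    secure_equal?(@share_key, presented.to_s)
  end
end
```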

Perishable Token

As a user, I want to authenticate and create a session using a token that expires when used OR after some short lifespan so that I can reset passwords.

This idea also came to me through AuthLogic, long may it reign.

One tricky thing about perishable tokens. You need them to create a session because you're going to (a) show a form and (b) change the password. But some developers might want the user to have to log in after resetting the password, and wouldn't want them to see a menu that would allow them to not reset their password. So you have to add some extra logic around being partially authenticated, or allow the perishable token to live past its first use. So that's weird.

In the past I've put this token on the user. But I'm starting to think it belongs in its own table now.

perishable_tokens table:

  • key
  • user_id
  • created_at - datetime
  • expires_at - datetime
  • used_at - datetime
  • rescinded_at - datetime - an administrator may choose to rescind one or all open tokens

This way you keep a history of attempts, which may be interesting in terms of finding patterns if you suspect some kind of And obviously if expires_at is in the past or used_at is not NULL, it isn't valid. And you might want some validation around not having more than one per user.
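
The validity rules for that table, as an added example that is not code from the original post. `PerishableTokenStore` is a hypothetical in-memory stand-in for the table, and the 15-minute default lifespan and the choice to rescind a user's open token when a new one is issued are assumptions.

```ruby
require 'securerandom'

# One row of the perishable_tokens table described above.
PerishableToken = Struct.new(:key, :user_id, :created_at, :expires_at,
                             :used_at, :rescinded_at) do
  # Open means: not used, not rescinded, not yet expired.
  def open?(now)
    used_at.nil? && rescinded_at.nil? && expires_at > now
  end
end

# Assumption: in-memory stand-in; a real app would use its ORM and perform
# the redeem step as one transaction or conditional UPDATE.
class PerishableTokenStore
  def initialize(lifespan: 15 * 60)
    @lifespan = lifespan
    @rows = []
  end

  # Issue a token. Any open token for the same user is rescinded first,
  # so there is never more than one live token per user.
  def issue(user_id, now: Time.now)
    rescind_all(user_id, now: now)
    row = PerishableToken.new(SecureRandom.urlsafe_base64(32), user_id,
                              now, now + @lifespan, nil, nil)
    @rows << row
    row.key
  end

  # Returns the user_id at most once per token, nil in every other case.
  def redeem(key, now: Time.now)
    row = @rows.find { |r| r.key == key }
    return nil unless row && row.open?(now)
    row.used_at = now
    row.user_id
  end

  # What an administrator (or a fresh issue) does to a user's open tokens.
  def rescind_all(user_id, now: Time.now)
    @rows.each do |r|
      r.rescinded_at = now if r.user_id == user_id && r.open?(now)
    end
  end

  # Rows are never deleted, so the history of attempts stays queryable.
  def history(user_id)
    @rows.select { |r| r.user_id == user_id }
  end
end
```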

Link-Through Authentication

As a lazy user, I want a link in an email to log me in automatically.

Everyone is booing. I hear you. I know, it flies in the face of web security. Banks should avoid this. But I saw it being done by Motley Fool and I think it's a good fit for their audience. Probably older. Probably not tech savvy.

I don't mind it. If you own the email address you own the account, so who cares.

One thing is how long these links should live. sends you a one-use link. But there are some very-low-security sites for which auth-until-password-reset might be ok!

Any others?

