Quick Guide on Core of Application Security — Authentication & Authorisation
A 4 minute guide to understand one of the key of application security
When we talk about Application Security, people will normally think of firewall, encryption, etc. They are defined as Server-level security. In fact, authentication & authorisation are also the keys in application security that they are something you are familiar with and use it everyday (e.g. password, thumb print or facial recognition).
In this story, we will explore the basic of authentication and authorisation to let you gain the foundational concepts of application security.
Starting with the definitions
Authentication is the act of proving an assertion, such as the identity of a computer system / application user
There are two common types in authentication — Local authentication and External authentication.
External authentication — Your identify, credentials and password management are handled by external identity providers (IdP). OAuth2 is one of the external authentication being used in daily life which get user identify from the federation (e.g. Microsoft, Twitter, Facebook, Google, LinkedIn).
Local authentication — instead of using an external identity provider. The users just create accounts on the stack using their email address/ user name and a password of their choosing. For local authentication, the identify, credentials and password management are handled by application itself.
The key considerations of authentication are following,
- Customer experience — External authentication could deliver better customer experience that users do not need to register a new account with extra password management
- Security concerns — Some financial applications (e.g. online banking) should not be using external authentication like FaceBook, Twitter, Google due to security concers. Local authentication should be used with strong password protection policy
- Systems/Applications integration — Some applications may not support external authentication due to the limitations from the code base / there is no available library
Authorisation is the function of specifying access rights/privileges on website/application/system to users
Authorisation follows the application / system design and configuration. Different applications / systems have different privileges could be setup. Common privileges are Read-only, Read-write, Read-write/Reject delete.
Since it will be super time consuming if the autheroisation need to be setup for each indivdual, role-based authorisation is the resolution to save the efforts that the privileges are assigned to a role (e.g. developer, end-user, system admin). Then the users will be granted with one or more roles to operate / use the systems.
The key principle of authorisation is Principle of least privilege (POLP) that you should not grant everyone as system administrators / super users. It means enforcing the minimal level of user rights, or lowest clearance level, that allows the user to perform his/her role.
To make it simple, you can treat the authentication as your identity card. With the identity card, you could enter and stay at your country. Authorisation will be your rights along with your identity card (e.g. you are a Green Card holder in the United States which allows you to live and work permanently).
Are OTP / MFA also authentication methods?
One Time Password (OTP), also known as one-time PIN or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. It’s very common in online credit card payment confirmation, password reset, initial registration, etc.
OTP is the extra layer of security to prevent unauthorised usage or to avoid number of shortcomings that are associated with static password-based authentication. Nowadays, some applications/websites will use OTP to replace the static password-based authentication.
Multi-Factor Authentication (MPA), also known as Two-Factor Authentication (2FA) is an electronic authentication method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence.
In our daily life, MPA/2FA is normally optional because it will impact the user experience, require longer time to login or even create inconvenience (e.g. your phone is not with you but you need to login to your bank account). But it’s highly recommended for those financial related applications (e.g. online banking, credit card applications) as extra layer of security since the consequences of unauthorised access could be huge.
With the evolving of mobile applications and increasing of cybersecurity risk, the important of authentication & authorisation keep increasing. It could impact everyone no matter you are developers / application end-users. Hope this story explains more about authentication & authorisation behind the scenes.
Learn more on Authorization & Authentication
Application Security foundation — LDAP and SAML
In my last story, I’ve given a quick introduction on Authentication and Authorization. How does it actually work in the…