add service to service ideas and password best practice ideas

2023-10-07 10:45:07 -06:00
parent 596dc91bf4
commit faeee51d6b

@ -92,8 +92,31 @@ The following list was derived from https://identitymanagementinstitute.org/laye
* Password hash storage
* Limited accountability - sharing of passwords
* Less convenience compared to biometrics or other technology
* WebAuthn or other asymmetric cryptography is mostly fantastic for user experience and security
* How it works will be discussed in the Asymmetric Cryptography for Authentication chapter
* There is a large user experience hurdle to implementing asymmetric cryptography for applications. Users are not use to managing keys. When keys (or devices) are lost, how does one recover an identity?
### Asymmetric Cryptography for authentication
* The case for WebAuthn and other asymmetric cryptographic authentication
* It is almost accidentally multifactor, you have something, but in order to use it you need to unlock it with something you know or something you are. e.g. Your smartphone keeps the key in a special module that needs to be unlocked with the phone's security features (pin, password, FaceID or TouchID). Then that module can prove you 'have' the key using cryptography.
* Unlocking the key using a password is great because the password verification is local only, a password hash doesn't ever have to leave your phone or be stored in some database you don't control.
* Asymmetric cryptography allows for the private key to stay on the device while still being usable to prove you have the key. Using the private key you can sign messages. The recipient of the message can use your public key to verify the signature.
* The authentication system doesn't need to store any secrets or sensitive information in order to authenticate a user. This makes the authentication system a much less interesting target for attackers.
* Internal service to service authentication
* Some systems simply use a shared secret to generate symmetrical tokens
* Issues include, non-repudiation (you don't know for certain which service generated that key)
* Compromised keys give access to everything
* rotating the keys requires coordination (which some organizations try to avoid because it's 'hard')
* Google Cloud (and other cloud services) provide some authentication when a service is running in their cloud. Using their asymmetric authentication to prove the service is running in a place we trust we can issue credentials for our application.
* Requires that the system be authenticated by its host
* gives us non-repudiation, auditability and a bunch of other goodies
* allows us to apply authorization levels if desired
### Password Best Practices
* Policies tend to change as computers become more powerful
* NIST guidelines are great
* bcrypt, pbkdf2 and other hashing and storing suggestions
* Securing your database
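Review bot: the non-repudiation bullet under "Internal service to service authentication" ("you don't know for certain which service generated that key") mixes up key and token and understates the problem; suggest rewording to "you don't know for certain which service generated that token, because every holder of the shared secret can mint a valid one, so the verifier cannot tell issuers apart", which is the actual reason the asymmetric approach in the next bullet gives auditability. Two smaller points in the same hunk: "Users are not use to managing keys" should read "used to", and the "Password Best Practices" section would be more useful if "NIST guidelines are great" named the document (NIST SP 800-63B) and the hashing bullet mentioned a memory-hard option such as Argon2id or scrypt alongside bcrypt and PBKDF2, since the point of that bullet is "storing suggestions" and the rest of the chapter sends readers there for the password-hash storage concern raised at the top of the hunk.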