Make one resolution this year. Never write your own Authentication
I've seen a few blogs recently and tweets talking about authentication and handling passwords, it got me thinking...
I'm going to start by caveating. I'm all for learning how authentication works, if you're anything like me, I learn best by doing, so I've played around with authentication locally. But don't roll it out to production.
Authentication is often the linchpin in the security of your application. If we've seen anything over the last few years that data breaches of applications are only increasing, so application security has to be top of the priorities. There is plenty to think about too about securing your application even before you get to your authentication system.
Thinking about writing your own authentication?
What about cookies?
Cookies are plaintext, so you don't want to put anything secret in there and visible to anyone using the computer. Is it using the Path argument to limit the cookie to your application? Is it shared over subdomains? It is Secure and only available over HTTPS connections? What about Cross Site Scripting (XSS) attacks?
Okay so you've dealt with cookies. But maybe your storing data in browser storage - please never store anything sensitive or personal identifiable information (PII) in browser storage - have you ensured this is as secure as possible? e.g. using session storage rather than local.
What about limiting the number of requests? So that someone could not keep trying lots of different passwords. How are you going to implement rate limiting? IP based; cookie based etc. Do you lock out specific IP addresses after X attempts? What about valid users who get locked?
Now let's talk about passwords. Are you going to set password requirements? If so, what are you going to make them? Are you going to check if that password has been compromised using https://haveibeenpwned.com/ for example? How are you storing the passwords? What happens if someone puts in a really long one, say generated by a password manager, is it going to get truncated? (I've seen this happen many times) How are you hashing and salting the passwords? Please Please never keep passwords in plaintext.
So, you're storing them in a database somewhere. How are you protecting that database to ensure its not breached? If the database does get breached how are you limiting that to as few records as possible? What about the network security around the database?
The list goes on, and on and on and on...
So, you're thinking alright, you've made your point, so what options do I have.
Well, fortunately you are in luck! There are now plenty of IDaaS (Identity as a Service) offerings. They often have great free tiers, for example Azure B2C has 50,000 Monthly Active Users...FREE!
As with anything you need to find the best for your use case so I'll list a few below for you to check out:
These companies have literal teams of people working to ensure that their authentication is secure and it's their business to make sure it is!
In summary, authentication is hard! There is a lot to think about, my list here only scratches the surface and some of it you will still need to consider e.g. general database security. But there are plenty of authentication providers you can use, even for free!
Stick to what adds value to your application/business! Leave the authentication to the companies whose job it is 😄
Let me know your favourite authentication providers below!