In 1995, Nicholas Negroponte, founder of the MIT Media Lab, wrote a book called Being Digital. In it he talks about the future of technology and how our lives will change as technology takes hold in the digital age.
One of the key themes Negroponte discusses is the idea that over time there would be a big shift from atoms – that is, tangible, physical objects – to bits – of course meaning digital information.
He talks about music shifting from CDs to digital files – got that one right. And he even jokes about how this book itself, made up of atoms, will someday be replaced by its digital version.
Now, nearly 20 years later, we see much of his foresight coming true. But there is one aspect of technology that we deal with as software developers that really shows that shift, and that is security.
Nearly everyone in this room probably has a keychain in their pocket. On my keychain I have 2 car keys, a house key, and keys to 2 padlocks. The key chain is a basic tangible – or in Negroponte’s terms, atomic – representation of my ability to access something. If I have the key, I can open the door.
Of course, the digital analog to the keychain is the various methods by which we – as software developers – control access and identify users.
The manifestation of that access control is the login form. We’ve gotten very familiar in the modern web age with the login form.
The essential login form pattern has 6 elements to it:
The services we interact with have their own logins.
But we’ve even reached a state in today’s technical world where even your grocery store has a login.
For us as software developers, the login form itself is the easy part. But what we really worry about is what happens when you click that Sign In button. And that is where the discussion for identity management really begins.
In any given web app or system there are two essential security concepts we have to manage.
First we have to know who a user is. That is authentication: are you who you say you are? We do this by asking for some kind of identifying information, typically a username and password or PIN.
Second, we have to determine whether you have permission to use the resource you’re asking for. This is authorization. We do this by checking a role, or by querying an Access Control List of some kind.
I like to think of it like a hallway with lots of doors along it. Kind of like in the Matrix. Authentication gets you into the hallway. But authorization determines whether or not you can go into any of the doors.
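To make the hallway-and-doors distinction concrete in the framework this talk is about, here is an added example (not code from the talk or from Microsoft’s templates) of how the two steps look in an ASP.NET MVC 5 app on ASP.NET Identity 2.1. It assumes the ApplicationSignInManager class that the VS2013 project template generates, a LoginViewModel defined here for illustration, and an "Admin" role and auditor address that are made up for the example. The sign-in call is the authentication step; the [Authorize] attributes are the authorization step.

```csharp
// Added example: authentication vs. authorization with ASP.NET Identity 2.1.
// Assumes the VS2013 template's ApplicationSignInManager; role and user names are invented.
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

public class LoginViewModel
{
    public string Email { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

// Authentication: "are you who you say you are?" -- what happens when Sign In is clicked.
public class AccountController : Controller
{
    private ApplicationSignInManager SignInManager
    {
        get { return HttpContext.GetOwinContext().Get<ApplicationSignInManager>(); }
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid) return View(model);

        // shouldLockout: true enables the account-lockout behaviour added in Identity 2.0
        SignInStatus result = await SignInManager.PasswordSignInAsync(
            model.Email, model.Password, model.RememberMe, shouldLockout: true);

        switch (result)
        {
            case SignInStatus.Success:
                return RedirectToLocal(returnUrl);
            case SignInStatus.LockedOut:
                return View("Lockout");
            case SignInStatus.RequiresVerification:
                // Two-factor step: the SignInManager tells us a second factor is needed
                return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = model.RememberMe });
            default:
                // One generic message for unknown user and wrong password alike,
                // so the form does not reveal which accounts exist.
                ModelState.AddModelError("", "Invalid login attempt.");
                return View(model);
        }
    }

    private ActionResult RedirectToLocal(string returnUrl)
    {
        // Only follow returnUrl when it points at this site (avoids open redirects)
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}

// Authorization: once you are in the hallway, which doors may you open?
[Authorize]                                  // any authenticated user may enter the hallway
public class ReportsController : Controller
{
    public ActionResult Index()              // a door open to everyone who is signed in
    {
        return View();
    }

    [Authorize(Roles = "Admin")]             // this door checks a role
    public ActionResult Delete(int id)
    {
        return RedirectToAction("Index");
    }

    [Authorize(Users = "auditor@example.com")] // this door checks an explicit (tiny) ACL
    public ActionResult Audit()
    {
        return View();
    }
}
```

Note that a failed role check on an authenticated user still results in a 401 from the filter, which the cookie middleware turns into a redirect to the login page; if you want a distinct "forbidden" page for users who are in the hallway but not allowed through a door, override HandleUnauthorizedRequest in a derived AuthorizeAttribute.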
Historically then, we used to create our own security models and access control systems. We’d create our own database tables with a field for username and another for password.
Then in 2005, Microsoft introduced ASP.NET Membership – which gave us a head start. This system has been around for nearly 10 years. And while it has a few quirks, it is a pretty enduring platform.
HOW MANY PEOPLE have either created or currently maintain a system that uses ASP Membership?
Membership provided a flexible yet basic mechanism for providing authentication and authorization. And yet in the past 10 years a lot has changed.
This happened. Social media has taken the internet by storm, and with these huge, global user bases, suddenly there was an alternative to using my own local list of users and passwords.
Then Microsoft itself drove the concept further with Azure, OneDrive and Office 365. With these various cloud offerings, now we began to connect our internal infrastructure to the cloud – and we needed our security mechanisms to go with it. Or in the case of Azure – we might just fully outsource our Directory services altogether – so now we need the software we create to use that as its security guard.
So in light of these trends, Microsoft released ASP.NET Identity as part of Visual Studio 2013. This is really a ground-up rethinking of how identity management and access control should be implemented, taking into consideration the state of the modern web and the shortcomings of the ASP.NET Membership system.
Improved persistence – ASP.NET Membership was oriented around a relational database model, and if you wanted to use an alternate data store it was lots of custom code. Identity uses Entity Framework Code First, making it much easier to modify the schema or the target platform. OWIN – Open Web Interface for .NET – a standard interface between .NET web servers and web applications – has authentication handlers to support pluggable modules. Not dependent on System.Web.
There have actually been 3 releases of the ASP.NET Identity framework. The 1.0 release came with the launch of Visual Studio 2013. Version 2.0 released in Spring of 2014 as a NuGet-only release. It included several major updates for account lockout, password confirmation, and two-factor authentication, as well as some code improvements. Version 2.1 just launched in August and was bundled with Update 3 for VS 2013. It introduced a SignInManager that will allow you to quickly enable or disable login behaviors such as 2FA.
File / New Project; explain the VS2013 dialog; show the Authentication selector.
Build and run the new app; Register; Login.
Walkthrough: assemblies, controller, database, object model.
Update data schema – need to add fields in new tables for all the fields in old tables. Use a SQL script to copy records from old to new tables. Compress password hash + password salt + password format into the PasswordHash field.
What's New in ASP.NET Identity - TRINUG Sept 2014
TRINUG: SEPTEMBER 10, 2014
• Update Data Schema
• Script copying of user records into new schema
• Update ApplicationUser object
• Add a PasswordHasher to handle existing passwords and register it with the UserManager
• Write migration code to retrieve profile data and save to user.
• Test and verify
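The PasswordHasher step above is the security-sensitive part of the migration, so here is an added example of one (this is not code from the talk or from Microsoft). It assumes the copy script packed the three Membership columns into Identity’s PasswordHash field as "hash|salt|format", that the old provider used its default hashed format (format 1, SHA1 over salt + UTF-16LE password), and the ApplicationUserManager and ApplicationUser classes from the VS2013 template. Identity 2.x only checks that the verification result is not Failed and does not rehash by itself, so the example also includes a small helper the app calls after a successful sign-in to replace the legacy hash with Identity’s PBKDF2 format.

```csharp
// Added example: an IPasswordHasher for ASP.NET Identity 2.x that accepts migrated
// ASP.NET Membership hashes ("hash|salt|format") and flags them for re-hashing.
// Assumes the migration script's packing format described above; class names are illustrative.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

public class LegacyMembershipPasswordHasher : PasswordHasher
{
    public override PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        if (string.IsNullOrEmpty(hashedPassword) || providedPassword == null)
            return PasswordVerificationResult.Failed;

        string[] parts = hashedPassword.Split('|');
        if (parts.Length != 3)
        {
            // No separator: this is already an Identity (PBKDF2) hash, so defer to the base class
            return base.VerifyHashedPassword(hashedPassword, providedPassword);
        }

        string storedHash = parts[0];
        string salt = parts[1];
        int format;
        if (!int.TryParse(parts[2], out format) || format != 1)
        {
            // Only Membership format 1 (Hashed) is handled here. Clear (0) and Encrypted (2)
            // records should be converted by the migration script before go-live.
            return PasswordVerificationResult.Failed;
        }

        byte[] expected = Convert.FromBase64String(storedHash);
        byte[] actual = Convert.FromBase64String(ComputeMembershipHash(providedPassword, salt));
        bool match = FixedTimeEquals(expected, actual);

        // Matched a legacy hash: signal that the caller should store a modern one
        return match ? PasswordVerificationResult.SuccessRehashNeeded : PasswordVerificationResult.Failed;
    }

    // Reproduces SqlMembershipProvider's default hashed format:
    // Base64(SHA1(saltBytes + UTF-16LE(password))), with the salt stored as Base64.
    public static string ComputeMembershipHash(string password, string base64Salt)
    {
        byte[] passwordBytes = Encoding.Unicode.GetBytes(password);
        byte[] saltBytes = Convert.FromBase64String(base64Salt);
        byte[] all = new byte[saltBytes.Length + passwordBytes.Length];
        Buffer.BlockCopy(saltBytes, 0, all, 0, saltBytes.Length);
        Buffer.BlockCopy(passwordBytes, 0, all, saltBytes.Length, passwordBytes.Length);
        using (SHA1 sha1 = SHA1.Create())
        {
            return Convert.ToBase64String(sha1.ComputeHash(all));
        }
    }

    // Compare every byte rather than stopping at the first mismatch
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class LegacyPasswordUpgrade
{
    // Wire-up: in ApplicationUserManager.Create, set
    //   manager.PasswordHasher = new LegacyMembershipPasswordHasher();

    // Call this right after a successful PasswordSignInAsync, while the plain-text
    // password is still in hand, to replace a migrated hash with Identity's PBKDF2 one.
    public static async Task UpgradeIfLegacyAsync(ApplicationUserManager manager, ApplicationUser user, string password)
    {
        if (user.PasswordHash == null || !user.PasswordHash.Contains("|"))
            return; // already an Identity hash

        // HashPassword is inherited from PasswordHasher, so this produces the modern format
        user.PasswordHash = manager.PasswordHasher.HashPassword(password);
        await manager.UpdateAsync(user);
    }
}
```

Once every user has signed in at least once (or after a grace period in which remaining legacy records are force-reset), the legacy branch can be removed so the SHA1 path no longer exists in the application.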