This document provides an overview of authentication and authorization concepts. It begins by distinguishing authentication (AuthN), which verifies identity, from authorization (AuthZ), which determines access privileges. The document then covers authentication methods like passwords, multi-factor authentication, and single sign-on. Authorization topics discussed include access control mechanisms, OAuth 2.0, and identity and access management (IAM) systems like Keycloak. The document emphasizes the importance of AuthN and AuthZ for security and provides references for further reading.
12. Boring theory
Authentication is the process of ascertaining that somebody
really is who they claim to be.
Authorization refers to rules that determine who is allowed
to do what.
14. Authentication
In contrast with identification, the act of indicating a person or
thing's identity, authentication is the process of verifying that
identity.
15. AuthN spectrum
- Passwords
- Cookies
- Single Sign-On
- Restrict Where and When Users Can Log In
- Two-Factor Authentication
- Certificate-Based Authentication
- Network-based security
23. Single Sign-On (SSO)
- Reduces password fatigue
- Reduces IT costs
- Less time spent re-entering passwords
- Mitigates risk for access to 3rd-party sites
25. OWASP Testing Guide
1. Credentials Transported over an Encrypted Channel
2. Default credentials
3. Weak lock out mechanism
4. Bypassing Authentication Schema
5. Vulnerable Remember Password
6. Browser cache weakness
7. Weak password policy
8. Weak security question/answer
9. Weak password change or reset functionalities
10. Weaker authentication in alternative channel
26. OWASP Testing Guide
1. Credentials Transported over an Encrypted Channel
2. Default credentials Apple issue
3. Weak lock out mechanism
4. Bypassing Authentication Schema
5. Vulnerable Remember Password
6. Browser cache weakness
7. Weak password policy
8. Weak security question/answer
9. Weak password change or reset functionalities
10. Weaker authentication in alternative channel
27. Rainbow tables attack
Huge databases of precomputed hashes
User Password Password hash (SHA1)
Alice password 5baa61e4c9b93f3f0682250b6cf8331b
7ee68fd8
Bob qjnN@*)!bsk dd3fb7f5e7e0b00e0794f0c73d5f3ba5
7197be24
Carrie my_p@s$w0rd! 700c311f7fe171eca2d0bc8f1e13bfa28
8944539
James qwerty123 5cec175b165e3d5e62c9e13ce848ef6f
eac81bff
28. Useful links
OWASP cheat sheet http://bit.ly/2NuEqEq
Have I been pwned https://haveibeenpwned.com/
Great self-security checklist from Volodymyr Styran
https://github.com/sapran/dontclickshit
32. Access control mechanisms
- Attribute-based access control (ABAC)
- Role-based access control (RBAC)
- User-based access control (UBAC)
- Rule-based access control
- Time-based access control
...and a lot more
36. OAuth 2.0
It’s an authorization delegation protocol, letting someone who
controls the a recourse allow a software application to access that
resource on their behalf without impersonating them.
It enables a third-party application to obtain limited access to an
HTTP service.
37. OAuth 2.0 is
...about how to get the token and how to use the token
...replaces the password-sharing antipattern with a delegation
protocol that’s simultaneously more secure and more usable
...focused on a small set of problems and solving them well
38.
39. Tokens
Access token - indicates the rights that the client has been
delegated. Have an option to expire automatically
Refresh token - get new access token without asking for
authorization again.
42. Scopes
A set of rights at the protected resource.
Scopes always limit what an app can do
on behalf of a user
https://auth0.com/blog/on-the-nature-of-oauth2-scopes/
47. AuthN + AuthZ = IAM
(Identity and Access
Management)
48. Access Management
Authentication
● Single Sign-On
● Session Management
● Password Service
● Strong Authentication
Authorization
● Role-Based
● Rule-Based
● Attribute-Based
● Remote Authorization
User Management
● Delegated Administration
● User and Role Management
● Provisioning
● Password Management
● Self Service
Central User Repository
● Directory
● Data Synchronization
● Meta Directory
● Virtual Directory
Identity Management
Identity and Access
Management (IAM):
Providing the right people with
the right access at the right time
49. IAM best practices
- Immutable Private Identifiers / Mutable Public Identifiers
- Decouple Biometrics from other PII
- Externalize Access Control Rules
- Self-Expressive Credentials
- Privilege Accounts are a Different Species
https://medium.facilelogin.com/ten-iam-design-principles-57351b6c69b2
57. Conclusions
For better understanding dig into system
Use heuristics to remember smth
Use cheat sheets and don’t trust your memory
Update your passwords and turn on MFA today