Most Devs Forget These Steps When Adding Authentication

In todays fast-paced and ever-evolving digital landscape, security has become a top priority for businesses. One crucial aspect of any secure system is authentication the process of verifying the identity of a user or device. What might seem like a simple concept at first glance is in fact a complex and multifaceted endeavor when it comes to integrating it into software.

Each new step in authentications evolution has brought new methods to fix the errors of earlier ones, resulting in a complex system with numerous aspects to consider.

In this article, we will deep dive into the reasons why authentication has become such a complex part of software development and explore the different aspects that must be considered in order to ensure a seamless and secure user experience.

1. A brief history of authentication

1.1 Plaintext passwords and hash functions

The need for authentication first became apparent in the 1960s.

Computer science student Fernando Corbató noticed, that every user of MITs shared computer could freely access any other user's files and fixed that issue with the first rudimentary password system (in case you wondered about the origins of our company name, there you have it).

However, to compare these first passwords to the passwords users typed in, they were saved as plaintext within the system. This realization spurred programmers to hash the password in storage via cryptographic hash functions calculating a secret value that is difficult to transition back to the original password.

1.2 Dynamic passwords and asymmetric cryptography

The next leap in authentications evolution occurred in the mid-1980s. Dynamic passwords dynamic because they constantly change based on variables such as location or time (one-time-passwords) were introduced to combat the vulnerability of traditional static passwords. Still in use as one of the components of many modern two-factor authentications, they left quite some login legacy.

With the longest development time of them all, asymmetric cryptography saw the light of day in the late 1990s. First proposed as a mode of encryption by mathematician William Stanley Jevons in the 1800s, the concept was kept secret since the 1970s by US and UK authorities and then introduced to the market as public key infrastructure (PKI).

1.3 Modern days auth jungle

Multifactor authentication, which combines various of these authentication methods, gained widespread adoption in the 2000s, while single sign-ons (SSO) first allowed users to verify their identity through a trusted third-party. But it wasn't until the late 2010s that biometrics took the authentication world by storm,with fingerprints and facial recognition becoming the norm for smartphone unlocking. Finally, in 2022, big tech giants Apple, Google, and Microsoft united in the FIDO alliance announced to push passkeys into the market, making passkeys the new standard for web logins. With their unmatched security (based on PKI) and ease of use (based on biometrics), passkeys were set to revolutionize the world of authentication once again.

Todays world of authentication is as turbolent as ever, with passkeys, multifactor authentication, SSO, and traditional hashed passwords all being common authentication options in developers minds. Alongside the methods mentioned in the timeline drawn above, we have seen the rise of smaller yet impactful innovations such as social logins and email magic links. Software solutions like password managers have also become increasingly popular, empowering users to take control over their authentication experience. As we move towards a more decentralized web, web3 authentication is taking shape, promising to keep the wheel of evolving authentication spinning.

2. The different aspects of authentication and why they matter

By now you should have gotten a grasp on why building authentication for your website or app isnt just writing 10 lines of code and you're good, but rather choosing between 10 highly difficile solutions. But from a broader perspective lets now zoom in and ask, which of authentications exact characteristics make developers lives so hard during implementation:

2.1 Password requirements

First of all, you have to set password requirements, such as minimum length, the use of special characters or the requirement to change passwords on first login. If youve gone as far as to decide, your software should have authentication, you wont want your users to create "hello" and "cat" as their passwords.

Building a complex password, however, will most likely frustrate your users and even discourage them from using your service. Only by taking the time to consider the user experience when designing password requirements, youll not walk into that. Providing a UI that helps users select strong passwords can make the processless cumbersome and increase the likelihood that they will create a secure password. By taking the time to design password requirements that are both secure and user-friendly, you can enhance the overall security of your authentication process while also providing a positive user experience.

2.2 Password storage and protection

Secondly, storage and protection of passwords are critical aspects of authentication that can significantly impact the security of your software. Storing passwords in a database requires the use of salting and hashing algorithms such as Argon2id, bcrypt, scrypt, PBKDF2, or SHA with multiple iterations to prevent attackers from obtaining the actual password.

Additionally, you should consider whether to allow users to store their passwords in their browsers. While this may seem like a convenient feature, it can also increase the risk of password theft or unauthorized access. Some applications deliberately hash passwords before sending them, so they can't be stored automatically.

By carefully considering the storage and protection of passwords, you can greatly enhance the security of your authentication process and provide your users with a more secure experience.

2.3 Authentication security measures

Next, you'll need to implement various authentication security measures, including detection of login anomalies, cookie security, rate-limiting authentication attempts,and CAPTCHA implementation. Ensuring that cookies are not leaked or forged is crucial to prevent unauthorized access.

When it comes to rate-limiting authentication attempts , finding the right balance between security and user experience is essential. While it can help prevent brute-force attacks, overly strict rate-limiting can frustrate users and discourage them from using your service.

CAPTCHA implementation is another useful tool for preventing automated attacks, but it's important to get it right. Poorly implemented CAPTCHA can create a negative user experience, leading to decreased engagement and customer satisfaction.

Moreover, it's crucial to enforce logout when needed. By allowing users to stay logged in, they can quickly access your service, but it can also create a security risk if their device is lost or stolen. Therefore, providing the option to log out from all devices and enforcing it when necessary can enhance the security of your authentication process.

2.4 Account management

Account management is a crucial aspect of authentication that requires careful consideration, too. Before you decide between using email or username for your login, youll need to gain clarity on the particular use case and the service's preferences.

Implementing a secure password reset flow that includes a token database table or expiring links with HMAC can help prevent unauthorized access to user accounts.

Also, you might want to capture the user's login timezone to adjust UI accordingly.

With a robust user management system in place, you can ensure the security and convenience of your users' accounts.

2.5 Infrastructure

Finally, infrastructure considerations need to be taken into account, such as working behind a proxy and parsing the 'X-Forwarded-For' header.

Working behind a proxy can create challenges in identifying the actual client's IP address, as the proxy can mask it. Therefore, parsing the X-Forwarded-For header can help to retrieve the client's IP address even when working behind a proxy.

By carefully considering these factors, you can create a stable authentication system that provides a positive user experience while keeping sensitive information secure.

3. Corbado will help your prioritize security in your software development

Authenticating users just isnt a simple task anymore. It has evolved into a complex and multifaceted system that demands careful attention. As software developers, we must prioritize the various aspects of authentication to ensure our systems remain secure. From password requirements and storage to authentication security measures and account management, every element plays a crucial role in providing a secure and seamless user experience.

If you dont have the time to delve into the intricacies of authentication or prefer to allocate your resources to other areas of your project, that's where Corbado comes in. As a leading authentication aggregator, we offer a fully GDPR-compliant solution that is easy to implement, saving you time and resources while keeping your system secure.

Get started today with Corbado - forever free - to streamline your authentication process and enhance your user experience!