Welcome to Topic 7 – Authentication Processes
In the 2020s, it is a basic, foundational expectation of users that their data is kept secure. Developers with a good reputation for their security processes will earn more trust from the market.
Authentication is the process of checking that someone who is trying to access a system actually has authority to do so. It could be referred to as a handshake, and it begins when a user applies for an account. Authentication also happens when they make subsequent log ins, and when they try to access new or more protected information or parts of the system.
Nowadays, usernames and passwords might be still the most common way of authenticating with an app, but it is becoming less and less accepted. To keep information and systems safer we need multi-factor authentication.
Multi-factor authentication (MFA)
Multi-factor authentication is using more than one factor/method to access an app or account. For example, you are logging in to an app and after entering your username and password, you then have to enter a 4-digit code sent to your mobile phone by text message.
Single-factor authentication, such as username & password is simply not enough anymore. Two-factor authentication is minimum and multi-factor is even better. Let’s unpack this further by looking at what other factors there are for authentication, because folks, the era of biometrics is here!
Three types of authentication factors
Systems can use all kinds of methods/factors for authentication, but they typically come under the following three categories:
- Something you know
- Something you have
- Something you are.
Something you know
This category covers things like a person’s account or client number, a password or PIN number, or a security question such as:
- What is your mother’s maiden name?
- What street did you live on when you were growing up?
- What was the name of your first pet?
Something you have
This category covers things like your phone, a key, an access code fob, or an email account. Magic links are the latest trend on the authentication factors stage. You enter your email address (something you know) on the login page, and you get a one-time 1-hour only link sent to your email account (something you have). All you need to do is click on the link in your email and that takes you back to the app, authenticates you, and lets you in.
Something you are
This is what we call biometrics – something that is unique about you, such as your fingerprint, your face, and even your retinas, these things are all being used already, by regular people as factors for authentication.
It is generally agreed however, that these biometric methods can be more secure, with finger-print scanning being the easiest to trick, and retinal scanning being the hardest to fool. In these days of mask-wearing, retinal scanning might make more sense than face scanning, but so far, only limited phones have retinal scanners. Of course, the technology is improving all the time so newer phones with these types of authentication systems will be more secure than ones with older tech. Because these technologies are quick and effective, but not fool proof, they can either be combined with other factors to provide stronger security when needed, or they can be used on their own where low level security is needed, for example just for unlocking your phone.
No need to set up your own authentication protocol
With passwords, there are ‘security’ methods that backfire or simply turn off users too, so it is very important to put thought into your security practices.
For example, businesses are now moving away from requiring users to reset their password monthly. It was found that their new passwords were often very similar to their old passwords, such as using the same password and adding a number at the end that just increments each time the password is required to change such as MyP@ssw0rd1, MyP@ssw0rd2… making the passwords easier to crack, especially if hackers found a user’s old password. This regular password change requirement also results in some users writing down their passwords and leaving them close to their computer.
A common practice that easily frustrates users is requiring all sorts of different characters and a certain character length in the password, but not laying out those requirements from the start, as shown in the following scenario.
Can you feel the exasperation?
These are just a couple of simple examples of why developers choose to use a reputable authentication service than trying to create their own, let alone the cost and time involved. Also, consider the ongoing cost of maintaining the system and keeping all that personal information safe. As an app developer, you shouldn’t have to design an identity management system or maintain a database of usernames and passwords. Leave that up to the security experts.
But how does third party security work?
Use authentication tokens and identity providers to protect personal information
As soon as you start developing apps that manage personal information, you are a target for hacking and potential identity theft. So how do we avoid that and how does it work?
Imagine you’re visiting a hotel on holiday. When you check in at the front desk, you will be asked for your passport and credit card so they can check that you are who you say you are.
Then an ‘access token’ will be issued to you – a digital hotel room key. This ‘token’ does not contain any of your personal information, all it says is that the person bearing this card (you) has access to this door until x expiry date.
This means you don’t have to keep your passport handy to reauthenticate every time you want to access your hotel room on your holiday. This means your passport and personal information is much safer.
Best case scenario is to have the user verify their identity and create their account using a third-party identity provider (IDP), who will issue the user with an access token allowing them to do X, Y, and Z in your app until a certain expiry date. This means that your app doesn’t hold or process any personal information belonging to the user, and you are not putting your users at risk of identity theft.
Introducing Google Firebase
Google is a well-respected and trusted brand. Their Firebase product is a system made up of several elements or modules that can be used to develop apps. However, if you use another way of creating your app, you can still implement just the Firebase Authentication module to help you securely manage sign up and sign in. You can use it for Android, iOS, and web apps. It is very quick and easy to implement.
With Firebase Auth you can allow users to log in using their existing log ins, such as email/password, GitHub, Google, Facebook, Twitter etc.
Watch Introducing Firebase Authentication (Firebase, 2016) [1:40] to learn a little more about how it works before you move on to setting it up.
Setting up Firebase authentication
Study this tutorial to learn how to implement email authentication on Firebase auth
Official documentation from Firebase on email authentication
Study this tutorial to learn how to implement Google authentication on Firebase auth
Official documentation from Firebase on Google authentication
Study this tutorial to learn how to implement Facebook authentication on Firebase auth
Official documentation from Firebase on Facebook authentication
Firebase database
Firebase also offers a great cloud-based, real-time database you can utilise for your app. Have a look at these links to learn all about it and how to implement the Firebase database.
Watch Introducing Firebase realtime database (Firebase, 2016) to learn more about the benefits of using this with your own app.
Have a look at this Firebase basics tutorial to learn about how to implement the basics of Firebase database with your app.
Finally, here is a guide which advises developers on how to integrate Firebase authentication and Firebase database if you wish to use both.
<p><iframe allowfullscreen="allowfullscreen" frameborder="0" src="https://cms-uped.baseux.com/h5p/5055/embed"></iframe></p>
