Introducing Ultimate Web Authentication Handbook

Lenatics Solutions Pvt. Ltd. · Published in CodeX · 7 min read · Oct 27, 2023

Amazon Links:

USA: https://www.amazon.com/Ultimate-Web-Authentication-Handbook-Cryptography/dp/8119416465/

India: https://www.amazon.in/Ultimate-Web-Authentication-Handbook-Cryptography/dp/8119416465/

Others: Please refer to the country-specific Amazon sites based on your location.

Here is an outline of the book from the preface.

The COVID-19 pandemic not only affected approximately 640 million people worldwide but also resulted in 6.6 million casualties[1]. The disease spared no one, affecting people from developing nations to the most developed ones. Despite all the lockdowns and travel restrictions, the world has moved on. Life has not come to a standstill. The pace at which the world embraced digital technologies helped overcome some of the need for physical interaction. People could work from home, share personal and private information, and continue communicating securely. Industries unused to remote working opened up to employees working from home. The internet was a great enabler in all of this. However, the ability to trust the person accessing corporate resources is equally important. Organizations deployed authentication systems, and these helped in providing secure access.

India launched a massive vaccination program to inoculate its 1.3 billion population. To date, 2.2 billion doses of the vaccine have been administered[2]. The vaccine had to reach all the eligible people in order of priority, with each dose tracked. COWIN, a vaccine management platform developed by the Govt of India, was used to track patients and medical practitioners. SMS OTP-based authentication is used for the COWIN portal. India has only about 60% smartphone penetration[3]; a more sophisticated authentication platform could not have reached the masses.

As much as networking and the internet have become a necessity for digitization, there is a growing need to keep information and user identities secure in this connected world. Computers and user authentication have always gone hand in hand. However, technologies are constantly evolving. Today, almost all our transactions are carried out using the web as the communication interface. Only a few books provide a holistic view of all the user authentication platforms relevant to web authentication. We endeavor to provide a ready reckoner for programmers to understand the authentication protocols and work with them to integrate them into their application development. The book is composed of the following chapters:

Chapter 1: Introduction to Web Authentication: The World Wide Web has evolved organically. It started as a simple platform for information exchange. However, today it has become the backbone of Internet commerce, business, education, governance, etc. Had we set out to design a system this complex with so much extensibility in mind, it would have been almost impossible. The underlying protocol of the web, HTTP, is stateless. It did not have any native security model in place. State management was established at the application layer using constructs such as headers and cookies. Similarly, restrictions are placed on the protocol to ensure that browser communications remain secure. In this chapter, we will explore some classic security aspects of web architecture.

Chapter 2: Fundamentals of Cryptography: HTTP, although developed for information exchange, did not have many safeguards for state and user management. The transport protocols for HTTP did not have any default protection for the information exchanged. TCP/IP sends a packet to all the network devices without restriction. Only the intended recipient analyses the network packet and consumes it, while the other devices ignore it. In such an open communication world, for any information to be protected, the data itself must be encrypted so that an unintended audience cannot decipher the message. We will review some of the encryption technologies in this chapter.

Chapter 3: Authentication with Network Security: In the earlier chapters, we discussed how we can encrypt information. We did not show how it is applied to exchanging information. Fortunately, the network protocol designers recognized this complexity and solved it with two distinct architectures. One is at the transport layer, called Transport Layer Security (TLS), and the other at the IP layer, called IPSec. While both technologies utilize similar encryption techniques, the protocols and their usage are very different. We will be focusing on TLS in this chapter. HTTP over TLS as the transport is known as HTTPS and is used in most browser communication today.

Chapter 4: Federated Authentication - I: So far, we have only discussed individual services to which users connect, authenticate themselves, and gain access. However, in an organization, there are several systems based on functions or roles. An employee connects to the HR system to apply for leave, the payroll system for salary, or an IT incident management system to report the failure of a laptop. An HR team member will have administrative rights over the HR system, while even the CEO may have only user-level rights. Such granular policy controls are hard to maintain in every individual service. This gave rise to the domain of Identity and Access Management (IAM). IAM is a complex domain that caters to both applications and network configurations. One of the significant complexities seen was session management in web applications. A user who has logged in once to the organization's servers should not have to reauthenticate for access to any other server. This concept is called Single Sign-On (SSO). SAML was one of the most used protocols for Web SSO.

Chapter 5: Federated Authentication - II (OAuth and OIDC): While SAML started to solve the SSO problem for enterprises, it required mutual trust between the service provider (SP) and the identity provider (IdP). In the Web 2.0 world, this was quite limiting. Users wanted to show their Twitter and Facebook feeds on their web pages as mashup content. While such content is viewable on web pages, it should not be editable. A new paradigm of access control, or authorization, was needed to address this. In SAML, a few attributes or group memberships are good enough to establish access control for a user. OAuth started as an authorization protocol granting restricted access to a resource on behalf of its owner. However, it was extended into an authentication protocol with the OpenID Connect (OIDC) protocol. We will see some aspects of the OAuth and OIDC protocols and review the JSON Web Token (JWT), used to transmit authentication and authorization information.

Chapter 6: Multifactor Authentication: Passwords are open to brute-force and social engineering attacks. Hence, the industry is trying to move to a password-less model. However, the investment in passwords is so significant that moving away may take a few more years. In the past few decades, other authentication factors, such as something you have (tokens) and something you are (biometric authentication), have developed. They are used alongside password-based authentication to provide another layer of authentication. This is known as Multifactor Authentication (MFA). We saw one such technique with digital certificates. We will delve deeper into two standards: Open Authentication (OATH) and WebAuthn, based on Fast ID Online (FIDO).

Chapter 7: Advanced Trends in Authentication: We have discussed users producing credentials to justify a claim on their identity. An identity represents a human being, and the biometric, possessory, or knowledge attributes are mere credentials. There is a need to verify that the identity actually exists, supported by government records or documentation. This process is called identity proofing. Earlier, ID-proofing systems depended on physical verification by agents and manual approval. With advances in AI, such systems have moved to automated document feature extraction, face recognition, and other biometric data collection mechanisms. Governments have started developing citizen ID databases containing biometric information for verification. In industries where Know Your Customer (KYC) is a policy requirement, faster digital eKYC systems are in use. The KYC systems provide an authoritative database for identity. Additionally, network and device insights and assessments from security practice are leading organizations to adopt Zero Trust network security, in which authentication is becoming the backbone.

About the Author

Sambit Kumar Dash is passionate about bringing technology product ideas to reality. He has over 25 years of experience in product and business management, architecture, and research and development. His interests in technology extend to document technologies, computer security, artificial intelligence, and natural language processing. Sambit has conceived and developed a PDF reader library in the Julia language. This library is available on GitHub (https://github.com/sambitdash/PDFIO.jl). He is passionate about developing new technologies and has eight patents in document technologies, computer security, virtualization, and human-computer interfaces. Additionally, he provides product management consultancy to start-ups and early-stage ventures through Lenatics Solutions Private Limited (https://lenatics.in). He can be reached at sambit@lenatics.in.

About the Publisher

AVA™ is the newest addition to the Orange Education family, providing learners with a unique opportunity to learn about technology and business. Our label is focused on providing top-notch learning resources to help you polish your skills and stay up-to-date with the latest industry trends.

We believe that technology and business are inextricably linked, and mastering both is crucial to success in today’s ever-evolving world. Our carefully curated learning resources will help you bridge the gap between technology and business, enabling you to excel in your career.

Whether you’re a student or a professional, AVA™ is here to help you unlock your full potential. Our label is committed to providing you with the best learning experience, and we’re excited to showcase our resources on LinkedIn.
Let AVA™ — An Orange Education Label be your go-to resource for all things technology and business.
