Securing your app
A key goal of any product is minimal friction in user interaction, but we cannot simply let everybody access sensitive data. Delivering the right information to the right user becomes an integral part of the process; if not, you will be easy pickings for data leaks and you are at risk. The authentication and authorisation method is one of the key aspects that shapes a user's first impression of the product.
But how can we authenticate a user? Some of the general ways of identifying a logged-in user are:
Password-based authentication: Passwords are the most common method of authentication. A password can be a string of letters, numbers, or special characters. To protect yourself you need to create strong passwords that combine all of these options.
Token-based authentication: Token-based authentication enables users to enter their credentials once and receive a unique encrypted string of random characters in exchange. The token is then used to access protected systems instead of entering the credentials all over again; the digital token proves that you already have access permission. Use cases of token-based authentication include RESTful APIs used by multiple frameworks and clients.
Multi-factor authentication: An average person has around 25 online accounts, and maintaining different passwords becomes tedious, so people tend to reuse passwords across accounts. When you are phished or attacked, all of those accounts are at risk.
To avoid the above scenario, we can add an additional authentication layer by verifying the user through a source other than the username and password, such as sending a unique code to his/her phone or email.
Biometric authentication: Biometric authentication is a security process that relies on the unique biological characteristics of an individual, such as a fingerprint, eye scan, voice recognition or face recognition. You can add biometrics to your multi-factor authentication process.
Certificate authentication: Certificate-based authentication identifies users, machines or devices by using digital certificates.
The certificate contains the digital identity of a user, including a public key, and the digital signature of a certification authority. Digital certificates prove ownership of a public key and are issued only by a certification authority.
Users present their digital certificates when they sign in to a server. The server verifies the digital signature and the issuing certificate authority, then uses cryptography to confirm that the user holds the private key associated with the certificate.
Passwordless authentication: Passwords have always been vulnerable to attack, and it is hard to maintain strong, unique passwords for different accounts. By minimizing reliance on passwords, or eliminating them altogether, you automatically diminish their value to bad actors and improve your security posture. Passwordless authentication uses more secure alternatives such as possession factors (one-time passwords [OTP], registered smartphones), biometrics (fingerprint, retina scans) or magic links sent by email.