Hi friends,
I'm trying to remind myself what the normal and secure flow for an authenticated vs. unauthenticated user is. I've been using the web for an eternity, but I would like to be sure, and maybe you can guide me through this.
What are the authentication rules?
For instance, an authenticated user cannot sign in until he/she signs out. He cannot sign in while already signed in. What about redirections after these actions, etc.?
Is there any web resource to follow on this?
Of course, I'm using no library and implementing it myself via JWT.
All I need is a list to follow.
Thanks a lot
Top comments (3)
Glad to see you found the OWASP guidelines, they should help with technicalities!
Personally, I would recommend you start with articles like this one (found with a search for "authentication UX"):
uxmag.com/articles/app-login-desig...
which explain what decisions you as the service owner need to make about the user experience: based on the ease of access / convenience required, balanced with the damage that could occur if a malicious actor gained access to someone else's account / data (i.e. a data breach occurred).
Questions to ask yourself: is this a regulated service (such as banking or medical records, as the regulations may stipulate the access controls and UX)? Does the service hold / process information that is subject to GDPR (i.e. personal data about individuals), where you have a legal obligation to protect information and process it correctly? Would your service / organisation / company suffer material damage if there is a data breach? Given this understanding of the data you hold / process, would you be comfortable delegating authentication to a social network (i.e. Facebook, GitHub, etc., where account takeovers are a regular occurrence), or delegating to a commercial user-management service (e.g. Okta, Azure, which focus on strong authentication), or would you need local account management (along with all the extra work this involves in building user account management processes and software) to ensure sufficient control?
Taking dev.to as an example - it's a social network itself, does not hold any information that is subject to GDPR and is not a regulated industry - as such they are happy to allow authentication from some social networks (Apple, Twitter, Github), or to create a local account (Forem).
Thank you so much Phil, very nice article indeed. I don't think my service would hold or process information subject to GDPR. Of course, it is something to keep an eye on.
Again, thank you; the article in the link is a gift.
Update:
I'm aware of the OWASP security checklist.
Also, I found this one, which is nice: cloud.google.com/blog/products/ide...
But still, I'm looking for an overall strategy for the perfect user experience.