Preface

Now you're going to build a system . Regardless of the function of the system , User authentication is always a function . Implementing it should look simple —— just “ Drag the ” Some off the shelf authentication modules , Or use some basic options （ for example Spring Security） Configure it , It's done. .

Is that right , No, it isn't . The above is a superficial description ( For example, to implement a search engine, just an input box and a search button ？？), Correct identification is extremely complex . It's not just a login form -> Check the user name / password -> Set up cookie, There are many other issues to consider ：

• Cookie Security How to ensure cookie Will not leak or cannot be forged . Whether to use cookie, Or use JWT Such stateless methods , Use SameSite Loose or strict ？

• binding IP If IP change , take cookie Bound to the IP And log off the user ？

• Password requirements Minimum length 、 Special characters ？ User interface to help you choose your password ？

• Password storage Store passwords in the database ——bcrypt、scrypt、PBKDF2、SHA Multiple iterations ？

• Password free login Allow storage in the browser , It's usually “ yes ”, But some applications deliberately hash it before sending it , Make it impossible to automatically store

• Account style E-mail 、 User name and mobile number —— Do you need a user name ？ Allow changes to email 、 Phone number ？

• Limit login errors several times Restrict authentication attempts – How many failed login accounts should be blocked , How long should the administrator receive notification or at least record the locked account ？ Every IP、 Is the limit per account a combination of these ？

• Verification Code Do you need a verification code , Which one , How many attempts are allowed ？ Is refreshing the verification code an option ？

• Password reset Password reset token database table or with HMAC Expired Links ？ Restrict password reset ？

• SSO Should your service support LDAP/ActiveDirectory Authentication （ May be ）, Whether it should support SAML 2.0 or OpenID Connect, If the support , Which? ？ Or all ？ Whether it should only support SSO, Instead of internal authentication ？

• 2FA – TOTP Implement the whole 2FA( Two factor certification ) technological process , Includes enabling / Ban , Or backup code ; Do not request... For a specific device for a period of time 2FA To add options ？ Based on some group memberships , To configure AD/LDAP User subset Authentication ？

• Force configuration 2FA Configure the mandatory settings through the administrator 2FA – Activate after global option is enabled 2FA Time window of ？

• One time login Log in through the link – Whether the option of sending a one-time login link via email is supported ？

• XSS Protect Make sure there is no XSS Loophole , Especially on the login page （ XSS Can steal cookie）

• Authentication log Private authentication log - Keep a history of all logins , Including time 、IP、 The user agent

• Force cancellation Whether you need to log off the function of the logged in device .

• Allow mobile devices to remain logged in Whether to keep the mobile device logged in —— What should the client store ？（ Of course not password plaintext ）

• Save user login address Capture the user's login time zone and store it in the session to adjust UI Time in ？

• TLS Mutual authentication If we need to support token authentication using private keys , We should enable TLS Mutual authentication . What should be in the certificate Library ,Web Whether the server supports two-way per page TLS Or should we use subdomains , If there is a load balancer / Reverse proxy , Whether it supports and how to forward certificate details ？

• Whether the activation step is required Need to activate the account or let the user log in immediately after registration ？ Back office account approval is required ？

• Initial password settings Initial password settings for the account created by the Administrator - Generate the initial password and force changes on first login ？ Instead of generating a password and starting with the password reset process ？

• Login exception detection How to detect login exceptions , Should users be notified by any means ？ Whether to rely on third-party tools （ for example SIEM）, Or built-in such functions ？

Authentication is a basic function of every application . But many developers or PM Don't pay attention to it .IT It's a complicated world , Nothing is simple . Sending email is not easy , Authentication is not easy , Logging is not simple . Handling strings and dates is not easy , Cleaning up input and output is not easy .

We're building frameworks and tools , To help us do all these things well enough . We should actively deal with these problems , Think about them and make the right plan .