Flutterby™! : Auth Sucks


Auth Sucks

2014-04-21 01:36:24.491497+00 by meuon 5 comments

I'm having to build a set of normal human facing web interfaces that allow "logging in" in multiple ways, that include the possibility of a person logging in with an email address and password that is on multiple accounts. It's wrong for many many reasons, but for this possible business process flow, it's needed. Normally, I force a 1:1 relationship of the login to the account and use "basic auth" for everything. It sure solves a lot of issues from the programming perspective.

As I do my "updating my thought processes, process" I found a helpful overview of securing sessions with PHP, and as good as it is, it also grates on me how bad authentication is on the web as a whole. Cookies and sessions and encryption and hashes and identity and.. and.. are just intertwined in terribly b0rken and complex ways and we keep breaking the rules to "make it work" and be easier for the end users...

[ related topics: Software Engineering Work, productivity and environment Cryptography ]

comments in ascending chronological order:

#Comment Re: made: 2014-04-21 06:00:49.261041+00 by: Shawn

You may be interested in Secure Quick Reliable Login (SQRL). My only exposure to it has been listening to him talk about it on his podcast, Security Now, but it sounds worth investigating and is on my short list.

#Comment Re: made: 2014-04-21 14:51:44.102739+00 by: meuon

I like it: SQRL looks really kewl and useful for tech savvy users and specific places for not so savvy users. My issue is I'm enabling the general population to pay some bills online. So I have to get them to enter in some information from an invoice to match them up with an existing account and billing information so we can make sure they are paying on the correct account. It's a little softer info. You'd love the discussions:

They need to be able to login with their email address. Do you have valid email addresses for your customerz? No. Our billing system is from 1990, we have a place for fax numbers but it only takes numbers.

#Comment Re: made: 2014-04-25 08:19:28.869058+00 by: Shawn

I started cringing halfway through your comment :-|

#Comment Re: made: 2014-04-28 19:56:22.51254+00 by: Jack William Bell

Seen this post by Tim Bray? https://www.tbray.org/ongoing/When/201x/2014/04/28/Auth0

#Comment Re: made: 2014-04-29 01:14:37.787812+00 by: meuon

Re: Auth0 not my kind of thing for religious reasons, but I have to admit: Active Directory Integration is a powerful nut to crack for an enterprise hosted web application when the client wants to use it.