jiten Profile picture
Apr 4 41 tweets 6 min read
Passwords are insecure, and in-memory session storage doesn't scale. The second part of this series describes how I have seen developers solving these two problems.
The era of in-memory session storage

When my team started using in-memory session storage to remove database bottleneck, unknowingly, my team had hit upon a solution that lasted for a long time (and continues to be used by many companies).
The standard operating procedure with Memcached (and later Redis) was simple- The in-memory cache/database stored session and login information. Applications and services queried the session service on every request.
Things were terrific; Facebook contributed a lot to Memcached.

Redis became very popular for storing sessions because it provided disk-backed storage. Even if the in-memory database crashed, all customers didn't have to log in again (which was the case with Memcached)
Facebook and the rest of the industry soon realized these session stores were the Achilles' heel for their evergrowing empire.
Password insecurity

My friend Sanjog reminded me that the excellent developer community solved the dictionary attack problem for /etc/password nearly 35 years ago with /etc/shadow.
Password insecurity

Unfortunately, I got to see many platforms that were vulnerable to this attack well after the year 2000.
Password insecurity

Developers and security experts knew they had to do something about passwords. One of the earliest attempts I recall was from RSA (Wikipedia tells me that RSA tokens came out in 2006, I almost forgot it was called keyfob).
Password insecurity

RSA sold hardware dongles, and I saw some of my friends using them to access financial information. RSA hardware tokens were my first introduction to OTP (one-time-password).
Password insecurity

I didn't use the RSA dongles myself, so I don't know if they were part of a multi-factor authentication paradigm, but I am sure they did inspire the industry.
Single Sign-On

Another way the industry has tried to get rid of password security (partially) is by introducing various single sign-on methods. OAuth2 and SAML are popular technologies that allow this in entirely different environments.
Single Sign-On

B2C (business to customer) environments prefer OAuth2, and B2B (business to business) environments often prefer SAML integrations.
Single Sign-On

In 2002, I met a prominent Indian media conglomerate with 34 island properties and ways to log in to each property; unfortunately, the single sign-on project didn't go through. Sometimes I think about how solving that problem in 2002 could have taught me so much.
Single Sign-On

Between 2003 and 2007, I had moved to telecom and only heard about OpenID from developer websites like Slashdot.

For some reason, I thought Yahoo got the short end of the stick with the OpenID project, and their engineers were responsible for implementation.
Single Sign-On

While OpenID is not very popular, and Facebook is not part of the project, a similar OAuth2 has become extremely popular.

Until I looked up the details for OAuth for this post, I didn't know Twitter was a big player in the OAuth journey.
Single Sign-On

I can still recall how early Twitter clients asked users to enter their user names and passwords and how bad apps could use the credentials for nefarious activities.
Sessions, move over. JWT to the rescue

At this point, the developers decided it was super costly to have all services (or centralized API gateways) hitting in-memory session stores for all requests. What's the best way to avoid this lookup?
Sessions, move over. JWT to the rescue

Interestingly, the solution goes back to the naive implementation of sending user id, logged-in state, etc., in cookies or headers.
JWT to the rescue

Applications sign the payload and ensure someone can not tamper with the login id and logged-in status like they could in plain text cookies.
JWT to the rescue

JWT or JSON Web Tokens standard first came out in 2010 officially. I remember failing an interview a couple of years later for not knowing about the technology.
JWT to the rescue

My knowledge was limited to HMAC, one of the available options for implementing JWT integrity.

With JWT, a token once issued by the login service is valid for a custom-defined duration, and everyone receiving the token can validate the token to allow access.
JWT to the rescue

It was surprising for me to know that the first version of Angular2 didn't even implement cookies, and JWT was the only way to authenticate by default.
JWT is not free of issues

JWT makes it challenging to implement features like logout and "log out of all devices" it's also tricky to invalidate selective tokens for blacklisting users. But competent engineers have found some great solutions.
JWT is not free of issues

JWT has tried to solve cookie protection by using HttpOnly cookies; this was an old trick that developers started using for security session cookies and is equally effective for JWT.
JWT is not free of issues

My security friends tell me that XSS, XHR Response Chaining, and other exploits exist, but this is an excellent first-level defense.
JWT is not free of issues

I have had instances where JWT's (or cookies carrying them) became too big for our CDN or API gateway. It's natural for my team and me to think about opaque sessions at these times because large JWT sizes contribute to request latencies.
JWT is not free of issues

The central session storage doesn't look too bad with API gateways in place.

We (the developers) found a way to store extra information with sessions; I see developers applying the same poor practice to JWT.
JWT is not free of issues

It's very tempting to send PII (Personal Identifiable Information) in JWT, and for most compliance and security practitioners, PII in JWT becomes a nightmare.
JWT is not free of issues

Another thing that bothers me about JWT is that we have two choices to validate tokens: 1) Share JWT secret with all services. 2) Share JWT with CDN edge or API gateway so that JWT verification is possible outside of the application.
JWT is not free of issues

I'm not too fond of either option. From what I have read so far, I like what Netflix has done with its passport mechanism.
OTP and its cousins

While my first brush with OTP was with RSA tokens, I now regularly see SMS OTPs, Email OTPs, and even URL OTPs. SMS or Email OTP is an excellent path to go password-less.
OTP and its cousins

My favorites are HOTP and TOTP. Hardware tokens used HOTP or HMAC based OTP, and I have also used a variant of HOTP to simulate signed URLs.

I haven't used TOTP in production, but the technology and standard are fascinating.
Future of authentication

I don't have much direct experience with biometric auth, but I am confident we will see it being used in online services too. Biometric + multi-factor auth that Edna Mode from The Incredibles used might be unusual, but I expect to see a combination.
Future of authentication

While I can't claim to predict the future of authentication, I expect to see new methods that make authentication faster. Even newer methods that plug the security gaps, the faster methods exposed would follow, and the cycle would repeat.
Future of authentication

Astute readers would point out that I am talking about authentication here but sometimes get into authorization territory. I wish I could keep them separate in writing or coding consistently.
Future of authentication

While writing this article, a friend told me that there are now standards for device authentication- I haven't used FIDO2, WebAuthn-2, but they are a step in the right direction.
Tell me about your authentication stack. Are you using JWT or central session storage? Are you using password-based or password-less logins?
I have written more about this topic on my blog: jeet.world/how-authentica…

#jeetkagyan
If you liked this thread, please RT
I regularly write about technology, mobile, web, product, and startups. If you are interested in these topics, please follow me.
You can read the first part here:

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with jiten

jiten Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @jiten

Mar 22
What do engineers want from their PM (product manager) counterparts?

I have discussed this topic with several PMs and engineers in the past and sharing what I learned in this thread.

#jeetkagyan
In this two-part series, I want to first write about what I have learned about what engineers want in the last 20 years before we go to what they desire from PMs in the second part.
☠️ Disclaimer 1: I don't claim to be an expert who has conducted scientific research on the topic. A lot of this understanding comes from a relatively small sample set and may have a lot of biases.
Read 38 tweets
Feb 21
I have done a few startups and joined some startups as an early employee; nowadays, I talk to and mentor multiple startups today. The startups I focus on are internet startups, and here are some tools and methods that I invariably see them using. 🧵 👇

#jeetkagyan #startups
1️⃣ Internal Communication

After buying a domain, one of the first things is to set up an email and other team communication systems. I have been exclusively using Google Suite and Slack for the last 7-8 years and recommend the setup for new startups.
2️⃣ Version Control

If you are writing code, collaborative code version control is a must-have from day one. After using CVS, Clearcase, SVN, and git, I have stuck with git for the last decade. Bitbucket, Github, and Gitlab are good enough services. I have used Github the most.
Read 23 tweets
Feb 7
JavaScript has come a long way in the last 20 years. When I started working on the web in 1997, most websites were static. When I clicked on a button or link, the web page was refreshed.

A thread on how I saw JavaScript evolving 🧵 👇

#jeetkagyan #javascript
👴 The early days

Things changed quickly, and we started to recognize the power of JavaScript. Making pages interactive became fashionable, and HTML was briefly renamed to DHTML (Dynamic HTML) by part of the industry.
👴 The early days At this point, we used JavaScript primarily for simple interactions, and many developers used Flash for websites that genuinely wanted to be interactive. Flash at that time was better than the Java Applets we were developing a year ago.
Read 39 tweets
Jan 17
I was a lousy manager. I want to talk about my top 6 mistakes here.

These are also the mistakes that most of us starting on the managerial path make, and hence I hope some of the readers will learn from my mistakes and avoid making them on their own.

#management #jeetkagyan
ℹ️ Not giving critical feedback properly

I managed a small team and project; I was not happy with some of the crashes we saw in production. I reviewed the code for this product and found several glaring mistakes. I blasted the developer in front of everyone.
ℹ️ Not giving critical feedback properly

Years later, one of the team members became friends and told me it was her first day, and she was petrified of me, and her focus was on avoiding mistakes instead of creating innovative products.
Read 27 tweets
Jan 15
My team today uses React Native and while I might still consider native iOS and Android apps for some applications, I would invariably look at React Native (RN) as a worthy option.

What are your favorite React Native features? Here are mine - 🧵 👇
🔥 Hot reloading - Anyone who has done serious Android development or testing knows that they end up spending upwards of an hour every day in 20+ compilations they do daily. Hot reloading in RN saves a lot of this time.
💫 Code Push - I have already written about how Code Push can be a savior a lot of times for developers trying to fix a nasty bug in production. Code Push also manages to short circuit the slow iOS approval process.
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(