Web authorization: what could it be?

I would like to collect in one place all the currently known "simple" methods of authorization/registration on web resources and their features (simple in the sense of not requiring special devices such as smart cards, fingerprint or retina scanners, etc.). Well, let's try...

At the moment I know of such methods:

1. Simple authorization on the site
Found everywhere; naturally, it is only possible after registering on the target resource, and implementing it usually requires a login/password pair supplied by the user.
Pros: ease of implementation, reliability.
Cons: different credentials for different sites that need to be remembered, which is not always possible.

2. OpenID authorization
Quite an interesting authorization method, which requires registration with a so-called "identity provider"; the "relying party" is the target resource (site) that tries to identify the user. The peculiarity of this method is that registration on the site itself is not required, and one identity provider can serve many sites.
More details can be found, for example, here: http://ru.wikipedia.org/wiki/OpenID
Pros: one common username and password for one provider, and therefore for all resources; convenience (no need to remember multiple accounts for different sites); speed of use; security (the password for the provider account is not passed to the target resource (phishing aside), so interception is also ruled out).
Cons: for the time being, the low prevalence of the method; the sites most users need that support OpenID can be counted on the fingers of one hand; and centralization is not always a good thing.
Examples of sites using the method: LJ, My Circle
Identity provider example: MyOpenID.com
Variations of the method: ".NET Digital Passport", a proprietary development by Microsoft, which has nevertheless gained some distribution.

Well, those were the more or less popular ones. Now let's consider the "exotic":

3. Enum authorization
The essence of the method: binding the "account" to a mobile phone number. When registering on the site of such a provider, the user is given a link from which he installs a Java application on his phone. To log in on sites that support this method, the user enters his e-mail address; the site responds by showing a number that must be entered into the previously installed application. After the control number is entered, the phone screen shows a resulting number, which must then be entered back into the site where authorization is taking place.
Something like OpenID, so it inherits some of its features:
Advantages of the solution: ease of implementation and use, security (the method rules out interception of credentials that could be reused for another login)
Disadvantages: low distribution of the method; binding to a phone that can be stolen or lost, or simply may not be at hand when needed. Example Enum provider

4.
I even find it hard to give this method a name. A universal account, or something like that. I first saw it on the site of the Russian Jabber community. The essence of the method: to post comments on that site you need a registered account, but not necessarily at jabber.ru itself; an account on any Jabber server will do! Really convenient.
(At the time of writing, the method does not work: a connection error to the remote server occurs and the engine considers the entered password incorrect; I tried it with a gmail.com account, and it used to work here...)
Well, the pros and cons seem obvious: many people now have Jabber accounts, so it is convenient. But then the question of trust in the site immediately arises, because having seen you log in under your account once, a dishonest administrator could do the same again; that is a minus. Still, the site can be considered "thematic", and a similar method on another site would simply be unjustified because of the different audience.

5. Authorization by certificates
I do not consider it necessary to describe this in more detail, because it can be implemented in very different ways, from installing a certificate on the computer (the same OpenID providers, for example MyOpenID.com) to a simpler way... I saw a live implementation of this method, and used it only once, on the Anti-Scam forum: after normal registration you can go into your profile and download a "certificate" for yourself, a file with a key, then hide it somewhere safe and forget about it, remembering it only if the password is lost; the certificate will help reset the forgotten password. Not authorization in its pure form, but it is about certificates :) You can also read more about certificates.

6. "One-time" authorization link
Just an example: after the usual registration on any forum, an e-mail with an address-confirmation link is sent to the specified e-mail address. The link works only once, and its purpose is the same: to confirm that the owner of this address registered on that forum. But sometimes, when clicking such a link, the user lands directly in his account without entering a login and password, which is also convenient. A similar method is also used to reset passwords. So, in general, it is also an authorization method.
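The one-time link above stands or falls on three properties: the token is unguessable, it is burned after a single use, and it expires. The following is an added example, not code from the original post; the forum host, the in-memory store and the one-hour lifetime are assumptions. It also separates confirmation tokens from password-reset tokens by purpose, so a link issued for one cannot be spent on the other.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory store: sha256(token) -> record. A real site would
# use its database, but the checks below are the same.
_TOKENS = {}
TTL_SECONDS = 3600  # assumed lifetime of a link: one hour


def _digest(token: str) -> str:
    # Only the hash of the token is stored, so a leaked table does not
    # hand out usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(email: str, purpose: str, now: Optional[float] = None) -> str:
    """Create a single-use token bound to the e-mail address and return the
    link that would be mailed to it. purpose is e.g. 'confirm-email' or
    'reset-password'; the hypothetical host forum.example is a placeholder."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _TOKENS[_digest(token)] = {
        "email": email,
        "purpose": purpose,
        "expires_at": now + TTL_SECONDS,
        "used": False,
    }
    return f"https://forum.example/confirm?token={token}"


def consume_link(token: str, purpose: str, now: Optional[float] = None) -> Optional[str]:
    """Validate and burn the token. Returns the bound e-mail on success and
    None if the token is unknown, already used, expired, or issued for a
    different purpose. Marking it used before acting on it is what makes
    the link genuinely one-time, even if it is clicked twice."""
    now = time.time() if now is None else now
    entry = _TOKENS.get(_digest(token))
    if entry is None:
        return None
    if entry["used"] or now > entry["expires_at"] or entry["purpose"] != purpose:
        return None
    entry["used"] = True
    return entry["email"]
```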

Findings:
Some of these methods are somewhat similar to each other, but have different sets of advantages and disadvantages. At the same time, methods 2 to 6 do not do without an initial "simple" registration and authorization.
And what am I getting at? That when creating a regular project, the issue of user authorization/registration must be thought through well.

I look forward to constructive criticism.

UPD:
Thank you all for the comments and corrections. I also apologize for not being able to take an active part in the discussion; it was not possible because of my studies. :)

Source: https://habr.com/ru/post/28443/