In my spare time I have long been thinking about the existing methods of authentication: weighing the pros and cons of the different concepts, and so on. Of the solutions that are viable in my opinion, we currently have the following:
1. Classic method: after registering on the site, you enter your login and password and voilà, you are in. A time-tested method, but rather burdensome for the end user.
Pros: versatility, a well-worn scheme of work, familiarity to the user thanks to long use.
Minuses: the time spent registering on each of the resources you need, and the need to store / remember a set of login / password pairs.
A small digression: I don't know about you, but I am often annoyed by having to remember and enter various logins and passwords a hundred times over, even though there are plenty of tools to automate this; they are imperfect in how they work and, in my opinion, look like crutches (the browser saving personal data, all sorts of password stores, etc.).
A possible, partial way to solve the problem of remembering a login is to use your e-mail address instead; but for security you still need different passwords, hence only partial.
2. OpenID: briefly quoting wikipedia.org, OpenID is:
“OpenID is an open, decentralized, single sign-on system for sites, portals, blogs and forums. OpenID support for multiple sites allows the user to use a single login for authorization on any of these sites.”
In my opinion a very interesting scheme, and moreover convenient for the end user: register once and you can go wherever this technology is supported. And here come the minuses: the technology is relatively young and, in my opinion, poorly implemented at the moment.
In short, pros: relevance, convenience for end users.
Disadvantages: the relative youth of the technology (unfamiliar to users, viewed with suspicion) and the lack of support from large and popular resources (everyone would follow the giants at one speed or another, but that is their problem).
Technical points (criticism from wikipedia.org, which I partially share):
1. The OpenID provider may pass itself off as its user. This is possible either if the provider is dishonest or if it has been hacked.
2. The user must trust the provider, since it can find out which sites the OpenID owner has visited. On the other hand, the provider usually gives the OpenID user the ability to check on which sites the login was used, so that a password theft can be noticed.
3. OpenID has no built-in phishing protection (to obtain the user's password, a site may, instead of redirecting to the provider's page, display a fake page that looks like the provider's). However, many providers and additional programs (for example, Firefox extensions) offer such protection.
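Point 2 above mentions the one defensive tool the OpenID user actually has: the provider's record of where the identifier was used. The script below is an added example (not from the original post and not any real provider's code) of what such a review looks like from the provider's or the user's side. It assumes a hypothetical, constructed sign-in log format (timestamp, OpenID identifier, relying-party realm, client address, result); it lists the relying parties a login was used at, and flags sign-ins after a chosen baseline date that go to a relying party or come from an address that user has never used before, which is exactly the kind of event that hints at a stolen password.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in the shape of an OpenID provider's sign-in
# log. The format is hypothetical and not taken from any real provider.
SAMPLE_LOG = """\
2009-03-02T08:15:02Z user=alice.example.org realm=https://blog.example.com ip=198.51.100.7 result=ok
2009-03-02T09:40:11Z user=alice.example.org realm=https://forum.example.net ip=198.51.100.7 result=ok
2009-03-03T12:02:45Z user=alice.example.org realm=https://blog.example.com ip=198.51.100.7 result=ok
2009-03-04T02:17:09Z user=alice.example.org realm=https://shop.example.org ip=203.0.113.55 result=ok
2009-03-04T02:18:30Z user=alice.example.org realm=https://forum.example.net ip=203.0.113.55 result=ok
2009-03-04T02:19:01Z user=alice.example.org realm=https://mail.example.test ip=203.0.113.55 result=failed
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) realm=(?P<realm>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse_ts(value):
    """Parse the log's UTC timestamp ('2009-03-04T02:17:09Z') into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn the raw log into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a review tool should tolerate junk lines, not crash on them
        ev = m.groupdict()
        ev["ts"] = parse_ts(ev["ts"])
        events.append(ev)
    return events


def sites_used(events, user):
    """The 'where was my login used' view: relying parties with a successful sign-in."""
    return sorted({ev["realm"] for ev in events if ev["user"] == user and ev["result"] == "ok"})


def review_sign_ins(events, baseline_until):
    """Learn each user's usual relying parties and addresses from successful
    sign-ins before `baseline_until` (ISO UTC string), then flag later
    successful sign-ins at an unknown relying party or from an unknown address.
    The baseline is kept fixed on purpose: every event of a suspicious burst
    is reported, not just the first one."""
    cutoff = parse_ts(baseline_until)
    known_realms = defaultdict(set)
    known_ips = defaultdict(set)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "ok":
            continue  # only completed sign-ins tell us where the login was used
        user = ev["user"]
        if ev["ts"] < cutoff:
            known_realms[user].add(ev["realm"])
            known_ips[user].add(ev["ip"])
            continue
        reasons = []
        if ev["realm"] not in known_realms[user]:
            reasons.append("new relying party")
        if ev["ip"] not in known_ips[user]:
            reasons.append("new client address")
        if reasons:
            findings.append((ev["ts"].isoformat(), user, ev["realm"], ev["ip"], ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Sites where alice's login was used:", sites_used(evs, "alice.example.org"))
    for finding in review_sign_ins(evs, "2009-03-04T00:00:00Z"):
        print("REVIEW:", *finding)
```

With the constructed log, the two successful sign-ins on 4 March from the unfamiliar address are reported (the first one also for an unfamiliar relying party), while the failed attempt is left out of the "sites used" list, since it never became a sign-in.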
Considering all the above, I conclude: the most acceptable way is to combine the classic method and OpenID, leaving the choice to the user.
However, by old habit, let me dream a little on this topic :)
Imagine being able to store, in one place, the amount of personal data needed both for authentication and for presenting partial information about yourself (since this is a dream, I propose to set the question of privacy aside), with a convenient way to register and update personal data, a high level of protection and, of course, as the icing on the cake, support for the technology by at least the largest projects.
For complete happiness it would be very nice to add the ability to access data stores à la FTP with such an ID, as well as various IM services (well, ICQ will probably drop out, but with Jabber it would be possible); and personally I would also like something like a history of actions with your ID, both for security and against bouts of forgetfulness: which file you uploaded where, where you downloaded from, which sites you wandered through, etc.
So, as planned, what came out is something like a slightly patched OpenID with a social touch. If there is interest, I will try to write a separate topic with an abstract scheme for implementing what is described above.
I will also add that a large corporation with extensive experience in web technologies, such as Google, would really be in a position to do this.
Thank you for your attention; out of habit I will say that everything above is my IMHO, that I welcome meaningful and critical comments and, of course, constructive discussion, because in my opinion the problem is quite pressing, even if not the most acute.
P.S. If you add some more interesting methods (preferably with links) or reasonable ideas regarding the ones described, I will gladly add them to the topic.