What Authentication System Should I Use For My App?

Captions
Welcome to this episode of Dev Questions with Tim Corey. Join us as we tackle the questions you are asking about a career in software development, understanding the industry, and new technology. If you are just starting out or you want to grow stronger as a developer, this is the place to get your questions answered. Now here's your host, expert developer and online educator, Tim Corey.

What authentication system should I use for my app? This is a question that came up on the suggestion site. I thought I'd tackle it in today's episode of Dev Questions. Now, if you have a suggestion, go to suggestions.iamtimcorey.com, leave that suggestion there, and hopefully you'll see your question answered on a future episode of Dev Questions.

So let's dive into what's the right authentication system for my app. Now, we're specifically talking about C# apps, but this really applies in general to any coding application of any type. And let's start off with my philosophy on authentication. I think this is a very important philosophy; I think it's one that you should adopt as well, but let me see what your thoughts are. My philosophy is: don't do it yourself. That's it, that's the big one. I see a lot of people create their own authentication system, especially when they're starting out, where they say, well, it's just a username and password, no big deal, I'll just, you know, check the password, make sure it's right, and then we're good to go. There is so much more to an authentication system than that. Don't do that.

Think of authentication like a bank. You know, you can have a safe in your own house. That works fine for you; it probably shouldn't be your only way of storing money, but, you know, for small stuff, no big deal. And if you have your own personal application and you create your own authentication system just for yourself, and it's a small little thing, it's just for you and doesn't have a lot of impact if you were to lose everything, no big deal. But that's kind of like that little safe in your closet or wherever in your house. But imagine if you had a business. Maybe, let's say, you sell cookies, and you decide, you know, I'm gonna store all of my customer information, all of my money, all of the credit card information for future charges, all of that I'll store in my safe in my house. Does that sound like a good idea? No, it doesn't, because there's so much more to storing and securing that besides just having it in a locked box. I mean, if you're strong enough, you can go pick that box up and walk out of the house with it, and theft does happen. So you don't want to see a business do that with your information; you wouldn't want to do that with somebody else's information. And that's why we have banks, because banks store our money and allow us to do a lot of stuff with it: transfer money, and make sure that, you know, when you take money out that's properly recorded, and when you put money in it's properly recorded. Who can take money out or put money in is important, and all those other things they provide around just storing money in a safe. There's a lot more to it. And that's the same thing with authentication: there's a lot more to it than just saying does this username match, does this password match, is this the correct pair. There's a lot more to it, and so don't roll your own.

Now, there are a few different authentication systems, or types of systems. Let's talk about the different levels, I would say, of an authentication/authorization system. We're going to just call it authentication, but really authentication and authorization are two different things. They're different parts of the same thing, really, where one says are you who you say you are (authentication), and authorization says do you have access to this. Okay, there's two different parts there; they really work together in a lot of ways. So I'm going to call it the auth system or authentication system for simplicity of talking.

Okay, so there's different levels of an auth system, and the first one I'm going to call level zero: don't do this. And that is a self-created system, a system you built yourself, that you create all of the security code for. Okay, that's the don't-do-this level. Then there's the self-hosted system, a system that somebody else builds but that you host. For example, if you use ASP.NET Core, you'll probably know there's a built-in authentication system, Microsoft Identity. That's built in, but you host it in your own Entity Framework generated database. That's kind of level one. Okay, and that's built right in; that can be a decent system. We'll talk more about it in a minute. Now, number two, I'd say, is that same self-hosted system, but you use a third-party OAuth provider such as Twitter, Facebook, Microsoft, GitHub, to authenticate the user. So they put in their Twitter credentials or their GitHub credentials, and then, you know, if you put in the GitHub credentials, GitHub says yes, that is Tim, and that's the authentication part. That's done by GitHub, which means you've offloaded a lot of work onto GitHub, because they handle password resets and they handle verification, they handle, um, two-factor authentication possibly, or many other things they can do, but they handle it. But then they tell you, okay, yes, Tim is who he says he is, and then you can say, okay, I'm going to authenticate him for my system, I'm going to authorize him to do certain things. So that's self-hosted; it's still that same Entity Framework database or some other local thing that you own, but you're using a third-party OAuth to authenticate a person. And then there's the next level up, which would be the third-party hosted, so everything is hosted by a third party: Azure Active Directory or Azure Active Directory B2C, Auth0, Okta, and many more out there. But these are systems where you probably pay something in order to have them do all the work. Okay, that's kind of like level three on this list. And then level four is that same thing, Azure AD or B2C or whoever else, but also using OAuth from third parties as well. So maybe you have an Azure AD B2C account, but you also allow them to authenticate using GitHub. Okay, so that's kind of the four levels that I see, plus level zero, which is don't do this.

Um, that's the different options you have. Which one is best? Well, it does depend on your situation. That's really the answer for most questions: it depends. But what does it depend on? And we'll talk more about that, but the big deal is to make sure that you choose what's right not just based off finances, but also based upon what the data is and how sensitive it is. Okay, the more sensitive the data, the more you should spend in making sure it's secure and safe. Okay, so you want to have, um, you know, ideal for third party is storage. For storage, that's the ideal, so go with third party for storage; that's probably the best option. And the reason why is because what is authentication, what is authorization, what are you doing? You're trying to secure something. Well, what's more secure: a safe in a closet, where maybe people have access even in that closet, or a safe inside of a warehouse that's guarded by security, inside of an organization that tracks and monitors who comes on the property? Like, there's different levels, right? So when it comes to your safety, your data, maybe it's better, it is better, if you let somebody else do that as opposed to your one little server, right? Um, and there may be some pushback there, and say, well, but we control the server, and so no data goes outside, and so it's all inside of our walls. Cool, I get that. But that's not really how you handle finances. You don't just say, well, we're going to handle storing all the cash in our business because it's inside our walls, because that wouldn't be safe. Well, why is it you do that with authentication, where you say we want it all inside of our walls? Because unless you're all internal users, if you have external users, they're coming in and out, and now you have to make sure that your walls are tall enough, that your walls are protected and guarded and monitored, and all these other things that a third party provides. And you have to have that same level of security for one authentication system, as opposed to their hundreds and thousands of authentication systems. The economy of scale says the person who has hundreds and thousands can do more for cheaper. Okay, so ideal: third party for storage.

And ideal, this is again my opinion here, ideal is that same third party for authentication instead of using OAuth. And that may blow some people's minds. They're like, wait, wait, those OAuths are great, because we can reuse those same credentials and let them do half the work. I get that, but there's some downsides too. Okay, let's talk through some of the downsides. For instance, if you say you can authenticate through my site or through Microsoft or GitHub or Twitter or Facebook, right, so it's four options, and a person decides, you know what, I'm going to use GitHub, and they authenticate through GitHub. Well, now when they come back the next time, and maybe it's been a year since they've come back, which one did I choose? I've got all four of those things; which one did I choose? Now there are some systems to help you with, okay, I selected this. But actually I do this with Sessionize, which is a way for speakers to submit sessions for potential conferences, and, speaking of conferences, they have, I think, six different authentication options besides login, and I use one of those social logins, but I always have to remember which one was it. I think it was Google, but in order to do it, I click on the wrong one, it goes, no, I think we've got an account over here. But here's a tricky bit: not all of my socials use the same email address, so how does it know that my work email address is the same as my personal email address? It doesn't always do that, so now you have two different accounts with that same platform. So that can be tricky. But also, here's another thing: what if I use my GitHub credentials and somebody, you know, has access to those GitHub credentials? Maybe, for whatever reason, you shouldn't do this, but maybe I shared my GitHub credentials with someone in order to get them into my GitHub real quick to do something. Well, now they could also log in to your site. So the third-party OAuth systems are nice, and they do offer a quick way in. I love it when people support the Apple login, because on my phone I say, yep, Apple login, boom, done. But now we're relying on Apple login not being stolen. So there's a lot of question marks around that, where it adds to your ability to quickly get in, it reduces the number of passwords people have, it makes it easier, but does it make it safer? That's the question, and the answer is it's going to depend on your situation. So if you want the safest, you probably want to have that third party do the authentication separately from an OAuth system. That way you don't have to alert people if, hey, if your password is stolen on Twitter, then you should also check to make sure you reset the password here, or reset tokens, or... And yes, there's a lot of assistance in place to help with that already, and they've made things a lot better, so it's a lot harder to have a person who steals your credentials over here use it over here, but it still can happen. So ideally, I would say use a third party for your authentication system, and use that same third party to do the login and password, two-factor authentication, all the rest for that user. Don't try to separate that out if you want the most secure, and that's what we're talking about here, is the most secure. You need to choose what's best for your sliding scale of risk.

And that's an important part to talk about: security is a matter of risk assessment and mitigation. Okay, you need to figure out what is the risk compared to the reward. All right, so really simple example: if you go to iamtimcorey.com, you don't have to log in. Well, that's because there's no reward for logging in; there's no reason to ask people to log in. What's the risk? There isn't one, because there's no data being protected behind a password there. Now, if you were to put your credentials in, buy something from me, and you want to manage your subscription to the all-access pass, well, yes, that's behind some protections, because of the fact that the risk of not having it behind protections is people will steal your information. So I have to, I use a third-party system to handle authentication in that case, and they protect your data. So you gotta figure out that balance there between risk and reward. If you're doing a small app that protects basically nothing, then you can have a much lower bar for your security. I used a pretty decent bar for my security for the suggestion site, so you've got suggestions.iamtimcorey.com; again, you can leave a suggestion for a future Dev Question. But in there, what are you gonna steal? Okay, let's just say for whatever reason I decide to publish your usernames and passwords. Now I can't, because I don't have access to them, but let's just pretend I did and I published it. What's the worst that can happen? Someone can post a suggestion as you. Like, that's not a big deal, so the risks are pretty low. Now that means I can be a lot more free with what things I offer as far as ease of use, um, how long I keep the token open for, and, you know, what authentication systems I can allow, and if I allow third-party OAuth and all this stuff. I could be pretty open because there's not very much risk. Now, if I am storing your credit card information, your social security information, or your PII, personally identifiable information, that's sensitive, um, your health records, those are really important things to make sure you have a high level of security on. You probably shouldn't just say whatever. Now, just to be clear, I didn't say eh, whatever either. I use Azure Active Directory B2C in order to authenticate you on the suggestion site. That is a third-party system, and I currently do not have third-party OAuths turned on, so you can't use Twitter or Facebook or Microsoft or GitHub or any of those at this point. We're just saying, hey, you have to create an account through us and through our B2C account; that way it's totally separate, separate login and password, and it's protected. Now that's a pretty high walled garden around not much, the suggestion site, but it's just kind of a feature preview. We're not gonna just stop there with the suggestion site; there's more things coming where you can reuse those same credentials, so that's why we want to keep the bar pretty high on that site. But it's up to you to make the right choice for your situation, so make the best possible decision for your business and your customers.

All right, so when I say business and customers, sometimes people will come to me and say, well, this one's free. And that's great for a small application; that's great for an application with no real stuff to secure. But as soon as you have real customers, as soon as you have real data to secure, and real data can just be email addresses, it can be just, you know, your middle name or your ZIP code, or things that you probably shouldn't just publish without permission. So once you get to that point, you need to start thinking about not just what does it cost, but how do I safely protect your customers. Because if you don't protect your customers, and let's say you have a data breach, that could be a major issue, and you want to be able to say I did my best, not I did my cheapest. Okay, so when you're thinking about authentication, there's a wide spectrum of options. Um, again, don't choose to do your own, like build your own security system. That's really, I almost want to say never, but there is a very, very, very, very, very slight case where you're doing a personal application on your personal computer, it's never going anywhere, it doesn't talk to the internet at all, and it does something little, but you want to make sure you protect it a little bit. Okay, maybe. But there is such a small percentage of cases where you would build your own authentication system. Now, Microsoft Identity, that's not building your own; that's using what Microsoft has created, and you're hosting it locally, and yet the code has been built by Microsoft and is maintained and updated by Microsoft. So that's not quite the same thing, but it's still a lower level of security than, say, hosting it in Azure Active Directory and letting them handle the authentication and even authorization of your users. So figure out what works best for you, but try to think about not just the bottom line of cost, but also the bottom line of the cost of what happens when this gets breached. Because security breaches happen all the time, and they're not always because this super elite hacker got, you know, crazy access and did some crazy stuff. Sometimes it's you were cheap and there's a known exploit that you didn't know about, because you didn't pay attention to it, you didn't read up on your security system, you didn't know how to configure it, and someone just used the default credentials or something else like that. So be careful, know your system, and make the best choice for both your business and your customers. Okay, so that's kind of a broad answer. I can't give you specifics, because it does depend on your situation, um, but think that through. Think through what you want to be able to say if your data is breached: do you want to be able to say it was cheap, or do you want to be able to say I did my best based upon circumstances? Okay, so that's my answer to the question which authentication system should we use. All right, if you have a question, again, go to the suggestion site. Thanks for listening, and as always, I am Tim Corey. Thank you.
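As an added illustration (not code from the video or from Tim Corey's projects), this Program.cs shows what the "level one" and "level two" options from the episode look like in an ASP.NET Core (.NET 6 minimal hosting) app: ASP.NET Core Identity stored in your own Entity Framework database, with the risk-scaled knobs the episode mentions (lockout, confirmed accounts, how long the session token stays open), and then the same store with an external OAuth provider layered on. `ApplicationDbContext` (deriving from `IdentityDbContext`), the connection string and the `Authentication:Microsoft:*` configuration keys are assumptions; the Identity.UI, Identity.EntityFrameworkCore and Authentication.MicrosoftAccount NuGet packages are assumed to be referenced.

```csharp
// Program.cs, ASP.NET Core (.NET 6 minimal hosting model). Added example, not
// the video's code. ApplicationDbContext and the config keys are assumptions.
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

// Level one: the Identity store you host yourself. Users, password hashes,
// 2FA secrets and external-login links all live in this database, so its
// security is now your responsibility, not Microsoft's.
builder.Services.AddDbContext<ApplicationDbContext>(options =>
    options.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection")));

builder.Services.AddDefaultIdentity<IdentityUser>(options =>
{
    // Risk dial: the more sensitive the data behind the login, the stricter
    // these should be. Values here are illustrative, not a recommendation.
    options.SignIn.RequireConfirmedAccount = true;     // verified email before sign-in
    options.Password.RequiredLength = 12;
    options.Lockout.MaxFailedAccessAttempts = 5;       // slows down password guessing
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
})
.AddEntityFrameworkStores<ApplicationDbContext>();

// "How long I keep the token open for": the session cookie lifetime.
builder.Services.ConfigureApplicationCookie(options =>
{
    options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
    options.SlidingExpiration = true;
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

// Level two: the same local store, but a third-party OAuth provider does the
// credential check. Identity records each external login as a
// (provider, provider key) pair on one user; it does not merge two users just
// because their provider emails look alike, which is the "two accounts on the
// same platform" situation described in the episode.
builder.Services.AddAuthentication()
    .AddMicrosoftAccount(options =>
    {
        options.ClientId = builder.Configuration["Authentication:Microsoft:ClientId"]!;
        options.ClientSecret = builder.Configuration["Authentication:Microsoft:ClientSecret"]!;
    });

builder.Services.AddRazorPages();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();   // are you who you say you are?
app.UseAuthorization();    // do you have access to this?
app.MapRazorPages();
app.Run();
```

Removing the `AddAuthentication().AddMicrosoftAccount(...)` call takes the app back to level one; moving the whole user store to a hosted provider such as Azure AD B2C is the level-three option the episode recommends for sensitive data.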
Info
Channel: IAmTimCorey
Views: 48,099
Keywords: .net, C#, Visual Studio, code, programming, tutorial, training, how to, tim corey, C# course, C# training, C# tutorial, .net core, vs2022, .net 6
Id: 4BItolSqIyU
Length: 20min 40sec (1240 seconds)
Published: Thu Nov 17 2022