<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Vincent Dal Maso</title>
    <description>The latest articles on Forem by Vincent Dal Maso (@urriel).</description>
    <link>https://forem.com/urriel</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F150277%2Fff8283c0-449e-4c8d-9685-335b625861fd.jpeg</url>
      <title>Forem: Vincent Dal Maso</title>
      <link>https://forem.com/urriel</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/urriel"/>
    <language>en</language>
    <item>
      <title>Authentication in 2020</title>
      <dc:creator>Vincent Dal Maso</dc:creator>
      <pubDate>Mon, 30 Mar 2020 09:53:21 +0000</pubDate>
      <link>https://forem.com/urriel/authentication-in-2020-3joa</link>
      <guid>https://forem.com/urriel/authentication-in-2020-3joa</guid>
      <description>&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--C5b3ROZg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.pixabay.com/photo/2017/02/19/23/10/finger-2081169_1280.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--C5b3ROZg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://cdn.pixabay.com/photo/2017/02/19/23/10/finger-2081169_1280.jpg" width="600"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;Authentication in 2020&lt;/h1&gt;

&lt;p&gt;First of all, in light of the many leaks of user profiles and passwords happening all over the world, it seems that authentication on the web is broken, and nothing serious is being done to prevent user accounts from being hacked. Historically, getting hacked is nothing new, and it is tied to our authentication method.&lt;/p&gt;

&lt;h2&gt;Authentication before 2015&lt;/h2&gt;

&lt;p&gt;Since the advent of the internet, users have always been required to provide a username and password in order to be authenticated by a web application. With our lousy memory, we tend to reuse the same password several times or change only a letter to uppercase when the password validation requires it. In most cases, we use &lt;a href="https://thehackernews.com/2017/12/data-breach-password-list.html"&gt;extremely simple passwords&lt;/a&gt;, and it results in our account being hacked. It is even easier now that past leaks have created a huge database of logins available to anyone.&lt;br&gt;
As a developer, passwords should be handled with the utmost care. Yet some careless developers still keep those passwords as plain text in their databases, consequently providing easy data for future leaks.&lt;/p&gt;

&lt;h2&gt;Authentication after 2015&lt;/h2&gt;

&lt;p&gt;For the sake of security, around 2015 a new trend in authentication started: "Two Factor Authentication" or 2FA. This method of authentication is mainly based on a username and password in addition to a code sent one way or another to a device the user owns. It has been confirmed that 2FA could prevent &lt;a href="https://enterprise.verizon.com/resources/reports/dbir/"&gt;95%&lt;/a&gt; of attacks on a web application. Still, in 2020 it is not commonly used. Why?&lt;br&gt;
There are several causes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Users tend to get bothered by multi-step authentication.&lt;/li&gt;
&lt;li&gt;Security is not a top priority for management or developers, even if a breach can damage the company's reputation.&lt;/li&gt;
&lt;li&gt;Integrating 2FA is time consuming.&lt;/li&gt;
&lt;li&gt;Entrusting another company with your user database is tough.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Authentication in 2020&lt;/h2&gt;

&lt;p&gt;Nowadays "Multi Factor Authentication" or MFA is becoming a buzzword when we talk about authentication, but we are still years behind when it comes to securing user accounts. Nevertheless, there are options to remedy the situation.&lt;/p&gt;

&lt;h3&gt;Multi Factor Authentication&lt;/h3&gt;

&lt;p&gt;MFA is a standard today, used by most of the tech giants, and it should be democratized. It can be added to your software through open source libraries or third-party services. Although it can be sensitive to entrust another company with your user database, such providers put their reputation on the line by offering this sort of service.&lt;/p&gt;

&lt;h3&gt;Passwordless Authentication&lt;/h3&gt;

&lt;p&gt;With the advent of MFA, a new trend is now emerging: passwordless authentication. The goal is to replace the username/password step commonly used on the web with a link sent to your e-mail address, either alone or combined with other authentication steps. This prevents the user from typing a password and thus removes the human issue from the equation.&lt;/p&gt;

&lt;h2&gt;Conclusion&lt;/h2&gt;

&lt;p&gt;It is a duty to secure our user accounts. If not for the company's reputation, then for our self-esteem as developers, architects or managers. Delivering a secure web application to our users should be a goal in 2020. So which decisions are you going to take to secure your users?&lt;/p&gt;

&lt;p&gt;&lt;em&gt;MFA -&amp;gt; &lt;a href="https://en.wikipedia.org/wiki/Multi-factor_authentication"&gt;https://en.wikipedia.org/wiki/Multi-factor_authentication&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Microsoft Passwordless white paper -&amp;gt; &lt;a href="https://www.microsoft.com/en-us/security/business/identity/passwordless"&gt;https://www.microsoft.com/en-us/security/business/identity/passwordless&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Initially posted on my &lt;a href="https://urriel.github.io/Urriel/authentication-2020/"&gt;blog&lt;/a&gt;&lt;/p&gt;

</description>
      <category>authentication</category>
      <category>security</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Rust in web applications</title>
      <dc:creator>Vincent Dal Maso</dc:creator>
      <pubDate>Fri, 07 Feb 2020 07:29:28 +0000</pubDate>
      <link>https://forem.com/urriel/rust-in-web-applications-3agk</link>
      <guid>https://forem.com/urriel/rust-in-web-applications-3agk</guid>
      <description>&lt;p&gt;Hello everyone,&lt;/p&gt;

&lt;p&gt;I have been thinking about using Rust in web development for the past 2 months, but in light of the recent events surrounding actix, I am wondering if it is worth it to commit a whole project to a single library.&lt;/p&gt;

&lt;p&gt;Since the standard library is focused on low-level programming and all the libraries available on cargo seem to rely on a huge amount of other external libraries, how do you assess the potential threat to the security or longevity of your project?&lt;/p&gt;

&lt;p&gt;For me, node modules or Python libraries were already a pain to check against security and company policies. But from my perspective the problem is even worse for Rust.&lt;/p&gt;

&lt;p&gt;I’m a huge fan of the language, and follow every change, but I keep coming back to Go when it comes to writing a simple service without overhead.&lt;/p&gt;

</description>
      <category>discuss</category>
      <category>rust</category>
    </item>
  </channel>
</rss>
