TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.
Ask HN: What are all the things that can go wrong during authentication?

21 points by anayar about 5 years ago

Trying to build a bulletproof drop-in authentication system. What are all the things that could go wrong with authentication?

And I mean SSO, persistence, cookies, hashes, network dropouts, OAuth, etc. Curious to get y'all's take on it!

6 comments

bdibs about 5 years ago

Check out OWASP's cheat sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
Cyberdog about 5 years ago

Spoofing. I start up faceb0ok.website or whatever and theme it to look identical to Facebook. I then make a viral Facebook post that tells you Facebook will send you a $50 Amazon gift card if you click on this link. You click, then instinctively log in with your Facebook credentials because you can't tell that you're not on the real Facebook anymore. I now have your credentials.

Man-in-the-Middle (MITM). I'm at the same coffee shop as you and I've taken control of the router. You request your bank's web site and I'm able to route that request through my laptop, fetch the web page, and return it back to you. You log in to the web site. The connection is still encrypted, but the termination of the encryption is actually happening on my laptop. You log into the bank site. I now have your bank account credentials.

Cross-site scripting (XSS). Your site allows visitors to embed content (for example, message board posts) without that content being properly filtered. I use that to embed some JavaScript that watches for users using the login form on your site and sends those credentials to me, or sends the content of the cookie of users already logged on.

Poor hashing. You mentioned that above so you're probably aware of it already, but it's disturbing and surprising how many sites don't have this figured out yet.

I'm not sure what problems network dropouts could cause, at least in terms of security, which is the big problem here.

Of course there's more, but this is what comes to mind. In summary, I strongly suggest you don't try to reinvent a new authentication system. Use one already in common use. It's probably already fairly battle-tested and validated for correctness and security. This goes for most other types of software as well.
sethammons about 5 years ago

One that is often not mentioned: cache errors. When systems face scaling issues, caching is often a first-line tool. Imagine a bug gets deployed with an off-by-one error in your cache, or the cache serves the latest entry instead of the right entry.

If you add caching (esp. to your auth-chain), you need automated tests covering every access pattern. Concurrent access, cache timeouts, cache full, cache invalidation, etc.
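Added example (not from the comment above): a keyed, TTL-bounded and size-bounded session cache written so that the access patterns sethammons lists (concurrent access, timeouts, full cache, invalidation) can each be tested; `Session`, `SessionCache` and `concurrent_check` are hypothetical names. A miss returns `None` so the caller must go back to the user store rather than trust a stale or foreign entry.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

# Constructed example, not from any product; the Session/SessionCache names are hypothetical.
@dataclass(frozen=True)
class Session:
    user_id: str
    roles: tuple

class SessionCache:
    """Keyed, TTL-bounded and size-bounded. A miss returns None so the caller must go
    back to the user store instead of trusting a stale or foreign entry."""
    def __init__(self, ttl_seconds, max_entries, clock=time.monotonic):
        self._ttl, self._max, self._clock = ttl_seconds, max_entries, clock
        self._lock = threading.Lock()
        self._entries = {}  # token -> (expires_at, Session)

    def put(self, token, session):
        with self._lock:
            if token not in self._entries and len(self._entries) >= self._max:
                # Cache full: evict the entry expiring soonest; never overwrite another key.
                del self._entries[min(self._entries, key=lambda k: self._entries[k][0])]
            self._entries[token] = (self._clock() + self._ttl, session)

    def get(self, token):
        with self._lock:
            item = self._entries.get(token)
            if item is None or self._clock() >= item[0]:
                self._entries.pop(token, None)  # absent or expired: a miss, not a stale hit
                return None
            return item[1]

    def invalidate(self, token):  # logout or password change must drop the entry at once
        with self._lock:
            self._entries.pop(token, None)

def concurrent_check(cache, n=32):
    """Each thread stores and reads back its own session; any cross-user result fails."""
    bad = []
    def worker(i):
        cache.put(f"tok{i}", Session(f"user{i}", ("user",)))
        got = cache.get(f"tok{i}")
        if got is not None and got.user_id != f"user{i}":
            bad.append(i)
    with ThreadPoolExecutor(max_workers=n) as pool:
        list(pool.map(worker, range(n)))  # list() surfaces any exception raised in a worker
    return not bad
```

The injectable `clock` lets a test drive the TTL deterministically instead of sleeping.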
thephyber about 5 years ago

Normally I might try to enumerate examples, but I agree with bdibs that OWASP generally holds the canonical text for authentication of web apps.

Alex Stamos, former head of security at Facebook, described the security issues they got as a pyramid where the vast majority of issues were basic fraud, friend/family trust, fake login pages / fake emails, reused credentials, and email takeover. You won't be able to help with most of these unless you can help your users change their behavior.

For the other stuff, use the best SDLC techniques, never commit secure strings to version control (assume your source repo is misconfigured), use 12 Factor principles, read OWASP docs, search for relevant HackerOne disclosed reports (or blog articles, CTF write-ups). There is no amount of coding that can replace red team user testing / a security audit.
newfeatureok about 5 years ago

Just use keycloak.
brokenwren about 5 years ago

As the founder of FusionAuth (https://fusionauth.io), let me relay 5 years of experience in building our platform in bullet points (not exhaustive by any means, but a rough overview). Also note that these aren't all authentication related, but once you build your own authentication, most everything else has to be done by hand as well:

- OAuth 2 IdP and SP federation plus theming
- SAML v2 IdP and SP federation
- Nested federation (i.e. OAuth to SAML to OAuth to another OAuth)
- JWTs (issuing, validation, introspect, user_info, numerous certificate and key-pair concerns, reconciliation, introspection)
- Refresh tokens (managing, revoking, exchanging, securing, and more)
- Lambdas to handle claim mapping and JWT population plus all the security around sandboxing JavaScript so it isn't an attack vector
- Key management
- Certificate management
- User indexing and searching (when you have 100+ million users, this isn't easy)
- Password rules (HIPAA, PCI, SOC, ISO, NIST)
- Breached password detection (Have I Been Pwned style)
- Password hashing (making it configurable, changeable, upgradeable, etc)
- Devices (trust, OAuth Device Grant, MFA, passwordless)
- Threat modeling and detection
- Brute force prevention
- Account locking
- Event management (login, account creation, deletion, etc)
- CORS
- CSRF
- XSS
- Injection attacks (JS, SQL, etc)
- Privilege escalation attacks (tunnels, backdoors, script injection, etc)
- Replay attacks
- JWT header attacks
- Click-jacking attacks
- IFraming
- CVE management (libraries, OS, database, frameworks, APIs, etc)
- MFA (authentication apps and SMS)
- TOTP
- MITM and spoofing
- HSTS
- Passwordless logins
- Network management (firewalls, public and private access, intrusion detection, logging, auditing)
- Pen tests (i.e. these aren't cheap)
- Compliance (also not cheap and very time consuming)
- Family management (multiple parents, divorces, multiple kids, roles, ages, consents)
- Consent modeling (CCPA, GDPR, and many more are coming)
- Group management
- Roles and permissions
- All the email things (forgot password, passwordless, email verification, templates, localization)
- Reporting (DAU, MAU, etc)

Every line of code, every API, every HTML page, every button click, every form submit, every layer, every network hop, every operating system, every third-party tool, every library, and every browser must be secured and tested. If you have a big team and a lot of free time, you can probably get something workable that is secure in a year or two.

Of course, YMMV. ;)

Or like other folks have said, you can always use FusionAuth, Keycloak and others. They are all free and do all of this already. Though, I'd be suspicious with some projects. The compliance, auditing and testing pieces are expensive and probably not something they do much of.

And who knows what is going on with IBM and Red Hat. I'd run screaming from that disaster if I were you. :)
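Added example, not FusionAuth's code, for the "JWTs (validation)" and "JWT header attacks" items in the list above: an HS256 verifier that pins the accepted algorithm and resolves `kid` against a server-side key table, so the token's own header can never select `alg: none`, a different algorithm, or key material of its choosing. `sign_hs256`, `verify_jwt` and the `keys` table are hypothetical names used for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example, not FusionAuth's code. The verifier pins the algorithm and looks the
# key up by id on the server side; the header is never trusted to choose either one.

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, key, kid):  # issuer side; used here to build test input
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_jwt(token, keys, expected_iss, expected_aud, now=None):
    """Return the claims or raise ValueError. `keys` maps kid -> HMAC key bytes; a token
    may only select one of those keys, never supply its own algorithm or key material."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as e:   # binascii.Error is a ValueError
        raise ValueError("malformed token") from e
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":                # rejects "none", RS256-as-HMAC, etc.
        raise ValueError("algorithm not allowed")
    kid = header.get("kid")
    key = keys.get(kid) if isinstance(kid, str) else None
    if key is None:
        raise ValueError("unknown key id")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):      # constant-time comparison
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        raise ValueError("issuer or audience mismatch")
    return claims
```

Signature checking happens before any claim is read, and `exp`, `iss` and `aud` are all mandatory, so a token that verifies cryptographically but was minted for another service is still refused.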