Authentication is a developer nightmare



Let's talk about authentication. I would like to show how easy it is to implement authentication with 3 different methods: password, OAuth2 (or social login) and passkeys. They all have their benefits and drawbacks, but hopefully this video is a fun way to understand how the systems powering authentication actually work.

I've also made a little demo website to help show how registration and sign-in work. It's just a toy project, so hopefully it doesn't break under the pressure.

Full disclosure: the demo website is hosted on the cloud. My little MacBook didn't do too well with the traffic from the last video, so I'm committing this cardinal sin until I upgrade my home server.
Comments

It should be noted that SHA-256 and other SHA functions are not well suited for password hashing and storage because of the efficiency of attacks. Functions like Argon2 might be more adequate solutions.

world

Boring still sounds complicated. For a 15-minute video, you had to fast-forward through MFA and didn't even mention protection from repeated login attempts, keeping logs of every access, session expiration… It really is what happens when you roll your own auth: it's hard to do everything right.

rickdg

I spent so much time on my first SaaS to understand that a boring authentication doesn’t mean it’s bad. Simple doesn’t mean bad either. Thanks for your video. It killed many of my concerns and I wish I had watched it a long time ago hahah

Laukar

The best part about this video is the warning about OAuth and companies shutting you out...
It's really important for devs to push back on business owners encouraging unhealthy levels of power to be given to a few companies,
simply because "but I want da Google login".

blipojones

If you gave this video the same energy (voice and tone, I think I mean) as your "The cloud is over-engineered and overpriced (no music)" video, then this video would thrive way more. As some positive criticism of your video here: you sound very tired compared to the last one. However, the content that the video conveys is top notch. Great video either way! I learned tons!

_vr

I started working as a programmer 45 years ago. I've been through all the jobs in the hierarchy, but now I'm back at what I like the most: designing and programming solutions for the users. I really appreciated the video. I would really like to see the server code that handles the little demo you provided. I used your video in a presentation to the team/clients to explain why we do need more than a simple cleartext password, but don't need/want a big external framework. They still haven't approved the plan, but they commented that the video extracts I showed them were easy to understand.

mbeware

Using a 3rd party does not make logging-in issues easier. Imagine if someone doesn't remember whether they signed in with Google or with Facebook. So they do the wrong one, and now they have two accounts on your site. And now that is your problem when they contact you and ask why all of their stuff is gone.

DemiImp

Every piece of information is well explained and connected. I also love your approach to avoiding unnecessary complexity. Thank you for doing this.

Digo-eu

Bro changed to neovim during the video and thought we won't notice.

aka.theos.

Also, when implementing passkeys, take the time to change some (quite bad) default parameters, namely the platform and resident key parameters. The current standard requires passkeys to be resident keys, thus not requiring a username and allowing single-click logins. This excludes hardware keys, as they have limited storage (8 to 25 slots) for those keys. By setting resident keys to optional or encouraged you get the best of both worlds, allowing passkey storage on device, in a password manager and on security keys. The only drawback is programming in an optional username field.

zuighemdanmaar
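The server-side half of what the comment above describes, as an added example written for this page (it is not the video's demo code and not taken from any WebAuthn library): the registration options ask for a discoverable credential with `residentKey: "preferred"` rather than `"required"`, leave `authenticatorAttachment` unset so both platform and roaming authenticators qualify, and the sign-in options take the optional username into account by sending an `allowCredentials` list only when one was typed. Field names are those of the WebAuthn `PublicKeyCredentialCreationOptions` / `PublicKeyCredentialRequestOptions` dictionaries; the relying-party values, user IDs and credential IDs are made up for the example.

```python
import base64
import secrets

ALLOWED_RESIDENT_KEY = ("discouraged", "preferred", "required")


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding WebAuthn JSON helpers expect for byte fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def registration_options(rp_id, rp_name, user_id: bytes, username, display_name,
                         resident_key="preferred"):
    """PublicKeyCredentialCreationOptions for navigator.credentials.create().

    resident_key="required": only discoverable (resident) credentials, so username-less
        sign-in works, but every credential occupies a slot on a hardware security key.
    resident_key="preferred": store it as discoverable when the authenticator can, otherwise
        fall back to a non-discoverable credential; both kinds of sign-in stay possible.
    No authenticatorAttachment is set, so platform authenticators (device biometrics,
    password managers) and cross-platform ones (roaming security keys) are both acceptable.
    """
    if resident_key not in ALLOWED_RESIDENT_KEY:
        raise ValueError(f"residentKey must be one of {ALLOWED_RESIDENT_KEY}")
    return {
        # Random per-ceremony challenge; the server keeps it and checks it on the response.
        "challenge": b64url(secrets.token_bytes(32)),
        "rp": {"id": rp_id, "name": rp_name},
        "user": {"id": b64url(user_id), "name": username, "displayName": display_name},
        "pubKeyCredParams": [
            {"type": "public-key", "alg": -7},    # ES256
            {"type": "public-key", "alg": -257},  # RS256
        ],
        "timeout": 60_000,
        "authenticatorSelection": {
            "residentKey": resident_key,
            # Older clients only understand the boolean; keep it consistent with residentKey.
            "requireResidentKey": resident_key == "required",
            "userVerification": "preferred",
        },
        "attestation": "none",
    }


def authentication_options(rp_id, credential_ids=None):
    """PublicKeyCredentialRequestOptions for navigator.credentials.get().

    credential_ids is what the server looked up for the username the user typed into the
    optional username field. With it, a non-discoverable credential on a hardware key can be
    used. Without it, allowCredentials is empty and only discoverable credentials can answer,
    which is the username-less, one-click flow.
    """
    allow = [{"type": "public-key", "id": b64url(cid)} for cid in (credential_ids or [])]
    return {
        "challenge": b64url(secrets.token_bytes(32)),
        "rpId": rp_id,
        "timeout": 60_000,
        "userVerification": "preferred",
        "allowCredentials": allow,
    }


if __name__ == "__main__":
    # Constructed sample values, not real accounts or credentials.
    print(registration_options("example.com", "Demo site", b"\x01" * 16, "alice", "Alice"))
    print(authentication_options("example.com"))                    # username-less sign-in
    print(authentication_options("example.com", [b"\x00" * 4]))     # username typed, one credential known
```

Send the returned dictionary to the browser as JSON; the client passes it to `navigator.credentials.create()` or `navigator.credentials.get()` after decoding the base64url fields back into byte buffers. Whatever you choose for `residentKey`, the response must still be checked against the stored challenge and the relying-party ID on the server.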

This is a big topic to cover in this amount of time. It gives me an appreciation for what Django gives me out of the box. I know it isn’t right for every project, but it lets me focus on building differentiating features rather than building auth *again*.

shaunkruger

SHA algorithms aren't made for hashing passwords; you should use something that's made for that, like argon2 or bcrypt. Cracking a SHA-256 hash, while unfeasible right now if salted, still makes you more vulnerable to wordlist attacks, as you can test more than 1,000,000x as many hashes per second compared to bcrypt.

alvesvaren

2 minutes in and we're running out of Tenor gifs on the entire internet

thefrub

Your content is so good! Please keep going ❤

Laukar

Authentication is not that terrible when you have a user who needs to log in to do an action. I always find it much harder when it's just system-to-system calls: how to manage and maintain it, and how to decide if some other system should be allowed to do specific actions.

Growlizing

I wish you talked about MFA in this video and implemented it.

Stalgicmusic

4:30 UUIDs are not cryptographically random and should not be relied upon for salting (or other cryptographic functions like initialisation vectors, etc.)

mjddev
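The two points raised in the comments above (SHA-256 is the wrong tool for stored passwords, and salts must come from a cryptographic random source rather than a UUID) side by side, as an added example written for this page and not taken from the video's demo. The weak half is a plain `sha256(password)` store and the offline wordlist attack it invites: one hash per candidate word is checked against every user at once, and two users with the same password are visibly identical. The hardened half salts each password with `secrets.token_bytes` (the standard library's interface to the OS CSPRNG; RFC 4122 does not require UUIDs to be generated from one) and runs it through scrypt, which ships in `hashlib` so the example runs offline. Argon2 or bcrypt, as the comments recommend, are the same pattern with a different KDF and need a third-party package. The cost parameters, the `scrypt$N$r$p$salt$key` storage format and the user table are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets

# scrypt cost parameters. Assumption: picked so the example runs quickly anywhere;
# raise N (memory and CPU cost) as far as your login latency budget allows.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32

# Constructed wordlist and user table, not real data.
WORDLIST = ["123456", "password", "qwerty", "hunter2", "letmein"]
USERS_SHA256 = {  # the naive store: sha256(password), no salt, no work factor
    "alice": hashlib.sha256(b"hunter2").hexdigest(),
    "bob": hashlib.sha256(b"hunter2").hexdigest(),
    "carol": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}


def naive_sha256(password: str) -> str:
    """The pattern the comments warn against: fast, unsalted, same input -> same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: dict, wordlist) -> dict:
    """Offline wordlist attack. With no salt, one SHA-256 per candidate word is compared
    against every user at once, and identical hashes expose users who share a password."""
    lookup = {naive_sha256(word): word for word in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def new_salt() -> bytes:
    """secrets.token_bytes reads the OS CSPRNG; uuid4() and random are not the right source."""
    return secrets.token_bytes(SALT_BYTES)


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, memory-hard hash. Storage format (an assumption for this example):
    scrypt$N$r$p$salt_b64$key_b64, so cost can be raised later without breaking old rows."""
    if salt is None:
        salt = new_salt()
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and parameters stored in the row; constant-time compare."""
    try:
        algo, n, r, p, salt_b64, key_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False  # malformed row: never raise, never accept
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("cracked from the SHA-256 store:", crack_unsalted(USERS_SHA256, WORDLIST))
    row_a = hash_password("hunter2")
    row_b = hash_password("hunter2")
    print("same password, different rows:", row_a != row_b)
    print("verify:", verify_password("hunter2", row_a), verify_password("wrong", row_a))
```

The wordlist attack recovers alice's and bob's shared password with five hash computations and shows they share it; against the scrypt rows the same two passwords produce different strings, and each candidate must be hashed once per user at scrypt's cost instead of once for the whole table.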

I use AWS Cognito with the built-in hosted UI as a default auth for my apps. I just need to implement a few endpoints (I have a template for this) to navigate to/from the hosted UI.

It's great, I don't need to worry about MFA, social sign on, email verification, cost or the liability of leaking data. If AWS gets hacked, I'll be the least interesting product that's affected.

Liability is also the main reason many companies choose to outsource authentication. Don't have to put out a press release if AWS/Auth0/Okta/etc is hacked, but you do if your own self-hosted database is.

DavidAlsh

Secure Remote Password protocol (SRP) is a method I've been wanting to implement myself for some time now. An SRP-based OAuth would be so neat in addition.

jonathancrowder

At some point people have to realize we cannot optimize for factor X, X being idiots.

owlmostdead