Aug 05, 2019
Almost any modern web application requires a user to be authenticated both for security and personalization reasons. The importance of the authentication mechanism often neglected. This can result in poor user experience and huge security risks. Here is a checklist you can use to make sure you are not missing anything crucial in your authentication implementation.
It's very important to remember authentication and authorization are different things. Application can provide several ways for users to authenticate, but have a simple authorization scheme. Or it can have a single authentication method, but a complex authorization scheme.
Often, developers create their own authentication mechanisms, but nowadays there are many ready-to-use solutions. They can be open-source, proprietary, self-hosted, cloud-hosted, hybrid.
While some particular authentication service, framework or library can be attractive and easy to integrate, take some time to check if it integrates well with all of your platforms. Once users are actively using your application, it can become very hard to seamlessly change the authentication mechanism.
...in a case if you are changing authentication in your application. Legacy or custom authentication solutions may not allow you to easily export necessary data to be used by the new system. Even if the export is possible, the new solution may require data in a different format.
User credentials is both valuable and sensitive data. Storing backups "as is" is very dangerous. Not storing backups is irresponsible. Finding a compromise can be tricky.
Each industry has it's own requirements for storing user credentials, levels of encryption and personally identifiable information handling.
While authentication is very important, verify it doesn't turn into unbearable burden for your project. You still need to solve problems of your users and you need a budget for that.
Even the most cost-efficient solution will be useless, if it's implemented too late. Evaluate the timeline of the implementation and whether it meets critical deadlines of your business.
Proprietary systems often have either license or subscription fee. The fee itself may be tied to the number of users and can make the total cost of ownership very high. Double-check numbers before committing to anything.
Don't fall in love with the first discovered solution. Comparing available options will give you are better understanding of the market, pricing and required implementation effort.
Some of your co-workers may already have experience with the authentication solution/approach you want to implement. Prior experience of other people can be very useful and enlightning.
Don't hesitate to implement Proof of Concepts for your authentication. Most of the tools include quick start examples that will allow you to understand what you are dealing with and how good it is for you.