openseced/auth
A learning module on Authentication
The students' reality is identity-based authentication with passwords that must be at least eight characters long and contain upper and lower case letters, a digit and a special character. This is reinforced every day and is so wrong.
How do we unlearn what is reinforced every day? How can we make them learn how it should be, how can we make them retain this? How long will they retain it?
There is some detailed password coverage in infotheory/basics, maybe some of that should be moved here. It's good to keep those parts closely related to entropy there, that'll make that material better. Other things should move here, and a copy should be brought here too.
The Private E-Commerce Company wants to strengthen consumer privacy in the area of e-commerce. We have three entities; the Seller, the Shipper and the Buyer. The Seller sells the Product to the Buyer. The Seller then ships the Product to the Buyer using the Shipper's shipping service.
Make the case concrete, like an online bookstore. How can we maximize security and privacy? I.e. principle of least privilege and data minimization.
When the buyer has paid, the seller generates a public--private key pair, gives the private key to the buyer and the public key to the shipper. The buyer uses the private key to sign the receipt of delivery; the shipper can verify that it's the right person, and the seller can verify that the package has been delivered to the right person.
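The per-order key exchange above, worked through as an added example (not code from the module). The note fixes no signature scheme, so this uses Schnorr signatures over a toy-sized safe-prime group so that it runs with the standard library only; the group parameters, the `run_order` helper and the order id are constructed for the example. Note what each party holds: the Shipper sees a public key and a signed receipt, never the Buyer's identity, and the key pair is scoped to one order.

```python
"""Delivery-receipt authentication for the bookstore case (added example).

Per order: the Seller generates a key pair after payment, gives the private
key to the Buyer and the public key to the Shipper.  The Buyer signs the
receipt on delivery; the Shipper and the Seller verify it against the public
key.  Scheme: Schnorr signatures over a toy-sized prime-order group.
"""
import hashlib
import secrets

# Toy group parameters: p = 2q + 1 with p and q prime; g = 4 generates the
# subgroup of order q.  Far too small for real use (a deployment would use a
# 2048-bit+ or elliptic-curve group); chosen so the example is self-contained.
P, Q, G = 2039, 1019, 4


def keygen():
    """Return (private, public): x in [1, q-1], y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(R, y, msg):
    """Fiat-Shamir challenge in [1, q-1], bound to commitment, key and message."""
    h = hashlib.sha256(f"{R}|{y}|".encode() + msg).digest()
    return 1 + int.from_bytes(h, "big") % (Q - 1)


def sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1          # fresh per-signature nonce
    R = pow(G, k, P)
    e = _challenge(R, pow(G, x, P), msg)
    return R, (k + e * x) % Q


def verify(y, msg, sig):
    R, s = sig
    e = _challenge(R, y, msg)
    return pow(G, s, P) == (R * pow(y, e, P)) % P


# --- the three parties -------------------------------------------------------

def seller_issue_keys():
    """Seller: new key pair per order; private -> Buyer, public -> Shipper."""
    return keygen()


def buyer_sign_receipt(buyer_priv, order_id):
    """Buyer: on delivery, sign a receipt bound to this order."""
    receipt = f"delivered:{order_id}".encode()
    return receipt, sign(buyer_priv, receipt)


def shipper_verify(order_pub, receipt, sig):
    """Shipper (and later the Seller): accept only a receipt under the order's key."""
    return verify(order_pub, receipt, sig)


def run_order(order_id="order-1234"):
    """Return (honest receipt accepted, impostor receipt accepted)."""
    priv, pub = seller_issue_keys()
    receipt, sig = buyer_sign_receipt(priv, order_id)
    honest = shipper_verify(pub, receipt, sig)

    # Someone without the Buyer's private key signs the same receipt text.
    other_priv, _ = keygen()
    while other_priv == priv:                 # make the outcome deterministic
        other_priv, _ = keygen()
    impostor = shipper_verify(pub, receipt, sign(other_priv, receipt))
    return honest, impostor


if __name__ == "__main__":
    print(run_order())   # (True, False)
```

The design choice to discuss with students: the Seller, not the Buyer, generates the key, so the Seller can later audit the delivery, but this also means the Seller could sign on the Buyer's behalf. Letting the Buyer generate the pair and hand only the public key to the Seller is the data-minimising variant.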
The "securing authentication" section should be reviewed.
Add authenticated-key exchange and authenticated key-exchange.
Since we must use password managers to cope with passwords, we might just as well replace the passwords with crypto keys anyway. Once we have crypto keys we can do anonymous credentials. There will be no leaked password databases as the server only stores public keys.
We need a lab that pushes the students beyond identity based authentication. What do they actually need to authenticate? Usually not the identity.
However, sometimes a password is the right thing, like protecting the password/key manager. (Sometimes a biometric can be used here, which is a password of sorts.)
Evaluate user authentication from both the user--machine and the machine--user perspective.
We should evaluate purely password-based authentication, two-factor authentication and key-based authentication (e.g. BankID), both from a security and a usability perspective.
passwd module. This is related to #1.
We cover some parts of biometrics. Maybe it's good to have that as a separate module.
We should have a lab where the students focus on designing user authentication. This is better than the current state of passwd/pwdpolicies, where they just focus on passwords for user authentication.
We can provide a few scenarios for which the students should design the needed authentication --- after first identifying the needs.
The time-of-check, time-of-use problem is general for all auth, better have that in the intro and let it come back in the other parts.
The area of authentication that we are interested in can be divided into these categories:
There are some purely authentication-related parts in the usability overview; these should be moved here.
The passwd module is specialized on passwords, maybe we should move that coverage (at least detailed coverage) there.
Ask the students: how do you know I'm the teacher for this lecture?
This should be asynchronous. But I can use FeedbackFruits for the students to discuss it.
Possible ways to authenticate: I'm the same as with Sonja. How do they know I'm the same? Deep-fake? How do you know Sonja was the one to teach that lecture?
Use this contrast to talk about different forms of authentication in a new area.
Interesting?
https://phishingquiz.withgoogle.com
Add descriptive figures, e.g. for password guessing.
To ensure freshness we need challenge--response. Thus to make biometrics secure (i.e. authenticated) we need challenge--response: we give a challenge to the biometric sensor, which incorporates the challenge into the reported data. It's crucial that you cannot take this challenge and just process it with previously recorded data.
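The challenge--response flow above, as an added example (not part of the module): the verifier issues a fresh nonce, the sensor binds its live reading to that nonce with a key only the sensor holds, and the verifier rejects a replayed response as well as recorded data paired with a new challenge. Assumptions made here: a per-sensor symmetric key provisioned at enrolment, a toy template match (Hamming distance on a 256-bit string), and constructed sample readings.

```python
"""Challenge--response for a biometric sensor (added example).

The verifier issues a fresh nonce; the sensor mixes that nonce into the data
it authenticates.  Replaying a recorded response, or pairing recorded data
with a fresh challenge, fails.
"""
import hashlib
import hmac
import secrets


def hamming(a: bytes, b: bytes) -> int:
    """Toy biometric match: number of differing bits."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class Sensor:
    """Trusted sensor: holds a device key and produces live readings."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, nonce: bytes, live_reading: bytes):
        # The challenge is part of the authenticated payload, so the tag is
        # only valid for this nonce and this reading.
        tag = hmac.new(self.key, nonce + live_reading, hashlib.sha256).digest()
        return nonce, live_reading, tag


class Verifier:
    def __init__(self, sensor_key: bytes, template: bytes, max_distance: int = 8):
        self.key = sensor_key
        self.template = template
        self.max_distance = max_distance
        self.outstanding = set()   # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, reading: bytes, tag: bytes) -> bool:
        if nonce not in self.outstanding:
            return False                       # unknown, expired or already used
        self.outstanding.discard(nonce)        # single use, whatever the outcome
        expected = hmac.new(self.key, nonce + reading, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                       # not made by the sensor for this nonce
        return hamming(reading, self.template) <= self.max_distance


# --- constructed sample data (not real biometric data) -----------------------
KEY = hashlib.sha256(b"constructed sensor key").digest()
TEMPLATE = hashlib.sha256(b"constructed enrolled template").digest()  # 256 "feature bits"
LIVE = bytes([TEMPLATE[0] ^ 0b101]) + TEMPLATE[1:]   # live capture: 2 bits differ


def legitimate_session() -> bool:
    v, s = Verifier(KEY, TEMPLATE), Sensor(KEY)
    return v.verify(*s.respond(v.challenge(), LIVE))


def replayed_session() -> bool:
    """A whole valid response is recorded and sent again."""
    v, s = Verifier(KEY, TEMPLATE), Sensor(KEY)
    recorded = s.respond(v.challenge(), LIVE)
    first = v.verify(*recorded)                # genuine session: accepted
    second = v.verify(*recorded)               # replay: nonce already consumed
    return first and not second


def recorded_data_fresh_challenge() -> bool:
    """Recorded reading and tag, but the verifier has issued a new challenge."""
    v, s = Verifier(KEY, TEMPLATE), Sensor(KEY)
    _, reading, tag = s.respond(v.challenge(), LIVE)
    fresh = v.challenge()
    return v.verify(fresh, reading, tag)       # tag covers the old nonce: rejected
```

What the code can and cannot give you: the nonce and MAC guarantee that the response was produced by this sensor for this challenge; that the reading itself is a live capture rather than recorded data fed to the sensor is a property of the sensor hardware (liveness detection), which no protocol step can replace.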
Currently it's just a traditional lecture.
This would be details on crypto protocols for authentication. Basically, we can reduce much of user-machine and machine-user to machine-machine due to the user using e.g. a smartphone.
We have Schnorr which is zero-knowledge. Add an example where the public key is not known, where you prove you know a signature on a public key for which you know the private key.
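The Schnorr identification protocol referred to here, as an added example (not code from the module), which also illustrates the point made earlier that a server storing only public keys has no password database to leak. It shows the base three-move protocol, not the extension the note asks for (proving knowledge of a signature on a hidden public key). The toy safe-prime group, the `Prover`/`Verifier` classes and the demo functions are assumptions of this example; the third function shows why the protocol is zero-knowledge: anyone can fabricate an accepting transcript without the secret, so a transcript proves nothing to a third party.

```python
"""Schnorr identification (added example).

Server stores only y = g^x; the client proves knowledge of x in three moves:
commit R = g^k, receive challenge e, respond s = k + e*x.  Check: g^s = R*y^e.
"""
import secrets

# Toy safe-prime group: p = 2q + 1, g of order q.  Too small for real use.
P, Q, G = 2039, 1019, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


class Prover:
    def __init__(self, x):
        self.x = x          # the only copy of the secret
        self.k = None

    def commit(self):
        self.k = secrets.randbelow(Q - 1) + 1      # fresh per run, never reused
        return pow(G, self.k, P)

    def respond(self, e):
        s = (self.k + e * self.x) % Q
        self.k = None                              # a reused k would leak x
        return s


class Verifier:
    def __init__(self, y):
        self.y = y          # all the server ever stores

    def challenge(self):
        return secrets.randbelow(Q - 1) + 1        # fresh, unpredictable, non-zero

    def check(self, R, e, s):
        return pow(G, s, P) == (R * pow(self.y, e, P)) % P


def honest_run() -> bool:
    x, y = keygen()
    prover, verifier = Prover(x), Verifier(y)
    R = prover.commit()
    e = verifier.challenge()
    return verifier.check(R, e, prover.respond(e))


def replay_run() -> bool:
    """An eavesdropper replays (R, s) from an earlier run against a fresh challenge."""
    x, y = keygen()
    prover, verifier = Prover(x), Verifier(y)
    R = prover.commit()
    e_old = verifier.challenge()
    s_old = prover.respond(e_old)
    e_new = verifier.challenge()
    while e_new == e_old:        # fresh challenge; forced to differ for determinism
        e_new = verifier.challenge()
    return verifier.check(R, e_new, s_old)     # False: s was bound to e_old


def simulated_transcript() -> bool:
    """Zero knowledge: pick e and s first, then solve for R = g^s * y^(-e).
    The transcript verifies although nobody used x."""
    _, y = keygen()
    verifier = Verifier(y)
    e = secrets.randbelow(Q - 1) + 1
    s = secrets.randbelow(Q)
    R = (pow(G, s, P) * pow(y, Q - e, P)) % P  # y^(q-e) = y^(-e) in an order-q group
    return verifier.check(R, e, s)


if __name__ == "__main__":
    print(honest_run(), replay_run(), simulated_transcript())   # True False True
```

The contrast with the earlier delivery-receipt signature is worth making explicit in the lecture: a signature is the same protocol with the challenge replaced by a hash (Fiat--Shamir), which is exactly what turns a deniable, replay-resistant interactive proof into a transferable, non-repudiable receipt.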
This would allow for greater modularity. There is also some material on federated identity management which can also be moved to its own module.
Like using the credit card information for authentication.
Add material on SSI and FIM.
Some students want to use MFA to protect a one-time code for a box to fetch a package.
Currently each session broken out from overview has the old abstract from overview as an abstract. Obviously this is not accurate anymore. The affected sessions are:
intro
bootstrapping
user-machine
something-you-know
something-you-have
something-you-are
machine-user