Join us on June 5th for a Tech Talk with Bill Doerrfeld and Kenn Hussey as we discuss the future of open source. Register now
Back to blog

Effortless Authentication Solutions Your Developers Will Love

Authentication Insights with Keith Casey

Jake Beck
May 16, 2024 | 8 min read

With security breaches through the roof and the age of AI taking off with full force, there’s never been a more important time to brush up on your authentication and authorization strategy. Problem is that most developers are already having to spend too much time on the things that aren’t fun and too little time doing what they actually love—coding. We want auth to matter, but for it to be the utmost priority, it needs to be effortless.

In our latest Livin’ On the Edge podcast episode, I interviewed Keith Casey, senior product manager at Pangea and one of the co-authors of API Developer Weekly. Pangea offers security services in a single platform of API-based security services that can be stacked onto an existing tech stack.

We explored authentication and authorization as crucial aspects of building secure and reliable distributed systems, as well as some best auth practices to help make your auth process a breeze for your developer team.

Why Auth Needs to Be Effortless

“Look, I always say developers have two goals in life. They want to build something useful and then go home. Anything you can do to accelerate one of those things, you should do, and if you're doing anything that slows those things down, you should stop. Using APIs for security needs could help achieve those goals. Plug into our API. Do it in 5 minutes, validate it in a few more, and then just roll with it. Make auth easy," shared Keith.

Authentication and authorization (AuthN and AuthZ) needs to be easy for your developers, as these are crucial elements of tech products but not necessarily ones that developers want to spend a lot of time building. Wherever possible, utilizing open standards and API-based solutions can accelerate these processes.

Robust Auth Matters

But it’s not just ease of use that matters; Keith also stressed that AuthN and AuthZ services also need to be robust and flexible to handle different user roles and permissions. There is a difference between adding an additional factor in authentication and adding an additional nuisance. The former improves security, while the latter just complicates the process.

“People often don't have a good mental model of their application when it comes to authorization. They know the roles, but they don't track the relationships and how they merge together. It's important to understand the complexity and granularity required for proper authorization,” shares Keith.

People often don't consider that not all admins should have the same rights. For example, a common mistake that many developers will make is not adding an additional factor in multifactor authentication but rather adding an additional step, which is a mere nuisance and not a true security enhancement.

“Often, we start thinking about components of microservices like all those independent pieces behind the scenes so that when I log in as Keith...we've promoted it in some way to act on my behalf. There needs to be clear identity management in AuthN and AuthZ,” shares Keith.

Many devs default to Role-Based Access Control (RBAC) to combat some of this. Now, while RBAC is a common approach, it often lacks the granularity required for complex systems. Consider adopting a relational-based access control (ReBAC) model, which allows for more fine-grained control over user permissions. This model enables you to define relationships between users, roles, and resources, ensuring that access is appropriately restricted.

And Keith stressed that roles should not be treated as a one-size-fits-all solution. Within a role, there may be different responsibilities and levels of access required. For example, a billing admin should have access to billing information but not necessarily the ability to modify other system components. Define roles and permissions based on specific responsibilities to minimize security risks.

Other Auth Tips for Smooth Sailing

A couple of other authentication tips we covered in this episode included:

  1. Use Strong Password Hashing: Many applications still use weak password hashing algorithms like MD5 or SHA1, which have been compromised for years. It is essential to upgrade to more secure algorithms like bcrypt or argon2. These algorithms provide better protection against password-cracking attempts.
  2. Implement Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring users to provide multiple forms of identification. However, it is important to note that simply adding additional steps, such as security questions, does not constitute true MFA. Consider using one-time tokens or email magic links as additional factors to enhance security.
  3. An Extra of Layer of Security With Possession Factors: Possession factors, such as physical tokens or pass keys, provide an added layer of security. However, they can be challenging to manage and may not be suitable for all use cases. Evaluate the trade-offs and choose the most appropriate authentication method for your system.

Bonus: Standardization Across Microservices & Distributed Systems

A related side note that we covered was the importance of standardization when logging across multiple microservices in a distributed system. Keith stressed that a consistent and reliable logging system is crucial for debugging and maintaining system integrity, and standardization will create that consistency for you.

“In distributed systems, there are cross-cutting concerns like logging that need to be addressed. Breaking out capabilities and making them reusable components can help ensure consistency and predictability throughout the system,” shared Keith.

I couldn’t agree more; there’s nothing worse than when you're trying to debug something, and you go and look at one service, and it's really nice with parsed-out Logs, but then you go to track it down, and it's just a jumbled mess of like no standardization!

Standardization also matters for distributed systems, where authorization becomes more complex due to the involvement of multiple components and external dependencies. Standardize your authorization policies across all components so that access control is properly managed when interacting with external APIs. This will help you maintain better security and levels of compliance.

In the End

Building secure and reliable distributed systems requires careful consideration of authentication and authorization practices, and the easier it is to integrate into your dev’s workflow, the better. Handling authorization in distributed systems requires a thorough understanding of the relationships between users, roles, and resources. By following these best practices that Keith covered with us, devs can build robust and secure distributed systems that protect user data and maintain system integrity.

That means–secure APIs, strong systems, and more time to code! I appreciate Keith coming on the show and sharing his wisdom. For more insights, check out our other podcast episodes or our blog!