Discussion about Auth and Security

authAndSecurity.md

Discussion Questions on Authentication and Security

1. Why is it important to secure a backend application, and what are some potential risks if it remains unsecured? Discuss how attaching data to a user identity can mitigate some of these risks.

2. How does the use of tokens enhance the security of a web application? Explain the process of generating and using tokens for user authentication, and compare it with the use of plain email and password combinations.

3. What are the benefits of using modern hashing algorithms for passwords compared to older methods? Discuss the role of salting in preventing attacks and the concept of an adjustable cost factor.

4. Explain the steps that take place when a user signs in to a website. How is the authentication data handled and stored, and what are the implications of these storage locations on security and user experience?

5. Differentiate between authentication and authorization. Provide examples of scenarios where both are necessary to ensure the security and privacy of user data in a web application.

6. Which technologies are considered stateful and which are stateless? What are the differences between both, and what are the advantages and disadvantages of each in managing user authentication?

@Hophneylen
@samuelthis
@thewesss

1. securing a backend application is essential to protect sensitive data, maintain trust, comply with regulations, and prevent malicious activities. Attaching data to a user identity strengthens security by enforcing access control, increasing accountability, and enabling dynamic responses to potential threats.

• Tokens enhance web application security by acting as temporary, encrypted credentials for user authentication and authorization. Unlike session cookies, tokens are stateless and don't require server-side storage, reducing the risk of session hijacking. Additionally, tokens can be easily revoked or expired, adding an extra layer of security in case of compromise.
• When a user successful login with their email and password, the server generates a unique token containing encrypted user information and sends it to the client. This token is then included in subsequent requests, verifying the user's identity without repeatedly sending sensitive credentials. Unlike plain email and password combinations, which are vulnerable to interception, tokens offer enhanced security due to their temporary nature and encrypted payload.

• The benefits are Increased Security, Resistance to Rainbow Table Attacks, Slow Hashing-This intentional slowness makes brute force attacks significantly more difficult and time-consuming.
• The role of salting in preventing attacks is creating unique hashes for identical passwords, gives enhanced security for reused passwords and provides protection against rainbow table attacks.
• An adjustable cost factor in modern hashing algorithms (like bcrypt, Argon2, and PBKDF2) determines the computational complexity of the hashing process. By increasing the number of iterations or rounds, the cost factor makes password hashing more time-consuming and resource-intensive. This enhances security by slowing down brute force attacks.

• You type in your username and password on a website login page.
• The website checks if what you typed matches what it has stored. This is usually in a database, but can be in other places too.
• If it's a match, the website creates a special code (like a token or session ID) to remember you're logged in.
• This code is sent back to your browser, usually stored in a cookie.
• Every time you request a new page, your browser sends this code, proving you're still logged in.

5. Authentication verifies a user's identity. Authorization determines what resources or actions the authenticated user is allowed to access.

• Banking Application: Authentication confirms the user is legitimate; authorization ensures they can only access their own accounts.
• Healthcare Portal: Authentication verifies the identity of a doctor; authorization grants access to patient records relevant to their care.
• Online Shopping: Authentication logs the user in; authorization controls access to order history and personal information.

6. Stateful technologies - keep information about a user’s interactions across multiple sessions.

• Databases(SQL)
• Stateful firewalls
• Session-based authentication systems
  Stateless technologies- do not keep information about previous interactions. Each request is treated on its own.
• RESTful APIs
• Stateless firewalls
• Token-based authentication systems (e.g., JWT)
  Difference...
  Stateful
• keeps session data on the server. Each user session is tracked, allowing for personalized experiences.
• More challenging to scale due to the need to manage session data across servers.
• Less fault-tolerant as losing a server can result in lost session data.
  Stateless
• Does not retain session data. Each request is independent, requiring all necessary information to be included in each request.
• Easier to scale as each request can be handled by any server without needing to share session data.
• More fault-tolerant since each request is independent and does not rely on previous interactions.
  Advantages of stateful
• Security: More secure as session data is stored on the server, reducing the risk of token theft
• User Experience: Provides a seamless and personalized user experience by retaining session data.
  Disadvantages
• Harder to scale as session data needs to be shared across servers
• Resource Intensive: Requires more resources to manage and store session data]-stateful-authentication).
  Stateless....
  Advantages:
• Scalability: Easier to scale as each request is independent
• Resource Efficiency: Less resource-intensive as no session data is stored on the server
  Disadvantages:
• Security: Potentially less secure as all session information is stored in the token, which can be intercepted
• Complexity: Can be more complex to implement securely

Sinethemba Zulu
Sakhile Motha
Nonhanhla Mazibuko

1. It is important to secure an application because users may share their sensitive data such as financial information or personally identifiable information, securing the application ensures that this sensitive data is protected from online risks/threats such as unauthorized access to data, identity theft, scams, file loss, etc. Attaching a user identity to data will ensure that only authorized users can access the data that is associated with their identity. It also allows for the tracking and logging of user activity which will be helpful when investigating data breaches and threats.

2. Token-based authentication enhances web application security by enabling stateless authentication, where the server does not store session data, reducing the risk of session hijacking. Tokens, usually JWTs, are generated upon user login with valid credentials and contain user information and an expiration time, signed with a secret key. These tokens are stored client-side and sent with subsequent requests in the Authorization header, allowing the server to verify and process requests without repeatedly exposing plain text credentials. Compared to plain email and password combinations, which increase exposure risk and require server-side session management, tokens offer a more secure and scalable solution, with a limited lifespan and easy invalidation enhancing overall security.

3. Using modern hashing algorithms for passwords offers significant advantages over older methods,
   they incorporate multiple hashing rounds, which increases the time required to compute each hash, enhancing security.
   Salting plays a crucial role in password security by adding a unique, random string to each password before hashing.
   This practice ensures that even if two users have identical passwords, their resulting hashes will differ. Salts also defend against rainbow table attacks, as attackers would need to generate a new table for each unique salt, significantly increasing their workload.
   An adjustable cost factor allows for scalability in the hashing process. This factor determines the number of iterations the hashing function performs, making it more computationally expensive for attackers as hardware improves

4. When a user signs in to a website, they provide their credentials (e.g., email and password), which are sent to the server for validation. If valid, the server generates a token (like a JWT) and sends it back to the client. The token is stored client-side, usually in local storage or cookies. This token is then included in the Authorization header of subsequent requests for authentication. Storing tokens client-side reduces server load and improves scalability but requires secure handling to prevent XSS attacks. Proper storage and security measures enhance user experience by enabling seamless, stateless authentication while maintaining data protection.

5. Authentication is the process of confirming the identity of a user when signing in on an application. It is when a user is supposed to provide their username and password. Authorization is the process of checking whether a user whose identity has already been verified has permission to access data or do some action on the application. For example, In online banking, both authentication and authorization are necessary. A user may log in using their username and password and a user may need additional verification to perform a transaction

6. Stateful technologies, like traditional server-side sessions, store session data on the server, maintaining a persistent state between client interactions. Stateless technologies, like token-based authentication (e.g., JWT), do not store session data on the server, instead embedding all necessary information within the token itself. The main difference is that stateful systems require server storage and management of session data, while stateless systems embed state within the token, reducing server overhead. Stateful authentication ensures greater control and security over session data but can be less scalable and more resource-intensive. Stateless authentication improves scalability and performance by offloading session management to the client, but it requires careful handling of tokens to prevent security risks like XSS attacks.

Emihle
Ntandoyenkosi
Konanani
Thabiso

1.- Protecting Sensitive Data
-Preventing Unauthorized Access to not allow just anyone to have access
-Maintaining Trust so users know that their personal information is safe

2.Tokens make web applications safer by creating random tokens. When a user logs in, the server makes a special code for them. This code is stored securely on both the server and their device. It's used for future logins and actions, so the user doesn't need to type their password every time. Tokens have time limits for safety and can be canceled if there's a problem. They make it easier for users to keep using apps securely without having to remember and type their password repeatedly. Using passwords are easy to remember since they were created by the user.

3.Modern hashing algorithms, provide considerable security improvements over older methods like MD5 and SHA-1. These algorithms include features such as salting, resistance to brute-force attacks, memory hardness, and adjustable cost factors, all of which enhance password security. Salting ensures that password hashes are unique and prevents attacks using precomputed hashes. The adjustable cost factor allows the computational difficulty of hashing to increase alongside advances in hardware capabilities, thereby maintaining strong security over time.

4. When a user signs in to a website, they provide their username/email and password, which are sent securely to the server. The server checks these credentials against stored, hashed passwords. If valid, a session is created, and a token or session ID is generated and stored on both the client (e.g., in a cookie) and server sides. This token allows subsequent access to protected resources without re-entering the password. Secure handling and storage of authentication data, including hashing passwords and using tokens, ensures both security against breaches and a smooth user experience

5. Authentication verifies the identity of users, ensuring they are who they claim to be through methods like passwords or biometrics. Authorization determines what authenticated users can access or do within the application based on their roles or permissions. Both are crucial for securing user data in web applications: authentication ensures only legitimate users access the system, while authorization controls what actions and data each user can interact with, thus safeguarding privacy and maintaining security.

Example scenarios :
Login Page (Authentication):
Users authenticate with credentials (username/password) to access their account.
Proper authentication ensures only legitimate users can log in.
Two-Factor Authentication (2FA) (Authentication):
Combining password and OTP for enhanced security.
Adds an extra layer of protection against unauthorized access.
Role-Based Access Control (RBAC) (Authorization):
Different roles (e.g., user, admin) have varying permissions.
Admins can manage users, settings, and critical functions.
Resource-Level Authorization (Authorization):
Limiting access to specific data (e.g., user profiles).
Protects sensitive information and ensures privacy.
Privacy Settings (Authorization):
Allowing users to control who sees their content.
Empowers users while safeguarding their data.

6. Stateful Technologies:

• HTTP Sessions
• Cookies with server-side storage

Stateless Technologies:

• JWT (JSON Web Tokens)
• OAuth Tokens

Stateful technologies maintain session data on the server, allowing for continuous client-server interactions with preserved state. In contrast, stateless technologies do not store session data on the server, relying on tokens or self-contained requests for each interaction. The choice between stateful and stateless depends on application complexity, scalability needs, and security requirements.

Pros for statefull:
They use the information they’ve saved to give customers what they want, which increases customer engagement.
Remember what the user was doing before and pick up where they left off, retaining useful information and improving the customer journey.
Secure apps save user login and session data, which protects important information.
Cons:
Developers have to work harder to keep state info, which makes it challenging to develop and maintain stateful apps.
Creating a stateful app is not an easy task. It’s hard to keep track of state info across instances.
Stateful apps use more resources, especially memory, and storage, which slows them down.
In the event of a loss, it is hard to get the application back to the way it was because you also have to recover the lost data.

Pros for stateless:
Stateless apps scale better because each request is processed separately. Adding more application instances without state consistency concerns improves load balancing and horizontal scaling.
Stateless applications require less state management logic, making them easier to design, create, and maintain.
Stateless applications don’t store state across requests, thus one failure doesn’t affect the others. System fault tolerance improves

cons for stateless:
Stateless apps must send all data with each request and response, which may increase overhead. Stateless applications may have lower performance and latency as they do not have to send all the data with each request.
Chat, gaming, and real-time collaboration apps require state management. These cases may not suit stateless architecture.
Stateful activities can complicate stateless apps. Developers must implement mechanisms for managing state across multiple requests, such as cookies, tokens, or databases to manage state across requests.

@Nhlanhla-advocate @Letagoeve @mpilomthiyane97

1.A backend application must be secured for a number of reasons:

The Value of Backend Application Security:
-Data protection: Sensitive data, such as financial and personal information as well as confidential company information, is frequently handled by backend applications. This data is shielded against breaches and unwanted access by security measures.
-Integrity of Business Logic: Vulnerabilities in business logic can be exploited by insecure backends, giving attackers the ability to alter the intended functionality of the programme.
User Trust: Users anticipate the security of their data. A breach can undermine confidence, costing the company business and harming its reputation.

Potential Risks of an Unsecured Backend
-Data Breaches: Unauthorized access can lead to theft of sensitive data, resulting in financial loss and reputational damage.
-Injection Attacks: Attackers can exploit vulnerabilities to inject malicious code, compromising the application and its data.
-Service Downtime: Attacks can cause outages, affecting service availability and user experience.
Malicious User Activity: Unsecured systems may allow users to perform actions they shouldn’t, such as accessing or altering data without proper authorization.

2.Enhancing Security with Tokens
Process of Generating and Using Tokens for User Authentication:
-User Login: The user provides their credentials to the application, which is typically their email address and password.
-Verification of Credentials: The server compares the stored user data with the credentials. The server generates a token if it finds the request valid, if it’s invalid it lets the user know to input correct credentials.
Token Generation: JSON Web Tokens (JWT) and other standards are commonly used by the server to produce tokens. The token has the following contents:

Information or claims provided by users
-Time of expiration
-A signature
-Storage of Tokens: The client receives the token, which is often kept in a cookie or local storage.
Future Requests: The client appends the token to the HTTP headers for upcoming requests.
Token Verification: With every request, the server confirms the token's validity by examining its integrity and expiration. If valid, the request proceeds; if not, the server denies access.

Importance of Securing a Backend Application:
-Data Protection: Backend applications often handle sensitive data, including personal information, financial details, and proprietary business information. Security measures protect this data from unauthorized access and breaches.
-Integrity of Business Logic: Unsecured backends can lead to exploitation of business logic vulnerabilities, allowing attackers to manipulate the application's intended functionality. Like when hackers hacked banks and demanded a ransom in Bitcoin.
-User Trust: Users expect their data to be secure. A breach can erode trust, leading to loss of customers and damage to the brand's reputation.

3.Security Against Attacks:
-Brute Force Attack Resistance: Attackers are slowed down by modern algorithms, which makes brute force attacks more challenging and time-consuming.
-Protection Against Rainbow Tables: Precomputed hash attacks (rainbow tables) are rendered useless by the use of salts in advanced hashing algorithms.

Adaptive hashing:
With the support of an adjustable cost factor, modern algorithms (such as bcrypt, Argon2) enable the computational effort to grow with faster technology while preserving security over time.
Memory-Hardness: Some contemporary algorithms, like Argon2, are made to be memory-intensive, which causes additional challenges for attackers that have specialised hardware.

4.. Handling and storage of authentication data:

• Password storage: Passwords are hashed and salts are added for security.
• Session tokens: Tokens are stored securely and have expiration times.
  -Database security: Access controls and encryption are used to protect user data.
  Implications on security and user experience:
• Security measures like encryption, hashing, and session management enhance security.
• Ensuring a balance between security measures and user experience is crucial.

5.Authentication is verifying the identity of a user, like logging in with a username and password. Multi-Factor Authentication adds an extra layer of security, like a code sent to a phone. This confirms who the user is.

Authorization determines if an authenticated user can access resources, like different permissions for various roles or only accessing personal data. It controls access based on identity and permissions.

Both are necessary for scenarios like online banking, where users log in (authentication) to access account info (authorization). In healthcare, doctors can view records and patients can book appointments, both after logging in.
User roles in a content management system determine actions. In corporate intranets, employees have different access levels. E-commerce platforms use authentication for orders and authorization for managing customer data.
Both are crucial for security, privacy, and compliance with regulations like GDPR and HIPAA, protecting user data and limiting access.

6.Stateful technologies link user data or session information to a particular server instance by storing it on the server-side. Although this method has scalability issues and can result in session data loss in the event of a server crash or restart, it is simpler to deploy and manage user sessions. Cookies, server-side sessions, and session-based authentication are a few instances of stateful technology.

Conversely, stateless solutions are scalable and adaptable since they do not retain user data or session information on the server-side. Although this method is more difficult to set up and maintain, it provides greater flexibility and makes load balancing and failovers easier to handle. Stateless technologies include OAuth, API keys, and token-based authentication (like JWT). Stateless methods provide greater scalability and flexibility in user authentication management, however

NokulungaM

1. Securing a backend application is crucial to protect sensitive data, ensure regulatory compliance, maintain trust and reputation, and prevent unauthorized actions. An unsecured backend is vulnerable to data breaches, data manipulation, denial of service attacks, privilege escalation, and injection attacks. Attaching data to a user identity mitigates these risks by enabling access control, accountability, personalized security measures, data segregation, and effective session management, ensuring only authorized users can access and interact with the data and system functions securely.

2. The use of tokens enhances web application security by enabling stateless, secure, and scalable user authentication. Tokens, typically JSON Web Tokens (JWT), are generated upon successful user login using a combination of email and password. These tokens contain encoded information about the user and are signed by the server. The client stores the token and includes it in the header of subsequent requests, allowing the server to verify the token's authenticity and authorize access without repeatedly querying the database. Unlike plain email and password combinations, which require persistent sessions and can be vulnerable to various attacks, tokens offer a more secure and efficient method by ensuring that sensitive credentials are not sent with every request and reducing the risk of session hijacking.

3. Modern hashing algorithms for passwords, such as bcrypt, Argon2, and scrypt, provide enhanced security compared to older methods like MD5 or SHA-1 by being resistant to brute-force and rainbow table attacks. These algorithms incorporate salting, which adds a unique random value to each password before hashing, ensuring that identical passwords result in different hashes and preventing attackers from using precomputed tables to crack passwords. Additionally, they support an adjustable cost factor, allowing the hashing process to be made deliberately slow, which can be adjusted over time to counteract increasing computational power and further protect against brute-force attacks.

4. When a user signs in to a website, the following steps typically occur: the user enters their credentials (email and password), which are sent to the server over a secure connection. The server verifies the credentials against stored hashed and salted passwords in the database. Upon successful authentication, the server generates a token, such as a JWT, and sends it back to the client. The client stores this token, usually in local storage or a secure cookie, and includes it in the headers of subsequent requests for authentication. Secure storage of authentication data on the server (hashed and salted passwords) and client (tokens) is crucial for protecting against unauthorized access and ensuring a smooth user experience by avoiding repeated logins. However, improper handling or storage can lead to security vulnerabilities like token theft or unauthorized access.

5. Authentication verifies a user's identity, while authorization determines what resources and actions the authenticated user is allowed to access. Both are necessary for security and privacy in web applications. For example, in an online banking app, authentication ensures the user is who they claim to be by verifying their credentials. Authorization then ensures the authenticated user can only access their own account information and perform allowed transactions, not access other users' data or perform unauthorized actions.

6. Stateful technologies, like traditional server-side sessions, store user authentication data on the server, while stateless technologies, like JWT tokens, store this data on the client. Stateful authentication keeps track of user sessions, allowing for centralized control and easy session invalidation but can become resource-intensive and less scalable. Stateless authentication, being client-side, is more scalable and reduces server load but can be harder to manage securely and invalidate. Each method has trade-offs: stateful provides better control and security at the cost of scalability, whereas stateless offers better performance and scalability with potential security challenges.