From the course: React: Authentication (2021)
What is user authentication? - React.js Tutorial
What is user authentication?
- [Instructor] So let's start off our user authentication journey by learning the very basics. And for that, the first question we're going to look at is: what exactly is user authentication? Well, put simply, when users use our applications, user authentication is how we know that they are who they say they are. And this is a very interesting and often somewhat tricky topic. To understand the reason for this, think about when you interact with someone in real life, face to face. When you're talking with a friend or family member, for example, you know that it's them because of the way they look, their voice, their mannerisms, et cetera. But interacting with people over the internet is a little bit different. Some of you may know someone who's an identical twin, and you may have had this experience: when those two people are in the same room wearing similar clothing, you have a very hard time telling who's who, and sometimes they may even prank you into thinking that one is the other. So let's take this a step further. Imagine that everyone on earth is identical. They all look identical, have the same voice, et cetera. You'd have a pretty hard time really ever determining who's who, wouldn't you? And that's actually not a bad metaphor for what it's like to interact with people over the internet, as a website. That is, from the point of view of our website, all of our users are identical. Sure, they might have different IP addresses, different browsers, et cetera, but those pieces of information are shaky at best for identifying our users. At the end of the day, if we were to ask any given user "who are you?", they could basically answer however they like, and we wouldn't really be able to know if they're telling the truth or not, at least not without some clever techniques. And that's where the art and science of user authentication comes in.

So again, our definition of user authentication is that user authentication is simply the technique of verifying that the users of our site are who they say they are. So that's what user authentication is on a conceptual level. But the next question is, how exactly does it work? Well, broadly speaking, there are three main strategies or tests that our sites can use to make sure that our users are who they say they are. And we'll call these the knowledge test or knowledge-based authentication, the ownership test or ownership-based authentication, and finally, the biological test or biological-based authentication. So let's go over each of these and talk about how they work. The first one is knowledge-based authentication. And currently this is probably the most commonly used form of user authentication. It involves making our users prove who they are based on the fact that they know some key piece of information. And this key piece of information is more often than not a password or a PIN. In other words, when the user wants to claim that they're John Doe, for example, our site will say, "Okay, well, if you're the real John Doe, you'll know John Doe's password. What is it?" And if they know it, we believe that they are the real John Doe. If they don't know it, then we don't. And this knowledge-based authentication can also be something like security questions, where we say, "Okay, if you're John Doe, then what's your mother's maiden name?" Now, obviously, knowledge-based authentication has its fair share of problems. Probably the biggest problem is that it's highly reliant on the user actually coming up with a good password. And while we can try and enforce this by forcing the user to use capital letters, numbers, symbols, et cetera, many users still insist on inputting things like "abc123" or their name or something completely guessable as their password.

And in the case of security questions, such as a mother's maiden name, the street you grew up on, et cetera, these answers are generally pretty easy to find within 15 seconds or less on Google. So the next broad grouping of authentication strategies is what we call ownership-based strategies. And these involve requiring the user to prove that they have something. And this something could be an email address, where we send them a code to make sure that they actually own and have access to that email address. Or it could be a cell phone, where we send a code to their phone number to prove that they have the phone. Or it could be something like an OTP fob or OTP app, which displays a code that refreshes automatically every 20 to 30 seconds to make sure that it can't be guessed by brute force. Now, in general, authentication by ownership is pretty secure. It does have its own share of problems as well. First of all, some ownership methods, such as sending a code to your email address, for example, rely indirectly on knowledge-based strategies, since someone other than you can access your email account if they're able to guess your email password. Another risk of this kind of authentication is that, in the case of a phone or fob, they could be physically stolen, or, as many of you have experienced in the past, they can also be lost, which puts the user themselves in a bit of a difficult situation since they can no longer log in. Now, because knowledge-based and ownership-based authentication both have their potential vulnerabilities, what many sites recommend or require is that you use something called two-factor authentication, which usually involves a combination of knowledge and ownership. In other words, you have to know John Doe's password and have access to his phone, which generally makes it a lot harder to impersonate John Doe. So lastly, we have the biological strategies for verifying identity, which you might be able to consider a subset of the ownership strategies.

Basically, the biological methods of user authentication rely on certain biological traits, such as facial recognition, fingerprints, and eye scans, which are hard for hackers to fake and, one would think, harder for users to lose. Now, we're not going to be going into much detail on biological authentication in this course, but I wanted to bring it up anyway. They are a very important method of user authentication in the real world, but they're currently not very popular for web authentication, although you do see them extensively nowadays on devices like smartphones.
Contents
- What is user authentication? (6m 27s)
- Basic project setup (6m 28s)
- Building a login page (8m 54s)
- Building a sign-up page (4m 36s)
- Creating private React routes (4m 11s)
- JSON Web Token basics (9m 22s)
- Adding a sign-up route to the server (8m 10s)
- Generating JSON Web Tokens (6m 10s)
- Adding a login route to the server (6m 59s)
- Implementing JWTs on the front end (7m 36s)
- Adding JWTs to sign-up page (4m 29s)
- Adding JWTs to login page (2m 11s)
- Adding an update user route (6m 22s)
- Verifying JSON Web Tokens (5m 17s)
- Adding JWTs to the user info page (7m 29s)
- Adding logout functionality (1m 33s)