From the course: React: Authentication
What is user authentication? - React.js Tutorial
What is user authentication?
- [Instructor] Alright, well, let's start off our user authentication journey by learning the very basics. And for that, the first question we're going to look at is, what exactly is user authentication? Well, put simply, when users use our applications, user authentication is how we know that they are who they say they are. Now, this is a very interesting and often very tricky topic, and to understand the reason that this is, think about when you interact with someone in real life face to face, right? When you're talking with a friend or a family member, for example, you know that it's them because of the way they look, their voice, their mannerisms, and so on. But interacting with people over the internet is quite different from this, right? Some of you may know someone who's an identical twin, and you may have had this experience when those two people are in the same room, wearing similar clothes, and you have a hard time telling who's who. And sometimes they may even prank you into thinking that one is the other, right? So let's take that a step further. Imagine that everyone on earth is identical: they all look identical, have the same voice, have the same mannerisms, et cetera. You'd have a pretty hard time ever really determining who's who, wouldn't you? And that's actually not a bad metaphor for what it's like to interact with people over the internet as a website, right? What I mean by that is that from the point of view of our website, all of our users are essentially identical, right? Sure, they might have different IP addresses, different browsers, et cetera. But those pieces of information are shaky at best for identifying our users. At the end of the day, if we were to ask any given user, "Who are you?", they could basically answer however they like, right? And we wouldn't really be able to know if they're telling the truth or not, at least not without some clever techniques. And that's where the art and science of user authentication comes in.
So once again, our definition of user authentication is that user authentication is simply the technique of verifying that users of our site are who they say they are. So that's what it is on a conceptual level. But the next question is, how exactly does it work? Well, broadly speaking, there are three main strategies or tests that our sites can use to make sure that our users are who they say they are. And we'll call these the knowledge test or knowledge-based authentication, the ownership test or ownership-based authentication, and finally, the biological test or biological authentication. So let's go over each of these and talk about how they work and what makes them special. The first one here is knowledge-based authentication. And currently, this is probably the most commonly used form of user authentication. It involves making our users prove who they are based on the fact that they know some key piece of information. And this key piece of information is more often than not a password or a PIN. In other words, when the user wants to claim that they're, say, John Doe, our site will say, okay, well, if you're the real John Doe, you'll know John Doe's password. What is it? And if they know it, we'll believe that they are the real John Doe. If they don't know it, then we won't believe them. And this knowledge-based authentication can also be something like security questions where we say, okay, if you're John Doe, then what's your mother's maiden name, right? Sure, you've seen that one before. Now obviously, knowledge-based authentication has its fair share of problems. Probably the biggest problem is that it's highly reliant on the user actually coming up with a good password. And while we can try and enforce this by forcing the user to use capital letters, numbers, symbols, et cetera, many users still insist on putting things like abc123 or their name or something completely guessable as their password.
And in the case of security questions such as someone's mother's maiden name, the street you grew up on or things like that, these answers are generally pretty easy to find within 15 seconds or less on Google if you have a specific target in mind. So the next broad grouping of authentication strategies is what we call ownership-based authentication strategies. And these involve requiring the user to prove that they have something that only the real user should have. Now, this could be an email address where we send them a code to make sure that they actually own and have access to that email address, or it could be a cell phone where we send a code to their phone number to prove that they have the phone, or it could be something like an OTP fob or an OTP app, which displays a code that refreshes automatically every 20 to 30 seconds to make sure that it can't be guessed by brute force. Now, in general, authentication by ownership is pretty secure, but this too does have its fair share of problems. First of all, some ownership methods, such as sending a code to your email address, for example, rely indirectly on knowledge-based strategies, right? Since someone other than you can access your email account if they're able to guess your password. Another risk of this kind of authentication is that in the case of a phone or OTP fob, they could either be physically stolen or, as many of you, and I myself, have experienced in the past, they can also be lost, which puts the user themselves in a bit of a difficult situation since they can no longer log into anything. Now, because knowledge-based and ownership-based authentication both have their potential vulnerabilities, what many sites recommend or require is that you use something called two-factor authentication, which usually involves a combination of knowledge and ownership.
In other words, you both have to know John Doe's password and have access to John Doe's phone in order to impersonate John Doe, which makes this a lot more difficult. All right, and lastly, we have the biological strategies for verifying identity, which you might be able to consider a subset of ownership strategies, I suppose. Basically, the biological methods of user authentication rely on certain biological traits such as face recognition, fingerprints, or eye scans, which are usually pretty hard for hackers to fake, and certainly, one would think, harder for users to lose. Now, we're not going to be going into much detail on biological authentication in this course, but I wanted to bring it up anyway. This is obviously a very important method of user authentication in the real world, such as getting into your phone by using your fingerprint or your face. And so I just wanted to mention this as another option in some cases. And those are the three main methods of user authentication.