This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Difference between revisions of "Category:Web Application Authentication Schemes"
Revision as of 02:58, 14 September 2018
This category is used to mark articles that describe authentication schemes and frameworks.
In authentication, one entity proves it is the one which it claims to be by demonstrating the knowledge of an agreed secret. It is different from identification in which an entity is identified but not verified. The entity in this context can be a person, a system or a service call.
The secret can be one or more of the following.
- something that only you know (e.g. a password)
- something that only you have (e.g. a smart card)
- something you are (e.g. a fingerprint)
- somewhere you are (e.g. a particular IP address)
Each of them has its strengths and weaknesses, so the first question is which to choose. Beyond that, there are more questions.
- How to verify if an entity is already authenticated or not?
- How to inform an entity that it needs to authenticate first?
- How are credentials transferred from one entity to the other?
- How are credentials verified?
- How to inform an entity that it is successfully authenticated?
- How can we avoid replay attacks?
- How to ensure that we don't expose the plain credentials?
- How do we achieve mutual authentication?
- Are we going to ask the user to have different credentials to each system in the enterprise?
- What if we need to scale up?
An authentication scheme addresses such questions. From time to time authentication schemes were exploited, and new schemes evolved to address the security concerns. Some new schemes appeared to address business requirements such as scalability and single sign-on. Now there are a lot of them.
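As an added illustration (not code from the OWASP page), the following minimal challenge-response scheme shows how one scheme answers several of the questions above: the client demonstrates knowledge of the agreed secret without sending it, the server verifies the proof, a one-time nonce prevents replay, and a session token tells both sides that authentication succeeded. The user name, secret and session handling are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example: one agreed secret per principal. A real deployment would
# store a derived key rather than the raw secret; kept raw here for brevity.
SECRETS = {"alice": b"correct horse battery staple"}


class Server:
    """Issues one-time challenges and verifies responses; never sees the secret itself."""

    def __init__(self):
        self.pending = {}      # user -> outstanding nonce ("needs to authenticate first")
        self.sessions = set()  # issued session tokens ("already authenticated?")

    def challenge(self, user):
        nonce = secrets.token_bytes(16)  # fresh, unpredictable challenge per attempt
        self.pending[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        expected_nonce = self.pending.pop(user, None)  # one-time use: a replayed nonce fails
        if expected_nonce is None or not hmac.compare_digest(nonce, expected_nonce):
            return None
        key = SECRETS.get(user)
        if key is None:
            return None
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):  # constant-time comparison
            return None
        token = secrets.token_hex(16)  # tells the entity it is authenticated
        self.sessions.add(token)
        return token

    def is_authenticated(self, token):
        return token in self.sessions


def client_response(secret, nonce):
    """Client proves knowledge of the secret; only the MAC crosses the wire, never the secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo():
    srv = Server()
    nonce = srv.challenge("alice")
    resp = client_response(SECRETS["alice"], nonce)
    token = srv.verify("alice", nonce, resp)              # fresh proof: accepted
    replayed = srv.verify("alice", nonce, resp)           # same nonce and response again: rejected
    stale = srv.verify("alice", srv.challenge("alice"), resp)  # new nonce, old response: rejected
    return token, replayed, stale, srv.is_authenticated(token)
```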
This category page contains pages related to authentication schemes and frameworks.
Pages in category "Web Application Authentication Schemes"
This category contains only the following page.