This repository was archived by the owner on Mar 4, 2022. It is now read-only.
Hi all. I've noticed you started writing a new authentication system. I truly wish you good luck - I believe there is a niche for a modern open source solution in this area.
Currently I am managing IT in a relatively small organization (over 30 users). I wanted to share my thoughts about possible innovation in this area, as seen from the perspective of IT. Sadly, in many open source projects dealing with security and identity management, developers think they know best and rarely consult people actually running software in the wild. Then users end up with things that are neither easy to use nor secure. Nevertheless, I am not here to rant, but present a few ideas, which you may find interesting.
Passwordless authentication as a first-class option
From an IT perspective, dealing with passwords in 2021 is still a major hassle.
I would happily do away with passwords completely. I can't because of stupid apps that still expect them. Please don't make the same mistake. Implement passwordless authentication methods (WebAuthN, U2F, Kerberos, X.509 certificate authentication etc.) and make these options viable. Anything but the damn passwords.
Buying a Yubikey or similar device for all employees is a negligible cost, compared to the hassle of dealing with passwords (ever thought how much time of both users and IT people is wasted on resetting passwords, changing them, etc?). It would be way easier to just give the user their Yubikey and be done with this.
If you want to differentiate from existing solutions, discourage people from using passwords with Authentick. Make passwordless operation as painless as possible, make it a major feature.
Btw. retyping OTP codes from a phone to make a password more secure is not fun. I agree that OTP is necessary if you have passwords, but... OTP would not even be necessary if we didn't use passwords in the first place.
Directly support OpenID Connect and SAML
For an authentication server to be usable in 2021, it has to support at least the two major authentication protocols to integrate with web applications. I would see no point in deploying an authentication system that is unable to support these two. A lot of major web apps are already using them.
Good integration with existing user directories
The truth is that almost everyone and their dog already have some kind of user directory. In classic IT, the need for a user directory appears the moment the admin has to manage more than a few machines and users. I find it highly unlikely that anyone in a real-world environment will want to manage users and groups directly in your server. At least not unless you provide features on par with FreeIPA or Microsoft Active Directory. Which is unlikely - these systems are very good at what they do and most orgs will use one of them sooner or later.
Therefore, I think management of users and groups in a web-centric system is not a major concern. Such a system should mostly be concerned with integration with existing user directories and do its best to ensure a valid representation of the structure already existing there.
Additionally, a web-centric authentication server should be able to utilize any Single Sign-On mechanisms exposed by the underlying user directory (like Kerberos). Why even authenticate the user again, if they just logged into their workstation and have credentials obtained from their user directory? Authentick could automagically perform Kerberos authentication for a user accessing any web resource protected by Authentick, then issue an appropriate token depending on the technology used to integrate with the application (OAuth etc.). Ideally, the user would never even see the Authentick login page.
Anyway, it is just a set of my opinions ;). Thanks for your work. Even though I am unable to directly contribute, due to my other responsibilities, I'll be checking out your progress.