MODERN METHODS OF USER AUTHENTICATION AND AUTHORIZATION IN DISTRIBUTED WEB-ORIENTED SYSTEMS

I.S. Zinovieva, O.M. Potapchuk

Èlektron. model. 2024, 46(3):39-56

https://doi.org/10.15407/emodel.46.03.039

ABSTRACT

This paper presents a comparative review of the most common methods of authenticating and authorizing users of web-oriented systems with a distributed architecture. Given the relevance of cybersecurity issues in the digital age, the research focuses on identifying effective strategies for protecting user data when developing distributed web-oriented systems in the trade sector. The most likely threats to data access that are characteristic of distributed web-based systems are studied, and the potential causes of these vulnerabilities are identified. Particular attention is paid to assessing the risks and benefits of various approaches, including basic authentication, session-based authentication, JWT tokens, and access and refresh tokens (the OAuth 2.0 standard). Various aspects of each method are analyzed, in particular their reliability and susceptibility to attack. The work discusses real cases of vulnerabilities in distributed web-oriented systems and offers recommendations for eliminating them in order to enhance the security of online trading platforms.
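As an added illustration, not code from the paper or its authors, the following Python sketch models the server side of the four mechanisms the abstract compares, so that the trade-off between them (credentials on every request, server-side revocable state, stateless self-contained tokens, and short-lived access tokens paired with rotating refresh tokens) can be exercised directly. The signing key, user table, password, token lifetimes and the token-family bookkeeping are constructed assumptions, and SHA-256 stands in for a proper password hash such as bcrypt or Argon2.

```python
"""Added illustration (not from the paper): minimal server-side models of basic auth,
session auth, HS256 JWTs and OAuth 2.0-style access/refresh token pairs.
Every secret, user and password below is constructed for the example."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"hypothetical-signing-key-change-me"  # assumption: key held only by the server
# Constructed user store; SHA-256 stands in for a real password hash (bcrypt/argon2).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


# 1. Basic authentication: the credential itself travels on every request (TLS is mandatory).
def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(header):
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    digest = hashlib.sha256(password.encode()).hexdigest()
    stored = USERS.get(user, "0" * 64)  # dummy keeps timing uniform for unknown users
    ok = hmac.compare_digest(stored, digest)  # constant-time comparison
    return user if ok and user in USERS else None


# 2. Session-based authentication: opaque ID, state lives server-side, revocable at once.
SESSIONS = {}


def create_session(user, ttl=3600, now=None):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "exp": (now or time.time()) + ttl}
    return sid


def check_session(sid, now=None):
    rec = SESSIONS.get(sid)
    if rec is None or rec["exp"] <= (now or time.time()):
        SESSIONS.pop(sid, None)
        return None
    return rec["user"]


def revoke_session(sid):
    SESSIONS.pop(sid, None)


# 3. JWT (HS256): self-contained and stateless; cannot be revoked before `exp` passes.
def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(user, ttl=900, now=None):
    now = int(now or time.time())
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps({"sub": user, "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def verify_jwt(token, now=None):
    try:
        head, body, sig = token.split(".")
        hdr = json.loads(b64url_decode(head))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":  # pin the algorithm server-side
            return None
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= (now or time.time()):
        return None
    return claims.get("sub")


# 4. OAuth 2.0-style pair: short-lived JWT access token plus a single-use, rotating refresh
#    token; presenting an already-rotated refresh token revokes its whole family.
REFRESH = {}


def issue_token_pair(user, family=None, now=None):
    rt = secrets.token_urlsafe(32)
    REFRESH[rt] = {"user": user, "family": family or rt, "used": False}
    return issue_jwt(user, now=now), rt


def refresh(rt, now=None):
    rec = REFRESH.get(rt)
    if rec is None:
        return None
    if rec["used"]:  # replay of a rotated token: treat as theft and kill the family
        for key in [k for k, v in REFRESH.items() if v["family"] == rec["family"]]:
            del REFRESH[key]
        return None
    rec["used"] = True
    return issue_token_pair(rec["user"], family=rec["family"], now=now)
```

The contrast the sketch makes concrete is revocability: `revoke_session` invalidates a session immediately because the server holds the state, whereas a JWT stays valid until its `exp` claim passes no matter what the server learns in the meantime, which is why the access token is kept short-lived and longevity is moved into a refresh token that the server can track, rotate and revoke.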

KEYWORDS

authentication, authorization, security, data protection.
