Hey, it looks like a resource failed to load. If you have an ad-blocker, please turn it off.

Light Mode

Authentication sure is wacky!

A pizza parable

Let's assume for a moment that you're a restaurant owner. You've got a number of employees who all need to clock in/out when they enter/leave the building for work. So, how do you do that?

The Naive Solution

Just have them report their hours worked! Why bother with anything complicated? You know and trust your employees, so you figure you can just rely on them to tell you how many hours they worked when you're filling out their paychecks at the end of the week.

This works fine for a few months. Every week, they come in and tell you 20, 30, 40 hours worked. You check the first few times, but you trust them and that trust wasn't misplaced.

Then, you hire a new kid. He's young, spry, willing to work. His paycheck's going to help his dad's hospital bills. A young go-getter, you could call him, if you thought his reason for needing to work was one to commended instead of held in outrage that it was necessary. He starts working, and a few weeks pass.

October, he reports that he worked 34 hours. This raises an eyebrow; you know he didn't come in Tuesday, and he only worked for 5 hours total on Monday and Wednesday. He doesn't work Wednesday so he can help his dad, so that would mean he would need to have worked 6 hours a day for all of them, which is... odd? But you brush it off, thinking your memory's faulty.

November, he reports that he worked overtime 5 hours for a total of 45 hours that week. Now, you know that's not right, because you personally approve overtime. So you ask him point-blank: are you lying to me young man? And he says yes, he's sorry, but his dad's bills are stacking up and he needed the money and--

You tell the boy to breathe. That you want the money taken worked off, and that you'll give him more hours so that he can pay for his dad's bills. But then you get to thinking; his intentions are good now, but how can you verify that the hours worked are valid? You don't have security cameras because you don't trust them, so you can't track it like that. What you decide on is

The Initial Solution

You announce: Hey gang, I'm gonna need to start tracking your hours. You hold up a special pen (unbeknownst to them) and say, when you clock out, you need to report your shift hours to your manager, who will write down how many hours you've worked on a time tracking sheet. If you don't do that, your hours aren't counted. Capiche?

They're not happy about this, but you need to be sure you're not getting ripped off. So time goes by. End of the week, the manager gives you the timesheet. You pull out a special tool, which checks the ink in the pen for interactions with ultraviolet radiation. Surprise! The pen is how you verify that the hours worked are correct. If the ink doesn't react, you know it was faked.

Lo and behold, one was! Little Mandy tried to pull a fast one on you. You mark it and pay out her paycheck minus those fake hours, then everyone else's. Seems to work!

Then, your manager points something out; Tristan, on the sheet, worked 10 hours on Wednesday. But he remembered Tristan leaving after 3 hours. You object, because the ink is reacting! But then you realize.

The pen you bought is one of many. One of the rapscallions could've just bought a different pen that reacted the same, and written it down!

You put your head in your hands. You just want to make good pizza. Your manager pipes up; there's a system he saw, that allows people to clock in and out automatically using their fingerprint. It'd solve their problem right up.

You give him free rein to buy it, and start to drink at your desk.

The Electronic Solution

The next week, the fingerprint system is installed.

Every employee clocks in by pressing their finger against a reader when they arrive, and clocks out the same way when they leave. The system records the time automatically, stores it electronically, and produces a report at the end of the week.

You and the manager tested it together; it is incredibly hard to fake a fingerprint, and it automatically outputs the hours worked. The only way that they could fake having hours worked is if they came in, left for a few hours, and then came back in later. Your manager would catch that, though.

And after a few weeks, then a few months, you find that your worries about payroll and time tracking evaporate. Finally, you can just be stressed out about making pizza.

What the hell did that mean?

What I was trying to illustrate is different ways of handling authorized input.

The first version had no authentication. It was all self-reported; akin to you telling your computer "Yeah, I'm Bill Gates" and expecting to be given his desktop. Which like, what? That's not how anything works.

Second version's weak authentication. We have a unique way of tracking valid data, which is easily replicated due to insufficient validity checks. However, it does weed out obviously fake data, which is sometimes enough.

The final one uses a piece of proof that is tied to an identity being authenticated (a username + password, or fingerprint) and ties that to some permissions via authorization scopes. Mandy can't clock in for Tristan and vice versa, because they've got different prints and different permissions.

I just completed an upgrade for my management portal from the weak authentication to the strong one, and it taught me a lot about OAuth2 integration. I'm also completely sure that authentication is a pain in the ass, and I'd much rather just go back to making pizzas.