Identity and Data Security for Web Development by Tim Messerschmidt, Jonathan LeBlanc

Chapter 3. Identity Security Fundamentals

After discussing the ongoing issues with current security models in the first chapter and introducing secure passwords, hashing, and salting in the second chapter, we now focus on using a person’s identity across multiple sites to handle different authentication and authorization scenarios.

Merriam-Webster defines identity as “the qualities, beliefs, etc., that make a particular person or group different from others.” These qualities are what make identity relevant to the concept of security.

Understanding Various Identity Types

While using the Internet, an individual establishes an online identity that represents certain elements or characteristics of that person. This form of identity can—and often will—differ across multiple sites and leads to a fragmentation that we can group into different areas based on a website’s use case.

In this section, we introduce three types of identity that we will then discuss in detail: social identity, concrete identity, and thin identity. These types of identity often overlap and can share the same attributes, as shown in Figure 3-1.

These three identity types can be considered federated identities and are applied through technologies such as SAML, OpenID, OAuth, and tokenization. Federated Identity Management (FIM or FIdM), often applied through single sign-on (SSO), is the practice of using a set of identity attributes across multiple systems or organizations. ...