
2.2 Authentication Attributes (attributes and elements of authentication)

User accounts necessarily include various pieces of information for authenticating the user – we refer to these as authentication attributes.

Some of these attributes may be persistent, such as the user’s username and password, whilst others may be transient, such as the list of currently valid authentication cookies.

For a given account, we refer to the set of authentication attributes and their corresponding values as the state of the account at that specific point in time. Figure 1 shows an example of such a state.

FooApp State: S
Username alice@example.com
Email alice@example.com
Password $ecret_pass619
IdPId FB-Id-User42h3
SessionId A2jkh2k2h55h2kn
PhNum 9886625631

Figure 1: Example state of the authentication attributes for an account at the FooApp service.

In this example, the Username attribute of this account is the user’s email address.

This need not always be the case, but a large number of online services use email addresses as usernames as these are guaranteed to be unique, and are easy for users to remember.

In this paper, we assume that the user’s email address is always used as the account username.

The Email and PhNum (phone number) attributes can also be used to recover access to the account if the user forgets the password.

Although implementations may differ, the general pattern for a password reset is for the service to send a secret capability (e.g., a code or a URL with an embedded authentication token) to the registered email address or phone number. Using this capability, the legitimate user can authenticate to the service and reset the password.

As expected, the Password attribute represents the user-chosen secret used to authenticate the user to the service. Although Figure 1 shows a representative example, real services should store the password securely (e.g., storing only a salted hash of the password). Although not shown, this attribute also encompasses any other authentication secrets, such as secret keys used in multi-factor authentication (MFA).

The IdPId attribute records the identity of the user as provided by a federated identity provider. Depending on the service, it may be possible to add one or more federated identities to an existing account, after the account has been created (e.g., the option to “Connect with Facebook” or an equivalent IdP).

In our representation, this would be recorded as a change to the value of the IdPId attribute.

The SessionId attribute encompasses all currently-active sessions’ identifiers (e.g., valid authentication cookies) for the account. This is a transient attribute as sessions usually end when the user signs out, or after a period of inactivity. }}}
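The following is an added example, not code from the paper or from any real service, that models the account state of Figure 1 and the behaviour described in this section: the persistent attributes (Username, Email, Password, IdPId, PhNum), the transient SessionId set, a salted password hash in place of the plaintext shown in the figure, and the password-reset pattern in which a secret capability is sent out of band and later presented to set a new password. The class and method names, the PBKDF2 work factor, the 15-minute capability lifetime, the single-use rule for capabilities, and the choice to end all sessions on a reset are assumptions of this example, not statements from the paper.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed example of the paper's "account state" (Figure 1); all names
# and policy values below are assumptions for illustration.
PBKDF2_ITERATIONS = 100_000       # assumed work factor for the salted hash
RESET_CAPABILITY_TTL = 15 * 60    # assumed: reset capabilities expire after 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$hash' so the state never holds the plaintext password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class AccountState:
    """One account's authentication attributes at a point in time (Figure 1)."""
    username: str                                        # persistent; equals email here
    email: str                                           # persistent; recovery channel
    password_hash: str                                   # persistent; salted hash only
    phone: Optional[str] = None                          # persistent (PhNum); recovery channel
    idp_ids: Set[str] = field(default_factory=set)       # persistent (IdPId); federated identities
    session_ids: Set[str] = field(default_factory=set)   # transient (SessionId)
    # transient: sha256(capability) -> expiry time. Only the hash is kept; the
    # capability itself is delivered to the registered email/phone and never stored.
    pending_resets: Dict[str, float] = field(default_factory=dict)

    @classmethod
    def create(cls, email: str, password: str, phone: Optional[str] = None) -> "AccountState":
        # Assumption from the paper: the email address is used as the username.
        return cls(username=email, email=email, password_hash=hash_password(password), phone=phone)

    def login(self, password: str) -> Optional[str]:
        """Verify the password and open a new session; returns the session id or None."""
        if not verify_password(password, self.password_hash):
            return None
        sid = secrets.token_urlsafe(24)
        self.session_ids.add(sid)
        return sid

    def logout(self, sid: str) -> None:
        self.session_ids.discard(sid)

    def link_idp(self, idp_id: str) -> None:
        """'Connect with <IdP>': recorded as a change to the IdPId attribute."""
        self.idp_ids.add(idp_id)

    def issue_reset_capability(self, now: Optional[float] = None) -> str:
        """Create the secret capability the service would send to email/phone."""
        now = time.time() if now is None else now
        capability = secrets.token_urlsafe(32)
        key = hashlib.sha256(capability.encode()).hexdigest()
        self.pending_resets[key] = now + RESET_CAPABILITY_TTL
        return capability

    def reset_password(self, capability: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        """Accept a capability once, within its lifetime, and set a new password."""
        now = time.time() if now is None else now
        key = hashlib.sha256(capability.encode()).hexdigest()
        expiry = self.pending_resets.pop(key, None)   # single use: removed even if expired
        if expiry is None or now > expiry:
            return False
        self.password_hash = hash_password(new_password)
        self.session_ids.clear()   # assumed design choice: a reset ends every existing session
        return True


if __name__ == "__main__":
    acct = AccountState.create("alice@example.com", "$ecret_pass619", phone="9886625631")
    acct.link_idp("FB-Id-User42h3")
    cap = acct.issue_reset_capability()
    print("reset accepted:", acct.reset_password(cap, "new-password"))
    print("state:", acct)
```

The `now` parameter exists only so that expiry can be exercised deterministically; a real service would read the clock itself. Keeping only a hash of the outstanding capability mirrors the treatment of the Password attribute: a copy of the stored state does not by itself let anyone complete the reset.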


MoinQ: なりすまし/account_pre-hijacking/2/2.2 (last edited 2022-06-10 00:35:18 by ToshinoriMaeno)