What is the difference between legacy authentication and basic authentication?

  • Question

  • What is the difference between legacy authentication and basic authentication? The material I found says "Legacy Authentication refers to all protocols that use Basic Authentication."

    Does that mean the concept of legacy auth is broader than the concept of basic auth?

    May 25, 2021, 3:00


  • Legacy Authentication

    For years, Windows (and other systems) have relied on protocols like CHAP, NTLM, and Kerberos, which don’t work particularly well over the internet. Authentication for internet resources would typically use Basic Authentication, which has the benefit of being very simple. The username and password were contained in a single header field, in plain text with base64 encoding. For this reason, Basic Auth needed to be combined with SSL to encrypt the headers (remember the adage: NEVER authenticate to a website that is not SSL protected) and protect the user’s credentials. However, even when HTTPS is used, there are still a number of vulnerabilities for Basic Auth. First, the authentication header is sent with each request, so the opportunity to capture credentials is practically unlimited. Second, the password will be cached (and possibly permanently stored) within the browser, creating another surface for compromise. Additionally, the entire basis of basic authentication is predicated on a very simplistic and archaic username\password architecture that Microsoft is trying to eliminate.

    Modern Authentication

    Modern Authentication is not a single authentication method, but instead a category of several different protocols that aim to enhance the security posture of cloud-based resources. Some examples of Modern Authentication protocols are SAML, WS-Federation, and OAuth. While each is different in its execution, they all aim to move away from the classic username\password method and instead rely on token-based claims. So, while the user may still provide a username and password (for now; see more below), it is used to authenticate with an identity provider to generate a token for access. This token has more specific information (in the form of a claim) that specifies what the requestor does and does not have access to. Tokens also expire and can be revoked, so there is more ability to govern access.

    Comparing the two passages above: Legacy Authentication is the counterpart of Modern Authentication, while Basic Authentication refers to the traditional username\password way of authorizing, and non-Basic Authentication refers to modern token-based claims and similar ways of authorizing.

    May 25, 2021, 7:48
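The answer above makes two concrete points that are easy to see in code: a Basic header is just base64 of "user:password" (encoded, not encrypted) and travels with every request, whereas a bearer token is an opaque claim with an expiry. The following is an added example, not code from the original thread or from Microsoft; it classifies Authorization headers from constructed sample requests as legacy (Basic) or modern (Bearer), recovers only the username from a Basic header, reads the unverified `exp` claim from a JWT-shaped bearer token, and produces a small report of which accounts are still sending passwords. The request dicts, the account "alice", and the unsigned fake JWT are all constructed for the example.

```python
import base64
import json
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AuthSummary:
    scheme: str                       # "Basic", "Bearer", another scheme, or "none"
    legacy: bool                      # True when the request carries a reusable password
    username: Optional[str] = None    # recovered from a Basic header (never the password)
    expires_at: Optional[int] = None  # 'exp' claim of a JWT bearer token, if present


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def classify_authorization(header: Optional[str]) -> AuthSummary:
    """Classify one Authorization header as legacy (Basic) or modern (token-based)."""
    if not header or " " not in header.strip():
        return AuthSummary(scheme="none", legacy=False)
    scheme, _, credentials = header.strip().partition(" ")
    credentials = credentials.strip()
    if scheme.lower() == "basic":
        # RFC 7617: base64("user:password"). Base64 is an encoding, not encryption,
        # so anyone who sees the header sees the password; we keep only the username.
        try:
            decoded = base64.b64decode(credentials, validate=True).decode("utf-8", "replace")
        except ValueError:
            return AuthSummary(scheme="Basic", legacy=True)
        username, _, _password = decoded.partition(":")  # password may itself contain ':'
        return AuthSummary(scheme="Basic", legacy=True, username=username)
    if scheme.lower() == "bearer":
        # A bearer token is opaque here; if it is JWT-shaped we can at least read the
        # (unverified) expiry, which is exactly the property Basic Auth lacks.
        parts = credentials.split(".")
        expires_at = None
        if len(parts) == 3:
            try:
                claims = json.loads(_b64url_decode(parts[1]))
                expires_at = claims.get("exp")
            except ValueError:  # bad base64, bad UTF-8 or bad JSON
                expires_at = None
        return AuthSummary(scheme="Bearer", legacy=False, expires_at=expires_at)
    return AuthSummary(scheme=scheme, legacy=False)


def legacy_auth_report(requests: List[Dict[str, str]]) -> Dict[str, object]:
    """Count legacy vs. modern authenticated requests and list accounts still sending passwords."""
    report = {"legacy": 0, "modern": 0, "unauthenticated": 0, "legacy_users": set()}
    for req in requests:
        summary = classify_authorization(req.get("Authorization"))
        if summary.scheme == "none":
            report["unauthenticated"] += 1
        elif summary.legacy:
            report["legacy"] += 1
            if summary.username:
                report["legacy_users"].add(summary.username)
        else:
            report["modern"] += 1
    report["legacy_users"] = sorted(report["legacy_users"])
    return report


# Constructed sample traffic (not real logs): a fake, unsigned JWT with an 'exp'
# claim and a Basic header for a made-up account; the signature segment is a dummy.
_FAKE_JWT = ".".join([
    _b64url_encode(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url_encode(b'{"sub":"bob@example.test","exp":1700000000}'),
    _b64url_encode(b"dummy-signature"),
])
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/mail/inbox",
     "Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()},
    {"method": "GET", "path": "/mail/inbox",
     "Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()},
    {"method": "GET", "path": "/api/v1/messages", "Authorization": "Bearer " + _FAKE_JWT},
    {"method": "GET", "path": "/healthz"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["path"], classify_authorization(req.get("Authorization")))
    print(legacy_auth_report(SAMPLE_REQUESTS))
```

Running the block shows the same password-bearing header twice for "alice" (one capture opportunity per request, as the answer notes) and one bearer token with an expiry; the report lists "alice" as an account to migrate. The JWT claims are read without signature verification on purpose, because the point is only to show that a token carries an expiry, not to accept it.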