Best Practices for Web App Authentication in Industrial Settings

Question

I'm creating a web application intended for a heavy industrial setting. Would like the operators to be able to use a central tablet or computer as an interface to the application, so multiple operators would be sharing a device during a given work shift. Plenty of information on standard personal devices, but not shared industrial settings.

Question - What is the best way for web app security/authentication and what are the various alternatives?

Would they all use the same authentication session (this is not preferable, as I'd like to uniquely identify the active user)?
Obviously I could use standard username/passwords with token based sessions that expire, however, this leaves a lot of potential for account hijacking.
Ideally, they'd be able to log on very quickly (PIN, perhaps?) and their session would end when they are done.

How is "heavy industrial setting" special? Should we expect the users to be wearing protective gear (thus limiting typing/swiping)? How important is security and authentication - can they launch a nuclear strike via this app, or is it a line-of-business app? You say "tablet or computer" - can you rely on operating-system-level authentication options - for instance, if it's a computer on a network, can you use the network authentication, inc. fingerprint readers etc.? — Neville Kuyt, Aug 05 '20 at 14:01
@NevilleKuyt good questions. More like line-of-business app (manufacturing products, app is used for operators to enter data and records). It will be on a network, yes. Part of the question is the recommendation for hardware, Tablet is what I figured would be nice to have. With that said, fingerprinting could be an option, though I don't know why or why not do that. — karns, Aug 05 '20 at 14:05
@NevilleKuyt furthermore, the application is web-based, so I don't know if network authentication can integrate well with that. I'm still trying to figure out best practice here if you have some tips. Thx — karns, May 10 '22 at 19:33
It may be worth reading up on the RFCs for web authentication: https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#authentication_schemes. For instance, NTLM authentication can use your windows identity to authenticate a web app... — Neville Kuyt, May 12 '22 at 08:29

Neville Kuyt · Answer 1 · 2020-08-06T07:58:15.787

In industrial settings, you typically want ruggedized hardware. This is fairly specialist kit, and typically much more expensive than "vanilla" computing hardware. Depending on the environment, you may need waterproof and dustproof enclosures. Google will provide a range of options. Non-ruggedized equipment will usually not withstand the harsh conditions, and is likely to fail quickly or unpredictably.

If you want to audit who made particular entries, you'll want some kind of authentication mechanism. Biometric logins - fingerprint etc. - are available on a range of devices, and will make it easy for people to log in without entering usernames and passwords (which are often shared). In this model, the user authenticates to the operating system, not the web application; gluing those together is do-able, but heavily dependent on your enterprise identity management system and the frameworks you're using for building your web application.

Another option is to use RFID cards - again, many ruggedized computers support RFID readers which can read a card or keyring style physical object. This is less secure than biometric authentication as people do share cards. Again, authentication here is at the operating system level.

The benefit of using the operating system's authentication tools is that you benefit from all the work done to secure access in a range of environments. For instance, most OSes allow you to set a policy to lock screens after a certain time out (and unauthorized users cannot override this).

Building authentication into the web application is also an option, but AFAIK biometric solutions are still a little esoteric for web apps. Username/password is easy enough in most frameworks, and if you set a short session time out, the chances that someone will forget to log out and leave the browser logged in are slim. Not good enough for the nuclear launch codes, but for a line-of-business app, probably OK.

You could also look at alternatives to username/password authentication, without using biometrics - e.g. a passcode or image recognition option ("here are 16 random images, which is your grandmother?"). AFAIK, that's not a standard feature in most web development frameworks, so you'd have to roll your own.

Appreciate this. In regards to enterprise identity management, we don't really have much in place for that. I know you said it's early in it's development, but couldn't we stick with fingerprinting or passcodes all web based? In regards to biometric log ins at the operating system level, how would this prevent leaving the device while still logged in? Wouldn't it be similar in that I'd have a "timeout" similar to sessions? — karns, Aug 05 '20 at 16:11

stringy05 · Answer 2 · 2020-08-05T22:28:42.370

Can you do smart card auth? That's how we used to do it in the old days. This was circa 2006, using Windows XP. Smart Card reader was a USB device, the auth was standard windows with smart card, however I can't recall anything about the cards.

Login to the device by reading the operators smart card, then do kerb auth against the service. If kerb is too old school, you could probably turn OS auth into OIDC without too many dramas using something like Okta or Auth0.

Alternatively have the device use the same credential for all users, but get the os user name from the request context somehow.

EDIT

For some more concrete examples of this:

Here's the windows article on smart card auth: https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows Getting hold of the cards / card reader is not something I've got any experience with, but it's usually bread and butter for industrial sites where a user has to clock on / clock off.
Once the user is authenticated to the OS then it's a matter of use that auth context to get a web friendly auth scheme.
- You could also use SAML Federation between an IdP and ADFS/AzureAD which would allow you to issue a OAuth2 access token
- Okta supports can do SSO (by effectively hiding the SAML Federation) using a browser plugin: https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Browser_Plugin.htm.
End result is that for a user logged in to Windows you can issue an Oauth2/OIDC access token
The web app can use standard OAuth2 access token authentication

A lot of this is nothing to do with the web app, it's all about how to take the OS auth context and use that to get something "normal" for the web app to consume.

Good luck!

I'm a millennial XD I'm sure I could research hardware for scanning RFID cards that each employee would have their own of. If you had more information on how to implement that with more modern web technologies, that would be great. — karns, Aug 05 '20 at 17:46

score 0 · Answer 3 · answered Aug 05 '20 at 13:57

0

Thank you for posting this cool problem.

Is the device in a controlled setting, where only authorized workers can have access to it? Is the possibility of theft of the device low, as in the people who have access to it are unlikely to move it?

Is your main interest, in other words, identification and not authentication? If so, how do you quickly identify who is operating the computer without interfering with the work or making it too cumbersome to use? Do you need to identify the person in order to carry-out the work, or is having the identity merely a precaution for later audit, to answer the who did it question?

One option is to use face recognition or simply capture a photo. Other biometrics are possible such as voice and fingerprint. An id card or dongle can be passed around, has to be fished-out in order to use, and the worker has to remember to bring it. A pin or other secret can be readily shared as well. Capturing a biometric is a reliable way to identify the worker.

answered Aug 05 '20 at 13:57

Douglas Lovell

1,549
17
27

1

Thanks! In this use case, It's not a big concern that employees will act maliciously by sharing credentials or stealing. Secure setting where all people can be assumed to be employees. For the sake of discussion, let's assume these are not a concern. What do you see the difference is between identification and authentication? To me they may be one in the same. Identification is important for both auditing and for permission sets. – karns Aug 05 '20 at 14:09
Thank you for your clarification. Here is a useful article from IBM: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q009740_.htm "Identification is the ability to identify uniquely a user of a system or an application that is running in the system. Authentication is the ability to prove that a user or application is genuinely who that person or what that application claims to be." In your case, authentication might not be a concern. It might be a useful distinction. – Douglas Lovell Aug 06 '20 at 08:58
Douglas, I'm still trying to come to a final decision on what best practice would be for this. Your advice would be much appreciated! I think I've figured out that I don't need to worry about device-level, but rather how I can create an effective solution via the web application that doesn't require each user change to logout and log back in with a different account (password). Do you feel it's reasonable to require a pin code for instances where identity is important rather than authentication? – karns May 10 '22 at 19:39
sure. keep it simple. consider testing your solution quickly before investing too much in it. paper prototypes are great. best wishes – Douglas Lovell May 11 '22 at 20:57

Best Practices for Web App Authentication in Industrial Settings

3 Answers3

Linked