Alright, so everyone, I would like to kickstart this with a round of applause for BJ and Johnny, because they were able to put that together, so give them a round of applause. Wait, wait! They're good, they're good, they're good! So, there have been a lot of great talks already, and I'm one of the last ones, so you're probably as tired as I am. So I'm trying to keep this dynamic and try to move around a little bit. I hope to get you involved. Let's get it started.

So, 90% of passwords are crackable within six hours. Freaking 90%! And if that's not enough, 65% of people use the same password everywhere. And that's probably true for me as well, because I do have the same passwords in some places. But the true fact is that most people don't care about their passwords. They care about security, but they don't care about passwords at all, and that's a problem. And that's the thing: we are developers, we are developing a bunch of applications, a bunch of APIs and systems and all kinds of shit, and we need to take care of this kind of shit for people, because we need to take that burden so they don't have to. And we should start to think about that in this room.

But before talking about authentication itself and all the technical aspects of it and how we can tackle that in Elixir and also with Phoenix, I would like to go through some cool stuff that I read on my way to writing this talk. How many of you have ever seen this kanji? So this kanji, don't correct me, but forgive me if I'm wrong, I think it's shoshin, probably, and it's pretty used in Buddhism and also in some Japanese martial arts, and I do like what it represents. It means beginner's mind, and I love this concept of beginner's mind. I have been using it over and over, and I think instead of trying to explain what it is, I would give you a simple test, for all of you, right? So you probably have known this already in the past, but it's a very good concept.

I show you a couple of lines, and the question is which one is longer. But they have the same size, right? That's the true thing. These don't have the same size. They have different sizes. So I tricked all of you, and that's exactly what happens. That's what this concept is about. As we go on as developers, as we learn more stuff, as we go into different technologies and start to learn about different things, we become experts and become confident that we know how things are supposed to work, and we end up being tricked by things like this, because rules can change and rules will change as time passes, and that's exactly what has happened in the technology market right now. Not only is the tech changing, but also the users are changing. They are expecting different things from their applications and different things from the way they develop things. And I'm not talking only about all those new languages; I mean, those are the new languages from the past 20 years, I would say, maybe even more than that, so probably you see someone that you know, like Haskell, Lisp, MATLAB, Ruby, Python, Java, Perl and other stuff. But not only is the technology changing, the language and the features that come with it, but also the tech around that and how that is depending on authentication and depending on web technologies. And I'm not talking only about cell phones that don't explode in our pockets; I'm also talking about drone delivery, like Amazon has been trying, also about virtual reality, also IoT stuff. So we have this whole new batch of tech that is taking advantage of and is being empowered by web technologies and web authentication processes, and we need to also be aware: what is the next level when we talk about authentication that will cover also these new technologies?

So, I mean, it's not only a matter of that, but also about the things that have been going on lately. We have had a lot of security breaches, like you can see with Twitter, you can see with Evernote, LinkedIn. All those companies have a bunch of IT people devoted only to security, and that has been a major issue for people nowadays: not only security, but also how you handle the breaches that you might have, and that can represent a big impact on a small company as well. I'm not only talking about Twitter and all those big companies, I'm also talking about your next one-million-dollar app or your next million-dollar idea. I mean, there are some researchers that point out that these small breaches and authentication problems can provoke a huge gap in your money if you don't treat that right.

So, my name is Juan Mota, I'm a Senior Engineer at Backlane, a company based in Berkeley. How many of you have heard about Backlane? Quite a few of you, probably because of the open positions that they have. If you have interest in those, you may also talk with me or shoot me a tweet; that's probably the easiest way to talk with me. That is my handle and that's how you can find me in almost every social network ever.

And today we are going to talk about how to tackle authentication with Phoenix. So, what we hope to accomplish here is to put some light on how authentication works right now and give you some food for thought about how it should work in the future, and some libraries that have been around that can help you achieve that and take your application to the next level, right? The thing is, when we talk about authentication, all those questions start to come to you. Sorry about that. So, when you talk about authentication, all those questions start to pop in. Like, ah, but what about the usability? What about delegating? Maybe I should delegate it to a third-party app, third-party servers or whatever. Should I commit to a single sign-on or not?
Or maybe I should do that in a microservice, and all those questions start to come in. And I don't think that's even the biggest problem in the room. I mean, we have to take a step back and handle other stuff that comes before that, that is, actually how authentication works and what is the difference between two main words, authentication and authorization. And we're going to talk about both of them in this talk. I'm going to kickstart with the authentication one.

So, authentication is a concept that I divided here into two different strategies. The first strategy is the one that we are most used to, that is based on something that you know. So, it can be an ID, it can be a password, it can be a secret key, it can be a secret question. All those things that you know and, if someone asks you, you can reply to those. And it works for most of the applications around, as long as no one knows your password or you don't pick a silly one. Like this man that I love. But we do have a password problem nowadays. I mean, people don't recall their passwords. We just went through all those numbers and all those statistics around password issues; that is a problem. But even though, that's one way of authenticating our users, and we have great libraries around the Elixir ecosystem that can help you with that. Like Coherence. How many of you come from Ruby, or are in Ruby? And how many of you use Rails, or used Rails? And how many of you use Devise? Alright, got it. So, Devise, for those that don't know it, is a pretty famous authentication library; it was also developed by Plataformatec, the company of José Valim. They created Elixir, so you can definitely see the relation here. And Coherence is basically the same thing for Phoenix, and I'm not the one that's saying that. They are the ones that are saying that.

And they do work pretty much the same way, and they are this huge library with a bunch of options and boilerplate code that you can bring to your app and get something up and running pretty quickly. And that's really cool. And it's under active development, so I think we're in a space where you still don't have a bunch of established libraries that you can default to, but that's definitely one of the big contenders in this area. So you're going to have, and you're going to be able to use it to register, to be invited, to remember the password, all this stuff out of the blue. All you have to do is run mix coherence.install and it will do everything for you. It will create the modules, it will create the views, it will create the migrations, everything that you need, and that works pretty well. I kind of like the way that things work in this kind of library, but I do not like the fact that it all becomes a black box, because you don't actually know what's going on inside of it. And that's one of the major problems with Rails, because a lot of developers know how to code and how to develop in Rails, but they don't actually know how to develop in Ruby; they don't know the difference between a regular model and a model with all the stuff that comes with Active Record, Active Model and everything. So that's one of the problems that the Ruby community has, and I think that at least the Elixir community still doesn't have.
So the bad thing about this kind of library is that it comes with everything packed inside and you don't really know how things work, but on the other hand it enables you to get off the floor quickly and get things up and running, so that can be a huge motivation if you're trying to grasp something new. I would recommend you get your hands dirty and give it a try, so you can get some instant gratification, and then you can move on to putting in your own stuff and figuring out how things work.

Another great library is Ueberauth. By the way, is Shalderer here? I don't know if he is or not. Maybe I'm wrong, I don't think he is. I mean, we have talked a lot online and I was supposed to meet him at the conference, but we haven't met yet, so I hope that I meet him after my talk. So Ueberauth, how many of you have heard about it before? Nice! It's like OmniAuth for Ruby. It basically enables you to have a flexible authentication system, and it works pretty simply. It's built for Plug-based applications, so you may not only use that with Phoenix but with other kinds of applications as well. And it aims to tackle only the first part of the challenge, that is authentication; it doesn't care about authorization, it just cares about getting your user credentials validated to make sure that he's right, and from there on you can move on by using another library or doing it yourself. And I do like that, because it solves one simple problem. In order to do that, it divides the authentication process into two phases. The first phase is what we call the request phase, so the request phase is the phase where you ask for the user information, and that can happen through a usual web form, or you can also do that with an OAuth integration, by integrating with Facebook, whatever you name it. And once you get that information, you go to the second phase, that is the callback phase, where you actually validate that information and then sign in the user or not. And the good thing about doing that is it tries to set a standard for how those things work, and it wraps it up in something called strategies, and then it enables you to use plug-and-play strategies, as it were. So if you go to the Ueberauth GitHub page, you're going to see all these sorts of integrations that you can use out of the box. They're called strategies because they have made a standard on how to do that, so you're going to find integrations with Facebook or Square, GitHub, Google, Instagram, whatever, you name it, there's a bunch of those ready. So I do think that brings the best of both worlds, so you can also get something up and running really quickly, but it's not something that's so big that you don't know what's going on. So I think Ueberauth might be a better strategy than going for Coherence, but it's up to you, actually.

So back to the strategies that we have when we're talking about authentication. That's something that you know, and that's what we've been talking about. The second one is something that you have, also known as magic login links, so it can be a cell phone, a physical key. If you have logged into Slack recently, you're going to realize that that's the way they're moving forward. So once you put your email, they ask you for, or you put your password, or if you want them to send you, and you can just call it whatever, this login link, and that's going to log you in automatically. So you don't even have to have a password anymore, and that's awesome, because we definitely have a password problem, so that eventually will help you to also log in really quickly. And we have good libraries around that in Elixir, so we have this library called pot. I don't know if it's "pot" or "P-O-T", but it's similar to another Ruby library called ROTP. It's basically an Erlang library for generating one-time passwords. It can generate passwords based on a keyed-hash authentication code or a time-based authentication code; it's up to you. And it's really cool because it works really simply, and it is also compatible with Google Authenticator. So if you use two-factor authentication on Heroku or GitHub, you probably have this app installed already, and that's one of the things that our users are getting used to, having two-factor authentication, so they already have this app; that might be a good strategy. The way that the library works is very simple: it basically takes a secret that your application knows, maybe some sort of user confirmation if you would like one token per user, and also the current time. So you can, for example, get the actual date and minute that we are at right now, and then that will result in a token that is going to be valid for this minute. So this is actually how we do that with the library itself: we have a secret, and then you call totp on the pot library, and that will generate the secret for you, and you can also validate the secret by using the valid_totp function on the pot library. That's pretty straightforward. I mean, it's supposed to be really simple, and you can definitely implement something yourself going from there. But the good stuff is when you mix both, what you know and what you have, and then you end up with what we call multi-factor authentication, or as I like to call it, getting away with a cheap password. And that's really good, because that solves one of the problems that we have, that is this whole password situation that I'm going on about right now, and I wouldn't ruin my interview to drive that in the right.

I think we have talked a bit about authentication; now it's time to talk about the second word, that's authorization. Authorization is different from authentication because it's not about making sure that it's a valid user with valid credentials; it's about keeping the new requests that are coming through, checking if those are valid and if the user should be able to access the information that he's requesting or not. But to do that we need to understand a little bit about how people think that authentication works nowadays, and I came
up with a good diagram that I think explains that very well. So basically you have a client and you have a server, and it all starts as a joke, like "knock knock", and then the server replies "who is there?", and you say "it's me", and it says "okay, thanks". And that's pretty much how most people think authentication works. But in order to keep information stored from one request to another, you have to have state; you have to save that thing somewhere, and that's why we started using sessions and cookies in order to save the information: not only the user information on the server, but also the cookie to store the reference for the session and also the information for the user. So we've been using those two things that a lot of developers hate, and, you know, just a few of the developers know how it actually works. We're going to try to keep stateful authentication, but the thing is that HTTP is a stateless protocol, so it's not supposed to keep state over different requests. So how should we implement authentication? And this is basically how that would be implemented: so you have a client and you have a server, and whenever you send a new request you say that it's you. "By the way, it's me." So I'm saying that it's you right from the beginning, and I'm saying who I am every time that I do a new request, and the server then is going to decide if you should have access to that information that you're requesting or not.

And there's a good tool around that. How many of you have heard about JSON Web Tokens? Oh, nice. So yeah, JSON Web Token is an open standard for exchanging information, so you can exchange information using a JSON hash in a more secure way, and there are some people that are proposing using that as an authentication process, and I do believe that is actually a good call. So basically it's a digital object that you can send through a POST, or the URL itself, or even the HTTP header; it's up to you. And this is how it looks like: you have three parts, you have a header, you have a payload and you also have a signature. And that's how they look: the header basically contains two kinds of stuff, so the algorithm that you're using to compile the whole thing and the type of the token that you have, in this case a JSON Web Token. The payload can include all sorts of information; it has some default parameters, like the sub one, that is to indicate what is the record, the identifier that you can find on your database or in your server, whatever, and you can have custom information there like the name or an admin flag, you choose it. And the last part, the signature, is basically a mix of both pieces of information together with a secret. And this is what you would end up with; you still can see the three pieces of information in there, so you still have the header, the payload and the signature, and that works pretty well. And then you can send that as an HTTP header or with whatever request that you do, so HTTP headers basically enable you to do that; that's why they exist, and the recommendation is to use the Authorization HTTP header to send this information back and forth. And there are a lot of great benefits by doing that. So basically you're going to start to have a stateless authentication mechanism, because you're not going to need to keep that information, so you might not even need a cookie, and because you don't need a cookie, you won't have cross-origin resource sharing issues at first. And that's a good thing if you're aiming to develop a web app, or maybe have access for a group of different clients, or maybe trying to tackle single sign-on; that might be really helpful for you. The user state is never saved in memory, and another good thing is that it might reduce the number of calls that you have to do to the database, because keep in mind that JSON Web Tokens also have a payload, so you might also save information in there, so you don't have to go to the database in order to get this information back again once you're ready to have that in the HTTP header.

So this is basically how that would work out in practice. So you have a client and you have a server; your client does a request to sign in the user. That's where the first part comes in, so we're going to have Ueberauth or Coherence just to make sure that the user is valid and therefore the credentials are valid as well, and then it will create the JSON Web Token: so it will get the header, it will get the payload, in this case my name and that I'm an admin, and it will compile everything using a secret, that is the biggest secret ever. So once you do that, that's the JSON Web Token that it will generate, and it will send that back to the client so that the browser can save that somewhere. And some people use local storage for that, some people want to use a cookie for that; it's up to you, but there are some different sorts of benefits that you can get. And then from there, every time that the client does a request, it sends that JSON Web Token as the header, so whenever you receive that, it checks the signature of that token by separating the signature from the rest and putting the secret in again and generating the same signature once again. That prevents someone that is watching the request from trying to sneak in some information that wasn't supposed to be in there, because they can change the first two parts of the JSON Web Token to add new parameters as they would, but they can't generate the signature again because they don't know the secret. So you can always validate to see if that signature is valid and therefore if there's someone trying to send a signature that you don't actually want in your app. So that's a good thing about JSON Web Tokens, and there are a lot of good frameworks that are moving in that direction. So as far as I know, Ember is one of the famous JavaScript frameworks that are moving in that direction, to implement JSON Web Tokens into their signature as well. And then you go back to sending the response to the client, and everything moves on as expected.

In order to do that, there's a great library called Guardian. How many of you have heard about Guardian? So Guardian was developed by the same people that were working on Ueberauth, so I would say that it definitely should, they are probably trying to stand up together. What Guardian does is basically the second part that we are discussing, the authorization part. It doesn't care how you look up the user, if the credentials are valid or not; the only thing it does is generate JSON Web Tokens and give you back the information that is inside of it. So it's very simple to use: basically all you have to do is call the sign_in function on it and it will return the new token for you. This is actually how a login function would look like: so you have this boilerplate function called openpassword, that can be anything, like Ueberauth, Coherence, you name it, and once that's valid, it then calls the Guardian plug, and it's really sneaking the JSON Web Token into the request, and you are signed in from that. On the other hand, Guardian adds a pipeline into your router by including two plugs, the VerifySession and the LoadResource. They are basically responsible for getting the JSON Web Token back for valid requests, validating the status, valid or not, and getting the information back so that you can use that without doing another database request. And you can just add this pipeline to whatever routes that you want. So that's basically how Guardian is supposed to work. And how about the authorization process? I do believe there are a lot of other great libraries, like you have Canary to handle multiple levels of authorization, and other amazing libraries that you can check that can help you out to tackle this problem. But I do think that mixing up both, some sort of JSON Web Token, and you can choose to use Guardian for it or not, and also Coherence or maybe your own stuff throughout the application, is a good solution that will enable you to have a safe login
process, a safe authentication process, and you can use that as an API for whatever project that you want.

Before talking about other stuff I would like to wrap up this part, so wrapping it up really quickly, about everything that we talked about, the four main points that we took here. If you don't remember anything from this talk, you need to remember at least those four things. The first one is that we have a password problem: people are forgetting their passwords, people are using the same passwords, people are having their passwords stolen, they're using unsafe connections and everything, and we need to worry about that and we need to take that burden for them. The second one is that we should start with multi-factor authentication. It looks like it might not help, it looks like it can decrease our conversion rates, but it can actually help us with success, because that's not something that's fancy, but it's something that users are moving on to, and they're kind of expecting you to have multi-factor authentication so you can have a more secure authentication process. So that might be a good thing for you to give a try. The other thing is that stateless authentication is a thing, so you don't have to keep using sessions and cookies every now and then; you can try to explore new worlds, and if you can do that, JSON Web Tokens might be a great solution for you, and I would totally recommend you check that out, because that might be really helpful. The fourth point is that there are a lot of great libraries around Elixir. I mean, we discussed three of them here, but I do believe there are a lot more than that, and maybe space for even more libraries to come in and fill in the gaps, like for the multi-factor authentication thing. So I would totally recommend you to not only check that out but get involved in the subject as well.

So for those that don't know, you might have noticed that I'm an American, I came from North America at least, I came from Brazil. Brazil is a great place, by the way, I love it, and you should definitely show up there and let me know, so that we can hang out. This is the trip that I made to come here to talk to you. It was pretty far, I mean, I have done worse, but it worked very well, and I'm pretty happy to meet you all.

And I would like to do some invites for you. The first invite is that all this talk began when I decided that I wanted to contribute to the community, and I was thinking about how multi-factor authentication is something that we should be caring more about, so I started my own library that I decided not to talk about at this time. It's called Keeper, because it's at a pre-alpha stage, but I'm definitely calling you all, as good Elixir developers, to help me out with that. So what I'm aiming at with Keeper is basically implementing multi-factor authentication in an easy way, maybe even integrating that with Guardian to use JSON Web Tokens to handle authentication itself, so I think that might be something that will play out well with both. And if you guys want to contribute free time, or maybe multi-factor authentication is something that is easier as part of your company, you can definitely go there and help me out creating issues, checking it out, giving opinions; I mean, it's an open source project, you can do whatever you want. I would like to discuss that further with you online.

Another thing that I have started is a series of articles called Learn Elixir with Rubis, which is funny because Jody has a similar series of articles, I'm not sure if he's still working on it or not, that have a similar title, that is Learn Elixir by Rubis, I'm not sure. So I started this series of articles on my blog; if you'd like to check that, or if you have some friends that do Ruby that are trying to wrap their heads around Elixir, I would definitely recommend you check that out. We have four articles in already; it's probably around 20 minutes of reading in total for the four articles, so I recommend you share that, because a lot of people are giving great feedback around that, and that might be a good thing.

Well, I would like to end by saying that it's a pleasure for me to be here and to talk to you all about authentication. It's something that I'm really interested in, and I hope to talk to you all later in the conference. Thank you.
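The two mechanisms the talk walks through, the time-based one-time password that the pot library generates and validates, and the header.payload.signature JSON Web Token that Guardian signs and re-checks on every request, are shown here as an added example in Python. It is not code from the talk, from pot or from Guardian; it implements RFC 6238 TOTP with the HMAC-SHA1, 30-second, 6-digit parameters that Google Authenticator expects, and an HS256 JWT, and then carries the talk's point to its conclusion: a payload edited in transit fails signature verification because the editor does not hold the secret. It goes slightly beyond the talk by accepting one time step of clock drift, rejecting tokens whose header names an algorithm other than the one the server signs with, and honouring an exp claim. The base32 secret is the RFC 6238 test vector, and the JWT secret, claims and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json
import struct
import time

# Constructed values for the example (the base32 secret is the RFC 6238 test key).
TOTP_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # b"12345678901234567890"
JWT_SECRET = b"the-biggest-secret-ever"                 # constructed, never ship a literal


# --- something you have: TOTP (RFC 6238) on top of HOTP (RFC 4226) -----------------

def hotp(secret_b32, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30):
    """The counter is the number of 30-second steps since the Unix epoch."""
    at = int(time.time()) if at is None else at
    return hotp(secret_b32, at // step)


def valid_totp(token, secret_b32, at=None, step=30, window=1):
    """Accept the code for the current step and +/- `window` steps to absorb clock drift."""
    at = int(time.time()) if at is None else at
    return any(hmac.compare_digest(token, hotp(secret_b32, at // step + d))
               for d in range(-window, window + 1))


# --- stateless requests: HS256 JSON Web Token, header.payload.signature ------------

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj):
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def jwt_sign(claims, secret):
    """Build the three parts; the signature is HMAC-SHA256 over 'header.payload'."""
    signing_input = _compact_json({"alg": "HS256", "typ": "JWT"}) + "." + _compact_json(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def jwt_verify(token, secret, now=None):
    """Return the claims if the signature matches and the token is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # only the algorithm this server signs with
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None                           # payload or header was altered, or wrong secret
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def claims_from_authorization_header(headers, secret, now=None):
    """What a VerifyHeader-style plug does: read 'Bearer <jwt>' from the Authorization header."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return jwt_verify(token, secret, now)


def tamper_demo(secret, now=1_700_000_000):
    """Constructed walk-through: sign, verify, edit the payload, re-verify with the old signature."""
    token = jwt_sign({"sub": 42, "name": "juan", "admin": False, "exp": now + 600}, secret)
    genuine = jwt_verify(token, secret, now)
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["admin"] = True                    # the watcher edits the payload, keeps the signature
    forged = ".".join([header_b64, _compact_json(claims), sig_b64])
    return genuine, jwt_verify(forged, secret, now)


if __name__ == "__main__":
    print("code for t=59:", totp(TOTP_SECRET_B32, at=59))
    genuine, forged = tamper_demo(JWT_SECRET)
    print("genuine token claims:", genuine)
    print("forged token claims:", forged)
```

The TOTP half mirrors pot's totp/valid_totp pair: generation and validation both derive the code from the shared secret and the current time step, so the server never stores the code itself. The JWT half mirrors the sign-then-verify-on-every-request flow Guardian's plugs provide; the tamper_demo function is the talk's "someone watching the request" scenario, and it returns None for the edited token because the signature no longer matches.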