Best Practices for Web App Authentication in Industrial Settings

Question

I'm creating a web application intended for a heavy industrial setting. Would like the operators to be able to use a central tablet or computer as an interface to the application, so multiple operators would be sharing a device during a given work shift. Plenty of information on standard personal devices, but not shared industrial settings.

Question - What is the best way for web app security/authentication and what are the various alternatives?

• Would they all use the same authentication session (this is not preferable, as I'd like to uniquely identify the active user)?
• Obviously I could use standard username/passwords with token based sessions that expire, however, this leaves a lot of potential for account hijacking.
• Ideally, they'd be able to log on very quickly (PIN, perhaps?) and their session would end when they are done.

Answer 1

Can you do smart card auth? That's how we used to do it in the old days. This was circa 2006, using Windows XP. Smart Card reader was a USB device, the auth was standard windows with smart card, however I can't recall anything about the cards.

Login to the device by reading the operators smart card, then do kerb auth against the service. If kerb is too old school, you could probably turn OS auth into OIDC without too many dramas using something like Okta or Auth0.

Alternatively have the device use the same credential for all users, but get the os user name from the request context somehow.

EDIT

For some more concrete examples of this:

• Here's the windows article on smart card auth: https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows Getting hold of the cards / card reader is not something I've got any experience with, but it's usually bread and butter for industrial sites where a user has to clock on / clock off.

• Once the user is authenticated to the OS then it's a matter of use that auth context to get a web friendly auth scheme.

  • You could also use SAML Federation between an IdP and ADFS/AzureAD which would allow you to issue a OAuth2 access token
  • Okta supports can do SSO (by effectively hiding the SAML Federation) using a browser plugin: https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Browser_Plugin.htm.

• End result is that for a user logged in to Windows you can issue an Oauth2/OIDC access token

• The web app can use standard OAuth2 access token authentication

A lot of this is nothing to do with the web app, it's all about how to take the OS auth context and use that to get something "normal" for the web app to consume.

Good luck!

Answer 2

Thank you for posting this cool problem.

Is the device in a controlled setting, where only authorized workers can have access to it? Is the possibility of theft of the device low, as in the people who have access to it are unlikely to move it?

Is your main interest, in other words, identification and not authentication? If so, how do you quickly identify who is operating the computer without interfering with the work or making it too cumbersome to use? Do you need to identify the person in order to carry-out the work, or is having the identity merely a precaution for later audit, to answer the who did it question?

One option is to use face recognition or simply capture a photo. Other biometrics are possible such as voice and fingerprint. An id card or dongle can be passed around, has to be fished-out in order to use, and the worker has to remember to bring it. A pin or other secret can be readily shared as well. Capturing a biometric is a reliable way to identify the worker.

Answer 3

In industrial settings, you typically want ruggedized hardware. This is fairly specialist kit, and typically much more expensive than "vanilla" computing hardware. Depending on the environment, you may need waterproof and dustproof enclosures. Google will provide a range of options. Non-ruggedized equipment will usually not withstand the harsh conditions, and is likely to fail quickly or unpredictably.

If you want to audit who made particular entries, you'll want some kind of authentication mechanism. Biometric logins - fingerprint etc. - are available on a range of devices, and will make it easy for people to log in without entering usernames and passwords (which are often shared). In this model, the user authenticates to the operating system, not the web application; gluing those together is do-able, but heavily dependent on your enterprise identity management system and the frameworks you're using for building your web application.

Another option is to use RFID cards - again, many ruggedized computers support RFID readers which can read a card or keyring style physical object. This is less secure than biometric authentication as people do share cards. Again, authentication here is at the operating system level.

The benefit of using the operating system's authentication tools is that you benefit from all the work done to secure access in a range of environments. For instance, most OSes allow you to set a policy to lock screens after a certain time out (and unauthorized users cannot override this).

Building authentication into the web application is also an option, but AFAIK biometric solutions are still a little esoteric for web apps. Username/password is easy enough in most frameworks, and if you set a short session time out, the chances that someone will forget to log out and leave the browser logged in are slim. Not good enough for the nuclear launch codes, but for a line-of-business app, probably OK.

You could also look at alternatives to username/password authentication, without using biometrics - e.g. a passcode or image recognition option ("here are 16 random images, which is your grandmother?"). AFAIK, that's not a standard feature in most web development frameworks, so you'd have to roll your own.