Authorization Token

Cybercrime has become a global problem. Dmitry Samartsev, director of the cybersecurity company BI.ZONE, cited the following figures at the World Economic Forum: in 2018 the damage to the global economy from cybercrime amounted to $1.5 trillion; for 2022 the losses are forecast at $8 trillion, and by 2030 they may exceed $90 trillion. Reducing these losses requires better ways of protecting users. Many authentication and authorization methods exist today that help build a robust security strategy, and among them many experts single out token-based authorization as the strongest.





Before authorization tokens appeared, the combination of a password and a server that checks it was the usual approach, and it remains in wide use because it is simple and universally available. Traditional methods guarantee that users can reach their data at any time; that convenience, however, is not always matched by security.





Consider how this system works. As a rule it rests on the following principles:

  1. Accounts are created: the user chooses a combination of letters, digits or other characters that becomes the login and password.

  2. To log in to the server, the user must keep this unique combination and always have access to it.

  3. Whenever the user reconnects to the server and wants to enter his account, the login and password must be entered again.





Password theft is nothing new; one of the first documented cases dates back to 1962. People find it hard to remember many different character combinations, so they write all their passwords down on paper, reuse the same password in several places, or derive a new password from an old one by appending characters or changing the case, which leaves the two passwords almost identical. For the same reason logins are often identical across services as well.





Besides the risk of theft and the burden of remembering them, passwords also require the server to authenticate each session: every time a user logs in, the server creates and stores a session record, which consumes memory and ties the user's state to that particular server.










Authentication is usually described in terms of three factors:

  1. Something the user knows (a password or PIN)

  2. Something the user is (a biometric trait such as a fingerprint or FaceID)

  3. Something the user has (a hardware token, smart card or phone)

A single factor can be stolen or guessed. Requiring two different factors, for example a password (something you know) together with a token (something you have), is called two-factor authentication (2FA). It is considerably harder to defeat, because an attacker who obtains the password still lacks the second factor.





A common form of the possession factor is a one-time password generator. A hardware or software token produces a fresh code roughly every 60 seconds, and each code is valid only for a short window of about 30 to 60 seconds, so a code that is intercepted becomes useless almost immediately and cannot be reused the way a static password can. One-time codes can also be delivered by SMS.










When building token-based authorization, two practical points matter in particular. First, use a standard, well-specified token format rather than a home-grown one; the most widely used is the JSON Web Token (JWT), defined in RFC 7519 and supported by libraries in every major language. Second, transmit tokens only over HTTPS: a token sent over plain HTTP can be read by anyone on the network path and replayed as if it were the legitimate user, whereas an HTTPS connection keeps the token confidential and protects it from tampering in transit.





What is a JSON Web Token?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way of securely transmitting information between parties as a JSON object. The information can be verified and trusted because it is digitally signed. A JWT can be signed with a shared secret (using the HMAC algorithm) or with a public/private key pair using RSA or ECDSA.

In its compact form a JWT consists of three parts separated by dots: the header, the payload and the signature. A token therefore looks like «xxxx.yyyy.zzzz».

Header: typically consists of two fields: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.

Payload: contains the claims. Claims are statements about an entity (typically the user) together with additional data. There are three types of claims:

Registered claims are a set of predefined, optional claims with agreed meanings, for example iss (the issuer of the token) and exp (the expiration time as Unix time, after which the token must not be accepted).

Public claims can be defined freely by those using JWTs, but to avoid collisions they should be registered in the IANA JSON Web Token registry or be named with a collision-resistant URI. Private claims are custom claims agreed between the parties that exchange the token. The payload is Base64Url-encoded to form the second part of the token.

Signature: to create the signature, the encoded header, the encoded payload, a secret and the algorithm named in the header are fed to the signing function. The signature lets the recipient verify that the token was not altered along the way and, when a private key is used, that the sender is who it claims to be.

The output is three Base64-URL strings separated by dots, which pass easily through HTML and HTTP environments and are far more compact than XML-based standards such as SAML.

Example:

eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NSIsIm5hbWUiOiJKb2huIEdvbGQiLCJhZG1pbiI6dHJ1ZX0K.LIHjWCBORSWMEibq-tnT8ue_deUqZx1K0XxCOXZRrBI

Decoding the first two parts of this token gives the header {"alg":"HS512","typ":"JWT"}, i.e. a JWT signed with HMAC SHA-512, and the payload {"sub":"12345","name":"John Gold","admin":true}; the third part is the signature over the first two. Both parts are only encoded, not encrypted: anyone holding the token can read the claims, so a JWT must never carry secrets, and a flag such as admin may be trusted only after the signature has been checked against the server's key. Note also that this particular signature decodes to 32 bytes, the length of an HMAC SHA-256 tag, whereas an HS512 tag is 64 bytes, so a verifier that honours the header would reject the sample token.
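As an added example rather than code from the article, the following Python builds and verifies an HMAC-signed JWT with only the standard library, and decodes the sample token above without verifying it to show what its header and payload contain. The secret key is made up for the demonstration, and the verifier uses a fixed allow-list of algorithms (HS256 and HS512) instead of trusting the alg field; that allow-list is an assumption about how the token is deployed, not something the article specifies.

```python
"""Added example (not from the original article): build and verify an
HMAC-signed JWT with the Python standard library, and inspect the
article's sample token. The secret key here is made up."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed for the example; in production load a random key of at
# least 32 bytes from a secrets store.
SECRET = b"example-secret-key-that-is-not-real"

# The sample token quoted in the article (header.payload.signature).
ARTICLE_TOKEN = (
    "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NSIsIm5hbWUiOiJKb2huIEdvbGQiLCJhZG1pbiI6dHJ1ZX0K."
    "LIHjWCBORSWMEibq-tnT8ue_deUqZx1K0XxCOXZRrBI"
)

# Algorithms this verifier accepts (an assumption of this example). The
# header is attacker-controlled, so it must never pick the verification
# method on its own: "none" and the asymmetric algorithms are absent.
ALLOWED_ALGS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    """Base64Url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: Dict, secret: bytes, alg: str = "HS256") -> str:
    """Produce header.payload.signature for the given claims."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), ALLOWED_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Dict:
    """Return the claims if the token is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in ALLOWED_ALGS:          # rejects "none", RS256, typos, ...
        raise ValueError(f"algorithm {alg!r} not allowed")
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), ALLOWED_ALGS[alg]
    ).digest()
    # Constant-time comparison; a length mismatch simply yields False.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def decode_unverified(token: str) -> Tuple[Dict, Dict, int]:
    """Header, payload and signature length in bytes, WITHOUT checking the
    signature. For inspection only; never base an authorization decision
    on these values."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (
        json.loads(b64url_decode(header_b64)),
        json.loads(b64url_decode(payload_b64)),
        len(b64url_decode(sig_b64)),
    )


if __name__ == "__main__":
    header, payload, sig_len = decode_unverified(ARTICLE_TOKEN)
    print(header, payload, f"signature: {sig_len} bytes")
    token = sign_jwt({"sub": "12345", "admin": False, "exp": int(time.time()) + 300}, SECRET)
    print(verify_jwt(token, SECRET))
```

Two details in verify_jwt carry the security weight: the algorithm is checked against the verifier's own allow-list before any cryptography runs, so a token whose header says "alg":"none" (or names a key type the server does not use) is rejected outright, and signatures are compared with hmac.compare_digest so a mismatch cannot be detected through timing. Running decode_unverified on the article's token shows the HS512 header next to a 32-byte signature, which is why verify_jwt would refuse it regardless of the key.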












