【Overseas Event Introduction】Jamstack Conf 2021 Security is the "s" in Jamstack by Maricris Bonzo

This time we introduce the talk "Security is the "s" in Jamstack" given at Jamstack Conf 2021.

The Jamstack Conference is hosted by Netlify, the company that coined the term Jamstack. Developers from around the world gather there to discuss the latest ideas in website design and development built on Jamstack. The talks are given in English; this blog summarizes them in Japanese.

 

The speaker for this session is Maricris Bonzo, an engineer at Magic.

Magic provides decentralized authentication as a service.

 

How can security be ensured in Jamstack?

The talk presents four approaches to user authentication.

Security-related issues

Having users register personal information and log in is the usual way a system is used.

At the same time, that brings the following risks.

[Service provider]

As the user base grows, so do the need for, and the pressure of, managing that data properly.

[User side]

Users worry about how their personal information is handled and whether it will leak. ("How is my data being managed...")

How can this be addressed when building with Jamstack?

Authentication Methods

As a starting premise, there are two broad kinds of authentication.

1. Centralized Authentication

The traditional method. The service collects users' personal data and manages it in one place.

In Japanese, several terms are used for this (centralized authentication, integrated authentication, centralized authorization, and so on), but none is firmly established.

In this report we call it "centralized authentication".

2. Decentralized Authentication

A newer method. Each user holds and manages their own personal data.

The term "distributed authentication" is also in common use; this report uses "decentralized authentication".

The Four Approaches

Now to the main topic.

 

Approach 1: Building Your Own Centralized Authentication System

Typically this means user IDs and passwords, or tokens issued by the system itself.

The advantage is that the system controls the data, so it is easy to build and to customize for its purpose.

On the other hand, the risk of holding that data yourself cannot be ignored. Even when using libraries, finding a trustworthy open-source one is extremely difficult.

 

Approach 2: Building Your Own Decentralized Authentication System

Decentralized authentication emerged to reduce the risk of holding user data yourself. Instead of the system managing data centrally, each user manages their own.

Keys and certificates are stored on the user's phone or similar device, registered on a blockchain, and only the data that is needed is presented when it is needed.

However, this is hard to build on your own, and hard to make trustworthy.

 

Approach 3: Outsourcing Centralized Authentication

This is the common method today: authenticate through another service's API.

Features such as multi-factor authentication (MFA) and single sign-on (SSO) come with it.

It is also an easy route for a site built on Jamstack.

Services that fit well include Auth0 and Firebase. Being able to integrate them just by learning their APIs is a big attraction.

However, whichever centralized service you use, having all the data managed in one place is always a risk. If that service goes down, your login goes down with it. And there is no doubt that the number of users who object to not controlling their own data will keep growing.

 

Approach 4: Outsourcing Decentralized Authentication

In a decentralized authentication service, instead of a user ID and password, the user is given a private key and a public key managed on a blockchain.

Magic, the speaker's company, is a provider specializing in this.

That private/public key pair is, so to speak, a cryptographically hardened replacement for the traditional user ID and password.

Keys generated with elliptic-curve cryptography contain no personally identifying information.

So the same identity can also be carried over to other services.

Usage varies by provider. Magic offers a plug-and-play API (implementation is very easy!).

User information and data belong to the user, which matches the direction the field is heading.

However, being a new and still-growing field is both an advantage and a disadvantage.

There is no established standard yet, and things differ by provider.

And because authentication is outsourced, you may feel somewhat limited in what you can do.

Comparison of Approaches

The talk compares the four approaches introduced above.

The conclusion is that the outsourcing approaches, the third and the fourth, come out ahead.

 

In addition, the following points should be taken into consideration.

1. Ease of use for developers
2. User experience
3. Functions provided
4. Level of support
5. Current and future cost
6. Strictness of privacy and security
7. Whether users can have sovereignty over their own data

Summary

Decentralized authentication seems to be gradually gaining ground.

Microsoft

https://www.microsoft.com/ja-jp/security/business/solutions/decentralized-identity

NTT Data

https://www.nttdata.com/jp/ja/data-insight/2020/122302/

Recently, the handling of personal information has been getting extremely strict.

With regulations such as the EU General Data Protection Regulation (GDPR) tightening, Yahoo! JAPAN is becoming hard to access from Europe, and even Facebook may become unavailable there...

So there are benefits in managing personal data in a decentralized way, where the user is involved, rather than aggregating it centrally in a place the user has no say over.

Obtaining authentication through an API also fits Jamstack's design philosophy, and is a good approach in that the site does not take on responsibilities it does not need.

That said, few people have actually implemented it yet, so such talent is hard to find.

Which is exactly why getting hands-on with this method early could be a big advantage!

 

Thank you for reading until the end.

 

Human Science Co., Ltd. offers solutions for web content and platforms that combine "document-creation know-how" with "the latest web development technology (Jamstack)", a combination other companies do not have.

 

If you are interested, please contact us here!

 

Human Science Co., Ltd.

https://www.science.co.jp/document/jamstack.html

 

Source of this document: https://www.youtube.com/watch?v=FFQctR6w11M
