工业设置中Web应用程序身份验证的最佳做法 [英] Best Practices for Web App Authentication in Industrial Settings

问题描述

我正在创建用于重型工业环境的Web应用程序.希望操作员能够使用中央平板电脑或计算机作为应用程序的接口，以便多个操作员在给定的工作班次中共享一个设备.有关标准个人设备的大量信息，但没有共享的工业设置.

I'm creating a web application intended for a heavy industrial setting. Would like the operators to be able to use a central tablet or computer as an interface to the application, so multiple operators would be sharing a device during a given work shift. Plenty of information on standard personal devices, but not shared industrial settings.

问题-Web应用程序安全性/身份验证的最佳方法是什么?有哪些替代方法?

Question - What is the best way for web app security/authentication and what are the various alternatives?

• 他们是否都使用相同的身份验证会话(这不是可取的，因为我想唯一地标识活动用户)?
• 很明显，我可以在过期的基于令牌的会话中使用标准的用户名/密码，但这为帐户劫持留下了很大的潜力.
• 理想情况下，他们将能够非常快速地登录(可能是PIN码?)，并且会话将在完成后结束.

推荐答案

在工业环境中，通常需要坚固的硬件.这是相当专业的套件，并且通常比香草"套件贵得多.计算硬件.根据环境的不同，您可能需要防水防尘的外壳. Google将提供一系列选项.非加固型设备通常无法承受恶劣的条件，并且可能会迅速或无法预测地发生故障.

In industrial settings, you typically want ruggedized hardware. This is fairly specialist kit, and typically much more expensive than "vanilla" computing hardware. Depending on the environment, you may need waterproof and dustproof enclosures. Google will provide a range of options. Non-ruggedized equipment will usually not withstand the harsh conditions, and is likely to fail quickly or unpredictably.

如果要审核谁输入了特定条目，则需要某种身份验证机制.生物识别登录信息(例如指纹等)可在多种设备上使用，使人们无需输入用户名和密码(通常是共享的)就可以轻松登录.在此模型中，用户向操作系统而不是Web应用程序进行身份验证；将它们粘合在一起是可行的，但是在很大程度上取决于您的企业身份管理系统和用于构建Web应用程序的框架.

If you want to audit who made particular entries, you'll want some kind of authentication mechanism. Biometric logins - fingerprint etc. - are available on a range of devices, and will make it easy for people to log in without entering usernames and passwords (which are often shared). In this model, the user authenticates to the operating system, not the web application; gluing those together is do-able, but heavily dependent on your enterprise identity management system and the frameworks you're using for building your web application.

另一种选择是使用RFID卡-同样，许多坚固耐用的计算机都支持RFID读取器，该读取器可以读取卡或钥匙圈式的物理对象.由于人们共享卡，因此这不如生物识别认证安全.同样，这里的身份验证是在操作系统级别上进行的.

Another option is to use RFID cards - again, many ruggedized computers support RFID readers which can read a card or keyring style physical object. This is less secure than biometric authentication as people do share cards. Again, authentication here is at the operating system level.

使用操作系统的身份验证工具的好处是，您将受益于为保护各种环境中的访问而进行的所有工作.例如，大多数操作系统允许您将策略设置为在一定时间后锁定屏幕(未经授权的用户无法覆盖此策略).

The benefit of using the operating system's authentication tools is that you benefit from all the work done to secure access in a range of environments. For instance, most OSes allow you to set a policy to lock screens after a certain time out (and unauthorized users cannot override this).

将身份验证内置到Web应用程序中也是一种选择，但是AFAIK生物识别解决方案对于Web应用程序仍然有些深奥.在大多数框架中，用户名/密码都非常容易，如果您设置较短的会话超时时间，则有人忘记登出并保持浏览器登录的可能性很小.对于核发射代码来说还不够好，但是对于一个行业应用程序，可能还可以.

Building authentication into the web application is also an option, but AFAIK biometric solutions are still a little esoteric for web apps. Username/password is easy enough in most frameworks, and if you set a short session time out, the chances that someone will forget to log out and leave the browser logged in are slim. Not good enough for the nuclear launch codes, but for a line-of-business app, probably OK.

您还可以查看用户名/密码身份验证的替代方法，而无需使用生物识别技术-例如密码或图像识别选项(这里有16张随机图像，这是您的祖母吗?"). AFAIK，这不是大多数Web开发框架中的标准功能，因此您必须自己动手.

You could also look at alternatives to username/password authentication, without using biometrics - e.g. a passcode or image recognition option ("here are 16 random images, which is your grandmother?"). AFAIK, that's not a standard feature in most web development frameworks, so you'd have to roll your own.

这篇关于工业设置中Web应用程序身份验证的最佳做法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！