TL;DR: Last-mile customization can transform an out-of-the-box solid solution into the one you need for your business right now. But did you know that the same extensibility (the ability to write custom authentication workflows and integrate no-code third-party applications) can be used to increase security? You can use extensibility to create a layered defense. This post will show you how.
Why You Should Build In Security
According to the 2022 Verizon Data Breach Investigation Report (DBIR), 82% of security incidents involved a human element. Threat actors overwhelmingly rely upon social engineering and phishing attacks, not to mention simple everyday errors, in their quest to plunder company data. And so, identity is now the first line of defense.
Identity plays a massive role in security. Customer Identity Access Management (CIAM) solutions like Auth0 are designed to strengthen your defensive posture with out-of-the-box security features, like the ability to detect brute force attacks and warn users when their credentials have been leaked.
These features address the security needs of many companies. But no two businesses are the same. Some, particularly those in highly-regulated markets, need even higher levels of vigilance. Their threat profile requires them to introduce additional friction into the authentication process beyond what their CIAM platform offers by default.
Auth0 makes it easy to add that protection. Because it's designed for extensibility, users can build custom functionality or create custom workflows by writing their own Actions or installing no-code integrations from the Auth0 Marketplace. In turn, businesses can create a robust, layered defense, allowing them to meet their own security needs.
This post will focus on the concept of a layered defense. We'll explain it on a high level and then look at the practical side of things. You'll learn how Auth0's extensibility features allow for the custom authentication workflows and rules that are fundamental to a layered defense.
What is a Layered Defense?
It's often useful to describe technical concepts with a real-world metaphor. Let's imagine you just bought a new house. It's beautiful. Your dream home, even. But there's a catch. It's a big one. As you unloaded your possessions from the moving truck, your new neighbor warned you about a recent spate of break-ins. You want to keep your family safe, so you begin adding new security features.
Fortunately, the front door is made of thick, solid wood. Your windows are the strong double-glazed kind. And so, you look elsewhere to make changes.
With boxes piled around your feet, you begin to install locks on your internal doors. A video doorbell and CCTV cameras come next. You deploy motion detectors around the ground-floor windows and even start thinking seriously about buying a dog. With each new security feature, your home becomes more resistant to burglars. You started from a good place, thanks to your solid wood doors and double-glazed windows. But you know that no security system is invulnerable. And so, you built upon those strong beginnings.
In a business technology context, a layered defense involves taking the strong underpinnings of a product and enhancing them further. No security product is perfect. Risk levels vary between businesses, and some may be enticing enough to convince an attacker to systematically test your defenses in the hope of finding a weakness they can exploit.
As you add additional layers of security, introducing new surveillance and mitigation measures, you reduce the likelihood of an attacker finding a loophole. You introduce redundancies. If an attacker circumvents one protection, they're blocked by another.
Let's return to the home example. Suppose a burglar smashes their way through your sturdy, double-glazed windows. They must still face the motion detection sensors, the CCTV system, and the dog. Their odds of successfully robbing your home while remaining undetected are still vanishingly thin.
Protect The Gateway, Protect the Application
Risk varies wildly between industries. But it's also contextual.
A logistics company might want to re-authenticate users when they perform a potentially-unauthorized action — like changing the delivery address of a package whilst it's in transit. Banks often will challenge users when they add a new payee or send a wire transfer to a new account. Many applications add friction when they detect suspicious behavior, like when a user logs in from a new location or from a new previously-unseen device.
There's a reason for this. Identity is the most logical place to add extra protections. It's a necessary component for accessing an application. It's the part responsible for session management. Identity is how you can block and revoke access.
CIAM tools like Auth0 make this process even easier, as they're inherently centralized. There's one place to look for suspicious login activity and one place to act. If you rely on a custom identity system, which in turn relies on several external components, it becomes a lot harder to take swift action against the potentially-harmful activity and even more time-consuming to add new security features.
If you're curious, we've explored this issue at length in the past. On so many levels — but especially security — it makes more sense to use a purpose-built CIAM tool over an in-house identity system. For a deeper look into the build-vs-buy debate, check out this white paper.
Okta provides low-code and pro-code tools to build a robust, multi-layered, and context-aware defense. We also make it really easy. Read on to learn more about Auth0 Actions and Integrations and how they can combine to bolster your security posture.
How Actions Power Your Layered Defense
Actions are small, tenant-specific scripts written for the Node.js framework that execute at specific points during the authentication workflow. They're a quick, effective, and versatile way to add custom functionality to the stock Auth0 platform.
The Auth0 platform defines several contexts where an Action can be executed. We call these flows. Put simply; flows describe linear user interactions within an authentication context. Things like changing a password, creating a new user account, or logging in.
Flows define the broader authentication and access control pipeline. They represent a linear user or machine interactions within an authentication. Examples include account creation, password changes, or logging in.
Within flows, you'll find something called 'triggers.' These identify specific parts of the pipeline where you can introduce custom business logic.
Flows are either blocking (synchronous) or non-blocking (asynchronous), depending on the context. In practice, the vast majority of the Actions-based layered defense measures will be blocked as you halt the authentication process until a specific condition is met.
For a good example of this, look at the login flow. It's here you'll check the location or IP range of the user or ask them to verify their identity with multi-factor authentication (MFA).
Putting Code First
The Auth0 platform treats code like a first-class citizen. In practice, this means we deliver a modern developer experience and try to limit the number of restrictions placed on customer Actions.
Because Actions are proper node.js applications, they can use the majority of third-party libraries available within the public NPM registry, provided they don't rely on any native add-ons. In short, if a dependency doesn't require you to compile anything, it'll likely work. We support two ways of adding dependencies to an Action: through our web interface or via the Auth0 Management API.
Developers can build Actions using their preferred text editor (Vim or Emacs, we don't judge). We also provide a browser-based editor with native syntax highlighting. And, because version control is at the heart of good software development, the Auth0 platform allows you to track changes over time and quickly revert to the last known good version of an Action.
We designed Actions to be easy to test, debug, and audit throughout the entire lifecycle. Using the browser-based editor (or the Auth0 Management API), developers can test their actions using dummy payloads. This feature simulates real-world usage without the need to deploy the action to a live environment.
The Auth0 platform also lets developers test the more granular elements of their application. Developers can run unit tests using the framework of their choice. Our documentation primarily focuses on Jest, the most popular JavaScript unit testing tool. This makes it easy to verify the bits of your code that don't primarily interact with the Auth0 platform, like custom logic that posts a Slack notification when a user fails to authenticate.
Once an action is live, administrators and developers have access to tenant logs, allowing them to easily identify and debug failed interactions. Logs are hugely valuable from a security perspective. They act as the canary in the coal mine, warning when a third party is attempting to gain unauthorized access and providing valuable intelligence when investigating a security incident.
But logs can also provide useful clues with respect to your application's usability and stability. We record failed sign-ups and machine-to-machine messages, along with the other typical user interactions, to provide engineers with vital diagnostic information.
The Rules for Writing Actions
In short, Actions are a really powerful way to introduce custom business logic to your identity. That said, to make sure everyone can take advantage of them, we have a few basic rules.
We limit Actions to ten external dependencies, and each action should be no more than 100kb in size. This size limit excludes any external NPM modules. Additionally, each flow cannot exceed more than 20 attached actions.
These rules are intended to ensure your users have a smooth experience. That's because larger, more complicated scripts add latency to your application. We, therefore, require every flow to complete in under ten seconds. Flows that exceed this limit are executed and will return an error.
Additionally, each Auth0 tenant is limited to a maximum of 100 actions. This number includes both deployed and undeployed actions. We also limit the number of versions to 50 per action. Should you exceed this figure, Auth0 will automatically delete the oldest available version. For more information, check out our guidelines.
Remember: Actions are designed to be small, purpose-built scripts. As any software engineer can (and will) tell you, simplicity is always better than complexity.
A Look at Integrations
We've already introduced Actions. They're great for adding custom business logic to identity workflows. But what if you don't want to reinvent the wheel? Fortunately, Auth0 has a solution for that, allowing you to incorporate third-party services while limiting the need for custom code.
Integrations are ready-to-use extensions that allow you to integrate third-party applications and services into your identity workflows.
Let's put it another way. As a developer, you use libraries to work more effectively. These pre-written packages of code allow you to focus on building value. Libraries solve problems that millions of programmers face — like interfacing with databases, generating data visualizations, or sending emails and texts to customers.
Integrations work the same way. They solve problems that you, and countless other engineers, face. Problems like how to share access logs with Splunk or Sumo Logic or how to verify identity documents and passwords. Like a programming library, Integrations are ready to use and, in many cases, can be implemented with just a click.
You can find and install integrations from the Auth0 Marketplace. Each comes with helpful guidance on how to activate them within your tenant and the best practices for use. If you get stuck, you can find more information on our documentation page.
Building a Layered Defense Strategy with Actions
Okay, so we've explained what a Layered Defense strategy means and learned how to customize identity workflows within Auth0. Now let's look at some scenarios for how this could work in practice.
The stock Auth0 experience comes with several security features by default. It automatically blocks suspected brute force attacks, as well as suspected bot activity. It warns users when their passwords appear on the dark web. It makes it easy to add features like multi-factor authentication (MFA), including biometric-based MFA.
Like the house in the earlier metaphor, Auth0 offers strong foundations to build upon. But what if you wanted to expand further?
A good start would be to require MFA for all users accessing your application beyond the confines of the company network. You also decide to block login attempts from specific countries where your business doesn't have a presence and are often the source of attempted attacks. After writing a few lines of code, you have an action that's ready and waiting to be attached to the login flow.
You also decide to limit the potential window when a successful attack could occur by blocking authentication attempts that take place overnight. Again, this can be accomplished with just a few lines of code.
Context matters. It's the thing that lets you distinguish between legitimate and malicious activity. It's the tool that lets you evaluate risk. Just like a bank may temporarily block your debit card if you withdraw cash from a country you've never visited before, a layered defense strategy allows you to add friction based on the criteria that you define.
And because Auth0 Actions are JavaScript applications, you have the flexibility to define the circumstances where you may wish to add friction or even deny access.
Bringing Integrations Into the Mix
Auth0 is one of many security tools your business relies on. You use a SIEM platform to manage, retain, and analyze logs. As your application is built with a microservices architecture, you rely upon a gateway to manage API requests and identify malicious activity. You use a mobile device management (MDM) system to keep track of company-issued laptops and smartphones.
Naturally, you want to integrate these tools into your identity platform. And so, you head to the Auth0 marketplace. With just a few clicks, the security tools you use are working together in harmony.
And, because Auth0 allows you to customize most parts of the identity lifecycle, from registration to authentication, developers quickly add additional functionality and quickly onboard new third-party products and services. For example, they could implement sophisticated behaviors that minimize the risk of fraudulent or malicious account creation.
We make it easy to integrate your application with tools like Deduce, a behavioral intelligence platform that detects suspicious user activity in real-time. And, with a few lines of code, developers can redirect flagged accounts to services like ID DataWeb, where users are asked to prove their identity with their passport or driving license.
With each step, you add another layer to your defensive posture. You become stronger. More resilient. Better able to withstand threats. Less attractive to a would-be attacker.
You Know Your Risk Best
Don't get us wrong — Auth0 is designed to deliver the best security outcomes from Day One. Its out-of-the-box security features can protect against brute force and credential stuffing attacks, and we actively monitor for suspicious or anomalous behaviors.
But we also know that every company is different, with different risks and compliance requirements. And so, we make it easy to customize the included security features and add new functionality and friction beyond that. Flexibility goes hand-in-hand with security. Only you know the risks you face and the measures you need to take in order to protect your application, your data, and your users.
Want to keep the conversation going? Reach out to our team to learn more about how Actions and our network of integrations can help secure your business while delivering an unbeatable user experience for your customers and employees.
