Skip to content

⚑ ThunderOTP βš™οΈ β€” A cloud-native microservices architecture for lightning-fast and reliable OTP authentication service. πŸ”’πŸ’¨

License

Notifications You must be signed in to change notification settings

sergio11/passwordless_authentication_architecture

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

⚑ ThunderOTP πŸ” - Revolutionizing authentication with a cutting-edge passwordless architecture based on One-time codes approach! πŸ’«

Passwordless authentication is poised to redefine the future of online security! πŸš€

In an era where password security is increasingly compromised, and user experience is paramount, ThunderOTP emerges as the solution. Traditional passwords are susceptible to theft and reuse, jeopardizing user data and online safety. Moreover, the demand for complex passwords burdens users with a frustrating login process.

πŸ›‘οΈ Uniting Security and User Experience Enter ThunderOTP, a game-changer in the realm of authentication. This innovative approach not only enhances security but also elevates the user experience. Say goodbye to the age-old trade-off between security and convenience, as ThunderOTP paves the way for a safer, smoother online journey.

Please, give a star to this repository in order to redefine online security with ThunderOTP! βš‘πŸ”’


Also you can read more detail information about this project in this Medium article.

What is passwordless authentication?

In online authentication, a passwordless authentication system is any process that authenticates the user without using a password, more specifically is the verification of a user's identity by a method that does not require a password. It is important to make a clear distinction between the different methods used to deliver passwordless authentication. Some are more secure and some provide a better user experience. This architecture has been implemented using the one-time passwords (OTPs) solution. They are best known for multi-factor authentication processes, but one-time passwords or one-time codes can also be used as a standalone authentication method.

How do OTPs work in passwordless authentication?

One-time passwords (or OTPs) are numeric codes linked to a reference. These codes are sent to the user, so only the server and the user can know this code. When the user enters the code in the platform, they are granted with access and hence they are authenticated.

These codes will be sent to the user's phone via SMS, Push Notification or e-mail.

Furthermore, one-time passwords are always linked to a unique reference, so there aren't any chances that the code is overtaken by different uses. OTPs can be limited in time too, which limits the time of validity of the code.

Architecture Overview

This architecture can be used as a stand-alone authentication service or as part of a more complex MFA solution. Clients will request a one-time code or password in order to verify their identity, they will indicate the delivery service by which they wish to receive the token (Email, SMS, push notification are the options currently available). The system will generate an OTP token applying rules linked to the specified delivery service, the generated token will persist in the redis cluster with the TTL associated with the type of service and will return to the client a unique operation identifier that can be used for subsequent validation operationsΒ , cancel or resend. The system allows up to a total of 3 resubmissions for an operation identifier, if the client provides an incorrect OTP at the time of validation, it will be eliminated and a new OTP will have to be requested. The system carries out various checks to prevent misuse of the service.

Powered by lightweight cloud-native microservices implemented by Ktor Graalvm native images.

Using GraalVM Native Image technology we can compile the services to native code ahead of time in a way in which the resulting binary does not depend on the JVM for the execution. This executable can be placed as a standalone application in a container and started really, really fast.

  • Faster startup time: Building Ahead-of-time compiled microservices that start in milliseconds and deliver peak performance with no warmup.
  • Low resource usage: Building Ahead-of-time compiled microservices that use only a fraction of the resources required by the JVM which means they cost less to run and improve utilization.
  • Small container image: Trying to compact native executables in lightweight container images for more secure, faster, and efficient deployments.
  • Minimize vulnerability: Trying to reduce the attack surface area using Native image by removing all unused classes, method, and fields from your application and libraries while making reverse engineering difficult by converting Java bytecode into native machine code.

Used technology.

  • Redis Cluster Architecture ( rejson module enabled).
  • HAProxy Load Balancer.
  • Ktor Framework.
  • Netty Server.
  • Graalvm high-performance JDK distribution.
  • Twilio Java Helper Library.
  • Sendgrid Java Helper Library.
  • Firebase Cloud Messaging.
  • Jedis ( A redis Java client designed for performance and ease of use ).
  • Hoplite ( A boilerplate-free Kotlin config library for loading configuration files as data classes ).

Running Applications as Docker containers.

Rake Tasks

The available tasks are detailed below (rake --task)

Task Description
thunderotp:check_docker_task Check Docker and Docker Compose Task
thunderotp:cleaning_environment_task Cleaning Evironment Task
thunderotp:deploy Deploys Platform Containers and launches all services and daemons needed to properly work
thunderotp:login Authenticating with existing credentials
thunderotp:platform:build_hotspot_image Build Docker Image based on Hotspot JVM
thunderotp:platform:build_native_image Build Docker Image based on Graavlm
thunderotp:platform:check_deployment_file Check Platform Deployment File
thunderotp:platform:start Start Platform Graalvm Containers
thunderotp:platform:start_hotspot Start Platform Hotspot JVM Containers
thunderotp:platform:stop Stop Platform Graalvm Containers
thunderotp:platform:stop_hotspot Stop Platform Hotspot JVM Containers
thunderotp:redis:check_deployment_file Check Redis Cluster Deployment File
thunderotp:redis:start Start and configure Cluster Containers
thunderotp:redis:stop Stop Cluster Containers
thunderotp:status Status Containers
thunderotp:undeploy Undeploy Platform Containers

To start the platform make sure you have Ruby installed, go to the root directory of the project and run the rake deploy task, this task will carry out a series of preliminary checks, discard images and volumes that are no longer necessary and also proceed to download all the images and the initialization of the containers.

Containers Ports

In this table you can view the ports assigned to each service to access to the Web tools or something else you can use to monitoring the flow.

Container Port
Redis Insight localhost:8001
HAProxy Load Balancer localhost:9090
HAProxy Stats localhost:8404

Some screenshots

As follow, I include some images that help us to understand the performance of each part of system

HAProxy offers a website to monitor the operation of the load balancer, we can view statistics and metrics related to requests related to microservices.

The Redis Insight tool allows us to visualize the distribution of our Redis cluster configuration, more specifically, we can visualize which are the master and slave nodes, the total memory consumed by each node, the number of keys that each node hosts...

With the Redis Insight Browser tool we can manage and view the hosted keys and view their content.

OTP token information is stored as JSON templates using the Redis ReJSON module. It used the Jedis library to store and retrieve the models using GSON as a data serialization library, apart from that, it took advantage of the intrinsic mechanism of TTLs that can be applied to the keys, as a way to configure the validity time of the generated codes, as you can see below.

The Redis cluster configuration is made up of 8 Redis nodes, 4 nodes act as master nodes and the other 4 are slave nodes. Apart from that, we have the official Redis Insight container that allows us to operate with the configuration.

Microservices deployment based on OpenJDK 11 HotSpot provide by AdoptOpenJDK

You can execute the task thunderotp:platform:start_hotspot in order to deploy a microservice platform based on OpenJDK Hotspot images if you want.

HotSpot is one implementation of JIT technology that starts by running interpreted, and watches the actual performance of the app. Parts of the app are then selected to be fully-compiled as native code and cached, for much faster execution. HotSpot was developed at Sun as a commercial product. After acquiring Sun, Oracle further evolved HotSpot by combining important parts of their competing product, JRockit. HotSpot is now open-sourced through the OpenJDK project, available free-of-charge.

Microservices based on this JDK distribution take more memory than the GraalVM alternatives.

You can execute the task thunderotp:platform:start in order to deploy a microservice platform based on GraalVM native images.

Using GraalVM Native Image technology we can compile the services to native code ahead of time in a way in which the resulting binary does not depend on the JVM for the execution. This executable can be placed as a standalone application in a container and started really, really fast.

In this way we will have microservices with a Faster startup time and a Low resource usage as you can see in the picture below.

The platform uses several senders to deliver the OTP codes below you can see examples of deliveries using the SendGrid and Twilio SMS service.

Visitors Count

Please Share & Star the repository to keep me motivated.