Document use of Native authenticator
@leportella has made the Native authenticator as described in her blog post about it.
I think this is a very useful authenticator that is far easier to get started with in some scenarios. For example, consider a class instructor that wants to provide access specifically for their students but not all of the university or similar. In my case I wanted to provide access for my school but not all of the 100+ schools at one time during a school event.
PR Work to be done
- Document how to configure the use of the nativeauthenticator
- Document that it could be a bit complicated to transition to a new authenticator without losing previous user storage etc.
  - If using this at first means you get a lot of users, they will get storage related to their username. If you later switch to another authenticator you will get a new username and so new storage. There is no easy fix to migrate this.
- Warn about the need for HTTPS
  - Setting this up without HTTPS would expose passwords, as they would be communicated in the clear over the internet; on a public WiFi, for example, someone sniffing the traffic has the password. While you may say "well, their work won't be sensitive" or so, it can be the same credential/password used for other services, so it is actually a big deal to leak passwords even though it is for a dummy service.
- Warn about being responsible for a database containing hashed passwords
  - If a list of hashed passwords is exposed, you can figure out what password led to the hash by brute force if you try to hash enough passwords to find a match. So this is also a way for passwords to leak, mainly if they are short, such as only 8-10 symbols, or easy to guess by trying all words in a dictionary etc.
- Disclaimer that it's recommended to use an external identity provider to not be responsible for these matters.
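A minimal `jupyterhub_config.py` that enables NativeAuthenticator with the safeguards from the checklist above, as an added example (not code from this issue or from the nativeauthenticator project). The instructor username and certificate paths are constructed placeholders, the `Config` stand-in only exists so the file also runs where traitlets is not installed, and the `audit()` helper is hypothetical: it flags the weak settings the checklist warns about, so a config can be checked before it is deployed.

```python
"""jupyterhub_config.py fragment: NativeAuthenticator with the checklist's safeguards."""
import os

try:
    from traitlets.config import Config
except ImportError:  # constructed stand-in so the file also runs without traitlets installed
    class Config(dict):
        def __getattr__(self, name):
            return self.setdefault(name, Config())

        def __setattr__(self, name, value):
            self[name] = value

if "c" not in globals():  # JupyterHub injects `c`; create it for stand-alone use
    c = Config()

c.JupyterHub.authenticator_class = "nativeauthenticator.NativeAuthenticator"
# Passwords travel to the hub on every login, so serve it over TLS
# (placeholder paths; terminating TLS at a reverse proxy in front of the hub is also fine).
c.JupyterHub.ssl_cert = os.environ.get("HUB_TLS_CERT", "/etc/jupyterhub/tls.crt")
c.JupyterHub.ssl_key = os.environ.get("HUB_TLS_KEY", "/etc/jupyterhub/tls.key")
# Sign-ups wait for an admin to authorize them; open_signup=True would let anyone register.
c.NativeAuthenticator.open_signup = False
# The hub now stores password hashes, so limit what a leaked table is worth.
c.NativeAuthenticator.minimum_password_length = 12
c.NativeAuthenticator.check_common_password = True  # reject dictionary passwords
c.NativeAuthenticator.allowed_failed_logins = 5     # throttle online guessing
c.NativeAuthenticator.seconds_before_next_try = 600
c.Authenticator.admin_users = {"instructor"}        # constructed username


def audit(config):
    """Return the checklist pitfalls a config still has (empty list means none found)."""
    hub, na = config.JupyterHub, config.NativeAuthenticator
    findings = []
    if not (hub.get("ssl_cert") and hub.get("ssl_key")):
        findings.append("no TLS on the hub: passwords go over the wire in clear unless a proxy terminates HTTPS")
    if na.get("open_signup", False):
        findings.append("open_signup=True: anyone can create an account")
    if na.get("minimum_password_length", 1) < 12:
        findings.append("minimum_password_length < 12: short passwords fall to brute force if hashes leak")
    if not na.get("check_common_password", False):
        findings.append("check_common_password unset: dictionary passwords accepted")
    if na.get("allowed_failed_logins", 0) <= 0:
        findings.append("allowed_failed_logins unset: no throttling of online guessing")
    return findings


def weak_example():
    """Constructed comparison: the settings a first-time setup tends to leave in place."""
    weak = Config()
    weak.JupyterHub.authenticator_class = "nativeauthenticator.NativeAuthenticator"
    weak.NativeAuthenticator.open_signup = True
    weak.NativeAuthenticator.minimum_password_length = 8
    return audit(weak)
```

Running `audit(c)` on the hardened fragment returns an empty list, while `weak_example()` reports all five findings.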