I have recently finished watching the Pluralsight course on Using MongoDB with ASP.NET MVC. I have been intending to look more into NoSQL for months now but have not got around to it. This course was the perfect excuse to do so!
The course starts by briefly introducing you to MongoDB and then swiftly shows you how to integrate it into an MVC application. It takes you through CRUD operations using Mongo as the data store then shows you GridFS (the file store for MongoDB) and the new aggregation pipeline model.
I was really impressed with the course (to the extent I decided to blog about it!). In the space of a few hours I went from knowing very little about a technology to being confident about how to utilize it in a project. Wes McClure is a first rate presenter who keeps you engaged through the course, supplying clear explanations and useful information for future proofing your Mongo projects. He also has a very interesting blog which is worth looking at. It's full of good advice and issues he has encountered in the real world.
This was one of my favourite Pluralsight course formats where you are able to code along to the course and end up with the same end product. Granted you will need to code some of the razor views yourself but the important C# code for interacting with the Mongo driver is all on show.
Wes finishes the course with some great advice: Build something! I already have a couple of projects in mind to use with MongoDB.
Where to go from here... I will start watching Nuri Halperin course Introduction to MongoDB which Wes recommends as this will get you more familiar with the MongoDB server itself. I have also spied Seven Databases in Seven Weeks which looks like a great read to getting familiar with a wide variety of NoSQL databases. But most importantly, I will be developing something.
If you want a practical introduction to MongoDB from a Web Development perspective, this is the course for you.
The days of polygot persistence are upon us.
Saturday, June 28, 2014
Monday, June 2, 2014
Looking at the Microsoft Store's Authentication
A few days ago I called the Microsoft Store about an order I had placed online. After discussing what I wanted to change, the operator explained that before she could make any updates to my account she needed to check my email address (up until this point, I had only told her my name and my order number) and that she would be sending a code to that address. After confirming my email address, I quickly signed in to my account, read the code back to her and from that moment on I was verified--it was as simple as that. Let’s break this down from a security perspective.
The traditional route of authentication during a telephone call is to ask a series of questions that only you “should” know the answers to. The problem is that this isn’t always the case and these answers are generally easily discoverable: Google can help with answering what year someone got married in or what their maiden name was; if you’re OK with a little more work, you could examine the public records or even just ask the individual—I doubt most people will have a problem telling you the name of their first pet if brought up unsuspiciously in conversation.
Using a verification code bypasses all of this and places the burden of authentication solely on you having access to the email account that is registered with the Microsoft Store. The assumption is that you know the password to access your email account / that you have access to your email account. Reading the verification code back is evidence of this and satisfies that you are who you claim to be.
This becomes really interesting if the operator has no access to the code and cannot proceed without it as it presents the situation, that as well as providing authentication of you, can also provide authorization for the operator. Without the code, they would be considered unauthorized and would not be able to update an account unless they were supplied the code. This works great in preventing the operator from being coerced into updating the account, as without the code, they really have no way to do this.
I’m impressed with the ease of using a verification code sent by email and the potential it has for offering both authentication and authorization. Of course, if I was unable to access my email account at the time I called, I might have a less favorable opinion; however, an easy alternative would have been to send the code to the mobile phone that was on my account.
The traditional route of authentication during a telephone call is to ask a series of questions that only you “should” know the answers to. The problem is that this isn’t always the case and these answers are generally easily discoverable: Google can help with answering what year someone got married in or what their maiden name was; if you’re OK with a little more work, you could examine the public records or even just ask the individual—I doubt most people will have a problem telling you the name of their first pet if brought up unsuspiciously in conversation.
Using a verification code bypasses all of this and places the burden of authentication solely on you having access to the email account that is registered with the Microsoft Store. The assumption is that you know the password to access your email account / that you have access to your email account. Reading the verification code back is evidence of this and satisfies that you are who you claim to be.
This becomes really interesting if the operator has no access to the code and cannot proceed without it as it presents the situation, that as well as providing authentication of you, can also provide authorization for the operator. Without the code, they would be considered unauthorized and would not be able to update an account unless they were supplied the code. This works great in preventing the operator from being coerced into updating the account, as without the code, they really have no way to do this.
I’m impressed with the ease of using a verification code sent by email and the potential it has for offering both authentication and authorization. Of course, if I was unable to access my email account at the time I called, I might have a less favorable opinion; however, an easy alternative would have been to send the code to the mobile phone that was on my account.
Labels:
2FA,
Authentication,
Authorization
Subscribe to:
Posts (Atom)