I’ve said this part before, so if you read the previous article, skip to “How to Implement Passwordless Authentication”, below. I’m posting the introduction again for those of us who are too lazy to click a link.

我之前已经说过这一部分 ，因此，如果您阅读上一篇文章，请跳到下面的“如何实现无密码身份验证”。 我将再次为那些懒于单击链接的人发布介绍。

Managing user authentication and authorization is a very serious responsibility, and getting it wrong can cost a lot more than unauthorized access to your app. It can also compromise user privacy or lead to financial damage or identity theft for your users. Unless you are a huge company with a huge security team, you don’t want that kind of responsibility or liability for your app.

管理用户身份验证和授权是一项非常严重的责任，而错误地进行操作要比未经授权访问您的应用程序花费更多。 它还可能损害用户隐私或导致用户经济损失或身份盗用。 除非您是拥有庞大安全团队的大型公司，否则您不希望对您的应用程序承担那样的责任。

Most apps today are built with username and password authentication, and once a user is signed in, that user session can do anything it wants to do, without revalidating the user’s intention.

如今，大多数应用程序都是使用用户名和密码身份验证构建的，一旦用户登录，该用户会话就可以执行其想做的任何事情，而无需重新验证用户的意图。

That security model is broken for a number of reasons:

该安全模型被破坏的原因有很多：

Passwords are obsolete. If you have any doubt about that, head over to HaveIBeenPwned and plunk in your email address. Sensitive data has been stolen in many high profile data breaches impacting companies like Dropbox, Adobe, Disqus, Kickstarter, LinkedIn, Tumblr, and many, many more. If there’s a database with passwords in it, it’s only a matter of time before it gets stolen.

密码已过时。 如果对此有任何疑问，请转到HaveIBeenPwned，然后在您的电子邮件地址中插入 。 敏感数据已在许多知名数据泄露中被盗，这些数据泄露影响了Dropbox，Adobe，Disqus，Kickstarter，LinkedIn，Tumblr等公司。 如果数据库中有密码，那么它被盗只是时间问题。

Hashing passwords won’t save you or your users. Once a database of passwords has been stolen, hackers aim immense distributed computing power at those password databases. They use parallel GPUs or giant botnets with hundreds of thousands of nodes to try hundreds of billions of password combinations per second in hopes of recovering plaintext username/password pairs.

散列密码不会挽救您或您的用户。 一旦密码数据库被盗，黑客就将巨大的分布式计算能力瞄准这些密码数据库。 他们使用并行GPU或巨型 具有数十万个节点的僵尸网络 尝试 每秒数千亿个密码组合 希望恢复纯文本的用户名/密码对。

If an attacker can discover a password that hashes to the same hash as the one stored in your database, they’ll take that combination and try it on things like bank account websites. In many cases, even a salted, hashed password database will leak another valid username/password pair every minute or so. That’s about half a million leaked passwords per year — and that rate is doubling every few years. I wrote about this topic in 2013. The bad guys are now hashing passwords more than 10 times faster than they were then.

如果攻击者可以发现一个哈希值与存储在数据库中的哈希值相同的哈希值的密码，则他们将采用这种组合并在银行帐户网站等网站上尝试使用。 在许多情况下，即使是加盐的哈希密码数据库也会每分钟左右泄漏另一个有效的用户名/密码对。 每年大约有一百五十万个密码泄露事件，而且每隔几年就会翻倍。 我在2013年撰写了有关此主题的文章。现在，坏蛋正在对密码进行哈希运算，其速度是当时的10倍以上。

User Sessions Get Hijacked. User sessions are commonly hijacked after authentication, allowing attackers to exploit that user’s application resources. To prevent that, you’d need to re-authenticate the user with every request, and in the land of usernames and passwords, that would create an awkward user experience.

用户会话被劫持。 用户会话通常在身份验证后被劫持 ，从而使攻击者可以利用该用户的应用程序资源。 为避免这种情况，您需要针对每个请求重新验证用户身份，并在用户名和密码的范围内创建尴尬的用户体验。

升级认证 (Upgrading Authentication)

One of the coolest features of decentralized applications is the decentralized security model. Using the Ethereum blockchain ecosystem, each user gets a public and private key pair. You can sign every request with the user’s private key and verify requests with the user’s public key. Each request is uniquely authenticated, which reduces the chance of hijacking to nearly zero.

分散式应用程序最酷的功能之一就是分散式安全模型。 使用以太坊区块链生态系统，每个用户都可以获得一个公钥和私钥对。 您可以使用用户的私钥对每个请求进行签名，并使用用户的公钥来验证请求。 每个请求都经过唯一身份验证，这将劫持的机会降低到几乎为零。

A hijacker would need the ability to sign on behalf of the user, but they can’t do that without access to the user’s private key, which is protected by hardware-level security. Using Hardware Security Modules (HSMs), we can protect private keys from exposure to the internet. Instead of sending the private key over the network, we send the messages which need signing to the private key in the HSM. The user authorizes the signature, and the signed request gets authenticated and processed. If the signature is invalid, the request gets rejected.

劫机者将需要具有代表用户签名的能力，但他们不能在没有访问用户私钥的情况下进行签名，私钥受硬件级安全性保护。 使用硬件安全模块(HSM) ，我们可以保护私钥不暴露于Internet。 我们无需通过网络发送私钥，而是将需要签名的消息发送到HSM中的私钥。 用户对签名进行授权，然后对签名的请求进行身份验证和处理。 如果签名无效，则请求被拒绝。

Additionally, those key pairs can encrypt and decrypt user data so that only the user who owns the data can read it. If an app developer chooses to let users encrypt their data, even the application can’t decrypt the data without the user’s permission. With this security model, we can put users in control of their private information.

此外，这些密钥对可以加密和解密用户数据，以便只有拥有数据的用户才能读取它。 如果应用程序开发人员选择让用户加密其数据，那么即使未经用户许可，应用程序也无法解密数据。 使用此安全模型，我们可以使用户控制其私人信息。

使用Magic Links进行无密码身份验证 (Passwordless Authentication with Magic Links)

An emerging way to bypass the need for passwords is to use magic links. A magic link is a temporary URL that expires after use, or after a specific interval of time. Magic links can be sent to your email address, an app, or a security device. Clicking the link authorizes you to sign in.

绕过密码需求的一种新兴方法是使用魔术链接。 魔术链接是一个临时URL，该URL在使用后或特定时间间隔后到期。 魔术链接可以发送到您的电子邮件地址，应用程序或安全设备。 单击该链接授权您登录。

Password-only security is obsolete and dangerously insecure. Magic links eliminate the headaches of lost or stolen passwords and protect app users.

仅密码的安全性已过时，并且非常不安全。 魔术链接消除了密码丢失或被盗的麻烦，并保护了应用程序用户。

But you don’t want to try to roll your own public/private key-based magic links, or you’ll move from the frying pan into the fire. If you think keeping passwords safe is hard, don’t even think of trying to manage private keys, which, if stolen, could potentially grant access to an Ethereum wallet loaded with valuable money, collectibles, memberships, etc.

但是，您不想尝试建立自己的基于公钥/私钥的魔术链接，否则，您将从煎锅转入火中。 如果您认为很难保证密码的安全性，甚至不要考虑尝试管理私钥，如果私钥被盗，则可能会授予对装有贵重货币，收藏品和会员身份的以太坊钱包的访问权限。

Lots of apps and wallets push that responsibility on end users. That’s like putting the key to a bank vault in somebody’s mobile phone. What if the phone gets lost, stolen, or upgraded?

许多应用程序和钱包将这种责任推给最终用户。 这就像将钥匙插入某人手机中的银行金库一样。 如果手机丢失，被盗或升级怎么办？

In my opinion, the best way forward is to delegate key management to people who specialize in key management. One such service has launched today. It’s called Magic. It’s made by Magic Labs, a cybersecurity company who have assembled experts from companies like Docker, Apple, Google, Amazon, Yelp, Uber, Accenture, and TD Bank.

我认为，最好的方法是将密钥管理委派给专门从事密钥管理的人员。 今天已经启动了一项这样的服务。 这就是魔术 。 它是由网络安全公司Magic Labs制造的，该公司汇集了Docker，Apple，Google，Amazon，Yelp，Uber，埃森哲和TD Bank等公司的专家。

Their security model stores your user’s private keys in HSMs. An HSM is a bit like a hardware locker for private keys. The keys are protected by hardware and never leave the hardware. Keys are never exposed to the internet. Instead, messages that need to be signed by those keys are delivered to and signed on the dedicated hardware.

他们的安全模型将用户的私钥存储在HSM中。 HSM有点像私钥的硬件储物柜。 密钥受硬件保护，永不离开硬件。 密钥永远不会暴露在互联网上。 而是将需要由这些密钥签名的消息传递到专用硬件并在专用硬件上签名。

Imagine a bank safety deposit box. What’s inside the box is a key that can be used to authorize signatures and transactions. When you rent a safety deposit box from a bank, the contents of the box belong to you. The bank just keeps it safe for you. Using Magic is a bit like giving each of your users a dedicated safety deposit box for their key. Magic can’t access the keys, and neither can you. Keys are always in the user’s control but hosted in the cloud, so users don’t have to worry about losing them.

想象一下一个银行保险箱。 盒子内部是一个密钥，可用于授权签名和交易。 当您从银行租用保险箱时，保险箱中的物品属于您。 银行只是为您保管。 使用Magic有点像为您的每个用户提供专用的保险箱以存放其钥匙。 魔术无法访问密钥，您也无法访问。 密钥始终由用户控制，但托管在云中，因此用户不必担心丢失密钥。

In other words, Magic is a non-custodial, hardware-secured key management system. It features best-in-class security and SOC 2 compliance. But the best part is that your users don’t need to know what any of that means. All they need to know how to do is enter their email and click a button.

换句话说，Magic是一个非托管的，硬件保护的密钥管理系统。 它具有一流的安全性和SOC 2合规性。 但是最好的部分是您的用户不需要知道这意味着什么。 他们所需要做的就是输入电子邮件并单击一个按钮。

为您的应用添加魔力 (Adding Magic to Your App)

Magic has a great getting started guide and documentation to help you get set up fast and understand the basics, but we’re going to take a deeper dive and dissect the actual useMagicLink React hook that we developed for our integration with EricElliottJS.com. If you read the previous article on Fortmatic, this is going to look very similar to the useFortmatic hook we developed before, but it has a few slight changes.

Magic有很好的入门指南和文档，可帮助您快速设置并了解基础知识，但我们将进行更深入的研究，并剖析为与EricElliottJS.com集成而开发的实际使用的useMagicLink React钩子。 如果您阅读了有关Fortmatic的上一篇文章，它将看起来与我们之前开发的useFortmatic钩子非常相似，但是有一些细微的变化。

Before you dive into the source code, you’ll need to understand some foundational concepts:

在深入研究源代码之前，您需要了解一些基本概念：

• React basics

  React基础

• JavaScript arrow functions and basic syntax

  JavaScript箭头功能和基本语法

• Curried functions

  咖喱函数

• Promises

  承诺

• React hooks

  React钩子

• useEffect, useState, and useRef

  useEffect ， useState和useRef

• localStorage

  本地存储

• Higher Order Components (HOCs)

  高阶成分(HOC)

This file requires a few helpers. The first is a usePromise hook that holds onto a persistent reference to the magicReady promise. I promise, you want your magic to be ready before you try to use it, or your spell will backfire.

该文件需要一些帮助器。 第一个是usePromise挂钩，该挂钩保留对magicReady的持久引用。 我保证，您希望在尝试使用魔术之前做好准备，否则您的咒语会适得其反。

And the localStorage drop-in replacement for useState:

和localStorage的替代品useState ：

Last, some miscellaneous tools:

最后，一些其他工具：

With the hook finished, our next step was to integrate the hook with our existing app. We use Redux and try to isolate logic, I/O, and state process as much as we can from our presentation components. This Higher Order Component (HOC) lets us compose our magic link logic into every page in our app in one place.

在完成钩子之后，我们的下一步是将钩子与我们现有的应用程序集成。 我们使用Redux并尝试将逻辑，I / O和状态过程尽可能地与表示组件隔离。 此高阶组件(HOC)使我们可以将魔术链接逻辑组合到应用程序中的每一页中。

Here’s the HOC we use to compose cross-cutting concerns into every page that needs them:

这是我们用来将横切关注点组合到需要它们的每个页面中的HOC：

Since these HOCs are so easy to create and maintain, you can create custom HOCs that omit features that aren’t needed for a particular page or add features that aren’t needed for every page. Now we can sign in or out anywhere on our site!

由于这些HOC易于创建和维护，因此您可以创建自定义HOC，以省略特定页面不需要的功能或添加每个页面不需要的功能。 现在，我们可以在我们网站的任何位置登录或注销！

结论 (Conclusion)

Here are my current recommendations for user authentication security:

这是我当前对用户身份验证安全性的建议：

• Password-only security is obsolete and dangerously insecure. Don’t use it.

  仅密码的安全性已过时，并且非常不安全。 不要使用它。

• Public key cryptography gives us public/private key pairs we can use to enhance user safety significantly.

  公钥加密为我们提供了公钥/私钥对 ，可用于显着增强用户安全性。

• Key management is hard, both for app developers and end users.

  对于应用程序开发人员和最终用户而言，密钥管理都很困难 。

• App developers should delegate key management to security specialists.

  应用程序开发人员应将密钥管理委托给安全专家。

• Hardware Security Modules (HSMs) can securely store user keys in the cloud, without forcing users to know what any of this means.

  硬件安全模块(HSM)可以将用户密钥安全地存储在云中，而不必强迫用户知道这意味着什么。

• Magic links eliminate the headaches of lost or stolen passwords and protect app users.

  魔术链接消除了密码丢失或被盗的麻烦，并保护了应用程序用户。

• Magic provides best-in-class, non-custodial, delegated key management for your users. They’re paving the way for a more secure future for apps and users. They have set a new bar for user authentication security and user experience, and they’re currently the only authentication solution I recommend for developers of new applications.

  Magic为您的用户提供了一流的，非托管的，委托的密钥管理 。 他们为应用程序和用户的更安全的未来铺平了道路。 他们为用户身份验证安全性和用户体验树立了新的标准，并且它们是目前我向新应用程序开发人员推荐的唯一身份验证解决方案。

• Magic unlocks Ethereum. With Magic’s Ethereum-based public/private key pairs, we can use them to transact with Ethereum and EVM-compatible protocols and tokens, unlocking lots of capabilities that were never possible before blockchain technology was invented.

  魔术解锁以太坊。 借助基于基于以太坊的Magic的公钥/私钥对，我们可以使用它们与以太坊和与EVM兼容的协议和令牌进行交易，从而解锁许多在发明区块链技术之前无法实现的功能。

Note: You don’t have to build an Ethereum dapp to benefit from Magic’s passwordless authentication and improved user security. You can improve any app with Magic.

注意：您无需构建以太坊dapp即可受益于Magic的无密码身份验证和改进的用户安全性。 您可以使用Magic改善任何应用程序 。

下一步 (Next Steps)

Magic is launching on Product Hunt right now. Pop over and comment, ask questions, and engage with the makers.

Magic即将在Product Hunt上启动 。 弹出并发表评论，提出问题并与制造商互动。

Take a test drive of the authentication flow on EricElliottJS.com. Our existing users have GitHub authenticated accounts that need to be linked the first time you sign in, but once you’ve linked your GitHub account once, you won’t need to do it again. Sign out and sign back in to see the Magic-only flow.

在EricElliottJS.com上测试身份验证流程。 我们现有的用户拥有GitHub身份验证帐户，该帐户在您首次登录时就需要链接，但是一旦您链接了GitHub帐户，就无需再次执行此操作。 注销并重新登录以查看“仅魔术”流程。

The GitHub flow requires shields to be down in Brave because of how the authentication flow is delegated. The new Magic authentication flow works like a charm with shields up. Magic’s simplified flow has lots of hidden benefits.

GitHub流要求在Brave中屏蔽掉，因为身份验证流是如何委派的。 新的Magic身份验证流程就像带有盾牌的护身符一样工作。 Magic的简化流程具有许多隐藏的好处。

While you’re checking out EricElliottJS.com, browse the premium content, and explore some of our online JavaScript lessons.

在您查看EricElliottJS.com时，浏览高级内容 ，并探索我们的一些在线JavaScript课程。

Make some magic.

做一些魔术。

Eric Elliott is the author of the books, “Composing Software” and “Programming JavaScript Applications”. As co-founder of EricElliottJS.com and DevAnywhere.io, he teaches developers essential software development skills. He builds and advises development teams for crypto projects, and has contributed to software experiences for Adobe Systems, Zumba Fitness, The Wall Street Journal, ESPN, BBC, and top recording artists including Usher, Frank Ocean, Metallica, and many more.

埃里克·埃利奥特 ( Eric Elliott) 是 《撰写软件》 和 《编程JavaScript应用程序》 这两 本书的作者 。 作为 EricElliottJS.com 和 DevAnywhere.io的 共同创始人 ，他教开发人员基本的软件开发技能。 他为加密项目建立了开发团队并提供建议，并为 Adobe Systems，Zumba Fitness， 华尔街日报， ESPN， 英国广播公司(BBC) 和顶级唱片艺术家，包括 厄舍尔(Usher)，弗兰克·海洋(Frank Ocean)，金属乐队(Metallica) 等。

He enjoys a remote lifestyle with the most beautiful woman in the world.

他与世界上最美丽的女人一起过着偏僻的生活方式。