API security without a username and password

Checking on the best practices to implement API security.

One view I have is that we can eliminate the need for a username and password by implementing it as a ziti service… I like this because it improves the user experience… instead.

I was thinking … but hey…how do you know who they are…and what level of access they are allowed to have?

Well… we can then implement 2FA at the Ziti Desktop… which is pretty cool… and there are ways to push the identity back through the connection… especially if you are using ZTNA.

So… I thought to make a post about this… is there anything else to consider?

Is it really possible to implement APIs with no passwords… without compromising security?

One thing I have tried in the past is a Ziti Reverse Proxy… which allows you to implement ZTNA. The downside is that it needs to run as a localhost.

Are there other ways to implement the same functionality?

Enrolling an identity with tunnelers, imo, is pretty user friendly. If you're developing a client side application, I'd replicate that experience and then the client has a strong identity and "implicit" (from the naive end user experience) authentication.

Technically OAuth is not generally passwordless, but with IdPs moving towards / supporting biometric auth, that can be passwordless, so maybe an IdP-based auth flow (not currently supported in tunnelers yet but will be eventually).

Hth

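The two questions in the thread, "how do you know who they are" and "what level of access are they allowed", are answered in the reply by giving the client a strong identity that is bound to the connection rather than typed in. The following is an added example, not code from the thread or from OpenZiti: it uses a verified mTLS client certificate as a stand-in for the enrolled identity that a tunneler or Ziti service would carry, reads the identity off the connection, and checks it against a service-side policy. The policy map, the identity names (`alice`, `bob`) and the API paths are all constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Constructed sample policy: which API paths each enrolled identity may call.
// In a real deployment this comes from the service's policy store.
var policy = map[string]map[string]bool{
	"alice": {"/api/reports": true, "/api/admin": true},
	"bob":   {"/api/reports": true},
}

// serverTLSConfig is the server-side setting that makes the connection carry
// the identity: every client must present a certificate chaining to caPool.
func serverTLSConfig(caPool *x509.CertPool) *tls.Config {
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  caPool,
		MinVersion: tls.VersionTLS12,
	}
}

// identityFromRequest reads the caller's identity from the verified client
// certificate bound to the TLS connection. No username or password is
// involved: if the handshake succeeded, the identity is already established.
func identityFromRequest(r *http.Request) (string, bool) {
	if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 || len(r.TLS.VerifiedChains[0]) == 0 {
		return "", false
	}
	return r.TLS.VerifiedChains[0][0].Subject.CommonName, true
}

// authorize answers "what level of access are they allowed" from the policy.
// A nil inner map (unknown identity) yields false.
func authorize(identity, path string) bool {
	return policy[identity][path]
}

// apiHandler: authentication comes from the connection, authorization from policy.
func apiHandler(w http.ResponseWriter, r *http.Request) {
	id, ok := identityFromRequest(r)
	if !ok {
		http.Error(w, "no client identity on connection", http.StatusUnauthorized)
		return
	}
	if !authorize(id, r.URL.Path) {
		http.Error(w, "identity not permitted for this path", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "hello %s, access granted to %s\n", id, r.URL.Path)
}

// newClientCert builds a self-signed certificate for an identity so the handler
// can be exercised offline (constructed test material, not a real enrollment).
func newClientCert(name string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// callAs simulates a request whose TLS layer has already verified the client
// certificate (as a server using serverTLSConfig would). An empty identity
// simulates a plain connection with no certificate at all.
func callAs(identity, path string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if identity != "" {
		req.TLS = &tls.ConnectionState{
			VerifiedChains: [][]*x509.Certificate{{newClientCert(identity)}},
		}
	}
	rec := httptest.NewRecorder()
	apiHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("alice /api/admin   ->", callAs("alice", "/api/admin"))
	fmt.Println("bob   /api/admin   ->", callAs("bob", "/api/admin"))
	fmt.Println("bob   /api/reports ->", callAs("bob", "/api/reports"))
	fmt.Println("none  /api/reports ->", callAs("", "/api/reports"))
}
```

The point of the pattern is the split the reply describes: the strong identity is established once at enrollment and then rides along with every connection, so the API never sees a password, and a connection that arrives without a verified identity is rejected before any route logic runs. Swapping the mTLS certificate for the identity a Ziti SDK or tunneler exposes changes only `identityFromRequest`; the policy check stays the same.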