Identity

Passport

Passport is an Identity Management System. It is the repository of all users of the Motionite system. Before any user or service can communicate with an aspect of Motionite, that entity needs to prove their identity with Passport. It uses IdentityServer4 to ensure the highest level of security.

Traditional method of verification

Traditional systems, like a single secured website, typically have a login page. The website would collect the user's credentials and verify them against a datastore. The website would then control access to its resources based upon that user information.

Problems with this method

The traditional method will work for small deployments but it does not scale well.

  • Every service within the ecosystem needs to have direct access to the user datastore (insecure)
  • All code that implements security would need to be duplicated into every service (redundant)
  • Third party access requires opening the user datastore to possibly untrustworthy sources
  • Users cannot move from one service to another service without authenticating with the new service (inefficient)

OAuth/OpenID Connect to the rescue

Instead of each service managing its own identity, a better approach is to have a centralised service. Then instead of passing user credentials between services, we can pass tokens. Tokens have the benefit of being only valid for a short period of time, and being transparent.

Authentication with Passport

For a website to authenticate a user with Passport, the website will redirect the browser to the Passport login page. Here the user can enter their credentials securely. Upon a successful login, the browser will redirect back to the original website and return the Token. The website will then use the Token to determine its security needs. If the browser navigates to another website governed by Passport then the same Token will be used with that website.

Further information

Lots of articles have been written on OAuth and OpenID Connect. Here are just a few, if you are interested:

Wikipedia

Okta

IdentityServer4

Two-Factor Authentication (2FA)

The use of Two-Factor Authentication is available in Passport. It can be activated by the individual user through the Passport Web Portal, or alternatively carried out by a MView Operator within MView. In either case an authenticator app is required. This will be configured with the secret key determined by Passport (by QR Code or manually entering a key). From then on the user will be required to enter their username and password credentials as well as the authentication code generated by the authenticator app whenever they sign in.
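As an added example (not Passport's own code) of what happens once the secret key has been shared: an authenticator app that is configured from a QR code or a manually typed key normally implements TOTP (RFC 6238), so both the app and the server derive the same short-lived code from the shared secret and the current 30-second time step, and the server accepts a submitted code only within a small clock-drift window. The function names are hypothetical, the TOTP assumption is ours, and the key used is the RFC 6238 test vector, constructed for this example.

```python
"""TOTP as used by authenticator apps: app and server share a secret and both
derive the same 6-digit code from the current 30-second time step.
Hypothetical helper names; the secret in the tests is the RFC 6238
test-vector key, not a Passport secret."""
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per code (the usual authenticator-app default)
DIGITS = 6       # code length shown by the app


def totp_at(secret: bytes, unix_time: int, digits: int = DIGITS,
            step: int = TIME_STEP) -> str:
    """Code for a given unix time: HMAC-SHA1 over the time-step counter,
    dynamic truncation, then reduce to the requested number of digits."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `window`
    adjacent steps to tolerate clock drift; compare in constant time so the
    comparison does not leak how many digits matched."""
    for drift in range(-window, window + 1):
        expected = totp_at(secret, unix_time + drift * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def secret_from_manual_key(key: str) -> bytes:
    """Decode the base32 key a user types into the app instead of scanning
    the QR code; spaces and missing padding are tolerated."""
    key = key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)
    return base64.b32decode(key)
```

Codes derived this way are valid only for their time step, which is why a replayed code from an earlier sign-in is rejected by `verify_totp` once the window has moved on.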

Examples of authenticator apps: