How to evaluate the performance of a technology leader? Each company or individual has its own answer with engineering rubrics. And those rubrics usually focus on a specific role - IC (Software Engineer, Product Manager, Designer) or Engineering Manager. Is there a grand unified framework to evaluate the potential business impact that a technology leader could make? Here are the requirements:

1. full coverage
2. actionable
3. referenceable to building a formidable team

Answers from myself and my Friends

• Decisiveness: strategy, tactics, and making fact-based decisions faster. Play progressively from small wins to more significant wins for the individuals and organizations. Gathering information, diagnosing to gain insights, making guiding policies, and taking coherent actions. Differentiating facts from opinions and making sure that options are believability-weighted. Exploring innovations in the entire process, and innovation means making changes to do things 10x better. Making initial decisions fast within the time window, reflecting on results, and then iterating through the hierarchy of lifetime/years/quarters/weeks.

• Execution Engine: Building the system to deliver more and then in higher quality, instead of being proud of a few deliverables. Attention to detail. Nudging the cross-functional teams to your unique vision. Balancing speed, quality, and scope according to the customer’s requirements.

• Domain Expertise: pursuing un-teachable special know-how. been there/done that. The market rewards uniqueness.

• Product-sense: developing the intuition on what a great product is. Perceiving the market and industry with data. Building and operating the product with proper processes. Synthesize with other elements in the big picture. Invent and simplify. Plan and manage change. Customer-obsession.

• People and Culture: Work with others: shaping the world together with people. Lead by example. Teamwork. Making people happy and then productive. Sort people and projects often / be professionally judgemental. Incentivize people with intrinsic and then extrinsic motivations. Orgnization = People + Culture. Being both capable and warm. Telling a story that inspires your own passion first. Empowering people to achieve more. Self-driven. Listen to people and inspire people to share. hiring and coaching team. humility, low ego. best idea wins. growth mindset.

• Resourcefulness: aligning or connecting resources. optimizing the web of customers, distribution channels, products, people, technology, and capitals. playing the reputation game in a long term. turning more people into stake owners and aligning to shared goals.

Requirements

• design an auth solution that starts simple but could scale with the business
• consider both security and user experiences
• talk about the future trends in this area

Big Picture: AuthN, AuthZ, and Identity Management

First-things-first, let’s get back to basics

• Authentication: figure out who you are
• Authorization: figure out what you can do

In the beginning… Let there be a simple service…

Then, as the business grows, we scale the system with AKF scale cube:

• X-axis: Horizontal clone
• Y-axis: Functional decomposition
• Z-axis: Sharding

Plus Conway’s law: organization designs the systems mirroring its communication structure. We usually evolve the architecture to micro-services (see why microservices? for more)

• Btw, “microservices vs. monolith” and “multi-repo vs. mono-repo” are different things.
• For the enterprise, there are employee auth and customer auth. We focus more on the customer auth.

In the microservice world, let’s take a functional slice of the authn and authz services, and there is an Identity and Access Management (IAM) team working on it.

• Identity-aware proxy is a reverse proxy that allows either public endpoints or checks credentials for protected endpoints. If the credential is not presented but required, redirect the user to an identity provider. e.g. k8s ingress controller, nginx, envoy, Pomerium, ory.sh/oathkeeper, etc.
• Identity provider and manager is one or a few services that manage the user identity through certain workflows like sign in, forgot password, etc. e.g. ory.sh/kratos, keycloak
• OAuth2 and OpenID Connect provider enables 3rd-party developers to integrate with your service.
• Authorization service controls who can do what.

Authentication

Identity Provider

• The simplest solution is to submit the user’s proof of identity and issue service credentials.
  • bcrypt, scrypt for password hash
• However, modern apps often deal with complex workflows like conditional sign up, multi-step login, forgot password, etc. Those workflows are essentially state transition graphs in the state machine.

Workflow: User Settings and Profile Updates

Ory.sh/Kratos as an Example Architecture

2. Third-party OAuth2

OAuth2 let the user or client go through four major workflows (not sure which one to use? see this) like

1. Authorization Code Grant for web
2. Implicit Grant for mobile
3. Resource Owner Password Credentials Grant for legacy app
4. Client Credentials Grant for backend application flow

And then finally get the access token and refresh token

1. access token is short-lived, and hence the attacking window is short if it is compromised
2. refresh token works only when combined with client id and secret

The assumption is that there are so many entities involved in this workflow - client, resource owner, authorization server, resource server, network, etc. More entities introduce more exposure to attack. A comprehensive protocol should consider all kinds of edge cases. For example, what if the network is not HTTPs / cannot be fully trusted?

OpenID connect is the identity protocol based on OAuth2, and it defines customizable RESTful API for products to implement Single Sign-On (SSO).

There are a lot of tricky details in those workflows and token handling processes. Don’t reinvent the wheel.

3. Multi-factor authentication

Problem: Credential stuffing attack

Users tend to reuse the same username and password across multiple sites. When one of those sites suffers from a data breach, hackers brute-force attack other sites with those leaked credentials.

• Multi-factor authentication: SMS, Email, Phone Voice OTP, Authenticator TOTP
• Rate limiter, fail to ban, and anomaly detection

Challenge: Bad deliverability of Email or SMS

• Do not share marketing email channels with transactional ones.
• Voice OTP usually has better deliverability.

5. Passwordless

1. biometric: Fingerprints, facial ID, voice ID

• still having trade-offs

2. QR code

• SQRL standard
• Another way to implement:

3. Push Notification

How could clients subscribe to the server’s state? Short polling, long polling, web socket, or server-sent events.

4. Vendors on the market

Don’t reinvent the wheel.

• Managed solutions. Two years ago, I compared Auth0, Okta, Amazon Cognito, onelogin, Firebase Authentication. And quite recently, Okta acquired Auth0. In summary, I would recommend Okta and Auth0 if I am running a new startup and do not want to build my own auth systems.
• On-premise / self-host solutions. ory.sh.

6. Optimization

Challenge 1: Web login is super slow or cannot submit login form at all.

• JS bundle is too large for mobile web
  • Build a lite PWA version of your SPA (single-page web app). whatever makes the bundle small - e.g. preact or inferno
  • Or do not use SPA at all. Simple MPA (multi-page web app) works well with a raw HTML form submission
• Browser compatibility
  • Use BrowserStack or other tools to test on different browsers
• Data centers are too far away
  • Put static resources to the edge / CDN and relay API requests through Google backbone network
  • Build a local DC 😄

See Web App Delivery Optimization for more info

Challenge 2: Account taking-over

• Fraud Detection with Semi-supervised Learning
• Unsupervised learning by datavisor

Challenge 3: Account creation takes too long

When the backend system gets too large, a user creation may fan out to many services and create a lot of entries in different data sources. It feels bad to wait for 15 seconds at the end of sign up, right?

1. collect and sign up incrementally
2. async

Authorization

isAuthorized(subject, action, resource)

1. Role-based Access Control (RBAC)

2. Policy-base Access Control (PBAC)

{
  "subjects": ["alice"],
  "resources": ["blog_posts:my-first-blog-post"],
  "actions": ["delete"],
  "effect": "allow"
}

Challenge: single point of failure and cascading failures

• preprocess and cache permissions
• leverage request contexts
  • assumptions: requests inside of a datacenter are trusted vs. not trusted
• fail open vs. fail closed

Privacy

1. PII, PHI, PCI

Western culture has a tradition to respect privacy, especially after the Nazis murdered millions of people. Here are some typical sensitive data types: Personally Identifiable Information (PII), Protected Health Information (PHI, regulated by HIPAA), and Credit Card or Payment Card Industry (PCI) Information.

2. Differential Privacy

Redacting sensitive information alone may not be good enough to prevent data associated with other datasets.

Differential privacy helps analysts extract data from the databases containing personal information but still protects individuals’ privacy.

3. Decentralized Identity

To decouple id from a centralized identity provider and its associated sensitive data, we can use decentralized id (DID) instead.

• it is essentially in the format of URN: did:example:123456789abcdefghijk
• it could be derived from asymmetric keys and its target business domain.
  • it does not involve your personal info, unlike the traditional way
  • See DID method for how it is working with blockchains.
• it preserves privacy by
  • use different DIDs for different purposes
  • selective disclosure / verifiable claims

Imagine that Alice has a state-issued DID and wants to buy some alcohol without disclosing her real name and precise age.

A DID solution:

• Alice has an identity profile having did:ebfeb1f712ebc6f1c276e12ec21, name, avatar url, birthday and other sensitive data.
• Create a claim that did:ebfeb1f712ebc6f1c276e12ec21 is over the age 21
• A trusted third-party signs the claim and make it a verifiable claim
• Use the verifiable claim as the proof of age

Summary

This article is an overview of authn and authz in microservices, and you don’t have to memorize everything to be an expert. Here are some takeaways:

1. follow standard protocols and don’t reinvent the wheel
2. do not under-estimate the power of the security researchers/hackers
3. it is hard to be perfect, and it does not have to be perfect. Prioritize your development comprehensively

Architects model the world in system thinking to optimize everything. As an engineer and businessman, I am continually working on the orchestration of work and life and maintain a high personal growth rate. Lessons learned are generalized to the BOZ growth loops.

BOZ is the acronym for a big loop that engages three small loops:

• Build and Sell Loop. Build products and sell them. Solve problems and get paid.
• Outlook and Invest Loop. Be radically curious to seek truth from facts. And optimize the web of customers, channels, people, tech, and capital.
• Zen MSEP Loop. Being present and do everything with mindfulness. Fuel the mind and body by moving, sleeping, eating, and playing well with people.

Two sources of distress

Stress is a good thing for people while the distress is not.

1. Stagnation: You are stuck in one step of the loops.
2. Frictions: Too many frictions prevent small wins.

When the organization grows too big, it becomes unclear that who should do what and who should decide what to do. RACI and DACI are here to clarify those responsibilities.

• RACI: figuring out who do what kinds of work
• DACI: figuring out who decides what to do

The assumption here is that too many projects happen in parallel, and it is easy to lose focus. We should rely more on the team member mutually driving each other than one person as the single point of failure.

RACI

RACI is an acronym for the model:

• Responsible: who are the ones responsible for certain kinds of tasks?
• Accountable: which single one is the owner of the work and is accountable for the success and failure.
• Consulted: who are the stakeholders that should be kept in the loop before completion.
• Informed: Who should be informed of the progress though they are not formally consulted or directed contributing to the project.

DACI

RACI is an acronym for the model:

• Driver: who is driving the decision-making process to a conclusion?
• Approver: people who are approving the decision.
• Contributor: who should contribute to the decision.
• Informed: who should be informed of the final decision?

Why are they helpful?

• they make responsibilities and accountabilities clear
• the earlier those models introduced, the longer they will help the project
• they balance resource allocations to avoid the single point of failures or burnouts

Dropbox’s design research team grew from 4 members to 30+ today. How do they scale the efforts healthily, even when the headcount for the team is limited? More researches usually mean more harm if they are done improperly.

And the major challenges for the scaling process are

1. Untrained researchers will ask bad questions, misinterpret data, and make bad decisions.
2. User researches happen anyway, with or without the research operation team.
3. What kind of user research should be done by non-professionals, and what should be done by professionals?

Dropbox’s Solution

1. Provide the right tool for unmoderated research. e.g. UserTesting, UserZoom, Lookback.
2. Real World Wednesday. Like research speed dating, 5 researchers meet 5 users for 15 mins for each.
3. Provide internal consultancy.

How to provide internal consultancy?

1. Documentation: logistics, templates, privacy and security, tips and best practices (a lot of how-tos).
2. On-on-one consulting

Result

• For professional research operation team
  • they get more time and energy to focus on bigger strategic projects
• For teams and products
  • they conduct more researches
  • they build better products
  • they are less blocked by the research operation team
  • they respect the research operation team more
• For users
  • they get more empathy

Risks

• Still, bad researches result in bad decisions.
• It’s hard to ensure the quality.