This post summarizes my research and considerations on the security of limited access URLs and on having general users log in with Basic authentication.
First, the background requirement: provide URLs that only specific users can access.
The following approaches can be considered to meet this requirement:
These are explained in detail in “Web Authentication Without Authentication: Considering the Security of Limited Access URLs - Public Version - Google Slides”.
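To make the security properties of a limited access URL concrete, here is an added example that is not code from the slides or from this post. It assumes two common designs: a random, unguessable token that the server stores only as a hash (so a leaked table does not reveal live URLs), and an HMAC-signed URL that carries its own expiry and needs no server-side state. The server secret, the base URL `https://example.invalid/files`, the resource ids and the query parameter names are all assumptions made up for the example.

```python
"""Issue and check limited-access URLs (added illustration, not the talk's code).

Assumed designs: (1) random token stored as a SHA-256 hash with an expiry;
(2) HMAC-signed URL with an expiry. The secret, base URL, resource ids and
parameter names below are constructed for the example.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit


def _now(now):
    """Use the supplied clock value in tests, wall-clock time otherwise."""
    return int(time.time()) if now is None else int(now)


def _last_segment(url):
    """Resource id is the last path segment; assumes ids contain no '/'."""
    return urlsplit(url).path.rsplit("/", 1)[-1]


class TokenStore:
    """Approach 1: unguessable random token, looked up by its hash.

    Only sha256(token) is kept, so a database dump does not hand an
    attacker usable URLs; the token itself lives only in the URL."""

    def __init__(self):
        self._by_hash = {}  # sha256(token) hex -> (resource, expires)

    def issue(self, base, resource, ttl_seconds, now=None):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._by_hash[digest] = (resource, _now(now) + ttl_seconds)
        return f"{base}/{resource}?token={token}"

    def lookup(self, url, now=None):
        """Return the resource the URL grants, or None if invalid/expired."""
        token = parse_qs(urlsplit(url).query).get("token", [""])[0]
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._by_hash.get(digest)
        if entry is None:
            return None
        resource, expires = entry
        # Reject expired links and tokens reused against a different path.
        if _now(now) >= expires or resource != _last_segment(url):
            return None
        return resource


def _sign(secret, resource, expires):
    msg = f"{resource}\n{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_signed_url(base, resource, secret, ttl_seconds, now=None):
    """Approach 2: stateless URL bound to resource + expiry by an HMAC."""
    expires = _now(now) + ttl_seconds
    sig = _b64url(_sign(secret, resource, expires))
    return f"{base}/{resource}?{urlencode({'exp': expires, 'sig': sig})}"


def verify_signed_url(url, secret, now=None):
    """True only if the signature matches the path and the link is unexpired."""
    q = parse_qs(urlsplit(url).query)
    try:
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False
    if _now(now) >= expires:
        return False
    expected = _b64url(_sign(secret, _last_segment(url), expires))
    # Constant-time comparison: a plain == would leak matching prefixes.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # constructed for the demo run
    url = issue_signed_url("https://example.invalid/files", "report-42", secret, 600)
    print(url, verify_signed_url(url, secret))
    store = TokenStore()
    url = store.issue("https://example.invalid/files", "report-42", 600)
    print(url, store.lookup(url))
```

The two checks that matter in practice are visible here: the token or signature is compared in constant time (or only after hashing), and every link carries an expiry so a URL that leaks through a referrer, a log or a forwarded mail stops working on its own. Neither design identifies the user; whoever holds the URL is the "specific user", which is exactly the risk the slides examine.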
Setting up Basic authentication only for staging environments is something that’s commonly done.
On the other hand, I consider it difficult to have general users use Basic authentication, for the following reasons:
I’m concerned about the security of limited access URLs and the usability of Basic authentication. That’s all from the Gemba.