Authentication
Intro
Notes And Tips
Notes mostly from: Web Security: User Authentication and Access Control
Authentication - the process which confirms a user's identity. We make sure that they are authentic, that they are who they say they are.
Credentials are the thing that you use to prove that you are who you say you are.
Authentication factors:
Knowledge - something the user knows (eg. password, pin, mother’s maiden name)
Ownership - something the user has (a key, badge, ticket, credit card)
Inherence - something the user is (an inherent attribute). Examples: fingerprint, voice, the way you look
Usernames should be unique to your website. Email is a way to guarantee that.
When getting a user's password use an input field of type "password" so the browser shows dots instead of the password's characters:
<input type="password" name="user_password" />
Avoid putting background images on username and password fields, and don't prevent the user or JavaScript from pasting values into those fields.
Password managers add their own icons on those fields, and the user can click on them to activate the password manager and fill the password via paste.
Prevent enumeration - testing for valid usernames by trial and error.
Don't return different messages depending on whether the username or the password was incorrect.
MFA - Multi Factor Authentication
Multi-factor or 2-factor authentication - use 2+ of the 3 factors. Each must be from a different factor (listed above); two credentials from the same factor (e.g. knowledge only) do not count as multi-factor.
ATM cards use 2 factor authentication - the card and the pin.
Typical ways to verify a factor: SMS Text, software authenticator, hardware authenticator
Popular services for doing MFA - Twilio, Nexmo, TeleSign
SW Authenticators: Google Authenticator, Microsoft Authenticator, LastPass Authenticator, Authy
HW Authenticators: a hardware device (usually USB) that is inserted and generates a unique code: YubiKey, Google Titan, Thetis
One great resource for finding all of the websites that implement some form of multi-factor authentication is twofactorauth.org.
This service helps users to implement multi-factor authentication for themselves: lockdownyourlogin.com or https://stopthinkconnect.org/campaigns/lock-down-your-login
MFA Pitfalls:
Users are not familiar with it.
May not be willing to share other info, such as cell phones
Instructions are not clear.
Unreliable service: what happens if they don't get the SMS text?
Handling errors in your app
Customer issues
Biometric Authentication
Fingerprints - Apple’s Touch ID
Pros: Difficult to forge
Cons: Difficult to change if database with fingerprints is leaked.
Passwords
Never store passwords in plaintext. Use one-way hashing and store only the hashed password in the DB.
Hashing algorithms for passwords:
MD5 and SHA-1 used to be used but are now considered unsafe.
SHA-2, commonly used as SHA-256 or SHA-512.
Blowfish, sometimes called bcrypt. Blowfish/bcrypt:
it's free.
it is a one-way algorithm.
it can be upgraded (strengthened) over time while still using Blowfish.
Implement timing and throttling: slow down login pages and wait some time before the next attempt is allowed.
Deny certain IP addresses.
Rainbow tables: precomputed tables of password hashes for each of the hashing algorithms.
Salted passwords: salt is additional data that's added to the password before hashing. So instead of just hashing the password, you put a string in front of it.
Make salts unique by adding something like the $username.
Could be a random string.
Store the salt strings in a database.
Use bcrypt, which embeds the salt in its output.
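Salted one-way hashing, throttling and enumeration-safe error messages from the notes above, as an added example (not from the original notes). It swaps in PBKDF2-HMAC-SHA256 from the standard library in place of bcrypt so it runs without extra packages; the USERS/FAILED dictionaries, iteration count and lock delay are constructed assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

USERS = {}   # constructed in-memory store: username -> {"salt", "hash"}
FAILED = {}  # constructed throttle state: username -> (fail_count, last_attempt)

ITERATIONS = 200_000  # PBKDF2 work factor; assumption, tune for your hardware
LOCK_SECONDS = 2.0    # minimum wait after a failed attempt; assumption


def hash_password(password: str, salt: Optional[bytes] = None):
    """One-way hash of salt + password; a fresh random salt if none given."""
    if salt is None:
        salt = os.urandom(16)  # unique per user, stored next to the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}  # never the plaintext


def login(username: str, password: str, now: Optional[float] = None):
    """Return (ok, message). Unknown user and wrong password produce the
    same message and the same hashing work, so the page cannot be used
    to enumerate valid usernames."""
    now = time.time() if now is None else now
    count, last = FAILED.get(username, (0, 0.0))
    if count and now - last < LOCK_SECONDS:
        return False, "Too many attempts; please wait before trying again."
    record = USERS.get(username)
    # Hash even for unknown users so response time does not reveal existence.
    salt = record["salt"] if record else b"\x00" * 16
    _, candidate = hash_password(password, salt)
    if record and hmac.compare_digest(candidate, record["hash"]):
        FAILED.pop(username, None)
        return True, "Welcome."
    FAILED[username] = (count + 1, now)
    return False, "Invalid username or password."
```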
The NIST Digital Identity Guidelines have great info on password requirements.
Check whether your accounts have been breached via https://haveibeenpwned.com/
It also provides an API to verify if a password has been previously compromised.
Resetting passwords requires:
Privileged info
Security challenge questions
Previously established codes
Access to phone/email
Generate a random reset token that is valid only for a short time. The email contains a URL with the reset token.
The account must still work during the reset. Don't block the account while a reset is in progress.
Password Managers
LastPass
1Password
KeePass
DashLane