Intro

Notes And Tips

Authentication - is a process which confirms a user's identity. We make sure that they are authentic, that they are who they say they are.

Credentials are the thing that you use to prove that you are who you say you are.
Authentication factors:
- Knowledge - something the user knows (eg. password, pin, mother’s maiden name)
- Ownership - something the user has (a key, badge, ticket, credit card)
- Inherence - something the user is (inherit an attribute). Examples: fingerprint, voice, the way you look
Usernames should be unique to your website. Email is a way to guarantee that.
When getting a user’s password use an input form of the type “password” so it can use dots instead of showing the password’s characters
- <input type=”password” name=”user_password” />
Avoid putting background images on username and password fields, and don't prevent the user or JavaScript from pasting values into those fields.
- Password managers will add background images on those fields, and then user can click on them in order to activate the password manager and access their passwords via paste.
Prevent enumeration - testing for valid user names by trial and error
- Don't return different messages when an incorrect username or password is provided

Multi-factor or 2-factor authentication - use 2+ of the 3 factors. Each must be from different factors (listed above). Can’t be from the same factor (knowledge only)
- ATM cards use 2 factor authentication - the card and the pin.
- Typical ways to verify a factor: SMS Text, software authenticator, hardware authenticator
- Popular services for doing MFA - Twilio, Nexmo, TeleSign
- SW Authenticators: Google Authenticator, Microsoft Authenticator, LastPass Authenticator, Authy
- HW Authenticators: insert HW (usually a USB device) which generates unique code: YubiKey, Google Titan, Thetis
One great resource for finding all of the websites that implement some form of multi-factor authentication is twofactorauth.org.
This service helps users to implement multi-factor authentication for themselves: lockdownyourlogin.com or https://stopthinkconnect.org/campaigns/lock-down-your-login

Never store passwords in plaintext. Use one-way hashing. Store the hashed password in the DB
Hashing algorithms for passwords:
- MD5, SHA-1 used to be used but it is now considered unsafe
- SHA-2 which can be known as SHA-256 or 512.
- Blowfish, sometimes called bcrypt. Blowfish/bcrypt:
  - it's free.
  - it is a one-way algorithm.
  - it can be upgraded strengthened while still using Blowfish.
Implement timing and throttling: slow down login pages and wait some time before next attempt is allowed.
Deny certain IP addresses.
Rainbow tables: precomputed tables of password hashes for each of the hashing algorithms.
Salted passwords: Salt is additional data that's added to the password before encryption. So instead of just encrypting the password, you put a string in front of it.
- Make salts unique by adding something like the $username
- Could be a random string.
- Store the salt strings in a database.
- Use bcrypt which has embedded passwords

NIST Digital Identity Guidelines has great info on password requirements
Check for your accounts breached via https://haveibeenpwned.com/
- Provides an API to verify if a password has been previously compromised.