Authentication

avatar
Created by
RetailTortoise38285

Cards (52)

  • Authentication 
    • Is the process of verifying that an individual, entity, or website is who/what it claims to be. Authentication in the context of web applications is commonly performed by submitting a username or ID and one or more items of private information that only a given user should know.
  • Session Management 
    • Is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forth between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict.
  • User IDs
    • Make sure your usernames/user IDs are case-insensitive. User 'smith' and user 'Smith' should be the same user. Usernames should also be unique. For high-security applications, usernames could be assigned and secret instead of user-defined public data.
  • Authentication Solution and Sensitive Accounts
    • Do NOT allow login with sensitive accounts (i.e. accounts that can be used internally within the solution such as to a back-end / middle-ware / DB) to any front-end user-interface
    • Do NOT use the same authentication solution (e.g. IDP / AD) used internally for unsecured access (e.g. public access / DMZ)
  • Implement Proper Password Strength Controls
    • Password Length
    • Minimum length of the passwords should be enforced by the application. Passwords shorter than 8 characters are considered to be weak (NIST SP800-63B).
    • Maximum password length should not be set too low, as it will prevent users from creating passphrases. A common maximum length is 64 characters due to limitations in certain hashing algorithms, as discussed in the Password Storage Cheat Sheet. It is important to set a maximum password length to prevent long password Denial of Service attacks.
  • Implement Proper Password Strength Controls
    • Do not silently truncate passwords. 
    • Allow usage of all characters including unicode and whitespace. There should be no password composition rules limiting the type of characters permitted.
    • Ensure credential rotation when a password leak occurs, or at the time of compromise identification.
    • Include a password strength meter to help users create a more complex password and block common and previously breached passwords
    • zxcvbn-ts library can be used for this purpose.
  • Implement Secure Password Recovery Mechanism
    • It is common for an application to have a mechanism that provides a means for a user to gain access to their account in the event they forget their password. 
    Store Passwords in a Secure Fashion:
    • It is critical for an application to store a password using the right cryptographic technique. 
  • Compare Password Hashes Using Safe Functions
    user-supplied password should be compared to the stored password hash using a secure password comparison function provided by the language or framework, such as the password_verify() function in PHP. Where this is not possible, ensure that the comparison function:
    • Has a maximum input length, to protect against denial of service attacks with very long inputs.
    • Explicitly sets the type of both variables, to protect against type confusion attacks such as Magic Hashes in PHP.
    • Returns in constant time, to protect against timing attacks.
  • Change Password Feature
    When developing a change password feature, ensure to have:
    • User is authenticated with active session.
    • Current password verification. This is to ensure that it's the legitimate user who is changing the password. The abuse case is this: a legitimate user is using a public computer to log in. This user forgets to log out. Then another person is using this public computer. If we don't verify the current password, this other person may be able to change the password.
  • Transmit Passwords Only Over TLS or Other Strong Transport
    • The login page and all subsequent authenticated pages must be exclusively accessed over TLS or other strong transport. Failure to utilize TLS or other strong transport for the login page allows an attacker to modify the login form action, causing the user's credentials to be posted to an arbitrary location. Failure to utilize TLS or other strong transport for authenticated pages after login enables an attacker to view the unencrypted session ID and compromise the user's authenticated session.
  • Require Re-authentication for Sensitive Features
    • In order to mitigate CSRF and session hijacking, it's important to require the current credentials for an account before updating sensitive account information such as the user's password or email address -- or before sensitive transactions, such as shipping a purchase to a new address. Without this countermeasure, an attacker may be able to execute sensitive transactions through a CSRF or XSS attack without needing to know the user's current credentials.
  • Consider Strong Transaction Authentication
    • Some applications should use a second factor to check whether a user may perform sensitive operations.
  • TLS Client Authentication
    • TLS Client Authentication, also known as two-way TLS authentication, consists of both, browser and server, sending their respective TLS certificates during the TLS handshake process. Just as you can validate the authenticity of a server by using the certificate and asking a verifiably-valid Certificate Authority (CA) if the certificate is valid, the server can authenticate the user by receiving a certificate from the client and validating against a third-party CA or its own CA.
  • TLS Client Authentication
    • To do this, the server must provide the user with a certificate generated specifically for him, assigning values to the subject so that these can be used to determine what user the certificate should validate. The user installs the certificate on a browser and now uses it for the website.
  • TLS Client Authentication:
    It is a good idea to do this when:
    • It is acceptable (or even preferred) that the user has access to the website only from a single computer/browser.
    • The user is not easily scared by the process of installing TLS certificates on his browser, or there will be someone, probably from IT support, who will do this for the user.
    • The website requires an extra step of security.
    • It is also a good thing to use when the website is for an intranet of a company or organization.
  • Authentication and Error Messages
    • Incorrectly implemented error messages in the case of authentication functionality can be used for the purposes of user ID and password enumeration. An application should respond (both HTTP and HTML) in a generic manner.
  • Authentication Responses
    Using any of the authentication mechanisms (login, password reset, or password recovery), an application must respond with a generic error message regardless of whether:
    • The user ID or password was incorrect.
    • The account does not exist.
    • The account is locked or disabled.
    The account registration feature should also be taken into consideration, and the same approach of a generic error message can be applied regarding the case in which the user exists.
  • Authentication Responses:
    • It is interesting to note that the business logic itself can bring a discrepancy factor related to the processing time taken. Indeed, depending on the implementation, the processing time can be significantly different according to the case (success vs failure) allowing an attacker to mount a time-based attack (delta of some seconds for example).
  • The problem with returning a generic error message for the user is a User Experience (UX) matter. A legitimate user might feel confused with the generic messages, thus making it hard for them to use the application, and might after several retries, leave the application because of its complexity. The decision to return a generic error message can be determined based on the criticality of the application and its data.
  • Regarding the user enumeration itself, protection against brute-force attacks is also effective because it prevents an attacker from applying the enumeration at scale. Usage of CAPTCHA can be applied to a feature for which a generic error message cannot be returned because the user experience must be preserved.
  • Login Responses:
    Incorrect response examples:
    • "Login for User foo: invalid password."
    • "Login failed, invalid user ID."
    • "Login failed; account disabled."
    • "Login failed; this user is not active."
    Correct response example:
    • "Login failed; Invalid user ID or password."
  • Password recovery:
    Incorrect response examples:
    • "We just sent you a password reset link."
    • "This email address doesn't exist in our database."
    Correct response example:
    • "If that email address is in our database, we will send you an email to reset your password."
  • Account creation
    Incorrect response examples:
    • "This user ID is already in use."
    • "Welcome! You have signed up successfully."
    Correct response example:
    • "A link to activate your account has been emailed to the address provided."
  • ERROR CODES AND URLS
    • The application may return a different HTTP Error code depending on the authentication attempt response. It may respond with a 200 for a positive result and a 403 for a negative result. Even though a generic error page is shown to a user, the HTTP response code may differ which can leak information about whether the account is valid or not.
    • Error disclosure can also be used as a discrepancy factor.
  • There are a number of different types of automated attacks that attackers can use to try and compromise user accounts. The most common types are listed below
    • Brute Force: Testing multiple passwords from a dictionary or other source against a single account.
    • Credential Stuffing: Testing username/password pairs obtained from the breach of another site.
    • Password Spraying: Testing a single weak password against a large number of different accounts.
  • Multi-Factor Authentication
    • Multi-factor authentication (MFA) is by far the best defense against the majority of password-related attacks, including brute-force attacks, with analysis by Microsoft suggesting that it would have stopped 99.9% of account compromises. As such, it should be implemented wherever possible; however, depending on the audience of the application, it may not be practical or feasible to enforce the use of MFA
  • Login Throttling
    Login Throttling is a protocol used to prevent an attacker from making too many attempts at guessing a password through normal interactive means, it includes:
    • Maximum number of attempts.
  • ACCOUNT LOCKOUT
    • The most common protection against these attacks is to implement account lockout, which prevents any more login attempts for a period after a certain number of failed logins.
    • The counter of failed logins should be associated with the account itself, rather than the source IP address, in order to prevent an attacker from making login attempts from a large number of different IP addresses
  • ACCOUNT LOCKOUT
    There are a number of different factors that should be considered when implementing an account lockout policy in order to find a balance between security and usability:
    • The number of failed attempts before the account is locked out (lockout threshold).
    • The time period that these attempts must occur within (observation window).
    • How long the account is locked out for (lockout duration).
  • Rather than implementing a fixed lockout duration (e.g., ten minutes), some applications use an exponential lockout, where the lockout duration starts as a very short period (e.g., one second), but doubles after each failed login attempt.
    • Amount of time to delay after each account lockout (max 2-3, after that permanent account lockout).
  • CAPTCHA
    • The use of an effective CAPTCHA can help to prevent automated login attempts against accounts. However, many CAPTCHA implementations have weaknesses that allow them to be solved using automated techniques or can be outsourced to services that can solve them. As such, the use of CAPTCHA should be viewed as a defense-in-depth control to make brute-force attacks more time-consuming and expensive, rather than as a preventative.
  • Security Questions and Memorable Words
    • The addition of a security question or memorable word can also help protect against automated attacks, especially when the user is asked to enter a number of randomly chosen characters from the word. It should be noted that this does not constitute multi-factor authentication, as both factors are the same (something you know). Furthermore, security questions are often weak and have predictable answers, so they must be carefully chosen.
  • Logging and Monitoring:
    Enable logging and monitoring of authentication functions to detect attacks/failures on a real-time basis
    • Ensure that all failures are logged and reviewed
    • Ensure that all password failures are logged and reviewed
    • Ensure that all account lockouts are logged and reviewed
  • Use of authentication protocols that require no password
    • There are use cases where classic authentication isn't considered the best option or even safe. Examples of this are third-party applications that desire to connect to the web application, either from a mobile device, another website, desktop, or other situations. When this happens, it is NOT considered safe to allow the third-party application to store the user/password combo, since then it extends the attack surface into their hands, where it isn't in your control. 
  • OAuth
    • Open Authorization (OAuth) is a protocol that allows an application to authenticate against a server as a user, without requiring passwords or any third-party server that acts as an identity provider. It uses a token generated by the server and provides how the authorization flows most occur, so that a client, such as a mobile application, can tell the server what user is using the service.
  • The recommendation is to use and implement OAuth 1.0a or OAuth 2.0 since the very first version (OAuth1.0) has been found to be vulnerable to session fixation.
  • OAuth 2.0
    • Relies on HTTPS for security and is currently used and implemented by APIs from companies such as Facebook, Google, Twitter, and Microsoft. OAuth 1.0a is more difficult to use because it requires the use of cryptographic libraries for digital signatures. However, since OAuth 1.0a does not rely on HTTPS for security, it can be more suited for higher-risk transactions.
  • OpenId
    • OpenId is an HTTP-based protocol that uses identity providers to validate that a user is who they say they are. It is a very simple protocol that allows a service-provider-initiated way for single sign-on (SSO). This allows the user to re-use a single identity given to a trusted OpenId identity provider and be the same user on multiple websites, without the need to provide any website with the password, except for the OpenId identity provider.
  • OpenID:
    • Due to its simplicity and that it provides protection of passwords, OpenId has been well adopted. Some of the well-known identity providers for OpenId are Stack Exchange, Google, Facebook, and Yahoo!
    • For non-enterprise environments, OpenId is considered a secure and often better choice, as long as the identity provider is of trust.
  • SAML:
    • Security Assertion Markup Language (SAML) is often to compete with OpenId. Like OpenId, SAML uses identity providers, but unlike OpenId, it is XML-based and provides more flexibility.
    • SAML is based on browser redirects which send XML data. Furthermore, SAML isn't only initiated by a service provider; it can also be initiated from the identity provider. This allows the user to navigate through different portals while still being authenticated without having to do anything, making the process transparent.