It is surprising how many mistakes programmers do when it comes to a subject so simple like managing user accounts. Programming requires logic; if you don't have logic don't even try programming. Even though the latest IT movement is toward a more secure environment, I can see a lot of childish mistake in a topic that should be the foundation of security. I am not trying here to cover all the options for securing the user account but rather the basic of this topic. History of user account securityThe most basic authentication started with a username and a password. It is the same principle used for example to secure a Debit Card with a PIN code. Unless you know the combination of the two (username / account number and password / PIN) you are not allowed to enter a system or application / perform a transaction. Even though this an efficient method to secure an account there are some disadvantages:
1) Weak and common passwords may be easily guessed by an attacker that knows little about the user like information available on Google for example. Date of birth, City of birth or residence, Address, Family and friends are sometimes easily available on user's profiles. Also if the password is too easy, it can be guessed using brute-force attack. 2) Reusing the password If an attacker finds user's Facebook password for example, he might try the same password on the email accounts linked to the Facebook account or trying the same username on other major email provider. From here is just a little step to find and reset users passwords on the bank or school website and the damages may be major. I would say it is okay to reuse a password to multiple non critical websites like free news letters, but keep in mind: your email password should not be used on websites you register using that email. Now how can a programmer improve security further? To prevent users from using too weak passwords, the programmers have increased the min length and complexity of the passwords. To combat brute force attack the programmers are locking the account after a certain number of invalid username / password combination. Now sometime the legit user might do at least 3 mistakes so don't lock the account until the users has tried at least 5 times the combination. To combat users from opening multiple accounts many programmers are now requiring email verification. This will prevent users from using fictitious email addresses. This also increases security since the identity of the user is somewhat known so user is less tempted to do stupid things on the platform. One of the method introduced recently to prevent unauthorized user access is Two Factor Authentication. This method (2FA) requires an additional verification besides username and password. Some examples include:
Simplify the authentication processIncreasing passwords complexity requirements and enforcing frequent password change makes it more difficult for the users to remember their passwords. Now what can the programmed do to simplify the login process but in the same time to keep the security high? One of the most common practice used to help user not remember so many passwords was to use a Third Party Authentication (TPA) method. We talked earlier about the email verification process that gives the programmer confidence that the identity of the user is known. The same thing can be achieved by using the email provider as the TPA. Who can confirm better than Google the identity of a Gmail user? Using Google authenticator the programmer can now have user login into their platform without remembering an additional password. How about the 2FA? you might ask. I am glad to tell you that many email providers this days are enforcing 2FA on their users (including Google) so that is covered also. Common mistakesThe most common mistake I found is related to TPA. Some programmers are creating separate accounts for the users logged via TPA and the ones logged via username / password even though they share the same email address. Now let me ask this question: if your platform obtained an email verification and a TPA obtained the same email verification aren't we talking about the same user? Another mistake is related to 2FA: After enforcing 2FA on their web platform or application some programmers are offering simplified login with one time code. Keep in mind that this means going back to One Factor Authentication since you only check my phone or my email this way. Final notesUsername and password combination are a very good defense line. Now when we combine this with additional authentication factors (2FA) try not to be to brutal with passwords complexity.
It is preferred to use a username different than the email address. This will offer higher protection in case an attacker finds out the username.
0 Comments
Lately I found myself not being able to decide what my next phone should be. I owned many Samsung phones before and I liked Notes the best mostly for their big screens. I owned also some LG, Iphone, HTC that let me both good and bad impressions. I informed myself about Google phones, Gionee, Xiaomi, ZTE to see what others have to offer. But I couldn't find the perfect phone. Samsung launched recently the Note 8 but they changed the screen proportion and now is no longer offering enough width. Also the edge screen left me a bad impression since I had my Galaxy S6 edge plus. While holding the phone I was touching the edge screen and that interfered with my commands on the main screen. The edge screen is almost useless and is increasing the risk of cracking phone's screen even if you wear a phone case. Note 8 has a bigger screen but a smaller battery than the S8 plus and we all know bigger screens needs more power to lit all the pixels. I think these are enough reasons to move away from Note 8 How should a perfect phone look like? I will take some time in this article to put some ideas on"paper" and to present also the pros and cons on each of these. You can comment at the bottom of this article to validate or invalidate my ideas. I would be glad to see that some of these ideas were taken into consideration by any mobile phone manufacturer. Dimensions It seems there is a misconception that the phones should be very slim. The truth is that the most appreciated phones were the ones that offered a good grip, drop protection and good battery. Remember the Iphone 4S? It was 9.3mm thick and it felt nice in your hand. Why producing a slim phone when user will purchase a fat case for grip, for protection or for extra battery? A manufacturer can better optimize the size and weight of the overall phone so we can get smaller and lighter phones that offers a good battery life and protection than we can expect from adding a case.
The screen. A perfect phone will actually have 2 screens. One smaller always on display to handle the calls and music, plus a bigger screen to handle navigation, video playback, gaming, internet browsing, email and others. Yotaphone has a nice implementation of the always-on screen. Samsung and LG are both working on foldable displays that could make a phone fit nicely in your pocket but still offer you a bugger screen when needed. But even without dual screen the phone should at least have at least 80% screen-to-body ratio or else the phone is wasting space. The pixel density should be min 300 ppi but no more that 400 ppi to save energy. I like that LG phones comes with screen protector film and back film from factory, offering users additional protection. The battery Phone manufacturer's goal should be to offer phones that will last one week in normal use not one day or less as it happens today. Gionee launched a phone with 7000 mAh total battery, double than most flagship phones battery these days. To make the charging process faster, they integrated 2 parallel charging channels basically charging two 3500 mAh battery at once. This is the way to go.... Battery on the other hand is a consumable and consumers should be able to replace phone battery in the same way they replace a remote control battery. The manufacturer may jutify that Non removable battery exposes the Body With over 4 GB RAM, octa-core processors and advanced graphics that allow phone to be used in a VR headset, the phones these days are miniaturized computers and they cost like a computer. Being a big investment, require also better protection. Companies like Samsung and Apple already make their product water and dust resistant but they moved away from removable batteries. Phones with non-removable battery will add extra cost when consumer needs to replace battery and may affect product ability to resist water and dust because the seals needs to be broken and replaced. It's time to get back to the old time screws that will minimize battery replacement cost, maintaining the water and dust protection that phone had initially. Thicker phones will allow also bigger battery, better drop protection and better water and dust protection Buttons Physical buttons are always preferred to soft buttons. Apple offered successfully on Iphone and Ipad a physical button to turn the speaker On or Off but struggle to do all screen commands with only one button. Keeping only one button per row is also a waste of space that is very important for a miniaturized device. Some manufacturer arranged buttons in such a way that accidentally both power and volume buttons were pressed while grabbing the phone in the hand. Others were smart enough to place the buttons in such way that these will not be pressed accidentally. Don't place the buttons on the back of the phone. Many people are using their phones on a mount (in the car for example) and back buttons cannot be pressed.. Fingerprint scanner should remain at the front of the phone on the physical buttons row. |