It is surprising how many mistakes programmers make in a subject as simple as managing user accounts. Programming requires logic; if you do not have logic, do not even try programming. Even though the current IT movement is toward a more secure environment, I still see a lot of childish mistakes in a topic that should be the foundation of security. I am not trying to cover all the options for securing a user account here, but rather the basics of the topic.

History of user account security

The most basic authentication started with a username and a password. It is the same principle used to secure a debit card with a PIN code: unless you know the combination of the two (username / account number and password / PIN) you are not allowed to enter a system or application, or to perform a transaction. Even though this is an efficient method to secure an account, there are some disadvantages:
1) Weak and common passwords. A password may be easily guessed by an attacker who knows only a little about the user, for example information available on Google. Date of birth, city of birth or residence, address, family and friends are often visible on the user's profiles. If the password is too short or too simple, it can also be found by a brute-force attack.

2) Reusing the password. If an attacker finds a user's Facebook password, for example, he may try the same password on the email accounts linked to the Facebook account, or try the same username and password at other major email providers. From there it is a small step to find and reset the user's passwords on the bank or school website, and the damage can be major. I would say it is okay to reuse a password across multiple non-critical websites like free newsletters, but keep in mind: your email password should never be used on websites you register for using that email.

Now how can a programmer improve security further? To prevent users from choosing passwords that are too weak, programmers have increased the minimum length and complexity requirements. To combat brute-force attacks, programmers lock the account after a certain number of invalid username / password combinations. A legitimate user might make two or three mistakes, so do not lock the account until at least 5 attempts have failed; make the lock temporary rather than permanent, otherwise an attacker who knows the username can lock the real user out at will. To stop users from opening multiple accounts, many programmers now require email verification, which prevents registration with fictitious email addresses. This also improves security because the identity of the user is somewhat known, so the user is less tempted to do stupid things on the platform. One of the methods introduced more recently to prevent unauthorized access is Two Factor Authentication. This method (2FA) requires an additional verification besides the username and password. Some examples include:
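The password and lockout rules described earlier in this section (a minimum password length, a slow salted hash so that a leaked database is not immediately useful, and a lock that only triggers after the fifth wrong password) put into working code. This is an added example written for this page, not code from the original post; the 12-character minimum, the 15-minute lock window, the PBKDF2 iteration count and the sample user "alice" are assumptions made here, and the post only fixes the "at least 5 attempts" number.

```python
import hashlib
import hmac
import os
import time

# Policy values assumed for this example; the post only states the "5 attempts" figure.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5        # lock only after the 5th wrong password, as the post advises
LOCKOUT_SECONDS = 15 * 60      # temporary lock: a permanent lock lets an attacker lock users out
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt):
    """Slow, salted hash so a leaked database cannot be reversed with a precomputed table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class User:
    def __init__(self, username, password):
        self.username = username
        self.salt = os.urandom(16)                      # per-user random salt
        self.password_hash = hash_password(password, self.salt)
        self.failed_attempts = 0
        self.locked_until = 0.0                         # unix time; 0 means not locked


class AccountStore:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so the lockout window can be tested offline
        self.users = {}

    def register(self, username, password):
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password too short")
        self.users[username] = User(username, password)

    def login(self, username, password):
        """Return 'ok', 'invalid' or 'locked'. The caller should not tell the client
        whether the username or the password was the wrong half."""
        now = self.clock()
        user = self.users.get(username)
        if user is None:
            # Hash anyway so an unknown username does not answer measurably faster.
            hash_password(password, b"\x00" * 16)
            return "invalid"
        if now < user.locked_until:
            return "locked"
        candidate = hash_password(password, user.salt)
        if hmac.compare_digest(candidate, user.password_hash):
            user.failed_attempts = 0
            return "ok"
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.locked_until = now + LOCKOUT_SECONDS
            user.failed_attempts = 0
            return "locked"
        return "invalid"


def demo():
    """Walk through the rules with a fake clock; returns the list of results."""
    clock = [1_000.0]
    store = AccountStore(clock=lambda: clock[0])
    store.register("alice", "correct horse battery")    # sample user, constructed here
    results = [store.login("alice", "correct horse battery")]
    results += [store.login("alice", "wrong password") for _ in range(MAX_FAILED_ATTEMPTS)]
    results.append(store.login("alice", "correct horse battery"))   # right password, still locked
    clock[0] += LOCKOUT_SECONDS + 1
    results.append(store.login("alice", "correct horse battery"))   # lock window expired
    results.append(store.login("nobody", "anything"))
    try:
        store.register("bob", "short")
        results.append("weak-accepted")
    except ValueError:
        results.append("weak-rejected")
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the first four wrong passwords answered with "invalid", the fifth locking the account, the correct password rejected while the lock is active, and accepted again once the window has passed. The unknown username is hashed as well so that the response time does not reveal which usernames exist.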
Simplify the authentication process

Increasing password complexity requirements and enforcing frequent password changes makes it harder for users to remember their passwords. Now what can the programmer do to simplify the login process while keeping security high? One of the most common practices used to spare the user from remembering so many passwords is Third Party Authentication (TPA). We talked earlier about the email verification process, which gives the programmer confidence that the identity of the user is known. The same thing can be achieved by using the email provider as the TPA: who can confirm the identity of a Gmail user better than Google? Using Google's sign-in (Google acting as the identity provider), the programmer can let users log into the platform without remembering an additional password. What about 2FA, you might ask? Many email providers these days enforce 2FA on their users (including Google), so that is covered as well.

Common mistakes

The most common mistake I have found is related to TPA. Some programmers create separate accounts for users logging in via TPA and for users logging in via username / password, even though they share the same email address. Let me ask this question: if your platform obtained an email verification and the TPA obtained the same email verification, aren't we talking about the same user? The condition matters: link the two only when the TPA actually reports the address as verified; otherwise anyone who can claim an unverified address at the provider could log into the local account.

Another mistake is related to 2FA: after enforcing 2FA on their web platform or application, some programmers offer a simplified login with a one-time code only. Keep in mind that this takes you back to one-factor authentication, because the only thing checked is access to my phone or my email.

Final notes

The username and password combination is a very good line of defense. When we combine it with additional authentication factors (2FA), try not to be too brutal with password complexity.
It is preferable to use a username that is different from the email address. This offers extra protection: an attacker who learns one of them does not automatically know the other.
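The two mistakes from the "Common mistakes" section, worked through in code: an account lookup for third-party logins that links to the existing local account when the email is verified on both sides (instead of creating a second account), refuses to link when the provider does not vouch for the address, and a check that counts distinct factor classes so that a login by one-time code alone is not mistaken for 2FA. This is an added example written for this page, not code from the original post; the claim names follow the OpenID Connect ID token shape ("iss", "sub", "email", "email_verified"), the issuer "https://idp.example", the accounts and the factor-class table are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import Optional

# Factor classes (assumed mapping for this example): a password is something the
# user knows; a code delivered to a phone or mailbox only proves possession of it.
FACTOR_CLASS = {
    "password": "knowledge",
    "sms_code": "possession",
    "email_code": "possession",
    "authenticator_app": "possession",
}


def is_two_factor(methods):
    """True only if the methods used cover at least two distinct factor classes."""
    return len({FACTOR_CLASS[m] for m in methods}) >= 2


@dataclass
class Account:
    account_id: int
    email: str
    email_verified: bool
    password_hash: Optional[bytes] = None
    linked_identities: set = field(default_factory=set)   # (issuer, subject) pairs


class AccountStore:
    def __init__(self):
        self.accounts = {}
        self.next_id = 1

    def by_email(self, email):
        for acct in self.accounts.values():
            if acct.email.lower() == email.lower():
                return acct
        return None

    def create(self, email, email_verified, password_hash=None):
        acct = Account(self.next_id, email, email_verified, password_hash)
        self.accounts[acct.account_id] = acct
        self.next_id += 1
        return acct

    def login_with_tpa(self, claims):
        """Resolve the local account for an identity asserted by a third party.

        `claims` is assumed to be shaped like an OpenID Connect ID token payload:
        {"iss": ..., "sub": ..., "email": ..., "email_verified": True/False}.
        """
        identity = (claims["iss"], claims["sub"])
        # 1. Already linked: return the same account every time.
        for acct in self.accounts.values():
            if identity in acct.linked_identities:
                return acct
        provider_verified = claims.get("email_verified") is True
        existing = self.by_email(claims["email"])
        if existing is not None:
            # 2. Same email, verified on both sides: same user, so link instead of
            #    creating a duplicate account (the mistake described in the post).
            if not (existing.email_verified and provider_verified):
                # Caveat: an unverified address is not proof of identity; linking
                # here would let whoever registered that address at the provider
                # log into the local account.
                raise PermissionError("email not verified on both sides; refusing to link")
            existing.linked_identities.add(identity)
            return existing
        # 3. New email: create the account, keeping the provider's verification status.
        acct = self.create(claims["email"], provider_verified)
        acct.linked_identities.add(identity)
        return acct


def demo():
    """Sample scenario, constructed for this example; returns observations for checking."""
    store = AccountStore()
    local = store.create("alice@example.com", True, password_hash=b"<hash>")
    issuer = "https://idp.example"       # placeholder identity provider
    good = {"iss": issuer, "sub": "1001", "email": "Alice@example.com", "email_verified": True}
    linked = store.login_with_tpa(good)
    again = store.login_with_tpa(good)
    try:
        store.login_with_tpa({"iss": issuer, "sub": "1002", "email": "alice@example.com",
                              "email_verified": False})
        unverified = "linked"
    except PermissionError:
        unverified = "refused"
    newcomer = store.login_with_tpa({"iss": issuer, "sub": "1003", "email": "bob@example.com",
                                     "email_verified": True})
    return {
        "linked_to_local": linked.account_id == local.account_id,
        "stable": again is local,
        "unverified": unverified,
        "account_count": len(store.accounts),
        "newcomer_is_new": newcomer.account_id != local.account_id,
        "otp_only_is_2fa": is_two_factor(["email_code"]),
        "password_plus_otp_is_2fa": is_two_factor(["password", "email_code"]),
        "two_codes_is_2fa": is_two_factor(["sms_code", "email_code"]),
    }


if __name__ == "__main__":
    print(demo())
```

The lookup is keyed on the (issuer, subject) pair rather than on the email, so a later change of email at the provider still maps to the same local account; the email is only used once, at first link, and only when both sides have verified it. The factor check also shows why two one-time codes (SMS plus email) are still a single factor: both are possession.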