Authentication is quite often misunderstood. Many believe authentication practices are purely for identification — but that is simply not the case. Authentication processes are put in user management systems to verify the identity of a user so that the system is sure that the user logging in will have access to the data that concerns them only.
Authentication is the boundary between the user & data, it needs to be as secure and strong as possible. This is especially true in industries like finance or health; it is crucial to make sure nobody can accidentally (or purposely) log into a different person’s account.
This is exactly why many platforms implement rigorous authentication processes.
Unfortunately, that doesn’t mean authentication attacks are rare… Many systems are still at risk of falling prey to various kinds of attacks. Therefore, to spread awareness about this, we’ve created this list of top security measures you can implement in your user management systems to protect yourself & your users against authentication attacks.
2FA or MFA?
In user authentication, using more than one authentication mode can provide better security.
Two-factor authentication gives developers the freedom to implement a variety of options to act as a second layer of security. Most commonly you will receive a one-time password (OTP) for additional verification.
While registering for a new account on a website, users are prompted to add and verify their email address or mobile number. So, when there is a login attempt to that account, the backend will send an OTP to the registered mobile number or email address, and it will grant access only if both password and OTP are entered correctly.
At times, some extremely secure websites and services will enact multi-factor authentication where the user must provide more than just a password and an OTP. The more factors you add to the system, the safer it can be.
The biggest challenge when implementing the two-factor authentication is making sure users register their email address / mobile number to sign up for the two-factor authentication.
While many websites provide two-factor authentication, most users are not aware that it exists or just choose not to opt for the additional hassle while logging into the website.
Passwords Strength Validation
Developers face many challenges while implementing a secure and user-friendly authentication system. One that comes to mind right off the bat is the dreaded weak password. While passwords provide a reasonable amount of security, they are only as good as their complexity, which depends on the user. If a password is not complex enough, attackers can simply perform a brute-force attack to try and guess the password.
Even in 2021, users tend to select weak passwords, which end up with users getting their sensitive data and access compromised. In 2020, some of the most common weak passwords were abc123, 123456, and 1234567890, which is equivalent to writing the password on a post-it note and leaving it on the office desk.
One solution to this problem could be implementing a policy to check whether the user’s password is strong enough. Many services, especially those to do with finances or deeply personal data, impose checks on your password to ensure that it is secure. Using special characters and avoiding common patterns while formulating passwords is highly recommended.
Secure Password Storing
Another big mistake while implementing user authentication is storing and working on the users’ plaintext passwords. Most websites take the user’s password and store them directly into their database to compare when they log in next.
One big drawback to this is that if the website suffers a data breach, all users can have their passwords leaked to the attackers. Additionally, most users reuse the passwords, so it is likely a user with the leaked password would have used the same password on other websites as well.
A solution to this problem is to store hashed versions of the passwords, instead of keeping the password as a whole. When a user enters the password on login, the backend should calculate the hash of the entered password and compare it with the stored version of the hash, then grant the access if both are equal.
Due to the one-way property of a secure hash, if the hash were to be stolen, it would take years for an attacker to find a password from the hash because they don’t have the decryption key.
Compromised Attack Detection
Suspicious and abnormal behavior controls
In the past decade, machine learning apps & artificial intelligence have increased ten-fold. Artificial Intelligence models can be used to build applications that can detect if an authenticated resource is being used differently than normal.
Anomaly detection techniques are already implemented in the banking industry. An anomaly detection algorithm learns from a user’s purchase pattern. If someday abnormal purchases are made, the bank can flag the transaction as possible fraud and stop that transaction resulting in the detection of a compromise at an early stage. This saves both the user and the bank from the implications of credit card theft.
Most websites maintain a database of user IP addresses and locations. This data is generally used to deliver targeted advertisements to the user. Still, you can also use this to provide a secure and safer experience for the website members.
Websites can keep track of an IP range from which a user logs into the account. If a drastic change is detected, the account may be compromised. Most authentication systems serving internal organization applications can specify in the authentication scheme to allow only the corporation IP range attempts. Authentication systems can also log geographic details of the IP address, such as longitude, latitude which can help if any breach happens.
It is common for a user to access the same account from the exact location often. So, websites can store the location from which the user generally accesses the account. If someday, all of a sudden, the user account is accessed from a location that they could not have possibly traveled to in the given time, then there are high chances that the user account has been compromised.
Roles and Permissions Handling
Roles & permissions-based authentication is essential in any organization that has many users requesting an array of permissions.
In a typical scenario, users are given various permissions.
Role-based permissions are a burden for system administrators, managing permissions from user to user.
There are usually various teams within a company that need various permissions. Software developers often require access from multiple sources like the Internet, Cloud storage, cloud instances, firewall, Microsoft Office, etc. While our lovely developers may need all this access, other teams do not. For instance, the accounting team needs access to the accounting software — not the marketing software.
By implementing proper role-based permissions, system administrators can divide the users into two categories. The enterprise will make each user a member of one of two roles, either software developer or accounting. So, if a user is a member of an accounting role, he would have permission to access only the accounting software. In contrast, a member of the software development team would have access to a variety of permissions. This way, the principle of least privilege is implemented where only the needed permissions are provided. So, if a compromise occurs, it would be easier to triangulate and pinpoint a specific role as a possible entry point.
Device Policy Enforcement
In many applications where security is of the highest importance, a user must be logged into the account from only one device at a time. If multiple logins are detected, it should not be allowed. This strict device policy enforcement deems useful when even after credentials for an account are compromised; attackers still need to get the device authorized to get into the account. This provides a second layer of security from a possible breach. Even if attackers manage to get their device authorized, app developers can take several pieces of information such as IP address, device location, etc., to make it easier to take possible actions in the case of actual compromise.
In most computer systems, authentication is the primary line of defense against cyber attacks.
User authentication, if properly implemented, can be the basis for most types of access control and user accountability. While it may be time-consuming to ask users to verify their identity through various authentication layers, these security measures ensure a secure user experience, which is crucial for a successful product or platform.