Recommendations For Strong Authentication
Make sure the basics are covered
Since most websites and applications will likely continue to use a password as the first layer of authentication, make sure these basic security measures are covered:
- Enforce a dictionary check so that users cannot choose common words as their password.
- Require a strong username that includes a numeric character. Often the username is the easiest portion of the login credentials for a hacker to guess. Do not use the user’s email address as their username.
- Limit the number of failed login attempts to three and temporarily suspend account access unless the user can authenticate through other means.
- If the login fails, don’t identify which portion of the credentials was incorrect. Stating that the ‘password is incorrect’ or the ‘username doesn’t exist’ enables hackers to harvest account information. A general statement such as “Incorrect login, please try again” helps prevent account harvesting.
- Use SSL to create an encrypted link between your server and the user’s web browser during account enrolment, the login process and the password reset process.
- Provide users with advice on how to choose a strong username and password. Research shows that users do choose better passwords when given advice on how to do so. One option is to have a password strength meter built into the page.
- Hash user passwords using bcrypt, scrypt, or another hash algorithm specifically designed for storing passwords. Do not use SHA1, MD5 or other general-purpose hash algorithms that were not designed for passwords; they are fast to compute, which makes the stored hashes easy to crack.
- Use salt. Use a unique salt for each user account/password and store that salt with the password. An additional system-wide salt that is not stored with the passwords (it is known only to your application) adds extra strength if the database is stolen, because the thief obtains the per-user salts but not the system-wide one.
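The following is an added example (not code from the original article) showing how the password-storage and login-failure recommendations above fit together: scrypt with a per-user salt plus a system-wide salt kept outside the database, a single generic error message for every failure, and a temporary suspension after three failed attempts. The pepper source, the 15-minute lockout length and the in-memory user table are assumptions for the demo.

```python
import hashlib
import hmac
import os
import time

# Assumed: the system-wide salt (often called a pepper) comes from config or a secrets
# manager, never from the password database. The default here is a constructed demo value.
PEPPER = os.environ.get("AUTH_PEPPER", "constructed-demo-pepper").encode()
MAX_FAILED_ATTEMPTS = 3        # limit from the recommendations above
LOCKOUT_SECONDS = 15 * 60      # assumed length of the temporary suspension
GENERIC_ERROR = "Incorrect login, please try again"   # same message for every failure

USERS = {}   # constructed in-memory user table: username -> record

def hash_password(password, salt):
    # scrypt is designed for password storage; the per-user salt and the pepper both feed in.
    return hashlib.scrypt(password.encode(), salt=salt + PEPPER, n=2**14, r=8, p=1, dklen=32)

def create_user(username, password):
    salt = os.urandom(16)   # unique per account, stored next to the hash
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt),
                       "failed": 0, "locked_until": 0.0}

def login(username, password, now=None):
    # Returns (success, message). Every failure path returns the same message so the
    # response does not reveal whether the username exists or the account is suspended.
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"\x00" * 16)   # same work as a real check, so timing is similar
        return False, GENERIC_ERROR
    if now < user["locked_until"]:
        return False, GENERIC_ERROR
    if hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        user["failed"] = 0
        return True, "ok"
    user["failed"] += 1
    if user["failed"] >= MAX_FAILED_ATTEMPTS:
        user["locked_until"] = now + LOCKOUT_SECONDS   # temporary suspension
        user["failed"] = 0
    return False, GENERIC_ERROR
```

A production system would persist the failure counter and lock time and offer the "other means" of authentication the recommendation mentions while the account is suspended.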
SaaS solutions for generating one-time passwords
With the growth of Software-as-a-Service (SaaS) providers, it’s easier than ever to adopt authentication solutions that generate one-time passwords for users without any hardware investment or significant integration effort. While one-time passwords will not stop a sophisticated man-in-the-middle threat, they do protect against the most common security threats: users choosing weak passwords, reusing the same password, or having their passwords stolen by keystroke-logging malware. By generating one-time passwords for users each time authentication is needed, organizations can ensure strong passwords are used and that previously stolen or leaked passwords cannot be used to access accounts.
The growing number of user devices with touchscreens enables new approaches to SaaS authentication schemes, including image-based and graphical approaches. Increasingly, users are asked to draw a pattern, touch points on a picture or identify a series of secret images to authenticate. When evaluating such approaches, it’s important to make sure the solution generates one-time passwords and is not simply a static pattern or image. Users’ fingerprints and smudges on the touchscreen can reveal their secret pattern or touch points if the approach is static.
One way to generate one-time passwords using an image-based approach is to have the user choose a few secret categories of things, such as dogs, flowers and cars. Each time authentication is needed the user is presented with a series of pictures on the touchscreen and must tap the ones that fit his previously chosen categories. The specific images are different every time and are displayed in different locations on the screen every time, but the user always looks for the same categories. As the user clicks or taps on the pictures that fit his categories, a one-time password is generated behind the scenes and submitted to the server for verification.
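An added example (not the article's or any vendor's code) of the category-based scheme just described, in a simplified form of my own: the server shows a fresh random set of images in shuffled positions, attaches a fresh random code to each, and the one-time password is the set of codes for the images the user taps. The tiny image pool, the 9-image grid and the code format are constructed assumptions.

```python
import secrets

# Constructed image pool: image id -> category. A real service has many images per category.
IMAGE_POOL = {
    "img01": "dogs", "img02": "dogs", "img03": "flowers", "img04": "flowers",
    "img05": "cars", "img06": "cars", "img07": "boats", "img08": "boats",
    "img09": "chairs", "img10": "chairs", "img11": "birds", "img12": "birds",
}
GRID_SIZE = 9   # assumed: images shown per challenge

def otp_from_taps(codes):
    # Order-independent, so the user may tap the matching images in any order.
    return "-".join(sorted(codes))

class ImageOtpServer:
    def __init__(self):
        self.users = {}     # username -> set of secret categories chosen at enrolment
        self.pending = {}   # challenge id -> (username, expected OTP), single use

    def enroll(self, username, categories):
        self.users[username] = set(categories)

    def make_challenge(self, username):
        # Fresh random subset of images in shuffled positions, each with a fresh random code.
        secret, rng = self.users[username], secrets.SystemRandom()
        images = rng.sample(sorted(IMAGE_POOL), GRID_SIZE)
        if not any(IMAGE_POOL[i] in secret for i in images):
            # Edge case: make sure at least one secret-category image is shown.
            images[0] = rng.choice([i for i in IMAGE_POOL if IMAGE_POOL[i] in secret])
            rng.shuffle(images)
        grid = [(img, secrets.token_hex(2)) for img in images]   # list order = screen order
        expected = otp_from_taps(c for img, c in grid if IMAGE_POOL[img] in secret)
        cid = secrets.token_hex(8)
        self.pending[cid] = (username, expected)
        return cid, grid

    def verify(self, cid, username, otp):
        entry = self.pending.pop(cid, None)   # consumed on first use, so a replay finds nothing
        if entry is None or entry[0] != username:
            return False
        return secrets.compare_digest(entry[1], otp)

def client_taps(grid, categories):
    # Simulates the user recognising and tapping each displayed image that fits their categories;
    # only the per-image codes leave the device, never the categories themselves.
    return otp_from_taps(code for img, code in grid if IMAGE_POOL[img] in categories)
```

Because the codes change with every challenge, a captured OTP or a smudge pattern on the screen is useless for the next login, which is the property the paragraph above asks evaluators to check for.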
Graphical authentication approaches are easier for users to remember than complex passwords, and they are faster for users to perform on smartphones and tablets than typing an alphanumeric password. For this reason, they are a good method for adding a layer of security or a one-time password without inconveniencing users.
Risk-based authentication
Organizations requiring even stronger security should consider integrating a risk engine with their authentication solutions. Using behavioral and contextual risk profiling, risk engines can dynamically trigger additional layers of authentication only when needed. This increases security without inconveniencing users, because users will rarely encounter the additional steps. Risk-based authentication solutions should identify device reputation and evaluate the geolocation of the user’s IP address and the time of day at which they are accessing the site. Also examine the frequency of login attempts, which could indicate a brute-force attack. If a high-risk or suspicious situation is identified, require an additional authentication step from the user. The additional step could simply be a second layer of authentication, or it could be a second factor of authentication.
Multifactor Authentication
Organizations whose websites or applications could be a high-profile target for hackers should adopt out-of-band, multifactor authentication. Multifactor authentication involves at least two of the following authentication factors:
- Something you know (e.g. a password, secret image categories or another shared secret)
- Something you have (e.g. a mobile phone or authentication token)
- Something you are (e.g. biometrics such as a fingerprint)
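For the risk-based authentication section above, here is an added example (my own, not the article's) of a small risk engine that scores the signals it lists, device reputation, IP geolocation, time of day and attempt frequency, against what is usual for the user and returns "step_up" when a second layer or factor should be required. The weights, threshold and attempt window are assumed values, and the country and reputation inputs are assumed to come from external lookups.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

STEP_UP_THRESHOLD = 50     # assumed: scores at/above this require an extra layer or factor
BRUTE_FORCE_WINDOW = 300   # assumed: seconds over which attempts are counted
BRUTE_FORCE_ATTEMPTS = 10  # assumed: more than this many attempts in the window is suspicious

@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)    # devices seen on past successful logins
    usual_countries: set = field(default_factory=set)  # from geolocation of past login IPs
    usual_hours: set = field(default_factory=set)      # hours of day (0-23) of past logins

@dataclass
class LoginAttempt:
    username: str
    device_id: str
    country: str     # assumed: already looked up from the source IP address
    hour: int        # hour of day of the attempt
    timestamp: float
    device_bad_reputation: bool = False   # assumed: supplied by a device reputation feed

class RiskEngine:
    def __init__(self):
        self.profiles = defaultdict(UserProfile)
        self.recent = defaultdict(deque)   # username -> timestamps of recent attempts

    def score(self, a):
        p, q, reasons = self.profiles[a.username], self.recent[a.username], []
        q.append(a.timestamp)
        while a.timestamp - q[0] > BRUTE_FORCE_WINDOW:   # forget attempts outside the window
            q.popleft()
        if a.device_bad_reputation:
            reasons.append(("bad_device_reputation", 60))
        if p.known_devices and a.device_id not in p.known_devices:
            reasons.append(("new_device", 30))
        if p.usual_countries and a.country not in p.usual_countries:
            reasons.append(("unusual_country", 30))
        if p.usual_hours and a.hour not in p.usual_hours:
            reasons.append(("unusual_hour", 15))
        if len(q) > BRUTE_FORCE_ATTEMPTS:                # many attempts: possible brute force
            reasons.append(("high_attempt_rate", 50))
        return sum(w for _, w in reasons), [r for r, _ in reasons]

    def decide(self, a):
        total, reasons = self.score(a)
        return ("step_up" if total >= STEP_UP_THRESHOLD else "allow"), reasons

    def record_success(self, a):
        # After a successful login, learn this device, country and hour as usual for the user.
        p = self.profiles[a.username]
        p.known_devices.add(a.device_id); p.usual_countries.add(a.country); p.usual_hours.add(a.hour)
```

A single unusual hour stays below the threshold, so the user is not bothered, while a new device from a new country, or a burst of attempts, triggers the extra step the text describes.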
Conclusion
Authentication standards on most websites and applications are woefully lacking. Relying solely on passwords puts the organization, its users and its data at risk. Not every website needs multifactor authentication, but most can benefit from using multiple layers of authentication or one-time passwords. User education is also critical for improving authentication. Unless the user clearly understands the reasons for additional authentication requirements, they will find ways to circumvent the policies. Finally, it’s important to remember that ‘security’ is a process: organizations must continually re-evaluate security needs, identify areas for improvement and make a security roadmap for future improvements. A website or application can never be completely secure, but developers and security professionals should aim to strengthen security to the point where it will deter most attackers while maintaining ease of use for end-users.
Frequently Asked Questions on User Authentication and User Experience
What is the importance of user authentication in cybersecurity?
User authentication is a critical component of cybersecurity. It verifies the identity of users before granting them access to a system or application. This process helps to prevent unauthorized access, thereby protecting sensitive data and resources from potential threats. User authentication can be achieved through various methods such as passwords, biometric data, or multi-factor authentication. It is a fundamental aspect of access control and is essential in maintaining the integrity and confidentiality of data.
How does user authentication impact user experience?
User authentication can significantly impact user experience. While it is crucial for security, it can also be a source of frustration for users if it is too complex or time-consuming. Therefore, it’s important to strike a balance between security and usability. Implementing user-friendly authentication methods, such as biometric authentication or single sign-on, can enhance the user experience while maintaining a high level of security.
What are some common user authentication methods?
Common user authentication methods include password-based authentication, biometric authentication, and multi-factor authentication. Password-based authentication is the most traditional method, but it can be vulnerable to attacks. Biometric authentication uses unique physical characteristics, such as fingerprints or facial recognition, to verify identity. Multi-factor authentication combines two or more methods for added security.
What is multi-factor authentication and why is it important?
Multi-factor authentication (MFA) is a security measure that requires users to provide two or more verification factors to gain access to a resource. MFA adds an additional layer of security, making it harder for unauthorized users to gain access. Even if one factor is compromised, the attacker still has at least one more barrier to breach.
How can user authentication be strengthened without compromising user experience?
User authentication can be strengthened without compromising user experience by implementing user-friendly authentication methods. Single sign-on (SSO) allows users to log in once to access multiple applications, reducing the need for multiple passwords. Biometric authentication provides a seamless user experience while offering a high level of security. Additionally, adaptive authentication, which adjusts authentication requirements based on the user’s behavior and risk profile, can also enhance both security and user experience.
What is the role of encryption in user authentication?
Encryption plays a crucial role in user authentication. It ensures that user credentials are securely transmitted over networks and stored safely. Without encryption, sensitive data such as passwords could be intercepted and exploited by attackers.
What are the potential risks of weak user authentication?
Weak user authentication can lead to unauthorized access, data breaches, and identity theft. If an attacker gains access to a system or application, they can steal sensitive data, disrupt operations, and even cause significant financial and reputational damage.
How does user authentication contribute to regulatory compliance?
Many regulations and standards, such as GDPR and HIPAA, require businesses to implement strong user authentication measures to protect sensitive data. By ensuring only authorized users can access certain data, businesses can demonstrate compliance with these regulations.
What is the future of user authentication?
The future of user authentication lies in more advanced and user-friendly methods. Biometric authentication is becoming increasingly popular, and we can expect to see more use of behavioral biometrics, which analyze user behavior to verify identity. Additionally, the use of artificial intelligence and machine learning in user authentication is likely to increase.
How can businesses implement strong user authentication?
Businesses can implement strong user authentication by adopting a multi-layered approach. This could include using multi-factor authentication, biometric authentication, and encryption. Additionally, businesses should regularly update and patch their systems, educate employees about security best practices, and monitor their systems for any unusual activity.
Roman Yudkin is Chief Technology Officer at Confident Technologies, responsible for Research & Development, Engineering and general oversight of all corporate technical functions. Yudkin has more than 25 years of hands-on leadership experience in the high technology sector - architecting, building, and bringing to market complex enterprise software systems and professional services across multiple industries and international settings.