Strong Authentication

The type and complexity of the authentication mechanisms used should be relative to the risk and value of the assets, information, or functionality that the authentication mechanism is protecting.

This may mean that basic or digest authentication techniques transmitted over HTTPS may be sufficient for low-value web applications, such as web forums, where the assets within the application may be negligible. For sites containing high-value assets, such as Internet banking web applications or SSL VPNs, more complex authentication mechanisms and policies need to be implemented.

One solution may be to use token or SMS-based one-time passwords (OTPs) to reduce the risk of authentication credentials being stolen and used over and over again to gain access to a web application. These methods, however, are not foolproof, and these OTPs can still be stolen through various methods including spoofed websites, which we have discussed throughout this chapter. Digital certificates can also be used for authentication, which are considered much harder to steal than usernames and passwords, but also leave your applications vulnerable if users' machines are compromised.

Web applications may also wish to reauthenticate a user when performing high-value transactions. This strengthens the OTP authentication method since the attacker now needs to obtain multiple OTPs at varying times.

If OTP authentication mechanisms are not an option, then strong passwords should be enforced and changed at regular intervals, depending upon the business requirements. Users should be educated as to why strong passwords are required and how to construct a strong password. Passphrases may also be an option to ensure that passwords are long enough that password cracking techniques, such as rainbow tables, are unfeasible and that passwords are easily remembered by users. It should be noted that no matter how strong your password is, if a user types it on a spoofed website, then the account will be compromised.

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook


Post a comment