Authenticating users Flashcards
Authentication
It is the process of determining whether someone (or something) is, in fact, who or what it declares itself to be.
Authentication factor
A category of evidence that a person has to present to prove they are who they say they are.
What are the 3 authentication factors?
- Knowledge Factor – something you know, e.g., password
- Possession Factor – something you have, e.g., smart card
- Inherence Factor – something you are, e.g., fingerprint
Authentication vs authorisation
- Authentication is the process of validating the identity of a registered user before allowing access to protected resources.
- Authorisation is the process of validating that the authenticated user has been granted permission to access the requested resources.
User authentication process
- Create and render a user login form.
- Retrieve the login credentials (e.g., username & password) from the submitted user login form.
- Query the database for an existing user with the submitted username (assume usernames are unique).
- Ask the user to enter login credentials again or register for an account if:
  a. no existing user with the submitted username exists, OR
  b. a user with the submitted username does exist, but the submitted password does not match the existing password.
- When the login credentials match those of an existing user:
  a. Log the user into the application (we will look at this later).
  b. Redirect the user to the protected area (landing page).
Authentication vulnerabilities
Authentication vulnerabilities occur when an attacker succeeds in authenticating as, or bypassing authentication for, a legitimate user.
This can happen, for instance:
- When the attacker can guess the credentials, or brute force them.
- When the credentials are leaked, and the attacker gets access to them. (We have already seen how to hash and encrypt data to protect stored credentials.)
Brute force attack
- A brute force search (or exhaustive search) is a problem-solving technique that consists of trying all possible solutions to a problem until a correct solution (if it exists) is found.
- A brute force attack primarily consists of an attacker configuring predetermined values (username/password combinations), making requests to a server using those values, and then analysing the response for success or failure.
How to prevent brute force attacks
- A strong password policy
- Biometrics
- Notification of unrecognised login (unrecognised device, location or IP address)
- Comprehensive login process
- Limiting login attempts
Strong Secondary Authentication Factors
- One-time password (OTP) – A unique password which can only be used once.
- Time-based PIN – A sequence of digits which have to be entered within a short window, typically 30 to 60 seconds.
- Digital (PKI) certificates – A digital certificate, issued by a trusted certificate authority, is installed on the device or in the user’s browser.
CAPTCHA
- CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
- It is an automated tool used to differentiate between real users and automated users, such as bots.
- CAPTCHAs provide challenges that are difficult for computers to perform but relatively easy for humans.
- Three main categories: text-based, image-based, and audio.
reCAPTCHA
- Free CAPTCHA software by Google
Drawbacks of CAPTCHA
- Disruptive and frustrating for users.
- May be difficult to understand or use for some audiences.
- Some CAPTCHA types do not support all browsers.
- Some CAPTCHA types are not accessible to users who view a website using screen readers or assistive devices.
- There is a range of automated technologies, including APIs, browser plug-ins and extensions, that enable attackers to bypass or solve CAPTCHA challenges.
Limiting authentication attempts
- One way to block brute force attacks is to lock out accounts after a defined number of incorrect authentication attempts.
- Note, however, that account lockout is not always the best solution, because someone could easily abuse the security measure and lock out hundreds of user accounts.
Sessions
- A session is an object that allows you to store information specific to a user (browser) from one request to the next.
- A session persists state across requests.
- A session may take the form of a client-side cookie or a server-side token.
Authentication vs login
- Users are only being authenticated at this point.
- Our applications so far cannot distinguish between multiple users.
- We need to create an identifiable web session for each user so their requests can be distinguished from those of other users.
Web sessions
A web session is a series of adjoining or connected actions by a user on an individual web application within a given time frame.
What are the factors for password management?
- Automatically create secure passwords.
- Secure password recovery.
- Change password.
- Password expiration.
- Re-authenticate in sensitive areas.
Authorisation issues
- Authorisation protocols are difficult to implement correctly, and no matter how secure an implementation might appear, there could still be a way to exploit the system.
Path traversal
- The path traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory.
Automatically create secure passwords
- Browser offers an automatically generated password.
- Can be bypassed with the user’s own password choice.
- Generated passwords are hard to remember.
- Generated passwords are easily forgotten.
- User ends up with multiple passwords.
Secure password recovery
- Web applications typically include a ‘forgotten password’ link.
- Instructions are usually sent to the user’s email account.
- Users may not be allowed to reuse a previous password.
- App needs to store previous passwords.
- User ends up with multiple passwords.
Change password
- Web applications typically allow users to change their existing password.
- Users may not be allowed to reuse a previous password.
- App needs to store previous passwords.
- User ends up with multiple passwords.
Password Expiration
- Web applications dealing with sensitive data may force users to change their password at set intervals.
- Users may not be allowed to reuse a previous password.
- App needs to store previous passwords.
- User ends up with multiple passwords.
Re-authenticate in sensitive areas
- Web applications dealing with sensitive data may force users to reauthenticate.
Authorisation Basics
- Authorisation is a security mechanism to determine access levels or user privileges related to system resources.
- Authorisation includes the process of granting or denying access to a system resource based on users’ identities.
2 step access control process
- Authentication – verifies the user identity.
- Authorisation – allows the user to access the various resources based on the user’s identity.
2 phases of authentication processes
- Policy definition phase where access is authorised.
- Policy enforcement phase where access requests are permitted or not permitted.
Policy enforcement phase
- Policy enforcement is usually done by a reference monitor.
- The reference monitor decides whether to grant or deny access.
Why should a reference monitor be NEAT?
- Non-bypassable.
- Evaluable.
- Always-invoked.
- Tamperproof.
- Authorisation issues can arise if the monitor is not NEAT.
- If the monitor can be bypassed, then the authorisation process might be ignored.
Web session steps
- Login
- Session created; session ID returned
- User (browser) sends the session ID with all subsequent requests
- Send request with session ID
- Return response for the given session ID