Our previous blog post on authentication security covered six most common authentication vulnerabilities. In this post, we will discuss a few best practices that help avoid authentication vulnerabilities and defeat specific attack vectors.
Below are the six best practices to secure the authentication process.
Passwords and password-based authentication processes are plagued with security threats such as phishing and password cracking. And the passwordless authentication approach is the way to eliminate these threats. But why is password-based authentication still widely implemented? The answer to this probably is that password-based authentication is easier to implement, and the solution “just works”.
Passwordless authentication often requires special devices, and if the software is published for a broader demographic, it can be challenging, if not impossible, to enforce passwordless authentication. But with the growth in the adoption of smartphones with Touch ID and Face ID features and the availability of easy-to-carry hardware security tokens such as U2F keys and specifications such as WebAuthn, now is the perfect time to prioritize passwordless authentication.
Single sign-on (SSO) allows users to login into multiple applications with a single set of credentials. And federated login allows users to authenticate with identities attested by 3rd party (e.g., log in with Google, log in with Facebook). Unless your software application is an identity provider, it makes little sense to implement an identity verification process. Authentication standards such as OAuth2, OpenID Connect and SAML make it much easier to implement a federated login and SSO.
An important caution when using federated authentication and SSO is correctly implementing the authenticity exchange process. Although these standards are secure by design, the security depends on implementation. As with any software, vulnerabilities in the protocol implementation are common. Learn more on best practices for SAML and OAuth2.
Hardening authentication functionality is an essential part of properly implementing your authentication flows. Below are six best practices that help avoid logical flaws and secure the authentication functionality.
An insecure account recovery process can be exploited to bypass the authentication process. Below are a few important functionalities to consider when developing an account recovery process:
Since sessions hold users’ authenticated state, compromising the session management process allows malicious users to bypass the authentication process or impersonate as other users. Below are a few important functionalities to consider when implementing the session management process.
The security of libraries that are used as a dependency to build authentication functionality is also an important factor to consider. For example, a vulnerability that allowed an attacker to completely bypass XML signature validation and pass off an altered file as a signed one with a carefully crafted XML file was discovered in the Go XML Digital Signature library. This library is used by many popular Go-based software programs for SAML authentication. Even Remoteler was affected by this, which we fixed in the 4.1.11 release.
Use dependency vulnerability scanners such as npm audit, follow CVE advisories related to a programming language (e.g. .net CVE, python CVE) and maintain proactive practices for continuous monitoring of dependency vulnerabilities.
Logical flaws can be hard to discover and may have a severe impact. A proper software design with a review from security engineers is the first step to avoid logical security flaws. Additionally, software developers must be educated on the common vulnerabilities related to authentication process and trained to prevent those vulnerabilities. The authentication cheat sheet series by OWASP is a great place to learn how to securely implement authentication functionality.
Two-factor authentication is probably the best way to improve the security of an authentication process. It is safe to say that a properly implemented 2FA method can help you prevent a severe vulnerability in the authentication process. But even the 2FA process can be vulnerable and can be bypassed if insecurely implemented. Below are a few ways to harden 2FA implementation.
2FA safeguards from compromised credentials and slows down or prevents automated attacks. So ensure that 2FA is enforced by default on every authentication process.
Mutual authentication involves authenticating both the connecting parties (client and server) and is best suited for API authentication and machine-to-machine authentication. Mutual authentication is also commonly used as an additional trust factor besides credentials such as passwords. Mutual authentication can be implemented with certificates and public-key infrastructure (PKI). Protocols such as SSH and TLS have built-in support for mutual authentication.
Implementing rate limiters help to stop brute force attacks. A simple rate limiter that counts for failed authentication attempts and blocks users for a certain period can greatly enhance security and stop brute-force attacks. For API-based services, which usually handle high volume authentication requests, token bucket and leaky bucket algorithms are popular algorithms to implement rate limiters.
CAPTCHAs are a great way to slow down automated attacks. Although it is often annoying for genuine users to solve CAPTCHAs, it can be used in conjunction with rate limiters so that CAPTCHAs are only challenged to the users or machines who violate rate limit rules.
Although the general advice is to favor a passwordless solution, it is not an easy migration in many cases. The following are a few recommendations for securing password-based authentication.
At Remoteler, we regularly emphasize the value of passwordless solutions. To understand why passwords are bad, listen to our recent session with security visionary Troy Hunt – Lessons From Billions of Breached Records by Troy Hunt of https://haveibeenpwned.com.
It’s easy to write authentication functionality but harder to implement correctly. Standard specification certified libraries (e.g. OpenID Connect certified) and security audited libraries are a safer choice. It can be tempting to invent custom authentication protocols and use custom cryptographic algorithms to secure the authentication process, but this can be very risky and is not recommended.
The best recommendations to secure the authentication process are prioritizing passwordless authentication and implementing federated login or SSO with a two-factor authentication. Security considerations must be taken early on in the design process to implement controls that prevent logical flaws. Regular security audits are also equally important to test for logical flaws, and careful consideration must be placed in selecting libraries and dependencies for the authentication process.
Remoteler is an open-source project and helps implement passwordless authentication for infrastructure access. Passwordless authentication is based on certificates and can be used to authenticate against SSH servers, RDP servers, databases, Kubernetes clusters, and web applications. Learn more about how Remoteler enables passwordless access to cloud infrastructure.