On Authentication in Web Applications

So you are writing a web application. Maybe it’s “2.0”, maybe it’s “1.0”. Maybe it’s 3.0? I am not sure if that’s a thing. Anyway, the important thing is that you want to know that people are who they say they are (I guess not if you’re reimplementing 4chan or other anonymous-only applications). So you have some buttons that say “Log in” and “Sign up”. In the “Sign up” page, you have the user enter their e-mail address (twice, of course, because otherwise they’ll misspell it) and the password (twice, same reason), and possibly a username. You check the password is “strong enough”, and you have a little widget that rates it “weak”, “fair”, “strong” or whatever descriptive words you feel like today. Of course, being a civilized person, you store the passwords on the backend salted and hashed. You make sure that the password comparison is resistant to side-channel attacks. You add a CAPTCHA to the “forgot password” page to prevent mass-attacking it. Since you know your users are almost certainly using the same password on other sites that do not do all of that, you also offer a 2-factor authentication scheme using Google Authenticator, falling back to SMS codes. Of course, before you store an SMS number as the fallback, you send it a trial code to make sure it is correct (right, WordPress.com?).

And, of course, no users use your 2-factor scheme; one day they get phished, and all their accounts are compromised.

Please note that the above paragraph is the absolute minimum you should do to be a responsible site that says “sign up with your e-mail and password”. Also highly recommended: running a white-hat bug bounty, hiring dedicated pen-testers, and having a lot of server-side heuristics to detect a brute-force attack and shut it down immediately.

Do you know who has the resources to do all of that correctly? I can think of two companies that get it all correct. Their names start with consecutive letters of the alphabet… 🙂

Yep, Facebook and Google actually have the security teams and expertise to check every single one of those boxes (with the exception of the silly little widget that rates your password strength, which never in the history of mankind has caused a user to choose a different password, because they only remember one password for all the sites they use and it doesn’t change). Please, for the love of kittens, puppies and hedgehogs, put little “Sign up with Facebook” and “Sign up with Google+” widgets on your website. If you are worried about Facebook and Google “capturing” your users, just make sure to grab their (verified!) e-mail addresses when they sign up through OAuth, so that if you ever need to authenticate them yourself, all you need is a “Forgot/recover password” widget, and you are on your way. You can even e-mail your users to tell them “Hey, FB/GOOG screwed us over, so start logging in with your password, and here is how you can recover the password”.

There really is no excuse not to offer this, in 2015. Unless you think your security team is roughly as good as Facebook’s.
