Beyond Passwords

Josh Hickling

Managing Consultant

Josh is one of Pentest Peoples managing consultants, coming from a university background,who's heavily interested in the ethical hacking world.

Beyond Passwords

Part two – Extra User Security Through the Use of Passwords

In our last blog we spoke about how using a simple passphrase is more secure than using any complex unfriendly passwords. This blog will expand on this concept and introduce a few more things we can do to make user accounts even more secure.

Two-Factor Authentication

Multi-factor authentication (typically implemented as two-factor Authentication) works on the bases of something the user knows (such as a passphrase). Something they have (such as a token device providing a one-time password), and potentially something they are (such as biometric data like a fingerprint). Everyone should enable 2FA on any service they use that supports it. Pentest People rank the lack of 2FA as a high severity vulnerability, especially if that service is public facing and provides access to sensitive information.

Location Changes And New Device Notifications

If a user is logged in from a coffee shop in London, then suddenly uses their account in Japan, a security incident may have occurred and should be acknowledged. Depending on the nature of your application, you might not need to lock the user’s account instantly. A simple notification to let the user know that suspicious behaviour has been identified is strongly recommended. The same applies if a user appears to be logging in from a different browser than normal. Let the user know. Finally, when notifying the customer there should be a ‘call to action’, allowing the customer to re-secure their account straight away.

Refresh Tokens

This special type of token is used to renew access to a protected resource. Every time access is required, the authentication server will return a new unique access token. As these tokens are short-lived, an attacker will have a very short period of time to use the token should they obtain it. Additionally, a refresh token will also prevent a user account from been logged in at two places at once. Which again is great for security.

Push Notifications

This one is slightly more advanced, but if you have a web application and a Mobile Application it is a great security feature and very user friendly.

When a user tries to carry out certain requests on the Web Application, for example setting up a new payee on their bank account, a push notification is sent to the mobile application asking the user to confirm this is correct.

Using a push notification rather than SMS is also more secure. As a push notification uses end to end encryption. Unlike using an SMS message. If an attacker is in the account they can simple change the SMS delivery number.

To Summarise

A passphrase (passwords if you’re still uncomfortable with that word) will never be enough to keep an account secure. However, by combining traditional user authentication with even one of the recommendations above (if you are only going to go with one then use 2FA) will dramatically increase your user security and protect user data.

If you would like to assess the robustness of the security measures you have implemented, then consider contacting Pentest People to arrange a Web Application Security Assessment.

Video/Audio Transcript