An Introduction to Website Authentication – by Wayne Lee

Over the last several years, website login security has been one of the fiercest frontline battlegrounds between hackers and InfoSec professionals. Wayne Lee, who is at the forefront of Web Application Security, has years of experience defending large companies from hackers, ensuring a safe browsing experience for users. He brings his thoughts and expertise about the current state of authentication as well as a look into what will be coming in the near future.

Fun Fact: A six letter password (with no numbers) takes an average hacker less than 10 minutes to compromise.

Every time we log into our workstations, they perform several logical security checks around our authentication attempts, which is quite often comprised of one attempt per authenticated session (we’re good at remembering our work passwords). Several times per week (if not more) we gain access to applications and data critical to our work. We might even have to pass by guarded front desks and swipe our badges through elevators and secured access doors to get to our workstations. Physical security is obviously more than about limiting access to workstations, but it does provide another level of access restriction. In contrast, there are virtually no hurdles between users and a web application hosting their sensitive data. All you need is access to a browser sending data over HTTP. Except in the cases where multi-factor authentication is utilized, the only thing a user needs to do is enter their credentials into the web application. The security posture of the application can often be realized in the care an application takes in ensuring that the user’s credentials are safe guarded. That is, does the web application require a similar level of effort in the authentication checks used by the Windows workstation used by the developer to log him/her in? Does it require more?

As it happens, I ran into a popular web site a few weeks ago that allowed me to enter an incorrect password more than30 times. The application was vulnerable to a brute force attack to compromise users’ credentials. A popular mitigation strategy is to deploy CAPTCHAs to throttle down these attempts. CAPTCHAs also have their own security concerns that developers need to be aware of in that they can be broken through Optical Character Resolution (OCR) attacks. Using Account Lockout strategies or Multi-Factor Authentication can further mitigate these security concerns. Without such security controls to protect users’ credentials, an attacker can compromise an account in a matter of seconds.

In the last few years, popular sites have taken greater leaps in protecting user account data and credentials, particularly as authentication has become geo-location sensitive. Applications track the locations where the user is authenticated and reasonable deviations from authentication allow additional logic checks to verify the user. The strategy not only reduces account take-over from brute force attempts, but to some extent also mitigates Phishing activities. As the threat landscape continues to grow and evolve, popular web sites will continue to employ practices to mitigate risks with the net effect of changing what users expect as “normal” authentication processes. At a bare minimum, CAPTCHAs and timed Account Lockout strategies can greatly increase the barrier of attack on accounts. Gathering metrics on the number of user accounts compromised (hacked or phished) can also lead to having creative discussions on reducing the acceptable risks to a site’s users. For more information, Wayne can be reached at [email protected] or on LinkedIn.