In yesterday’s article I wrote about how authentication can be vulnerable by various techniques, today, this article is focused on security measures that are appropriate in order to secure the authentication to the site or a service on-line.
Ways to SECURE the AUTHENTICATION
- Encrypted Channel — This a very basic, but still a very serious concern to keep in mind i.e. always send your credentials over HTTPS rather than an unencrypted channel HTTP.
- Users are vulnerable — If the server is yours, then it is your responsibility to implement a strong password policy for the users while they create their account. If you are the user, it is your responsibility to keep a strong password including upper case and lower case characters, symbol, numbers, optionally, avoid using words inside your password.
- Preventing the Username Enumeration — At servers, the admin should avoid returning different HTTP status codes for different invalid logins. An attacker can fairly get an idea that he is getting close to what he wants. In lay man’s language with each incorrect response the server should return a same kind of HTTP STATUS CODE/response from the server, making the attacker clue-less, of what is going behind the server.
- Brute-force protection — We all know a brute-force can be a fairly easy task to initiate for even a script kiddie, so implementing protection against brute-force is must. Well what really an administrator could do is, he/she can limit the no. of logins from a particular IP or should require to complete a CAPTCHA test before logging again. Now this will prevent authenticating with brute-force attacks for a good no. of times. But for those who know, these can be bypassed using proxies and editing the captchas using scripts at the browser level easily. Still to maximize security we can use them on the site.
- Double-checking the authenticating logic — Now as discussed in the previous article that there can be chances of broken authentication, due to poorly written web-apps and flaws inside the logic, so it is a good practice to dual check your logic too.
- Implementing multi-factor authentication — This type of security may not be practical for all the websites but if it is properly implemented it is much stronger than password-based logins.
Is 2FA really unhackable?
My answer would be a no. This is because of an attack called Signaling System 7. What’s that? Let’s get some insights here.
2FA — 2-factor-authentication is technically verifying 2 factors. This is generally termed with OTP received on your mobile device to give you a second layer of protection before you finally authenticate as the real user.
The thing with 2FA is it can be bypassed even with sim swapping, and ss7 attack. SS7 attack is a satellite based attack where one can tap into your phone’s network and manipulate your sim signals. With this attack, attacker can get access your phone calls, text messages, and everything in your sim network. None-the-less this is a satellite based attack so not in common hands. But still there are many ways one can initiate an ss7 attack at home with some really good computer specs. So this kind of authentication is somewhere unreliable.
Ideally, 2FA should be implemented using a dedicated device or app that generates the verification code directly. As they are purpose-built to provide security, these are typically more secure.