Wednesday, 14 December 2011
We've recently been discussing a project where one of the concerns was to tighten up user authentication. The customer was concerned that expecting the user to enter just a user name and password would not make the proposed web application secure enough for the confidential nature of their data, so an alternative security technique was wanted.
This is a common problem and there are several established answers. One thing is generally true, though: the usual approach to making an application more secure involves making it less user friendly, and it can even become an annoyance, especially when extra steps are introduced which, while undoubtedly more secure, also make access to the application far more long-winded and so compromise the user experience. A well implemented user authentication system must therefore strike a balance between good security and a good user experience, and how far that balance leans in one direction or the other is up to the customer.
Many solutions introduce a set of drop-down lists after the user has entered his/her username and password, the user being asked to choose certain characters of an additional secret. The theory is that this foils keylogging malware present on the user's computer and so prevents criminals from gaining direct access to the account. It's a sound theory and I think it works in practice, but it is also one of the more long-winded approaches, although it does have the advantage of being relatively inexpensive to implement.
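The server side of that "choose characters 2, 5 and 7 of your memorable word" step, as an added example that is not part of the original post. The class name, the memorable word "rosebud" and the attempt limit are constructed for illustration. The design point it shows is that the positions must be picked by the server, at random, and re-issued unchanged until the challenge is resolved (success or lockout): if a failed attempt produced a fresh set of positions, someone who had captured only part of the secret could simply retry until positions they know came up.

```python
import hmac
import secrets

# Hypothetical values chosen for this example.
POSITIONS_PER_CHALLENGE = 3   # characters of the memorable word asked for per login
MAX_ATTEMPTS = 3              # wrong answers allowed before the challenge is locked


class PartialSecretVerifier:
    """Server side of the partial-secret step for one user.

    The memorable word is held in memory here purely for illustration; a real
    deployment stores it in whatever protected form the scheme requires.
    """

    def __init__(self, secret, positions_per_challenge=POSITIONS_PER_CHALLENGE):
        self._secret = secret
        self._k = positions_per_challenge
        self._pending = None            # (positions, failed_attempts) or None
        self._rng = secrets.SystemRandom()  # OS randomness, not random.random

    def challenge(self):
        """Return the 1-based positions the user must answer in the drop-downs.

        The same positions are re-issued until the challenge is resolved, so a
        failed attempt cannot be turned into a new, possibly easier, challenge.
        """
        if self._pending is None:
            positions = sorted(
                self._rng.sample(range(1, len(self._secret) + 1), self._k))
            self._pending = (positions, 0)
        return list(self._pending[0])

    def verify(self, answers):
        """Check the characters the user picked; True only on an exact match."""
        if self._pending is None:
            return False                # no challenge outstanding
        positions, attempts = self._pending
        if attempts >= MAX_ATTEMPTS:
            return False                # locked: even the right answer is refused
        expected = "".join(self._secret[p - 1] for p in positions).lower()
        given = "".join(str(a) for a in answers).lower()
        # compare_digest returns False (no exception) when lengths differ.
        ok = (len(answers) == len(positions)
              and hmac.compare_digest(expected.encode(), given.encode()))
        if ok:
            self._pending = None        # resolved; next login gets new positions
        else:
            self._pending = (positions, attempts + 1)
        return ok


if __name__ == "__main__":
    v = PartialSecretVerifier("rosebud")
    pos = v.challenge()
    print("ask for positions", pos)
    print("wrong answer accepted?", v.verify(["x"] * len(pos)))
    print("positions unchanged after failure?", v.challenge() == pos)
    print("right answer accepted?", v.verify(["rosebud"[p - 1] for p in pos]))
```

A constructed secret of seven characters and three positions per challenge means a single captured login reveals fewer than half the characters; the attempt limit keeps the remaining ones from being guessed in place.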
Another technique is to provide the user with a key generator, which generates a new unique key, usually a number, each time the user presses a button. The user then provides their username together with the key to gain access to the site. This works well because the key is always different, so it would be pointless for a criminal to attempt to use it again. But it does rely on the user maintaining the physical security of the key generator, which is normally a small dongle or credit-card-sized device, and the need to provide the device also introduces a potentially significant cost depending upon how many users need it. Having said that, it is my favourite technique as it is a good balance between security and user experience, and I wish that all banks would implement this.
There is another solution which I also like. The user enters his/her username and, upon recognition, the server sends an SMS text message to the user's mobile phone with a unique number which must be entered within a certain time. This is similar to the former approach but with cheaper implementation costs, although it does rely on the user owning a mobile phone and maintaining its physical security.
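The server side of both of the last two techniques, as an added example that is not part of the original post. For the press-a-button key generator it assumes the counter-based HMAC one-time password of RFC 4226 (HOTP), which the post does not name but which is how such devices are commonly built; for the SMS step it generates a random six-digit code with a short lifetime. The class names, the two-minute lifetime, the look-ahead window of ten and the attempt limit are constructed for illustration. What it shows beyond the prose is how "the key is always different" is enforced on the server: the token counter is advanced past every accepted code, and the SMS code is deleted as soon as it is used, expires, or has been guessed at too many times.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation, then the last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server state for one user's key-generator token (counter-based)."""

    def __init__(self, secret, look_ahead=10):
        self._secret = secret
        self._counter = 0            # next counter value the server expects
        self._look_ahead = look_ahead

    def verify(self, code):
        # The user may have pressed the button a few times without logging
        # in, so accept codes a little ahead of the stored counter; then move
        # the counter past the accepted value so that code can never be reused.
        for c in range(self._counter, self._counter + self._look_ahead):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._counter = c + 1
                return True
        return False


class SmsCodeVerifier:
    """Server side of the SMS step: random code, short lifetime, single use."""

    def __init__(self, ttl_seconds=120, digits=6, max_attempts=3, clock=time.time):
        self._ttl = ttl_seconds
        self._digits = digits
        self._max_attempts = max_attempts
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # username -> (code hash, expiry, attempts)

    def issue(self, username):
        """Create the code to hand to the SMS gateway (never log it)."""
        code = "".join(secrets.choice("0123456789") for _ in range(self._digits))
        digest = hashlib.sha256(code.encode()).digest()   # store a hash, not the code
        self._pending[username] = (digest, self._clock() + self._ttl, 0)
        return code

    def verify(self, username, code):
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expiry, attempts = entry
        if self._clock() > expiry or attempts >= self._max_attempts:
            del self._pending[username]          # expired or too many guesses
            return False
        if hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest()):
            del self._pending[username]          # single use
            return True
        self._pending[username] = (digest, expiry, attempts + 1)
        return False


if __name__ == "__main__":
    # RFC 4226 test secret; the token would hold the same 20 bytes.
    tok = TokenVerifier(b"12345678901234567890")
    print("first press accepted?", tok.verify(hotp(b"12345678901234567890", 0)))
    print("same code again?", tok.verify(hotp(b"12345678901234567890", 0)))
    sms = SmsCodeVerifier()
    code = sms.issue("alice")
    print("SMS code accepted?", sms.verify("alice", code))
    print("SMS code reused?", sms.verify("alice", code))
```

The look-ahead window is the usability trade-off the post talks about: too small and a user who pressed the button idly is locked out; too large and the server accepts a wider range of codes per attempt, which is why an attempt limit belongs in front of both verifiers.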
Ultimately, we as users must take more responsibility for our security. We should ensure that we use unique strong passwords, which should include a random mixture of upper and lower case characters and numbers. But such a password can never be remembered, so a password manager with strong encryption on the password store is a must (and make sure it's backed up). We must also make sure that our computers are secure by ensuring that there isn't any malware on them, that Windows (or OS X or Linux) is patched and up to date, and that our anti-virus software is also up to date.