Summary of "Web Security - Lecture 13 - Authentication"

Summary of “Web Security - Lecture 13 - Authentication”

This lecture covers the fundamentals and best practices of authentication in web security, focusing on how to build secure systems even if attackers obtain user passwords. It discusses common mistakes, modern guidelines, attack types, defenses, and multi-factor authentication (MFA) implementations.

---

Main Ideas and Concepts

1. Authentication Basics

Authentication verifies that a user is who they claim to be. It relies on three main factors:

• Something you know: Passwords or PINs.
• Something you have: Physical tokens, phones, cryptographic keys.
• Something you are: Biometrics like fingerprints, retina scans, gait analysis.

Biometric data cannot be changed if compromised, so it is typically stored and processed locally on devices. Using multiple factors increases confidence in user identity (multi-factor authentication).

2. Authentication vs Authorization

• Authentication: Confirming user identity.
• Authorization: Determining what actions the authenticated user is allowed to perform.

Authorization is typically managed via Access Control Lists (ACLs) or capability URLs. These two concepts should be kept conceptually and technically separate.

3. Common Implementation Mistakes

• Store usernames case-insensitively but preserve preferred casing for display.
• Enforce uniqueness of usernames.
• Avoid poor password requirements such as:
  • Mandatory frequent password changes (e.g., every 3 months).
  • Forcing complex character combinations (uppercase, symbols, numbers).
  • Maximum password length limits or truncation.
  • Disabling cut-and-paste (breaks password managers).
  • Weak password hints or security questions with low entropy.
  • On-screen keyboards to defeat keyloggers (can be bypassed by screen capture).
• ID shields (security images to prevent phishing) are ineffective and often ignored by users.

4. Password Requirements and Strength

• Complex character requirements do not necessarily lead to stronger passwords.
• A better approach is to use multiple common dictionary words (e.g., four random words) for high entropy and memorability.
• Check chosen passwords against known breached password databases (e.g., “Have I Been Pwned”).
• Minimum password length should be at least 8 characters; longer is better (up to ~64).
• Avoid unlimited password length to prevent denial-of-service via expensive hashing.
• Use Unicode support to allow any characters, including emojis.
• Rate limit login attempts to prevent brute force and credential stuffing attacks.

5. Network-Based Attacks and Defenses

Types of attacks:

• Brute force: Trying many password guesses on a single account.
• Credential stuffing: Using breached username/password pairs from other sites.
• Password spraying: Trying a common password across many accounts.

Defenses:

• Rate limiting by username and IP address.
• CAPTCHA challenges to distinguish humans from bots.
• Using modern interactive CAPTCHAs or invisible CAPTCHA systems (e.g., reCAPTCHA v3).
• Requiring re-authentication (password prompt) before sensitive actions.
• Avoid response discrepancy that leaks information about user existence or account state.
• Use consistent generic error messages to prevent user enumeration.
• Mitigate timing attacks by ensuring code paths take similar time regardless of user existence.

6. Password Storage

• Never store passwords in plaintext.
• Store only cryptographic hashes of passwords.
• Simple hashing (e.g., SHA-256) is insufficient because:
  • Identical passwords produce identical hashes.
  • Vulnerable to precomputed lookup (rainbow table) attacks.
• Use salts — random values concatenated with passwords before hashing — to:
  • Prevent detection of identical passwords.
  • Defeat precomputed attacks.
• Use specialized password hashing algorithms like bcrypt:
  • Incorporates salting automatically.
  • Designed to be computationally expensive (slow hashing) to slow attackers.
  • Has a maximum input length (72 bytes); workaround is to pre-hash long inputs.
  • Stores salt and cost factor within the hash string.

7. Data Breaches and Their Impact

• Large-scale breaches (Equifax, Yahoo, Dropbox, Facebook) expose user credentials.
• Users are likely to have appeared in breaches.
• Services like “Have I Been Pwned” help users and developers check for breached credentials.
• Breaches highlight the importance of:
  • Checking passwords against breach databases.
  • Using MFA to protect accounts even if passwords are compromised.

8. Multi-Factor Authentication (MFA)

• MFA adds an additional layer of security beyond passwords.
• Common second factors:
  • Time-based One-Time Passwords (TOTP) generated by apps like Google Authenticator.
  • Physical tokens or biometrics.
• TOTP works by sharing a secret key between server and client app.
• Both server and client use the current time (divided into 30-second intervals) to generate synchronized codes.
• MFA can be required always or conditionally (e.g., on new devices, suspicious IPs).
• MFA greatly reduces risk of account compromise, even if password is leaked.

---

Detailed Methodologies and Recommendations

Username Handling

• Store usernames case-insensitively.
• Enforce uniqueness.
• Optionally store preferred casing for display.

Password Policy

• Minimum length: ≥ 8 characters.
• Allow long passwords (up to 64 characters).
• Support Unicode characters.
• Do not force complexity requirements (uppercase, symbols).
• Do not require periodic password changes unless breach suspected.
• Check passwords against breach databases.
• Avoid disabling paste or other usability features.

Password Storage

• Use bcrypt or similar slow hash function.
• Generate a unique salt per user.
• Store salt and hash together.
• Hash passwords before storing; never store plaintext.

Authentication Rate Limiting

• Limit attempts per username and IP address.
• Use middleware like Express Rate Limiter in Node.js.
• On exceeding limits, delay or reject requests.

CAPTCHA Usage

• Use modern CAPTCHA solutions (e.g., reCAPTCHA v3).
• Avoid text-based CAPTCHAs that are easily broken.
• Consider invisible CAPTCHAs that analyze user behavior.

Preventing User Enumeration

• Use generic error messages for login, password reset, and account creation.
• Ensure consistent HTTP status codes.
• Mitigate timing differences in authentication code.

Sensitive Actions

• Require password re-entry for sensitive operations (change password, add collaborator).
• Helps defend against XSS, CSRF, session fixation attacks.

Multi-Factor Authentication Implementation

• Generate a random secret key per user.
• Share secret via QR code.
• Use TOTP algorithm:
  • Calculate counter = current Unix time / 30 seconds.
  • Generate HMAC of secret key and counter.
  • Extract digits to form 6-digit code.
• Server verifies code by performing the same calculation.

---

Speakers / Sources Featured

• Primary Lecturer: Unnamed professor/instructor (likely the course professor).
• Esther: Teaching assistant holding office hours and potentially leading CSP review sessions.
• Lucas Guerin: Guest lecturer, former Google engineer responsible for maintaining HSTS preload list.
• Emily: Mentioned in context of prior talks and the HSTS preload list.
• Ellie: Former TA, now Google employee involved in privacy and safety research.
• Niels Provos and David Mazieres: Creators of bcrypt password hashing algorithm.
• Microsoft: Cited for research on password cracking capabilities and MFA effectiveness.

---

This lecture provides a comprehensive overview of authentication security in web applications, highlighting practical advice for developers to implement robust authentication systems that defend against common attacks and protect user data even in the event of breaches.

Category

Educational

---

Share this summary

Share on X/Twitter Share on Facebook Share on LinkedIn Share on Reddit Share on WhatsApp Share on Telegram

---

Is the summary off?

If you think the summary is inaccurate, you can reprocess it with the latest model.

Reprocess summary

Video