|
| 1 | +<!-- |
1 | 2 | # Authentication Cheat Sheet |
2 | 3 |
|
3 | 4 | ## Introduction |
@@ -83,6 +84,93 @@ In order to mitigate CSRF and session hijacking, it's important to require the c |
83 | 84 |
|
84 | 85 | Some applications should use a second factor to check whether a user may perform sensitive operations. For more information, see the [Transaction Authorization Cheat Sheet](Transaction_Authorization_Cheat_Sheet.md). |
85 | 86 |
|
| 87 | +--> |
| 88 | + |
| 89 | +# Authentication Cheat Sheet |
| 90 | + |
| 91 | +## Introduction |
| 92 | + |
| 93 | +**Authentication** (**AuthN**) is the process of verifying that an individual, entity, or website is who or what it claims to be by determining the validity of one or more authenticators (like passwords, fingerprints, or security tokens) that are used to back up this claim. |
| 94 | + |
| 95 | +**Digital Identity** is the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service but does not necessarily need to be traceable back to a specific real-life subject. |
| 96 | + |
| 97 | +**Identity Proofing** establishes that a subject is actually who they claim to be. This concept is related to KYC concepts and it aims to bind a digital identity with a real person. |
| 98 | + |
| 99 | +**Session Management** is a process by which a server maintains the state of an entity interacting with it. This is required for a server to remember how to react to subsequent requests throughout a transaction. Sessions are maintained on the server by a session identifier which can be passed back and forth between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict. The [Session Management Cheat Sheet](Session_Management_Cheat_Sheet.md) contains further guidance on the best practices in this area. |
| 100 | + |
| 101 | +## Authentication General Guidelines |
| 102 | + |
| 103 | +### User IDs |
| 104 | + |
| 105 | +The primary function of a User ID is to uniquely identify a user within a system. Ideally, User IDs should be randomly generated to prevent the creation of predictable or sequential IDs, which could pose a security risk, especially in systems where User IDs might be exposed or inferred from external sources. |
| 106 | + |
| 107 | +### Usernames |
| 108 | + |
| 109 | +Usernames are easy-to-remember identifiers chosen by the user and used for identifying themselves when logging into a system or service. The terms User ID and username might be used interchangeably if the username chosen by the user also serves as their unique identifier within the system. |
| 110 | + |
| 111 | +Users should be permitted to use their email address as a username, provided the email is verified during signup. Additionally, they should have the option to choose a username other than an email address. For information on validating email addresses, please visit the [input validation cheatsheet email discussion](Input_Validation_Cheat_Sheet.md#email-address-validation). |
| 112 | + |
| 113 | +### Authentication Solution and Sensitive Accounts |
| 114 | + |
| 115 | +- Do **NOT** allow login with sensitive accounts (i.e. accounts that can be used internally within the solution such as to a back-end / middle-ware / DB) to any front-end user interface |
| 116 | +- Do **NOT** use the same authentication solution (e.g. IDP / AD) used internally for unsecured access (e.g. public access / DMZ) |
| 117 | + |
| 118 | +### Implement Proper Password Strength Controls |
| 119 | + |
| 120 | +A key concern when using passwords for authentication is password strength. A "strong" password policy makes it difficult or even improbable for one to guess the password through either manual or automated means. The following characteristics define a strong password: |
| 121 | + |
| 122 | +- Password Length |
| 123 | + - **Minimum** length of the passwords should be **enforced** by the application. Passwords **shorter than 8 characters** are considered to be weak ([NIST SP800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html)). |
| 124 | + - **Maximum** password length should be **at least 64 characters** to allow passphrases ([NIST SP800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html)). Note that certain implementations of hashing algorithms may cause [long password denial of service](https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/). |
| 125 | +- Do not silently truncate passwords. The [Password Storage Cheat Sheet](Password_Storage_Cheat_Sheet.md#maximum-password-lengths) provides further guidance on how to handle passwords that are longer than the maximum length. |
| 126 | +- Allow usage of **all** characters including unicode and whitespace. There should be no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. |
| 127 | +- Avoid requiring periodic password changes; instead, encourage users to pick strong passwords and enable Multi-Factor Authentication (MFA). Consider password rotation only in case of compromise or when authenticator technology is changed. |
| 128 | +- Include a password strength meter to help users create a more complex password and block common and previously breached passwords |
| 129 | + - [zxcvbn-ts library](https://github.com/zxcvbn-ts/zxcvbn) can be used for this purpose. |
| 130 | + - [Pwned Passwords](https://haveibeenpwned.com/Passwords) is a service where passwords can be checked against previously breached passwords. You can host it yourself or use the [API](https://haveibeenpwned.com/API/v3#PwnedPasswords). |
| 131 | + |
| 132 | +#### For more detailed information check |
| 133 | + |
| 134 | +- [ASVS v4.0 Password Security Requirements](https://github.com/OWASP/ASVS/blob/master/4.0/en/0x11-V2-Authentication.md#v21-password-security-requirements) |
| 135 | +- [Passwords Evolved: Authentication Guidance for the Modern Era](https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/) |
| 136 | + |
| 137 | +### Implement Secure Password Recovery Mechanism |
| 138 | + |
| 139 | +It is common for an application to have a mechanism that provides a means for a user to gain access to their account in the event they forget their password. Please see [Forgot Password Cheat Sheet](Forgot_Password_Cheat_Sheet.md) for details on this feature. |
| 140 | + |
| 141 | +### Store Passwords in a Secure Fashion |
| 142 | + |
| 143 | +It is critical for an application to store a password using the right cryptographic technique. Please see [Password Storage Cheat Sheet](Password_Storage_Cheat_Sheet.md) for details on this feature. |
| 144 | + |
| 145 | +### Compare Password Hashes Using Safe Functions |
| 146 | + |
| 147 | +Where possible, the user-supplied password should be compared to the stored password hash using a secure password comparison function provided by the language or framework, such as the [password_verify()](https://www.php.net/manual/en/function.password-verify.php) function in PHP. Where this is not possible, ensure that the comparison function: |
| 148 | + |
| 149 | +- Has a maximum input length, to protect against denial of service attacks with very long inputs. |
| 150 | +- Explicitly sets the type of both variables, to protect against type confusion attacks such as [Magic Hashes](https://www.whitehatsec.com/blog/magic-hashes/) in PHP. |
| 151 | +- Returns in constant time, to protect against timing attacks. |
| 152 | + |
| 153 | +### Change Password Feature |
| 154 | + |
| 155 | +When developing a change password feature, ensure to have: |
| 156 | + |
| 157 | +- User is authenticated with active session. |
| 158 | +- Current password verification. This is to ensure that it's the legitimate user who is changing the password. The abuse case is this: a legitimate user is using a public computer to log in. This user forgets to log out. Then another person is using this public computer. If we don't verify the current password, this other person may be able to change the password. |
| 159 | + |
| 160 | +### Transmit Passwords Only Over TLS or Other Strong Transport |
| 161 | + |
| 162 | +See: [Transport Layer Security Cheat Sheet](Transport_Layer_Security_Cheat_Sheet.md) |
| 163 | + |
| 164 | +The login page and all subsequent authenticated pages must be exclusively accessed over TLS or other strong transport. Failure to utilize TLS or other strong transport for the login page allows an attacker to modify the login form action, causing the user's credentials to be posted to an arbitrary location. Failure to utilize TLS or other strong transport for authenticated pages after login enables an attacker to view the unencrypted session ID and compromise the user's authenticated session. |
| 165 | + |
| 166 | +### Require Re-authentication for Sensitive Features |
| 167 | + |
| 168 | +In order to mitigate CSRF and session hijacking, it's important to require the current credentials for an account before updating sensitive account information such as the user's password or email address -- or before sensitive transactions, such as shipping a purchase to a new address. Without this countermeasure, an attacker may be able to execute sensitive transactions through a CSRF or XSS attack without needing to know the user's current credentials. Additionally, an attacker may get temporary physical access to a user's browser or steal their session ID to take over the user's session. |
| 169 | + |
| 170 | +### Consider Strong Transaction Authentication |
| 171 | + |
| 172 | +Some applications should use a second factor to check whether a user may perform sensitive operations. For more information, see the [Transaction Authorization Cheat Sheet](Transaction_Authorization_Cheat_Sheet.md). |
| 173 | + |
86 | 174 | #### TLS Client Authentication |
87 | 175 |
|
88 | 176 | TLS Client Authentication, also known as two-way TLS authentication, consists of both, browser and server, sending their respective TLS certificates during the TLS handshake process. Just as you can validate the authenticity of a server by using the certificate and asking a verifiably-valid Certificate Authority (CA) if the certificate is valid, the server can authenticate the user by receiving a certificate from the client and validating against a third-party CA or its own CA. To do this, the server must provide the user with a certificate generated specifically for him, assigning values to the subject so that these can be used to determine what user the certificate should validate. The user installs the certificate on a browser and now uses it for the website. |
|
0 commit comments