
I didn't find any good reference where the steps for authentication are defined (at least the order of the steps).

To be more specific, I am interested in what the sequence of steps should be:

  1. Username verification (whether the user name is found);
  2. Password verification;
  3. Credentials expired or not expired;
  4. Credentials temporary or not temporary;
  5. Captcha verification.

I understand that in a particular case the order of these steps is not so important, but generally it would be good to know about such recommendations, even in order to create appropriate use cases for the system.

As an example, it can be designed in different ways:

  1. The system can provide only a general message that the user name or password is not correct. In the case of an incorrect captcha the message will be the same.

  2. The system can provide several different messages. As an example, an incorrect captcha will produce a message similar to "Incorrect captcha is entered"; an incorrect username or password will produce the message "user name or password is not correct". (I am not sure whether from a security perspective it's OK.)

And the question is: which use case is better? (It would be good to provide some proof that this is better, with appropriate arguments.)

user1459144

1 Answer


It depends on a lot of things. But I would do it like this:

Clientside

  1. If you want, check general requirements, e.g. username and password lengths, and prompt the user; this can be done in JavaScript.

Do not forget that this code will be public, meaning a hacker will see these requirements and take them into account while performing an attack.

Serverside

  1. Captcha verification. Do this first, because if this fails there is no need to use your database for lookups. (Probably you're using some kind of third-party service here, I assume.)

  2. Username and password check, because this would be the second most common failure.

  3. Credentials expired or not expired, and credentials temporary or not temporary, in any order.


Good to know:

2 and 3 could also, probably (depending on your architecture), be done in one single database lookup. If you use an SQL database, do not forget to use prepared statements.

You could also do a lot server side to detect attack attempts and restrict permissions if something is fishy. E.g. temporarily ban user accounts after X failed login attempts. Store IP addresses and match them to locations. E.g. an American user logging in from China 10 minutes later is suspicious behaviour (Facebook and others do this).

Make sure you know exactly what you do client side and server side, and the execution order. A good idea can be to draw an information flow diagram, and to use an interception proxy to see what is sent. Are the passwords sent in the clear? (Use SSL and hash them client side; that is not to say you do not hash them again (and salt) server side, so that the method can be as secret as possible.)

The D Merged
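The server-side order the answer recommends (captcha first, then a single parameterised lookup, then the password, ban, expiry and temporary-credential checks, with one generic failure message for everything except the captcha), as an added example that is not part of the original answer. It assumes an in-memory SQLite table, a PBKDF2 hash from the standard library as a stand-in for the site's real password hashing, a plain string comparison as a stand-in for the third-party captcha service the answer mentions, and made-up lockout constants (MAX_FAILED_ATTEMPTS, LOCKOUT_SECONDS) for the answer's "X failed login attempts":

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Assumed constants standing in for the answer's "X failed attempts" and ban length.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000
# One message for unknown user, wrong password, expired and banned accounts,
# so the response does not reveal which check failed.
GENERIC_FAILURE = "User name or password is not correct."


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is used only to keep the example self-contained;
    # a real deployment would use bcrypt/scrypt/Argon2.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Dummy salt/hash so an unknown username costs about the same time as a real check
# (otherwise response time leaks whether the username exists).
_DUMMY_SALT = secrets.token_bytes(16)


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(
        """CREATE TABLE users (
               username        TEXT PRIMARY KEY,
               salt            BLOB NOT NULL,
               pw_hash         BLOB NOT NULL,
               expires_at      REAL,                         -- NULL = never expires
               temporary       INTEGER NOT NULL DEFAULT 0,   -- 1 = must change password
               failed_attempts INTEGER NOT NULL DEFAULT 0,
               locked_until    REAL                          -- NULL = not banned
           )"""
    )
    return con


def add_user(con, username, password, expires_at=None, temporary=False):
    salt = secrets.token_bytes(16)
    # Parameterised statement, as the answer recommends; never string-format SQL.
    con.execute(
        "INSERT INTO users (username, salt, pw_hash, expires_at, temporary) VALUES (?, ?, ?, ?, ?)",
        (username, salt, hash_password(password, salt), expires_at, int(temporary)),
    )


def captcha_ok(submitted: str, expected: str) -> bool:
    # Stand-in for a third-party captcha service (constructed for the example).
    return hmac.compare_digest(submitted.encode(), expected.encode())


def login(con, username, password, captcha_answer, captcha_expected, now=None):
    """Returns (status, message). Order of checks follows the answer."""
    now = time.time() if now is None else now

    # 1. Captcha first: a failure here costs no database work.
    if not captcha_ok(captcha_answer, captcha_expected):
        return ("failure", "Incorrect captcha entered.")

    # 2+3. One parameterised lookup fetches everything the remaining checks need.
    row = con.execute(
        "SELECT salt, pw_hash, expires_at, temporary, failed_attempts, locked_until "
        "FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        hash_password(password, _DUMMY_SALT)  # burn the same time as a real check
        return ("failure", GENERIC_FAILURE)
    salt, pw_hash, expires_at, temporary, failed, locked_until = row

    # Temporarily banned? Checked before the password so a ban cannot be probed.
    if locked_until is not None and locked_until > now:
        return ("failure", GENERIC_FAILURE)

    if not hmac.compare_digest(hash_password(password, salt), pw_hash):
        failed += 1
        locked = now + LOCKOUT_SECONDS if failed >= MAX_FAILED_ATTEMPTS else None
        con.execute(
            "UPDATE users SET failed_attempts = ?, locked_until = ? WHERE username = ?",
            (failed, locked, username),
        )
        return ("failure", GENERIC_FAILURE)

    # Password correct: clear the failure counter, then evaluate account state.
    con.execute(
        "UPDATE users SET failed_attempts = 0, locked_until = NULL WHERE username = ?",
        (username,),
    )
    if expires_at is not None and expires_at <= now:
        return ("failure", GENERIC_FAILURE)  # expired: same message, not disclosed
    if temporary:
        return ("must_change_password", "Temporary credentials: set a new password.")
    return ("success", "Welcome.")
```

The only response that differs from the generic one is the captcha failure, which by this point is already a logged request to the server; everything that depends on account state (unknown user, wrong password, banned, expired) collapses to one message so the caller learns nothing from the text, and the dummy hash keeps the unknown-user path from being distinguishable by timing.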
  • Is it a valid scenario (from a security perspective) to show a message that the captcha is wrong (or is there some recommendation to show only one message)? Because in the case of expired credentials it's recommended not to display a message that the credentials are expired. – user1459144 Jan 08 '14 at 17:37
  • I would not show a client-side triggered warning about a wrong captcha; smart bots can adapt to this easily. Let the request be sent to the server so it can be logged. Also, if you check the captcha client side, the code is fully visible to any malicious user. It could be obfuscated, but it's still there for them to reverse engineer. – The D Merged Jan 08 '14 at 17:40
  • And one more question about preferences :). In case the captcha should be displayed after 10 failed attempts for a specific user, will you change the proposed sequence of steps? Because in this case you also need to do a DB lookup (and this operation will be more expensive than the credentials check)? – user1459144 Jan 08 '14 at 17:49
  • Can you provide some link that says displaying a message about an incorrect captcha is undesirable (because as for me it doesn't provide a hacker [bot] much more value)? – user1459144 Jan 08 '14 at 17:51
  • I would not do this, because then you would have to have a special feature database saving login attempts and user names, at least. This database would then always have to be checked before other lookups. I would first check the captcha, then get all information coupled to the user in one select operation, and then systematically check for the cases: temp banned? Valid usn and pass? – The D Merged Jan 08 '14 at 17:55
  • If you print "captcha is wrong" you see it. A bot can also see this and then just try another captcha without you even knowing about it. And then, what decides if the captcha is right or wrong? The answer must be saved in the JavaScript code and it can be read by an attacker. A server request is hence needed. After a server request you shall, of course, print in the clear "captcha is wrong" or something similar. Again a bot can see this, but then you have already logged it as a failed login attempt, right? :) – The D Merged Jan 08 '14 at 18:00