Hacking is now a day-to-day issue that websites have to deal with. Some of the public-facing websites I worked on had a dedicated team to monitor traffic in real time and take action against suspected sessions and users. Developers should also take the security of their websites seriously and build more security features into them. The first place to start is the authentication and authorization provider of the website.
Most websites have a simple username and password login. This is not enough. Even if the password is encrypted and stored in the database, a simple username and password combination is very vulnerable. It is important that sites implement multi-factor authentication. Here are a few of the practices I have followed over the years.
The ultimate goal of authentication and authorization is to establish and confirm the identity of the user.
Geo IP tracking
Track the IP address of user sessions. Store a history of the IP addresses from which each user browses your website. Use a Geo IP database to decode the approximate geographical location of the user and set a radius for login. Whenever a user logs in, check against the history to find out whether they are logging in from the same geo location or from within the radius set by the website. Keep the Geo IP database updated frequently, as ISPs tend to change the mapping of IP ranges to cities very often. Sometimes the user may be connected to a different network, such as a company VPN, and in this case the IP address may be totally different from their usual login. Ask the user to validate their identity and then track the new network IPs.
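The check described above, as an added example that is not part of the original post: a login is allowed when the IP is already in the user's history or resolves to a location within the configured radius of a known one; anything else (unknown network, unknown location, first login) is sent for extra identity validation, and only after that validation is the new network remembered. The Geo IP table, the addresses and the radius are constructed for illustration; a real deployment would query a maintained Geo IP database.

```python
import ipaddress
import math
from dataclasses import dataclass, field

# Constructed Geo IP table: network -> (latitude, longitude, city).
# Stand-in for a real, regularly refreshed Geo IP database.
GEO_IP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): (40.7128, -74.0060, "New York"),
    ipaddress.ip_network("198.51.100.0/24"): (40.0583, -74.4057, "New Jersey"),
    ipaddress.ip_network("192.0.2.0/24"): (51.5074, -0.1278, "London"),
}


def locate(ip):
    """Return (lat, lon, city) for an IP, or None when the database has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, loc in GEO_IP_TABLE.items():
        if addr in net:
            return loc
    return None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


@dataclass
class LoginHistory:
    radius_km: float = 100.0                          # constructed site policy
    trusted_ips: dict = field(default_factory=dict)   # user -> set of trusted IPs

    def evaluate(self, user, ip):
        """'allow' when ip is known or within radius of a known location, else 'verify'."""
        known = self.trusted_ips.get(user, set())
        if ip in known:
            return "allow"
        here = locate(ip)
        if here is None:
            return "verify"          # cannot place the address: ask for identity proof
        for old_ip in known:
            there = locate(old_ip)
            if there and haversine_km(here[0], here[1], there[0], there[1]) <= self.radius_km:
                self.trusted_ips[user].add(ip)   # same area as a trusted address
                return "allow"
        return "verify"              # new geography (VPN, travel, account takeover)

    def confirm(self, user, ip):
        """Call only after the user passed the extra identity check."""
        self.trusted_ips.setdefault(user, set()).add(ip)
```

A login from a new address in the same metro area is accepted and recorded, while a login from another country, or from a network the database cannot place, returns "verify" and leaves the history untouched until the user proves their identity.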
Nowadays websites are increasingly using Single Sign-On from popular providers like Facebook, LinkedIn, Google, Yahoo etc. When you integrate such SSO logins, read about the multi-factor authentication implemented by these providers to avoid any liability to your website when their site gets hacked. Facebook has good multi-factor authentication; Google is best-in-class. If you are using Azure, it has multi-factor authentication in its Active Directory service and you can leverage that.
Most of the applications I have worked on had two basic limitations when it comes to authorization. One is that most of them granted their users access at screen level; the other is that most of them had predefined roles and permissions, and some of the usage of the application was based on trust. I think it is time to change that. The beauty of the MVC framework is that it helps developers think in terms of action-centric development rather than the content-centric development that happens in most non-MVC applications. Break your actions down to the atomic level in the MVC framework and provide the flexibility of granting permission at this atomic level to any role or to specific users in the application. This solves both problems. For example, one of the requirements site admins ask for is to have different types of admins: one role to create new users, one role to deactivate users, one role to just do password resets or unlock accounts.
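Action-level authorization as described above, as an added example that is not code from the original post: every controller action is guarded by its own atomic permission, roles are just named bundles of those permissions, and a specific user can additionally be granted a single action without inventing a new role. The action names, roles and users are constructed for illustration, and the in-memory controller stands in for a real MVC controller.

```python
from functools import wraps


class PermissionDenied(Exception):
    pass


# Atomic actions, one per controller action. Names are constructed for this example.
ACTIONS = {"users.view", "users.create", "users.deactivate",
           "users.reset_password", "users.unlock"}

# Roles are bundles of atomic actions; the split admin roles the post mentions.
ROLE_PERMISSIONS = {
    "user_creator": {"users.view", "users.create"},
    "user_deactivator": {"users.view", "users.deactivate"},
    "helpdesk": {"users.view", "users.reset_password", "users.unlock"},
}


class Principal:
    def __init__(self, name, roles=(), direct_grants=()):
        self.name = name
        self.roles = set(roles)
        self.direct_grants = set(direct_grants)   # per-user grants outside any role

    def effective_permissions(self):
        perms = set(self.direct_grants)
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms & ACTIONS       # an unknown action name never grants anything

    def can(self, action):
        return action in self.effective_permissions()


def requires(action):
    """Guard a controller method; the caller's Principal is the first argument after self."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")

    def decorator(fn):
        @wraps(fn)
        def wrapper(self, principal, *args, **kwargs):
            if not principal.can(action):
                raise PermissionDenied(f"{principal.name} may not {action}")
            return fn(self, principal, *args, **kwargs)
        return wrapper
    return decorator


class UsersController:
    """One 'screen', several independently authorized actions."""

    def __init__(self):
        self.users = {"bob": {"active": True, "locked": True}}   # constructed data

    @requires("users.create")
    def create(self, principal, username):
        self.users[username] = {"active": True, "locked": False}
        return username

    @requires("users.deactivate")
    def deactivate(self, principal, username):
        self.users[username]["active"] = False
        return self.users[username]["active"]

    @requires("users.reset_password")
    def reset_password(self, principal, username):
        return f"reset-token-for-{username}"     # constructed placeholder token

    @requires("users.unlock")
    def unlock(self, principal, username):
        self.users[username]["locked"] = False
        return self.users[username]["locked"]


def is_denied(fn, *args):
    """True when the guarded action refuses the caller."""
    try:
        fn(*args)
        return False
    except PermissionDenied:
        return True
```

With screen-level access the helpdesk role would have seen the whole user admin page; here it can reset passwords and unlock accounts but a call to deactivate is refused, while a user-creator with one extra direct grant can deactivate without being given a second role.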
With more and more organizations allowing BYOD, it is time to enforce authentication and authorization at the device level. Mobile applications should require their own authentication and authorization using native features like face recognition or voice recognition. The admin should have the ability to erase the data in the app when the device is lost or the user leaves the company. Registering new devices and authorizing them should be done properly, and Geo IP tracking should be enforced for mobile devices too.
Middle Tier Authentication and Authorization
Enterprises now have a set of Enterprise Services that act as middleware for most of their applications. It is very important to enforce multi-factor authentication and authorization in this layer too. In the beginning, most Enterprise Services were accessed by applications using the same username and password for all users, just like a database connection string. This is not secure. It is important to track usage of Enterprise Services at the App level as well as the User level.
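The point above, as an added example that is not part of the original post: the middle-tier service accepts a request only when the calling application proves itself (here with an HMAC over the request using a per-app secret) and names the end user on whose behalf it is acting, so usage can be counted per app and per user; a request that carries the app credential alone, the way a shared connection string would, is rejected. App ids, secrets, users and the action name are constructed for illustration.

```python
import hashlib
import hmac
import json
import time
from collections import Counter

# Constructed app registry: app id -> shared secret (a real system keeps these in a secret store).
APP_SECRETS = {
    "web-portal": b"constructed-secret-for-web-portal",
    "mobile-api": b"constructed-secret-for-mobile-api",
}


class AuthError(Exception):
    pass


def sign_request(app_id, secret, user_id, action, ts):
    """Client side: bind app identity, end-user identity, action and time into one signed payload."""
    payload = json.dumps({"app": app_id, "user": user_id, "action": action, "ts": ts},
                         sort_keys=True)
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


class EnterpriseService:
    def __init__(self, max_skew=300):
        self.max_skew = max_skew              # seconds of clock skew tolerated
        self.usage_by_app = Counter()         # app-level tracking
        self.usage_by_user = Counter()        # user-level tracking, keyed (app, user)
        self.audit = []

    def handle(self, request, now=None):
        payload = request["payload"]
        data = json.loads(payload)
        secret = APP_SECRETS.get(data.get("app"))
        if secret is None:
            raise AuthError("unknown app")
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request["sig"]):
            raise AuthError("bad signature")      # also catches a tampered user field
        now = time.time() if now is None else now
        if abs(now - data["ts"]) > self.max_skew:
            raise AuthError("stale request")
        if not data.get("user"):
            raise AuthError("no end-user identity")   # app credential alone is not enough
        self.usage_by_app[data["app"]] += 1
        self.usage_by_user[(data["app"], data["user"])] += 1
        self.audit.append((data["app"], data["user"], data["action"]))
        return f"{data['action']} ok for {data['user']} via {data['app']}"


def rejected(service, request, now):
    """Return the rejection reason, or None when the request was accepted."""
    try:
        service.handle(request, now=now)
        return None
    except AuthError as e:
        return str(e)
```

Because the user id is inside the signed payload, an application cannot change the acting user after signing, and the service ends up with an audit trail that says which app made each call for which user instead of one anonymous service account in the logs.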
Hope this article sows some seeds of thought for implementing multi-factor authentication and authorization. Please post your tips on this topic on Twitter. You can find me on Twitter @hthirukkumaran.