Authentication with a login and password is a well-known and common approach for identifying users on the internet and controlling access to web resources. However, with today's computing power, attackers can test billions of password combinations in a second. On top of that, statistics say that 65% of people reuse the same, usually simple, password everywhere. This means that stealing your credentials, or recovering them via a brute-force attack, is no longer a complicated task.
Two-factor authentication (also known as 2FA) is a method of confirming a user's identity in which the user is granted access only after successfully presenting two pieces of evidence (or factors) to an authentication mechanism: knowledge (something they, and only they, know: a login and password, a PIN code, etc.) and possession (something they, and only they, have). Possession factors may be an ID card, a security token, a smartphone, etc.: not a logical thing you know, but a physical entity.
In this post I would like to show how to implement two-factor authentication for a web application using Google Authenticator as the possession factor.
Continue reading Two-factor authentication with Google Authenticator
When developing web applications, one of the first tasks that arises in a backlog is making the application secure. This is easily explained: a web application exposes data to the whole world, and anyone can reach it within moments via the Internet. There is nothing much to think about when the web application is a simple set of public static pages whose data is available to everyone. But when access to particular resources must be limited to some group of people, or when the data exposed by the web application is highly sensitive private data, the security aspect of the implementation becomes a top priority.
The most famous and widely used approach to securing a web application is to have a so-called "Login page" where the user enters a login and password to establish their identity. Based on this identity, the user may or may not be authorized to access certain resources or data. This security paradigm is straightforward, it has a long history, and there is a huge number of frameworks for different programming languages that make it easy to add login-password authentication to web applications.
However, the topic of web application security is far deeper than simple authentication. There are many aspects to consider when building truly secure systems. In this article I would like to highlight these aspects by reviewing OWASP, the Open Web Application Security Project, and the Top 10 most critical and widespread web application security vulnerabilities that this project describes.
Continue reading Top 10 most critical Web Application Security risks