

Authentication Best Practices for Cybersecurity

Authentication verifies user identities and blocks unauthorized login requests. Robust authentication systems make access easy for legitimate users, while securing credentials from external attackers.

This blog will introduce authentication best practices to secure your login process. We will cover every aspect of authentication, from username and password choices to encrypted hashes and session timeouts.

Common login security vulnerabilities

Login portals and processes are a critical network security weak point. Compromised entrance points allow easy access for unauthorized users, increasing the risk of data breaches and ransomware attacks. Alternatively, using an enterprise browser can help reduce these risks by enforcing secure access policies, isolating web sessions, and preventing browser-based exploits.

Securing login points is never simple. But the financial and reputational consequences of attacks make it a cybersecurity priority. Security starts with understanding the threat landscape. Here are some common vulnerabilities to help you plan:

  • Weak user credentials: Leaving users to create their credentials is a recipe for security problems. Individuals often use easily-guessed username and password combinations. They re-use credentials on many accounts, leave written copies in public, or share credentials with others. When bad actors get hold of passwords, it's easy to masquerade as legitimate users.
  • Password brute-forcing: Brute-forcing is an attack variety where hackers try many password variations. This sounds time-consuming (and it is) but attackers can target their efforts using contextual information. If they obtain credentials from other services, access is often a matter of time.
  • Simple passwords: User passwords must be complex and unique. Ideally, even the account holder should struggle to remember their current password. Password managers can take up the slack, protecting and rotating unique passwords. Yet many companies leave password hygiene to users, who may backslide and rely on simple, insecure credentials.
  • Unpatched tools: Attackers can exploit out-of-date software, using flaws in the code to gain network access. This can happen when companies fail to update firmware, but it's often caused by individuals clicking through "update now" notifications without installing them. Either way, unpatched software opens the door to attacks.
  • Phishing: Cyberattackers often research their targets and buy information to mount social engineering attacks. These attacks use emails or fake websites to persuade users to take risky actions. If they work, phishing attacks extract credentials: allowing attackers to assume legitimate user identities.
  • Lack of multi-stage authentication: Companies that rely on username and password portals are asking for trouble. Single-factor security allows access with a lucky guess or a relatively simple brute-forcing exercise. Multi-factor authentication or biometrics make this far harder.
  • Hacked password storage: Where you store passwords matters as much as the strength of passwords themselves. If you don't store passwords securely in encrypted locations, attackers can harvest credentials from an entire workforce. When that happens, all of your systems become vulnerable.
  • Session hijacking: Poor cookie security and not enforcing session time limits can create space for hijacking attacks. Attackers use session vulnerabilities to take over a user identity while they are connected. This creates a window for data extraction and other nasty surprises.

What are authentication best practices for businesses?

Poor login security exposes critical network assets. Network exposure is not just bad because it raises cybersecurity risks. Most login security problems are also easily avoidable. There's no excuse for leaving data undefended.

We can mitigate many login risks by implementing a robust authentication process. The best way to achieve this is following the authentication best practices outlined below.

Password hashing

Password hashing converts text and number-based passwords into an unreadable hash of symbols, numbers, and letters. Algorithms create fixed-length hashes that are only decipherable with a private encryption key.

Every user password is encrypted and stored securely. When users enter their password, the hashing algorithm gets to work. If this new hash matches the one stored in the password database, authentication systems allow access.

Organizations must hash passwords to keep them safe from external agents. Storing credentials in plain text format makes them easy to read, share, and use. Hashed credentials are only usable with the correct cipher: a much more secure situation.

Note: password hashing is not always secure. Older algorithms based on SHA-1 or MD5 are less secure than alternatives like Bcrypt, Scrypt, or PBKDF2. Modern hashing tools salt encrypted credentials, adding another layer of protection. Without this, brute-forcing remains possible.

Biometric authentication

Biometric authentication factors verify users based on unique physical signatures. Factors include fingerprints, iris or retina scans, voice recognition, and facial recognition.

An advanced biometric authentication process could also use behavioral analysis, analyzing key presses or mouse movements to identify a user. However, even simple biometrics provide more security than password authentication.

Obtaining physical data or access to an individual's body is very difficult, if not impossible. However, organizations must store biometric data securely. Hashed biometric templates make data harder to decode and use.

Implement multi-factor authentication (MFA)

Multi-factor authentication methods ask users to supply additional credentials beyond username and password combinations. Examples include one-time passcodes (OTPs) sent to mobile devices or hardware tokens.

The idea behind MFA is that if one factor is compromised, the remaining factors still stand in the attacker's way. Adding barriers between cyber attackers and sensitive data makes malicious login attempts far harder.

Effective multi-factor authentication systems send codes to separate devices. In the language of authentication, this combines a knowledge factor (a password) with a possession factor (a cellphone or token). Hackers would need access to the phone to obtain the OTP.

Password hygiene

Good password hygiene requires passwords that are unique, hard to guess, and securely stored. Using strong passwords is the first step in securing login portals. We can break down the task into several easily digestible actions:

  • Rotate passwords regularly. If hackers steal user credentials, they may already be out of date when attackers make login attempts.
  • Be clear about what not to include in passwords. For instance, outlaw the use of names, birthdays, places of birth, colleges, and loved ones. Many companies choose to prohibit all nouns, regardless of relevance.
  • Define what a strong password is. Ideally, complex passwords should be between 12 and 16 characters long. A strong password should mix symbols, numbers, and both lower and upper case letters.
  • Prevent password reuse. Using the same login credentials again and again makes accounts far easier to hack. Require different passwords for every service or device.
  • Use password managers. Password management tools store passwords securely, notify users about changing passwords, and ensure all passwords on the network are unique. Don't leave home without one.
  • Enforce password storage policies. The best policy is storing credentials in hashed format via centrally stored password managers. Prohibit paper copies of passwords or using text files on remote devices. An encryption layer is non-negotiable.
  • Require a unique username. Every user should have a unique ID, so that automated detection systems can attribute every action to an identifiable user.

Remember to document password hygiene practices in a formal policy. Password policies define how users should create, use, and store passwords. They also outline penalties for poor password security: discouraging laziness.

Password recovery

Attackers may obtain credentials by spoofing password requests. Avoid this situation by only sending password reset emails to registered user addresses. Secure responses with time-limited and encrypted tokens, forcing users to supply fresh credentials promptly.
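A reset flow built on the two rules above, as an added example rather than code from the original post: the mail goes only to the address on file for the account, and the token is random, single-use and expires. The account directory, the 15-minute lifetime and the use of opaque random tokens (stored hashed) instead of encrypted ones are this example's assumptions.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL = 15 * 60  # reset links expire after 15 minutes (assumed value)

# Constructed sample directory: username -> registered e-mail address
ACCOUNTS = {"alice": "alice@example.com", "bob": "bob@example.com"}


class PasswordResetService:
    def __init__(self, accounts: Dict[str, str], clock: Callable[[], float] = time.time):
        self._accounts = accounts
        self._clock = clock  # injectable so expiry can be tested without waiting
        self._pending: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (user, expiry)

    def request_reset(self, username: str) -> Optional[Tuple[str, str]]:
        """Return (registered_email, token) for the mailer, or None for unknown users.

        The destination comes from the account record, never from the request,
        so a forged request cannot redirect the mail. Show the caller the same
        generic "if the account exists, mail was sent" message in both cases.
        """
        email = self._accounts.get(username)
        if email is None:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable
        # Store only a hash: a leaked table of pending resets is then useless.
        self._pending[self._digest(token)] = (username, self._clock() + TOKEN_TTL)
        return email, token

    def consume(self, token: str) -> Optional[str]:
        """Validate a token exactly once; return its username, or None."""
        entry = self._pending.pop(self._digest(token), None)  # pop enforces single use
        if entry is None:
            return None
        username, expiry = entry
        if self._clock() > expiry:
            return None  # link arrived too late; user must request a fresh one
        return username

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()
```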

Limiting login attempts

Hackers often mount multiple login attempts during credential stuffing attacks. If they are free to enter credentials all day long, they will eventually succeed. The only solution is limiting logins and password reset requests.

Provide users with some leeway. Users forget or mis-type credentials, and forced lockouts are never helpful. A limit of three to five login attempts is a sensible compromise.

Admins can also set temporary account locks to accommodate failed logins by legitimate users. A 15-minute lock should prevent brute-force attacks while not inconveniencing users too much.
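The attempt limit and temporary lock from the two paragraphs above, as an added example that is not code from the original post. It assumes five attempts and a 15-minute lock, tracks failures per account, and takes an injectable clock so the lock expiry can be tested without waiting.

```python
import time
from collections import defaultdict
from typing import Callable, Dict

MAX_ATTEMPTS = 5           # the post suggests three to five
LOCKOUT_SECONDS = 15 * 60  # temporary lock, not a permanent lockout


class LoginThrottle:
    """Counts consecutive failed logins per account and enforces a temporary lock."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock has expired: clear state so the user starts with a clean slate.
            del self._locked_until[username]
            self._failures[username] = 0
            return False
        return True

    def record_failure(self, username: str) -> bool:
        """Register a failed attempt; return True if the account is now locked."""
        if self.is_locked(username):
            return True
        self._failures[username] += 1
        if self._failures[username] >= MAX_ATTEMPTS:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def attempt_login(throttle: LoginThrottle, username: str, password: str,
                  check_credentials: Callable[[str, str], bool]) -> str:
    """Return "locked", "denied" or "ok"; locked accounts are refused before the
    password is even checked, so a correct guess during the lock gains nothing."""
    if throttle.is_locked(username):
        return "locked"
    if check_credentials(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```

Failed attempts and lock events are also exactly the signals the audit section later recommends tracking, so log each one with the account name and timestamp.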

Session management

Given the risks of session hijacking, every company must employ secure session management.

Session management limits the length of sessions. This cuts the risk of attackers gaining control of accounts and accessing sensitive user information.

Set maximum session limits, including timeouts after periods of inactivity. 15-30 minutes without activity should trigger session termination. Absolute session limits depend on user activity. Some workloads require lengthy access to sensitive data. Other times, 60-90 minute sessions will be sufficient.

Whatever limit you set, require users to re-enter their credentials when the time limit expires. Regenerate session IDs when users resubmit login credentials. This helps avoid session fixation attacks, which exploit re-used session tokens.
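A session store implementing the three rules above (idle timeout, absolute limit, fresh ID on every login), as an added example rather than code from the original post. The 15-minute idle and 60-minute absolute limits are assumed values from the ranges the post gives; the clock is injectable for testing.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60      # end the session after 15 minutes without a request
ABSOLUTE_TIMEOUT = 60 * 60  # force re-authentication after 60 minutes regardless


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, presented_id: Optional[str] = None) -> str:
        """Issue a brand-new session ID on every successful login.

        Whatever ID the client presented beforehand (possibly one planted by an
        attacker) is discarded rather than upgraded, which defeats session fixation.
        """
        if presented_id is not None:
            self._sessions.pop(presented_id, None)
        now = self._clock()
        sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable or derivable
        self._sessions[sid] = Session(user, now, now)
        return sid

    def touch(self, sid: str) -> Optional[str]:
        """Validate on every request; return the user, or None if expired/unknown."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]  # expired: the client must log in again
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```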

Secure authentication protocols

Secure authentication protocols are vital. Protocols manage credentials and verify user identities during the authentication process. Weak protocols fail to secure user data, putting credentials at risk.

Secure protocols use encryption to lock down user credentials at every stage. Examples include:

  • Security Assertion Markup Language (SAML): Generally used to secure Single Sign-On authentication portals.
  • OAuth 2.0: A token-based open source standard used in web and mobile apps. Does not expose text passwords at any point. Suitable for securing API access.
  • OpenID Connect (OIDC): An identity layer built on OAuth 2.0, designed for use with trusted identity providers.
  • Kerberos: A highly-secure protocol based on public key encryption.
  • Lightweight Directory Access Protocol (LDAP): Manages user directories on large networks, using encryption to shield credential transmission.

Audit your login security

Regular security audits are another must-have when securing login processes.

Start by tracking failed logins and password resets. Monitor user behavior for suspicious activities, and keep a register of security alerts with investigation outcomes.

Audits use this information to assess login security. Test access points to ensure your authentication process works as designed. Systematically analyze known login vulnerabilities (refer to the list above for some common examples).

Finally, fix security gaps, documenting mitigation action in an audit report. No login system is perfect, and every network is vulnerable. Assume gaps exist. Complacency guarantees security problems in the future.

Conclusion

Following our login and authentication best practices will help you secure one of the most vulnerable parts of any network: access points.

Central networks, cloud services, mobile apps, and web application services all request credentials and approve user access.

Protocols, password hygiene, session management, MFA, and hashing all have roles to play. Miss one out, and you will leave systems exposed to potential attacks.

Login security requires a comprehensive approach. Adhere to best practices and audit your security posture to deter attackers and keep data safe.



Featured Image by Pixabay.

