OWASP has identified broken authentication and poor session management as a critical issue as far back as 2004. To this day it remains a major problem, and it looks set to stay one for the foreseeable future. The main driver is data breaches: attackers have an ever-growing pool of username and password combinations to use in brute-force style attacks against user accounts.
Data breaches happen all the time; roughly 19,280 records are stolen every hour, and breaches should be considered the new normal. It is now a matter of when your company will be hit by a breach, rather than if. This past week, for example, Air Canada was breached for twenty thousand user records containing sensitive information. Proper authentication controls and protocols have never been more important. What follows are some trends that we at Software Secured have noticed in the industry over the past decade or so.
As more and more data breaches occur, we find that companies are still not storing passwords securely. Insecure storage takes a number of forms, including:
- Plain-text passwords.
- Storing passwords using reversible encryption.
- Using weak or unsuitable algorithms such as MD5 or SHA1, or trivial encodings like ROT13 that are not hashes at all.
- Lack of unique salt per user password.
These, coupled with poor password policies, lead to user accounts being taken over by malicious users. A poor password policy allows passwords shorter than 8 characters with no numbers, symbols or special characters. A sound policy, by contrast:
- Requires more than 8 characters, with both upper- and lowercase letters.
- Requires numbers.
- Requires symbols.
Companies have been adopting two-factor authentication, or 2FA, as it provides another layer of protection for users in the event that a user's password is leaked in a data breach. 2FA adds a second piece of evidence that the user must present alongside their password when authenticating to a service. It usually consists of a one-time code delivered to the user via SMS, email, or a hardware or software token. A list of websites providing second-factor authentication can be found here. Problems arise when the one-time tokens are transmitted over insecure channels such as email and SMS.
SMS as a Channel
SMS messages are sent in clear text, and attackers are at times able to recover a user's text messages, either by intercepting the message or by gaining access to it through a different channel.
There are a number of ways an attacker can gain control of a user's phone number:
- Someone can walk into any retail cellular store and ask an employee to move your number to a new SIM. The employee will verify the person using some form of government ID, but won't necessarily verify that they actually own that phone number.
- The attacker can call a phone company and ask to port your number to another carrier.
- An attacker can gain access to your email account, to which you forward your SMS messages. Once they see the SMS code, they can request a password reset and use the reset token together with the stolen SMS code to set a password they know.
Companies are adding the ability for users to authenticate to their service with their Google or Facebook accounts. This helps users in that they have one less username and password combination to remember. It is a move in the right direction, but it comes with problems: federated identity protocols are hard to implement securely.
OAuth2 is probably the most popular protocol used to provide federated authentication. The protocol is securely designed but is often implemented poorly. Facebook, for example, fell prone to a poor implementation: an attacker was able to steal a user's authorization token by breaking out of the OAuth2 redirect_uri parameter, thereby sending the user's authorization token to a server the attacker controlled. Possession of that authorization token is equivalent to having the user's username and password.
Common flaws in protocol implementations include allowing attackers to set an arbitrary redirect_uri, improper error handling, and problems with the state parameter. An unvalidated redirect_uri can be abused by attackers to redirect users on authorization success or failure.
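The two defensive checks behind the flaws above, as an added example that is not code from the original post: an authorization server accepting redirect_uri only on an exact match against the client's registration, and a client generating and verifying an unguessable state value. The client id, callback URL and identity-provider endpoint are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Constructed registration data (hypothetical client id and callback URL):
# each client is registered with complete redirect URIs, never a prefix.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def redirect_uri_is_allowed(client_id: str, requested_uri: str) -> bool:
    """Authorization-server side: accept redirect_uri only on an exact match.

    Exact (not prefix or substring) matching rejects the usual variants: the
    registered host used as a subdomain or userinfo part of another host,
    extra path segments, a downgraded scheme, or an appended fragment.
    The same check must run on the error path, because a failed
    authorization is redirected to this URI as well.
    """
    return requested_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def build_authorization_request(client_id: str, redirect_uri: str):
    """Client side: return (authorize_url, state); store state in the user's session."""
    state = secrets.token_urlsafe(32)  # unguessable, bound to this browser session
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    # Hypothetical identity-provider authorization endpoint.
    return "https://idp.example.com/authorize?" + urlencode(params), state


def callback_state_is_valid(session_state, callback_state) -> bool:
    """Client side: reject a callback whose state is missing or differs from the session's."""
    if not session_state or not callback_state:
        return False
    return hmac.compare_digest(session_state.encode(), callback_state.encode())
```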
A SAML exploit released earlier this year allowed malicious users to bypass the authentication process completely. It resulted from XML libraries incorrectly parsing XML comments, which allowed attackers to inject a valid username into a SAML assertion and thereby bypass authentication entirely.
If you choose to manage the identity of your users, it is imperative that you implement proper password storage in case your data is ever leaked to the public. This means using a key-stretching hash function such as PBKDF2, bcrypt or Argon2, with a unique long salt per user, and a strong password policy. A strong password policy enforces a password length greater than 8 characters and ideally requires mixed casing, numbers and special characters.
New services have appeared that notify a user when their email address appears in a breach, such as haveibeenpwned. This helps lessen the impact of a user's credentials being leaked, as the user can quickly change their password to something more secure.
If you can run your application without managing usernames and passwords yourself, by implementing authentication through third-party identity providers like Facebook or Google, it is highly recommended to go that route.
Do not use SMS as an out-of-band mechanism to transport one-time tokens. Use a hardware token like a YubiKey or a software-based token application like Duo, Authy or Google Authenticator. Phone numbers are far too easy for attackers to gain access to.