## Secure Authentication Mechanisms

- Take Care with User Credentials
  - Never send login data over unencrypted connections
  - Redirect HTTP requests to HTTPS
  - Audit the website to make sure no usernames or emails are disclosed through HTTP responses
- Don't Count on Users for Security
  - Implement an effective password policy
  - Provide real-time feedback on the user's password strength
- Prevent Username Enumeration
  - Use identical/generic error messages on all authentication pages
  - Return the same HTTP status code with each login request
  - Make response times indistinguishable
- Implement Robust Brute-Force Protection
  - Implement strict, IP-based user rate limiting
  - Require a user to complete a CAPTCHA test with every login attempt after a limit is reached
- Check Verification Logic
  - Audit all verification and validation logic to eliminate flaws
- Implement Proper MFA
  - Use a device or app that generates the code directly (not SMS or email)
  - Make sure MFA logic is sound
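The username-enumeration and brute-force items above, as an added Python example that is not part of the original checklist: every failed login gets the same status code and message, an unknown username still goes through a full PBKDF2 check against a dummy credential so response time does not reveal whether the account exists, and a per-IP limiter demands a CAPTCHA once the failure limit is reached. The in-memory user store, the dummy credential and the `captcha_ok` flag are constructed assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Optional

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so that both failure paths (unknown user, wrong password) do the same work
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample user store (not from the page): username -> (salt, hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}

# Dummy credential checked for unknown usernames, so that path costs the same as a wrong password
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash(os.urandom(16).hex(), _DUMMY_SALT))

# One generic response for every failure: same status code, same message
FAILURE = (401, "Invalid username or password")
SUCCESS = (200, "Login successful")

def verify_credentials(username: str, password: str) -> bool:
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), stored)  # constant-time compare
    return match and username in USERS

class LoginService:
    """Per-IP limiter: after `limit` failures inside `window` seconds a CAPTCHA (`captcha_ok`) is required."""

    def __init__(self, limit: int = 5, window: float = 300.0):
        self.limit, self.window = limit, window
        self._failures = defaultdict(list)  # ip -> timestamps of recent failures

    def challenge_required(self, ip: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        self._failures[ip] = [t for t in self._failures[ip] if now - t < self.window]
        return len(self._failures[ip]) >= self.limit

    def login(self, ip: str, username: str, password: str,
              captcha_ok: bool = False, now: Optional[float] = None):
        now = time.time() if now is None else now
        if self.challenge_required(ip, now) and not captcha_ok:
            return (429, "Too many attempts; complete the CAPTCHA and retry")
        if verify_credentials(username, password):
            return SUCCESS
        self._failures[ip].append(now)  # every failure counts, whatever its cause
        return FAILURE
```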