999 B
Secure Authentication Mechanisms
-
Take Care with User Credentials Never send login data over unencrypted connections Redirect HTTP requests to HTTPS Audit website to make sure no username or emails are disclosed through HTTP responses
-
Don't Count on Users for Security Implement an effective password policy Provide real-time feedback on user's password strength
-
Prevent Username Enumeration Use identical/generic error messages on all authentication pages Return the same HTTP status code with each login request Make response times indistinguishable
-
Implement Robust Brute-Force Protection Implement strict, IP-based user rate limiting Require a user to complete a CAPTCHA test with every login attempt after a limit is reached
-
Check Verification Logic Audit all verification and validation logic to eliminate flaws
-
Implement Proper MFA Use a device or app that generates the code directly (not SMS or email) Make sure MFA logic is sound