How to Reduce the Dangers of Broken Authentication on Your App

Authentication Versus Authorization

Although they sound similar and are often used together, authentication and authorization are two very different functions. Authentication refers to verifying someone’s identity–checking whether they actually are who they say they are. It’s why we have passwords, CAPTCHA tests, and two-factor authentication. Authorization, on the other hand, is identifying and limiting what information a verified person has access to. 

Both of these functions are important in controlling data access and security on your app.

Common Broken Authentication Attacks 

Let’s take a look at some common styles of attack that can threaten your app, and how properly managing both authentication and authorization can limit the danger. 

1: Session Hijacking/Session Fixation

Attackers use stolen session IDs to impersonate an authorized user. This can happen when…

• A user forgets to log out and leaves their device unattended.
• The session ID appears in the URL, making it easy to track and share.
• The attacker obtains extant session ID stored in application cookies and caches.

2: Credential Stuffing

Hackers use credentials (i.e. username or email address and password) leaked from other sites or programs. Since people often use the same information for multiple accounts, this technique, though time-intensive, is often effective. 

3: Password Spraying

The hacker uses a brute force attack by rapidly rolling through common passwords, including names, words, and dates. 

4: Phishing

Attackers obtain user login information by impersonating you or another legitimate provider. They may create an imitation email with slight, almost imperceptible changes to your name. 

• Consider controlling session lengths so that users have to re-authenticate after a certain amount of time. 
• Rotate and invalidate existing session IDs and authentication tokens to reduce the risk of those tokens being used by imposters. 
• Never put session IDs in the URL so that authentication information isn’t stored in a browser. 
• Implement multi-factor authentication so that users are verified by two sources. 
• Deny all non-public resources by default. 
• Log access control failures and set up alerts to flag suspicious activity. 
• Rate limit APIs to reduce the risk of bot attacks. 

These are just a few baseline ideas to improve security. An experienced developer can help you understand security risks and recommended protocols for your specific app or web tool. You will also want to utilize an access management tool that will implement and manage these and other safety measures.  (A rate limit is the maximum number of calls you allow in a particular time interval. Setting rate limits will manage network traffic for your APIs and for specific operations within your APIs).

Managing User Control Access (or Limiting Authorization) 

There’s a rule of thumb known in the development world as the principle of least privilege access. To increase your data security, give users the least access possible while still allowing them to do what they need to do. 

Each user accessing data on your app increases your security risk exponentially. Attacks can lead to unauthorized information disclosure, modification, or even destruction of data–both your own, and that of your users. However, as you limit user access to the bare bones, you reduce vulnerability. Even if credentials are stolen by a bad actor online, they’ll seldom have access to the entire database, or even to other users’ information. 

Controlling user access and limiting authorization is especially important when you store sensitive data such as Healthcare PII or credit card numbers. Healthcare and fintech software should have extra protocols in place to prevent broken access control, commensurate with local and federal guidelines. 

Don't Forget APIs 

In addition to user permissions for the people using your app, consider access control measures to limit vulnerabilities posed by APIs. An Application Programming Interface (API) is a communication channel between different software solutions. Because APIs need access to certain information from your app and your users, you need to consider how to monitor this communication securely, allowing the API to do its job without exposing more data than necessary. Encryption, rate limits, and API gateways are some best practices that can maintain your API security. 

Getting Help with an Access Management Plugin 

We often recommend an identity and access management platform to our clients. These programs let us set up an access control model on the app and automate much of the management. Some services that access management plugins offer may include: 

• Multi-factor authentication
• Single sign-on
• Consumer identity and access management
• Breached password notifications
• Access tokens for APIs
• Risk-based authentication
• And more…

Top Rated Access Management Tools

• Auth0
• Frontegg
• Okta
• Amazon Cognito
• FusionAuth
• Duo Security

Not all of the programs above provide every service listed, and not all of them will suit your unique tech stack. While we usually recommend Auth0 to our clients as it provides a robust but flexible suite of services, client needs may vary. An experienced development team can help you determine which service is right for your needs. 

With an add-on like Auth0 in place, developers have less to worry about as far as writing in custom security guardrails. Developers’ main jobs are risk assessment and mitigation to avoid anything that interrupts your authorization software protocol, and to ideate security workflows for effective authorization management without creating friction for you and your users. 

Educating Users and Preventing Bad Practices 

Beyond implementing additional authentication tools and controlling authorization and user access, one of the best things you can do to prevent broken authentication is to encourage users to take their own security seriously. 

Effective authorization starts with the user, whether that user is a client or someone within your own organization. In fact, those within your team should be especially aware of security protocol, as their higher-level access is more likely to pose a risk to all users if their credentials are stolen. Educating them on the potential dangers of stolen identity helps everyone share in the responsibility of online safety. 

Encourage users to safeguard their identity by:

• Setting unique parameters for passwords so that they must use one distinct from their user accounts on other platforms
• Only accepting passwords that are difficult to guess by including numbers, letters, and symbols
• Reminding users to change their password regularly
• Forbidding credential sharing
• Setting up alerts when a new device is used

Consult with an Experience Development Team  

These tips can help you reduce the risk of broken authentication attacks on your app’s data. However, cybersecurity is a fast-moving world of one-upmanship. Yesterday’s security measures won’t survive tomorrow’s attacks. Furthermore, generic recommendations won’t anticipate the unique risks of your app. The best way to keep your app and your users’ data safe is to consult with a reputable development team and learn about the best practices for your unique situation. 

Call us today to see how we can help you build a better, safer app.