Just a simple talk today for the Login security.
It is actually the easiest thing of an Application, right? To be able to register and login into the system.
But yeah, security matters. You need to implement a bunch of things to ensure your customers/clients won't lose their accounts easily.
But there are always pros and cons. The more secure, the less UX and vice versa.
Let's talk about Login Form first
Do you know what the differences are between these 2 login forms?
The first login form looks cool and drives users to multiple pages, awesome right?
But it's having the worst security.
The second one - on the other hand - is simple yet powerful.
For the first one, you check whether the email exists first, then check the password after.
- So, if the hacker guesses the email correctly, they have a 50% chance to take over the client's account.
But for the second one, you show a single error: "email or password is incorrect".
- So they don't even know which one is wrong, or whether both are.
Simple yet powerful 😉.
Additionally, for "Forgot Password", when submitting, you should show something like:
- "We received your request and will send out the recovery steps to your email if it exists in our database"
Then who knows if the email is in our system or not hehe.
Stop Brute force
Brute force is a simple technique: write a simple bot that tries to log in, guessing the email & password, regardless of the form type.
The bot can run on a single machine or on distributed machines/servers (VPS is quite cheap these days).
From the customer's side, avoiding being hacked this way is really simple: use a strong password (12+ chars, including uppercase letters, numbers and symbols).
- But it is also a pain in the ass to remember the password, isn't it?
For your applications, you need to apply:
Rate-limiting (eg: 10 login requests per min).
Captcha (yes, simple but powerful against bots)
reCAPTCHA from Google
That's how we protect our login against brute force strategy.
Additionally, you can let your customers set up the 2-factor auth too. Via:
Email OTP (💰)
SMS OTP (💰)
Time-based OTP (Google Auth or Authy,...) (Free)
And remember the rate-limiting here too. An OTP is usually 6 digits, so 000000 - 999999 is only 1 million possibilities; without a limit, a bot needs at most 1 million requests to get access.
When registering, you can ask customers to add 2 or 3 security questions (for recovery and access purposes), some questions like:
What is your first pet's name?
What is your mother's maiden name?
The biggest city you've visited?
This provides a secure way to protect customers' accounts. But human memory is the issue here 😜, let's talk about UX later.
The Combination and UX comparison.
So, if you applied all the suggested options, your login page would have the worst experience for any human being. It is too much.
Let's point out what the musts are and what is nice-to-have.
Log in with email & password on the same screen. It lowers the hacker's chance.
- Remember the "Forgot Password" too.
Rate-limiting on login requests.
- 5~10 requests/min should be cool.
This would protect your app ~85% from attackers.
With a captcha, you don't have to add the rate-limiting. But add it in a UX-friendly way:
- Login failed around 3 times => require a captcha for the next 30 mins.
Temporarily lock the login for an account after N wrong attempts.
- Remember to send an email to the owner of the account, so they know and can unlock it themselves (if it was their own fault).
Don't make 2-factor auth mandatory. Let customers set it up themselves.
- Only make it mandatory when the user's password is weak (less than 8 chars, missing symbols,...)
SMS is the coolest one without any dependencies, but it costs $$$...
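As an added example (not code from the original post), here is how the musts above fit together in one small Python login handler: the same error for a wrong email and a wrong password, a failure counter keyed by the submitted email that demands a captcha after 3 failures and temporarily locks after N, an owner notification on lock, and a "Forgot Password" reply that is the same either way. The user store, thresholds and messages are constructed assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed in-memory user store for this example (hypothetical data).
# A real app would use bcrypt/argon2 and a database.
_SALT = b"constructed-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice@example.com": _hash("correct horse battery staple")}

GENERIC_ERROR = "email or password is incorrect"  # one message for every failure
CAPTCHA_AFTER = 3        # failed attempts before a captcha is demanded
LOCK_AFTER = 10          # failed attempts (N) before the login is temporarily locked
WINDOW = 30 * 60         # seconds the failure counter (captcha demand / lock) persists

_failures: dict = {}               # email -> (count, time of last failure)
OWNER_NOTIFICATIONS: list = []     # emails whose real owner was told about a lock

def login(email: str, password: str, captcha_ok: bool = False, now: Optional[float] = None) -> dict:
    now = time.time() if now is None else now
    count, last = _failures.get(email, (0, 0.0))
    if now - last > WINDOW:          # counter expired, start fresh (lock ends too)
        count = 0
    # Counters are keyed by the submitted email whether or not it is registered,
    # so the captcha/lock responses do not reveal which emails exist.
    if count >= LOCK_AFTER:
        return {"ok": False, "error": "too many attempts, try again later"}
    if count >= CAPTCHA_AFTER and not captcha_ok:
        return {"ok": False, "error": "captcha required"}
    stored = USERS.get(email)
    candidate = _hash(password)      # always hash, so timing is the same for unknown emails
    valid = stored is not None and hmac.compare_digest(stored, candidate)
    if valid:
        _failures.pop(email, None)
        return {"ok": True}
    count += 1
    _failures[email] = (count, now)
    if count == LOCK_AFTER and stored is not None:
        OWNER_NOTIFICATIONS.append(email)   # the real owner learns about the lock, the attacker does not
    return {"ok": False, "error": GENERIC_ERROR, "captcha_required": count >= CAPTCHA_AFTER}

def forgot_password(email: str) -> str:
    # Same reply whether or not the email is registered.
    return "We received your request and will send the recovery steps to your email if it exists."
```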
And yeah, I'm not a fan of Security Questions, they are basically never in my mind haha 😆.
Yeah, some simple knowledge for newbies, juniors and mid-levels out there.
Keep rocking and thanks for reading!