First of all, in light of the many leaks of user profiles and passwords happening all over the world, it seems like authentication on the web is broken, and little is seriously done to prevent user accounts from being hacked. Historically, getting hacked is nothing new, and it is tied to our authentication method.
Since the advent of the internet, users have been required to provide a username and password in order to be authenticated by a web application. With our lousy memory, we tend to reuse the same password across several sites, or change only one letter to uppercase when the password validation demands it. In most cases we use extremely simple passwords, and the result is that our accounts get hacked. It is even easier now that past leaks have created a huge database of logins available to anyone: credential stuffing simply replays those leaked username/password pairs against other sites.
As a developer, passwords should be handled with the utmost care. Yet some careless developers still keep passwords as plain text in their databases, providing easy pickings for the next leak. A password should only ever be stored as a salted, deliberately slow hash (bcrypt, scrypt or Argon2), so that a dump of the table does not hand the attacker every account at once.
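To make the point concrete, here is the careless approach next to the hardened one. This is an added example, not code from the original post; the in-memory dictionaries stand in for a users table, and the scrypt cost parameters are an assumed baseline you should tune for your own hardware.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory "databases" standing in for a real users table.
plaintext_db = {}  # careless approach: the password itself is the record
hashed_db = {}     # hardened approach: (salt, scrypt hash) per user

# scrypt cost parameters (assumption: a reasonable 2020 baseline; raise N if your
# hardware allows). Memory use is 128 * N * r bytes = 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def register_plaintext(username: str, password: str) -> None:
    """What the careless developer does: a table dump hands out every password."""
    plaintext_db[username] = password


def login_plaintext(username: str, password: str) -> bool:
    return plaintext_db.get(username) == password


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, memory-hard key derivation so offline guessing is expensive."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def register_hashed(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # per-user random salt defeats precomputed tables
    hashed_db[username] = (salt, _derive(password, salt))


def login_hashed(username: str, password: str) -> bool:
    record = hashed_db.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time does not
        # reveal whether a username exists.
        _derive(password, b"\x00" * 16)
        return False
    salt, expected = record
    # Constant-time comparison: never use `==` on secret material.
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    register_plaintext("carol", "hunter2")
    register_hashed("alice", "correct horse battery staple")
    print("plaintext row:", plaintext_db["carol"])        # readable by anyone holding the dump
    print("hashed row:   ", hashed_db["alice"][1].hex())  # useless without a brute-force campaign
    print(login_hashed("alice", "correct horse battery staple"),
          login_hashed("alice", "wrong"))
```

Note that the hashed record is useless to an attacker without a per-password brute-force campaign, and the per-user salt means that campaign cannot be shared across users or precomputed.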
For the sake of security, around 2015 a new trend in consumer web authentication took off: "Two Factor Authentication" or 2FA. This method still relies on a username and password, but adds a code delivered one way or another to a device the user owns (an SMS, an authenticator app, a hardware key). Studies published by large identity providers report that a second factor stops roughly 95% of account-takeover attacks on web applications, and the figure is higher still for purely automated attacks. Still, in 2020 it is not commonly used. Why?
There are several causes:
- Users tend to get bothered by multi-step authentication.
- Security is not a first priority for management or developers, even if a breach can damage the company's reputation.
- Adding 2FA is time consuming.
- Entrusting another company with your user database is a tough decision.
Nowadays "Multi Factor Authentication" or MFA is becoming a buzzword when we talk about authentication. But we are still years behind when it comes to securing user accounts. Nevertheless, there are options to remedy the situation.
MFA is a standard today, used by most of the tech giants, and it should be democratized. It can be added to your software through open source libraries or third-party services: the time-based one-time code scheme behind authenticator apps, TOTP, is an open standard (RFC 6238) that any language can implement in a few dozen lines. It can feel risky to entrust another company with your user database, but they put their reputation on the line by providing this sort of service.
With the advent of MFA, a new trend is emerging: passwordless authentication. The goal is to replace the username/password step commonly used on the web with a link sent to your e-mail address, either on its own or combined with other authentication steps. This spares the user from typing a password and thus removes the human issue from the equation. The caveat is that the account is then only as secure as the mailbox, and the link itself must be unguessable, short-lived and single-use, or the e-mail inbox becomes the new plaintext password store.
It is our duty to secure our users' accounts. If not for the company's reputation, then for our self-esteem as developers, architects or managers. Delivering a secure web application to our users should be a goal in 2020. So which decisions are you going to take to secure your users?
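Here is the e-mail "magic link" flow written out, as an added example that is not part of the original post. The store is an in-memory dictionary standing in for a database, the base URL and 15-minute lifetime are assumptions, and the sending of the e-mail itself is left out: only the token handling is shown, since that is where links go wrong.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 15 * 60  # assumption: a link is good for 15 minutes

# Constructed in-memory store: sha256(token) -> (email, expires_at).
# Only the hash is stored, so a database leak does not yield usable links.
pending_links: dict = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_magic_link(email: str, now: float = None,
                     base_url: str = "https://app.example/login") -> str:
    """Create a single-use login link for `email`; the returned URL goes in the e-mail body."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
    pending_links[_digest(token)] = (email, now + LINK_TTL_SECONDS)
    return f"{base_url}?token={token}"


def token_from_link(link: str) -> str:
    """Pull the token back out of the URL, as the login endpoint would."""
    return parse_qs(urlparse(link).query)["token"][0]


def redeem_magic_link(token: str, now: float = None):
    """Return the e-mail the link was issued for, or None if unknown, expired or already used."""
    now = time.time() if now is None else now
    # pop() makes the link single-use: a second click (or a replayed capture) finds nothing.
    record = pending_links.pop(_digest(token), None)
    if record is None:
        return None
    email, expires_at = record
    if now > expires_at:
        return None
    return email


if __name__ == "__main__":
    link = issue_magic_link("alice@example.com")  # placeholder address
    print("mail this:", link)
    tok = token_from_link(link)
    print("first click ->", redeem_magic_link(tok))   # alice@example.com
    print("second click ->", redeem_magic_link(tok))  # None: already used
```

Looking the token up by its SHA-256 digest is enough here: the token carries 256 bits of entropy, so a timing difference on the dictionary lookup gives an attacker nothing to work with, and storing only the digest means a leaked `pending_links` table cannot be turned into a login.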
Microsoft Passwordless white paper -> https://www.microsoft.com/en-us/security/business/identity/passwordless
Initially posted on my blog
Level up every day