Evolution of Authentication in Web Applications

By balaji

October 29, 2011

Authentication is the process of verifying the identity or authenticity of a person or an entity. Let's go back to the time that the world was not yet introduced to computers and the internet. If a customer of a bank had to withdraw some money from the branch, how would it take place? The teller at the branch would ask the customer for a proof to confirm that he/she is the valid customer. The customer would then sign on a piece of paper, which would be compared with the signature provided by the customer at the time of opening the account. With the advent of computers, the signature was replaced by the password. The user would set a password value during registration and then provide it each time to access the account.



However, as the internet has been evolving, authentication schemes have also been evolving. Let's take a look at some of the authentication schemes starting from the simplest HTTP Basic authentication to more sophisticated schemes.

The Hypertext Transfer Protocol (HTTP), which is generally used for building web applications, provides two forms of authentication: Basic and Digest.

HTTP Basic Authentication

If a browser or program requests a web page that requires Basic authentication, the server responds with an error that carries a 'WWW-Authenticate' header. The user then enters a username and password, which the browser sends to the server in Base64-encoded form.

Advantages

  • It's a very lightweight authentication mechanism.
  • It can be used effectively in combination with SSL.
  • Most web servers and platforms provide built-in support; thus making the implementation very simple.

Disadvantages

  • Base64 is not an encryption technique but just a simple form of encoding.
  • The credentials can easily be intercepted and decoded, which makes the scheme very insecure.
  • Basic authentication uses text files to store usernames and passwords.
  • It is inefficient as the request for each page needs to be sent twice. The server will reject it the first time and then ask for user credentials. The second request with the user credentials is accepted.
  • Individual user accounts need to be created in the OS.
  • There is no support for a Logout feature. The browser window has to be closed by the user to flush the password from the memory.
  • The server's identity cannot be authenticated.

HTTP Digest Authentication

HTTP Digest Authentication works similarly to Basic but is stronger because it sends hashes rather than the username and password themselves. When a page is requested, the server replies with a 'WWW-Authenticate' header that includes a 'nonce', a string that differs for each request. The client computes a series of hashes over the username and password, the requested URL, the authentication realm name and the nonce, and resends the request. The server retrieves the password from its data source, performs the same hashing and compares the results. Authentication succeeds if the values match.

Advantages

  • The password is hashed with the dynamic nonce value; thus protecting it in transmission and from replay attacks.
  • The password can be stored on the server as a hash instead of as clear text.
  • The server can also store the hash of the password along with the nonce; thus preventing rainbow-cracking attacks.
  • Most web servers and platforms provide built-in support; thus making the implementation very simple.

Disadvantages

  • Although stronger than Basic authentication, it is vulnerable to man-in-the-middle attacks: an MITM attacker can trick clients into falling back to Basic authentication or into using Digest in a legacy, reduced-security mode.
  • The password has to be stored in a text file.
  • Individual user accounts need to be created in the OS.
  • There is no straightforward way to log out a user.
  • Digest authentication also does not authenticate the server's identity.
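The two HTTP schemes above, worked through in Python as an added example that is not part of the original post: a Basic 'Authorization' header is decoded to show that Base64 hides nothing, and the Digest exchange is computed on the client side and verified on the server side from a stored HA1 hash, so the server never needs the clear-text password. All usernames, passwords, realm and nonce values are constructed for the demonstration; the Digest arithmetic follows RFC 2617 with qop=auth.

```python
import base64
import hashlib
import hmac

# Constructed sample values for the demonstration (not from the original post).
USERNAME, PASSWORD, REALM = "alice", "s3cret", "example@localhost"
METHOD, URI = "GET", "/account"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # constructed server nonce
CNONCE, NC, QOP = "0a4f113b", "00000001", "auth"  # constructed client values


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def decode_basic_authorization(header_value):
    """A Basic 'Authorization' header is only Base64, so the credentials come straight back."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(encoded).decode().partition(":")
    return user, password


def digest_ha1(username, realm, password):
    # HA1 is all the server needs to keep; the clear-text password need not be stored.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, nonce, nc, cnonce, qop, method, uri):
    # RFC 2617 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), where HA2 = MD5(method:uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, nonce, nc, cnonce, qop, method, uri, client_response):
    expected = digest_response(stored_ha1, nonce, nc, cnonce, qop, method, uri)
    return hmac.compare_digest(expected, client_response)


def demo():
    basic = "Basic " + base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()
    recovered = decode_basic_authorization(basic)
    ha1 = digest_ha1(USERNAME, REALM, PASSWORD)
    client_resp = digest_response(ha1, NONCE, NC, CNONCE, QOP, METHOD, URI)
    ok = server_verify(ha1, NONCE, NC, CNONCE, QOP, METHOD, URI, client_resp)
    # The same response replayed against a fresh server nonce no longer verifies.
    replayed = server_verify(ha1, "fresh-nonce-0002", NC, CNONCE, QOP, METHOD, URI, client_resp)
    return recovered, ok, replayed
```

The replay check at the end is why the per-request nonce matters: a captured Digest response is bound to the nonce it was computed under.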

Windows Integrated Authentication

Windows Integrated Authentication, formerly known as NTLM (NT LAN Manager) authentication, is an authentication scheme from Microsoft for Windows networks. NTLM is a challenge-response scheme that uses Cyclic Redundancy Check or message digest algorithms. The Windows Integrated scheme supports both NTLM and Kerberos.

When a browser requests a protected web page, the server sends two WWW-Authenticate headers, Negotiate and NTLM. If the browser recognizes Negotiate, it can proceed with either NTLM or Kerberos. If the browser and the server are compatible and both belong to the same domain or to trusted domains, the server uses Kerberos; otherwise it uses NTLM. If the browser does not recognize the Negotiate attribute, the default is NTLM.


It is best suited to a Windows intranet application that uses a Windows Domain Controller or Active Directory together with IIS and the IE browser, although other well-known platforms and browsers also support NTLM.

Advantages

  • In a Windows environment, the password is not transmitted over the network.
  • NTLMv2 and Kerberos address the weaknesses in NTLMv1 and prevent rainbow-cracking attacks.
  • The server's identity is authenticated too.

Disadvantages

  • Integrated Windows authentication does not work over HTTP proxy connections.
  • NTLM is vulnerable to a number of attacks, some of which have been fixed by Microsoft.

Form-based Authentication

Form-based Authentication gives the developer freedom to build a more secure authentication scheme, and it has evolved over time. Basically, form-based authentication refers to any mechanism that relies on factors external to the HTTP protocol to authenticate the user. The application itself is responsible for collecting the user's credentials, verifying them and deciding their authenticity.

The simplest way to do so is to have a login form that asks the user for a username and password. These values are then compared with the username and password already present in the database. The password is protected in transit either by using an SSL connection or by encrypting the password. SSL protects the password during transmission, but a local adversary can still steal it from the browser's memory. This problem can be addressed by using a salted hash technique to transmit the password.

Advantages

  • The developer is free to implement the Login page in a desired manner.
  • All development frameworks and languages support form authentication.

Disadvantages

  • Encryption or security is not enforced by default. The responsibility to implement a safe solution belongs to the developer.

CAPTCHAs and Key Loggers

As attackers became smarter, applications had to defend themselves against newer threats such as automated password guessing and key loggers. Attackers made their job easy by writing scripts that kept trying passwords on the login page until a match was found.

CAPTCHA is an effective method used to address the problem of automated password-guessing attacks. Generally, CAPTCHAs comprise randomly generated text that is displayed in a distorted manner. The text can be read by a human, but not an automated program. CAPTCHAs also prevent an automated script from flooding the web server with a large number of requests. CAPTCHAs are typically used in User Registration pages, Login pages and Forgot Password pages.

Advantages

  • They prevent automated password-guessing attacks.
  • They prevent automated DoS attacks.
  • They are simple and convenient for a user.

Disadvantages

  • A CAPTCHA that is not implemented properly can make the application vulnerable to attacks.
  • A visual CAPTCHA (distorted text) is not very user friendly for the visually impaired.

A number of sites addressed the threat of key loggers with a virtual keyboard. Since key-logging programs reside on the client machine, capture every keystroke and mail the captures to the attacker, a virtual keyboard eliminates the need to type the password at all. A graphical representation of the keyboard is displayed on the screen and the user clicks the respective characters with the mouse.

Advantages

  • It is a simple method that can be implemented easily.
  • A virtual keyboard can also be used in pages with sensitive information like credit card details, etc.

Disadvantages

  • Shoulder surfing becomes a more plausible threat.
  • There is advanced malicious software that captures the mouse clicks and, based on the pixel positions, works out the characters entered.

The next generation of authentication schemes involved two factors. The two factors are defined as something we know (e.g. a password) and something we have (e.g. a hardware token or card). The user is required to provide both to prove their identity.

One-Time Passwords (OTP)

One-time passwords are a form of two-factor authentication. They emulate sharing a secret on the fly between two digital entities using an out-of-band channel (SMS, email or paper passwords).

The user provides his/her username and/or password during the authentication process. The server validates the username and generates the OTP, which is sent over the out-of-band channel (SMS, email, etc.). In certain cases, a set of OTPs is pre-generated on paper and physically delivered to the user by hand or through the post. Each of these pre-generated OTPs can be used only once.

Advantages

  • Increased difficulty for the attacker – needs to compromise SMSs/emails apart from the application.
  • Authentication depends on secrets from two disparate systems (2 factors i.e. the human brain and the SMS).
  • The duration of the validity of the OTP limits the continued compromise of the user account.
  • Extended access for the attacker is limited since OTP can be used only once for the specific transaction.

Disadvantages

  • The scheme depends on the availability of the additional server infrastructure and of the external delivery channel (SMS/email).
  • There can be delays in the delivery of the password, which is outside the application’s control.
  • There can be geographical limitations for a person who is traveling.
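The server side of the out-of-band OTP flow described above, as an added example that is not part of the original post. It shows the two properties the advantages list relies on, a limited validity window and single use, together with an attempt cap and storage of only the OTP's hash. The 300-second TTL, the three-attempt limit and the `send` callback standing in for the SMS/email gateway are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 300   # validity window; constructed value for the demo
MAX_ATTEMPTS = 3        # guesses allowed before the OTP is discarded

# In-memory store standing in for the server's database: username -> pending OTP record.
_pending = {}


def _hash_otp(otp):
    return hashlib.sha256(otp.encode()).hexdigest()


def issue_otp(username, now, send):
    """Generate a random 6-digit OTP, keep only its hash plus an expiry, and hand the
    clear value to the out-of-band channel (`send` models the SMS/email gateway)."""
    otp = f"{secrets.randbelow(10 ** 6):06d}"
    _pending[username] = {
        "hash": _hash_otp(otp),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    send(username, otp)


def verify_otp(username, submitted, now):
    """Accept the OTP once, within its window, and with a bounded number of tries."""
    rec = _pending.get(username)
    if rec is None:
        return False
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(username, None)   # expired or locked out: a fresh OTP must be issued
        return False
    rec["attempts"] += 1
    if hmac.compare_digest(rec["hash"], _hash_otp(submitted)):
        _pending.pop(username, None)   # single use: consumed on success, so replay fails
        return True
    return False
```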

A number of sensitive sites resorted to various second factors such as hardware tokens and passwords sent via email.

Hardware Tokens

Certain banks and owners of other critical applications provide hardware tokens to their users.

There are a number of types of hardware token in use, but the most common is the disconnected token. The user enters the number displayed on the token along with the password in the application. If both values are correct, the user gains access. The token contains an algorithm, a clock and a seed (a unique number). Taking the time and the seed as input, the algorithm generates the number displayed.

The application using two-factor authentication is connected to the server that manages the tokens. That server holds the seed and, using the current time and the same algorithm, computes the same number as the token at any point in time, which allows it to authenticate the user. To accommodate a mismatch caused by clock drift, the server accepts the token's number for a time window.

Advantages

  • Very secure as you need the number generated by the token to log in.
  • The token is easy to use.

Disadvantages

  • A chance of mismatch in the time leading to authentication failure is possible.
  • The token is a small physical entity and can be easily lost.
  • The infrastructure required is a cost overhead.
  • The distribution and maintenance of the tokens is an overhead.
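The token algorithm and the server-side time window from the hardware token section, as an added example that is not part of the original post. The post does not name the algorithm, so this assumes the time-based one-time password scheme of RFC 6238 (HMAC-SHA1 over a 30-second counter, 6 digits); the seed is a constructed value and the one-step drift tolerance is an assumption.

```python
import hashlib
import hmac
import struct
import time

# Constructed seed shared between the token and the server (not from the original post).
SEED = b"constructed-demo-seed-0123456789"
STEP_SECONDS = 30
DIGITS = 6


def token_code(seed, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """What the disconnected token computes from its clock and seed (TOTP, RFC 6238)."""
    counter = int(unix_time) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def token_display(seed):
    """The number currently shown on the token's display."""
    return token_code(seed, time.time())


def server_verify(seed, submitted, server_time, drift_steps=1):
    """Accept the code for the current step and +/- drift_steps neighbouring steps,
    so a token whose clock has drifted by under a step still authenticates."""
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = token_code(seed, server_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False
```

Widening `drift_steps` reduces the clock-mismatch failures listed under Disadvantages, at the cost of a longer period during which a single observed code remains usable.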

Looking ahead...

To stay ahead of the attackers, we have to keep improving our authentication schemes. A large number of websites might start using biometrics such as fingerprint scanning or retina/iris scanning to log in. Although biometric methods are quite prevalent outside web authentication, they are not as common for web applications given the infrastructure and cost overhead.


Tags: Best Practices
