Best practices in online user authentication: an analysis and survey

Date
2015
Publisher
University of Delaware
Abstract
Over the past decade technology, and internet technology in particular, has grown rapidly. Most of the services people use in their day-to-day activities have been automated and moved online so that users can reach them conveniently, anytime and anywhere. Every innovation has side effects, however, and innovations in internet technology come at a price: because the majority of services are now offered online, they have become more exposed to cyber-attacks. The number of services offered online has a direct bearing on the volume of internet attacks; as more information and services move online, more of them become targets. This research initially focused on the encryption methods, such as public-key and symmetric-key encryption, used by a new category of online service providers (e.g. Mega, Tresorit, Wuala, and SpiderOak) that offer end customers secure, encrypted cloud data storage. Keeping a user's data secure requires maintaining its confidentiality both at rest and in transit. Some of these providers offered client-side encryption, where encryption is performed on the end user's machine, but most used server-side encryption, which is faster but less secure, since the provider rather than the user holds the keys and handles the plaintext.

The direction of this research changed for two reasons. First, as the providers' security mechanisms were being investigated, it became clear that some of their basic account-establishment and authentication schemes were quite weak, so that even the best data-confidentiality mechanisms (e.g. encryption) would ultimately do little to secure the users' data. Second, a series of high-profile public breaches showed that other service providers' authentication and password-recovery mechanisms were also quite weak and subject to brute-force and other types of attacks; examples include breaches of celebrity Twitter and YouTube accounts. An expanded review of the authentication mechanisms of online service providers beyond secure cloud storage found a wide range of practices, from very secure to insecure. The target of this research was therefore refocused on better understanding the common user-authentication processes of online service providers, in order to clarify which mechanisms can be considered best practice. Many current online user-authentication practices and mechanisms were surveyed; the providers included a wide range of services, including social-networking, email, and e-commerce sites. The research shows that although it is obvious that certain best practices should be incorporated into the user-authentication process to shield a service from major attacks such as brute force and Denial of Service (DoS), many online services do not implement them, leaving their users more vulnerable. This research identifies precisely the best practices that online services should use to secure their user authentication, and additionally suggests several new best practices that can provide further security for users' accounts.
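As an added illustration of the brute-force and DoS concern raised in the abstract (example code written for this page, not from the thesis or from any of the surveyed providers): a minimal login handler that hashes passwords with a slow key-derivation function, compares digests in constant time, does the same amount of work for unknown usernames so timing does not reveal whether an account exists, and throttles repeated failures with a capped exponential delay instead of a hard lockout, so that an attacker cannot turn the protection itself into a denial of service against the victim's account. The policy constants and the names `AuthService`, `hash_password`, `login`, `throttle_remaining` and `ManualClock` are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

# Policy knobs: assumed values for this example, not figures from the thesis.
PBKDF2_ITERATIONS = 600_000   # slow KDF: each guess costs the attacker real CPU time
MAX_FREE_ATTEMPTS = 5         # consecutive failures tolerated before throttling starts
BASE_DELAY_SECONDS = 1.0      # first throttle delay; doubles with each further failure
MAX_DELAY_SECONDS = 15 * 60   # cap, so a legitimate user is never locked out indefinitely


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class ManualClock:
    """Deterministic clock (example helper) so throttling can be exercised without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class AuthService:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._users: Dict[str, Tuple[bytes, bytes]] = {}      # username -> (salt, digest)
        self._failures: Dict[str, Tuple[int, float]] = {}     # username -> (count, not_before)
        # Dummy credential hashed for unknown usernames, so the response time is the same
        # whether or not the account exists (no username enumeration via timing).
        self._dummy = hash_password("dummy-password-never-accepted")

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def throttle_remaining(self, username: str) -> float:
        """Seconds until the account will accept another attempt (0.0 if not throttled)."""
        _, not_before = self._failures.get(username, (0, 0.0))
        return max(0.0, not_before - self._clock())

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'throttled'. Throttling is checked before any hashing."""
        now = self._clock()
        failures, not_before = self._failures.get(username, (0, 0.0))
        if now < not_before:
            return "throttled"
        salt, expected = self._users.get(username, self._dummy)
        _, actual = hash_password(password, salt)
        # Constant-time comparison; the membership check prevents the dummy digest matching.
        if hmac.compare_digest(actual, expected) and username in self._users:
            self._failures.pop(username, None)   # success resets the failure history
            return "ok"
        failures += 1
        delay = 0.0
        if failures > MAX_FREE_ATTEMPTS:
            delay = min(BASE_DELAY_SECONDS * 2 ** (failures - MAX_FREE_ATTEMPTS - 1),
                        MAX_DELAY_SECONDS)
        self._failures[username] = (failures, now + delay)
        return "denied"


def demo() -> list:
    """Drive a constructed brute-force attempt against one account and return the outcomes."""
    clock = ManualClock()
    svc = AuthService(clock=clock)
    svc.register("alice", "correct horse battery staple")
    outcomes = [svc.login("alice", "guess%d" % i) for i in range(6)]   # 6 bad guesses
    outcomes.append(svc.login("alice", "correct horse battery staple"))  # right password, throttled
    clock.t += svc.throttle_remaining("alice")                          # wait out the delay
    outcomes.append(svc.login("alice", "correct horse battery staple"))  # now accepted
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The throttle is per account and grows geometrically, so a dictionary attack slows to a crawl after a handful of guesses while a user who mistypes five times is barely affected; pairing this with a per-source-IP limit and a notification to the account owner is the usual next step.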