Hackers are putting more effort than ever into breaking into user accounts. By some measures, hackers account for more than 90 percent of login attempts at online retailers. This means that you need to ask for more than just a username and password if you want to be sure that every user is who they claim to be. To start, you’ll need to implement some advanced user authentication practices.
Here is everything you need to know about user authentication and how the right practices can keep accounts secure.
The Importance of User Authentication Best Practices
Basic user authentication typically has two components — an identity and a password. This method can prevent users from logging into each other’s accounts, but is defenceless against a wide array of attacks — like brute-force strikes — and situations where a hacker already has a user’s password.
Advanced authentication in cyber security provides another layer of defence that helps ensure that when a user is accessing your network, they are that person. These practices can defend against some of the most common attacks and help protect users.
Discover five of the best practices to implement when it comes to user authentication.
1. Limit Login Attempts
This practice is a standard network authentication technique that not everyone implements. When you limit login attempts, it shouldn’t be possible to brute-force an account through your web user-interface.
You can find a few different ways to limit login attempts. You can block users who perform too many incorrect logins by IP address. You can also lock down accounts that receive a lot of false login requests and notify the account holder in question. You can also do both.
Limiting logins doesn’t have to mean preventing a user from trying again, either. You can instead serve a CAPTCHA to users who have tried to connect a certain number of times, inconveniencing legitimate users and preventing bots from attempting again.
As with other user authentication practices, you’ll need to keep user experience in mind when adding in limits. Telling a user to fill out a CAPTCHA because they mistyped their password once or locking them out because of one or two failed attempts is going to be upsetting.
2. Offer Two-Factor Authentication
You’re probably familiar with two-factor authentication (2FA). This method requires users to input a code sent to one of their devices — usually a smartphone — before they can sign in. This authentication technique, while not totally unbeatable, can add an extra layer of security to sensitive accounts. It will, however, make the process a bit more tedious.
Why should large enterprises move to a cloud phone system?
3. Use Context-Based Authentication
Context-based authentication uses as much available information as possible to determine whether or not a user is who they claim to be.
This form of authentication often relies on information about the device and user location. If you’ve ever had to verify a login attempt because you were signing in from a new location or device, that was a form of context-based authentication.
As a result, context-based authentication can be a way to catch fraud attempts, as hackers aren’t usually accessing an account from the same device and location as the hacked party. Of course, fraudsters can hack this info — however, this authentication type can add a valuable layer of defence against cyber criminals.
4. Consider Third-Party Authentication
In some cases, you can implement services that allow users to log in to their accounts using a third-party — like their phone, email or a social media account. Typically, this means using OAuth to let users log in to your website using something like Google, Facebook, Twitter or a related site.
This practice also shifts some of the pressure off of users — there’s no need for them to maintain a collection of highly-secure passwords, so long as their primary account password is reasonably secure.
However, you will still need to manage a few different aspects of the user authentication process — including cookies and logging users out.
5. Hash Your Passwords
People tend to use the same passwords on multiple websites. If your network is compromised, those users can easily be at risk.
Stolen passwords, if properly salted and hashed with a non-deprecated hash algorithm, should be unusable by hackers.
Salting and hashing passwords won’t make it any harder for hackers to access user accounts if they already have passwords. However, it will ensure that, in the case of a data breach that puts stored user passwords in the wrong hands, you probably won’t be compromising any user accounts.
Identity and access management –– mitigating password-related cyber security risks
Keeping Accounts Secure With User Authentication
User accounts are at significant risk from hackers and cyber criminals — a problem that’s likely to become more prevalent as users rely on the internet to access sensitive and valuable information.
Basic user authentication techniques aren’t strong enough to defend against a dedicated attacker. For this reason, it’s a good idea to implement advanced user practices — like context-based, 2FA and third-party authentication. These techniques won’t prevent hackers from breaking into user accounts, but they will provide a valuable layer of defence.