[Owasp-leaders] Comparing login security features

Gaurav Kumar gk at pivotalsecurity.com
Thu Jun 7 23:32:38 UTC 2012


I am thinking of blogging about security features provided by
popular/widely-used online services like Google, Yahoo, Hotmail (Live),
Facebook, Twitter & LinkedIn. Note that focus is on features available to
end users, not things like salting+hashing password.

So far below are the criteria I'm thinking of using. Can you suggest more?
(any other comments are welcome too)

1. End-to-end SSL. Not just during authentication, service should provide
option to use SSL for the whole session.

2. Two-factor authentication. Bonus points if service provides HOTP/TOTP
type 2nd factor. Sending SMS (text) is nice too but then you've to trust
the phone company.

3. View active and recent sessions. Ability to see which all sessions are
active (and view associated IP addresses) and kill them (in case
unrecognized session is found).

4. Phishing protection. Verify a pre-selected image after entering the username
(a few banks and Yahoo (they call it a login seal) use this).

5. Remind users of their password age. If the password has not been changed
in the last X time, users should be given a warning after authentication.

6. OpenID. The service should support OpenID authentication so that other
services can authenticate and authorize without needing to obtain the actual
password.