[Owasp-leaders] Comparing login security features
tobias.gondrom at owasp.org
Fri Jun 8 08:46:51 UTC 2012
sounds like a good idea..
Btw. if you look at examples, you possibly also want to take a look at
To enhance your point #1, they (among others) also deploy HSTS (HTTP
Strict Transport Security, a new browser feature which allows _only_
SSL to the server, i.e. the browser will fail on non-SSL connection attempts).
Best regards, Tobias
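The HSTS behaviour Tobias describes, as an added example that is not part of the thread: a small model of the browser side of HTTP Strict Transport Security (the draft that became RFC 6797 later in 2012). It parses the Strict-Transport-Security response header, keeps a per-host policy list the way a browser does, and rewrites later plain-http requests to https. The URLs, header strings and clock values are constructed for the example; there is no network I/O.

```python
"""Added example (not from the OWASP-Leaders thread): browser-side HSTS logic.

A site sends `Strict-Transport-Security: max-age=...` over https; the browser
remembers the host and from then on refuses to speak plain http to it, rewriting
http:// URLs to https:// before any request leaves the machine. All inputs here
are constructed in-process so the script runs offline.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse an STS header value into (max_age, include_subdomains, preload).

    Returns None when there is no valid max-age; a browser treats that as
    "no policy", not as an error.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_subdomains, preload


class HstsStore:
    """In-memory stand-in for the browser's persistent HSTS host list."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.hosts = {}           # host -> (expiry_timestamp, include_subdomains)

    def observe(self, url, sts_header):
        """Record the policy carried by a response to `url`.

        The header is only honoured on an https response; a policy seen over
        plain http (or injected by an on-path attacker there) is ignored.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return
        parsed = parse_hsts(sts_header)
        if parsed is None:
            return
        max_age, include_subdomains, _preload = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)   # max-age=0 tells the browser to forget the host
        else:
            self.hosts[host] = (self.now() + max_age, include_subdomains)

    def is_known(self, host):
        """True if `host`, or a parent domain with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= self.now():
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually fetch for `url`."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.netloc
            if netloc.endswith(":80"):
                netloc = netloc[:-3]     # port 80 becomes the https default, 443
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```

Two things the model makes visible: the policy is trust-on-first-use, so the very first http request to a host the browser has never seen is still downgradable (the preload directive and the browsers' built-in preload lists exist to close that gap), and the header is discarded when it arrives over http, so an attacker on the path cannot plant or clear a policy.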
On 08/06/12 00:32, Gaurav Kumar wrote:
> I am thinking of blogging about security features provided by
> popular/widely-used online services like Google, Yahoo, Hotmail
> (Live), Facebook, Twitter & LinkedIn. Note that the focus is on features
> available to end users, not things like salting+hashing passwords.
> So far below are the criteria I'm thinking of using. Can you suggest
> more? (any other comments are welcome too)
> 1. End-to-end SSL. Not just during authentication, service should
> provide option to use SSL for the whole session.
> 2. Two-factor authentication. Bonus points if service provides
> HOTP/TOTP type 2nd factor. Sending SMS (text) is nice too but then
> you have to trust the phone company.
> 3. View active and recent sessions. Ability to see which sessions
> are active (and view associated IP addresses) and kill them (in case
> an unrecognized session is found).
> 4. Phishing protection. Verify pre-selected image after entering
> username (a few banks and Yahoo (they call it a login seal) use this)
> 5. Remind users of their password age. If the password has not been
> changed in the last X time, post-authentication users should be given
> 6. OpenID. Service should support OpenID authentication so that other
> services can authenticate and authorize without needing to obtain
> actual password
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
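The HOTP/TOTP second factor from point #2, as an added example that is not part of the thread: the two algorithms (RFC 4226 and RFC 6238) implemented with the Python standard library, plus the server-side verification a service needs around them. The shared secret and timestamps are the RFCs' published test vectors, embedded so the script runs offline; the `TotpVerifier` class, its window size and its replay rule are this example's own choices, not any named service's behaviour.

```python
"""Added example (not from the OWASP-Leaders thread): HOTP and TOTP generation
and server-side verification, using only the standard library.

The 20-byte secret b"12345678901234567890" is the shared test key from
RFC 4226 / RFC 6238, used here so the outputs can be checked against the RFCs.
"""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6, algorithm=hashlib.sha1, t0=0):
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since t0."""
    return hotp(secret, int((for_time - t0) // step), digits, algorithm)


class TotpVerifier:
    """Server-side state for one enrolled user (example design, not a specific
    service's): the shared secret plus the last counter that was accepted,
    so a code captured by a phisher cannot be replayed inside its window."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window          # accept +/- this many steps of clock skew
        self.last_counter = -1

    def verify(self, candidate, now):
        """Return True and consume the step if `candidate` is valid at time `now`."""
        # Reject anything that is not exactly `digits` ASCII digits before doing crypto.
        if not (isinstance(candidate, str) and candidate.isdigit()
                and len(candidate) == self.digits):
            return False
        current = int(now // self.step)
        matched = None
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            # Constant-time comparison: never leak how many digits matched.
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), candidate):
                matched = counter
                break
        # Unknown code, or a code for a step already used: refuse.
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True
```

The verifier deliberately tracks the highest accepted counter rather than just "was this exact code seen": with a skew window of one step a code stays valid for up to 90 seconds, so a service that does not record the consumed step lets an attacker who phished the code reuse it within that time.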