[Owasp-leaders] Comparing login security features

Tobias tobias.gondrom at owasp.org
Fri Jun 8 08:46:51 UTC 2012


Hi Gaurav,
Sounds like a good idea.
Btw. if you look at examples, you possibly also want to take a look at 
Paypal.
To enhance your point #1, they (among others) also deploy HSTS (HTTP 
Strict Transport Security, a new browser feature which allows _only_ 
SSL to the server, i.e. the browser will fail on non-SSL connection attempts).
Best regards, Tobias


On 08/06/12 00:32, Gaurav Kumar wrote:
> I am thinking of blogging about security features provided by 
> popular/widely-used online services like Google, Yahoo, Hotmail 
> (Live), Facebook, Twitter & LinkedIn. Note that focus is on features 
> available to end users, not things like salting+hashing password.
>
> So far below are the criteria I'm thinking of using. Can you suggest 
> more? (any other comments are welcome too)
>
> 1. End-to-end SSL. Not just during authentication, service should 
> provide option to use SSL for the whole session.
>
> 2. Two-factor authentication. Bonus points if the service provides an 
> HOTP/TOTP-type 2nd factor. Sending SMS (text) is nice too, but then 
> you have to trust the phone company.
>
> 3. View active and recent sessions. Ability to see which sessions 
> are active (and view associated IP addresses) and kill them (in case 
> an unrecognized session is found).
>
> 4. Phishing protection. Verify a pre-selected image after entering the 
> username (a few banks and Yahoo (they call it a login seal) use this).
>
> 5. Remind users of their password age. If the password has not been 
> changed in the last X time, users should be given a warning after 
> authentication.
>
> 6. OpenID. The service should support OpenID authentication so that other 
> services can authenticate and authorize without needing to obtain the 
> actual password.
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
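Tobias's HSTS point above can be checked mechanically. The following is an added example, not code from the list post or from any of the services mentioned: it builds a Strict-Transport-Security header (RFC 6797) and audits one taken from a response. The header name and directive names are the real ones from the RFC; the one-year minimum `max-age` is an assumed threshold chosen for this example.

```python
"""Build and audit HTTP Strict Transport Security (HSTS) headers.

Added example; the header and directive names follow RFC 6797, the
one-year minimum is an assumption of this example, not a rule from the
list post.
"""

MIN_MAX_AGE = 31536000  # assumed policy: at least one year (365 * 24 * 3600 s)


def hsts_header(max_age: int = MIN_MAX_AGE, include_subdomains: bool = True,
                preload: bool = False) -> str:
    """Return the value a server should send in Strict-Transport-Security."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value: str) -> dict:
    """Split a header value into {directive-name (lowercased): value}.

    RFC 6797 directive names are case-insensitive; values may be quoted.
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: dict, min_max_age: int = MIN_MAX_AGE) -> list:
    """Audit the response headers of an HTTPS response.

    Returns a list of findings; an empty list means the policy looks sound.
    """
    findings = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        findings.append("no Strict-Transport-Security header: browsers will "
                        "still follow plain-HTTP links to this host")
        return findings

    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("missing or non-numeric max-age: browsers ignore the header")
    elif int(max_age) == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif int(max_age) < min_max_age:
        findings.append(f"max-age={max_age} is shorter than the {min_max_age}s minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains can still be "
                        "reached over HTTP")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    good = {"Strict-Transport-Security": hsts_header()}
    weak = {"strict-transport-security": "max-age=300"}
    none = {"Content-Type": "text/html"}
    for name, hdrs in (("good", good), ("weak", weak), ("none", none)):
        print(name, check_hsts(hdrs) or "OK")
```

One caveat the check cannot see: a browser only honours HSTS when the header arrives over an error-free HTTPS connection, so sending it on the plain-HTTP redirect page does nothing; the redirect itself still has to point at https://.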
