This article is about the different types of security standards used for logging into applications
Security Login Standards
The three main standards I will focus this article on are:
- HTTP Basic Auth - Least secure
- OAuth - More secure
- SAML - Most secure
Despite these security standards, no single method is 100% safe. All best practices must be followed to reduce, as much as possible, the chance of a security breach in your websites and applications.
1. HTTP Basic Authentication
HTTP Basic Auth is open-source and fairly easy to implement on web servers like Apache & Nginx, which serve website content in a variety of formats and languages, the main ones being HTML and PHP. I have set up applications in a private repository on GitHub that use this basic login method because of its easy integration.
- Burp Suite
Basic authentication has several other basic vulnerabilities, such as:
- The username and password are passed in every request, which is completely unsafe over plain HTTP and only somewhat safer under HTTPS.
- Credentials submitted with every request give an attacker repeated opportunities to retrieve a session or authentication token.
With basic auth, every request is an opportunity to steal the user's password. This is far from best practice.
Digest Auth reduces many of these vulnerabilities and offers a bit more security by sending only an MD5 digest computed over the username/password and other bits, meaning attackers cannot read the credentials directly from a captured digest. However, it seems to be more trouble to set up than it's worth in terms of security; according to this article, it is likely more secure and easier to choose the following methods.
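To make the Basic vs. Digest difference concrete, here is an added example (not code from the original post) that builds and decodes a Basic Authorization header, then computes and verifies the legacy RFC 2617 Digest response so you can see that Digest never puts the password itself on the wire. The realm, nonce and credentials are constructed sample values.

```python
import base64
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header a Basic Auth client sends on every request."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_header(header: str):
    """Recover the credentials from a Basic header: base64 is encoding, not encryption,
    so anyone who captures the header over plain HTTP has the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    username, _, password = base64.b64decode(token).decode().partition(":")
    return username, password


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """Client side of RFC 2617 Digest Auth (legacy form without qop).
    Only this hash travels to the server; the password stays on the client.
    Note: MD5 is fast, so a captured response can still be guessed offline,
    which is why TLS is still needed even with Digest."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(stored_ha1: str, method: str, uri: str,
                  nonce: str, client_response: str) -> bool:
    """Server side: the server stores only HA1 (not the password), recomputes the
    expected response for this nonce and compares in constant time."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, client_response)


# Constructed sample values (hypothetical, not from the original post)
REALM = "example-app"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
```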
2. OAuth - SSO
Single sign-on (SSO) is an authentication method that allows users to securely authenticate with many applications and websites using a single set of credentials.
OAuth is an open standard for access delegation, most commonly used as a way for internet users to allow websites or applications to access their information on other websites without revealing their passwords.
This standard is a bit more effort to add to an application but offers a much higher security grade compared to HTTP Basic Auth.
I plan on completing the below tutorial and adding it to workflows because of its higher layers of security. OAuth also has open-source solutions that should speed up such integrations through the project Vouch-Proxy.
3. SAML - Security Assertion Markup Language
Security Assertion Markup Language (SAML) is an authentication method and similarly to OAuth, its main function in online security is that it grants a user access to multiple web applications using one set of login credentials.
SAML's main difference from OAuth is that SAML is designed for a specific user, while OAuth is designed for multiple applications.
This standard is a good amount of effort to add to an application based on some guides I found but offers the highest security grade compared to OAuth & HTTP Basic Auth.
From the guides I've researched, the two main components of SAML are Identity Providers (the home application base that verifies users) and Service Providers (the various applications themselves that users access through the IDP), which together control the verification and granting of application permissions to a user. Typically, to set up SAML you would choose a 3rd-party IDP provider to host your main verification portal.
However, I also found the below open-source projects PHP-SAML & Lightsail SAML that help you build your own private IDP server and will be adding it to my workflow because of its high layers of security.
No matter what method you choose to implement your security measures for your users and applications, make sure you ask yourself and research the following questions:
- What are the vulnerabilities of my security solution?
- What are the best practices for implementing my security measure?
- What are the known hacks? Or how do you hack my security measure?
Awareness is a must when it comes to security.
Authored By Is-Rael Landes
Is-Rael Landes, a good man living on the earth, who loves making websites, teaching others and coding.