Skip to main content

Best Practices - IAM/Login

Authorization, Authentication and Roles

Authentication, authorization, and roles are all related concepts that are used to control access to resources and services.

1. Authentication:

  • Verifying a user's identity. It is the first step in the process of granting access to a resource or service.
  • Verifying a user's credentials, such as a username and password, to ensure that the user is who they claim to be.

2. Authorization:

  • Determining whether a user is allowed to access a resource or service.
  • Second step in the process of granting access, and it
  • Checking a user's permissions or roles to see if they have the necessary access rights.

3. Roles

  • Assign permissions and access rights to users or groups.
  • A role defines a set of permissions and access rights that a user is granted.
  • Roles can be assigned to users, groups, or other entities, and different roles can have different levels of access to resources and services.

IAM Security Best Practices

17 best practices for security regarding user account information in a mobile app:

Best PracticeDescription
EncryptionUse industry-standard encryption techniques to protect user account information both in transit and at rest.
Secure communicationUse secure protocols such as HTTPS for all communication between the app and the server to prevent man-in-the-middle attacks.
Secure storageStore user account information on the device in an encrypted format and use secure key management techniques to protect the encryption keys.
Two-factor authenticationImplement two-factor authentication to provide an additional layer of security for logging in to the app.
Password policyEnforce a strong password policy that requires users to use complex, unique passwords and regularly update them.
Session managementImplement session management to ensure that sessions are terminated when the user logs out or after a period of inactivity.
Input validationValidate all user input to prevent malicious data from being entered into the app.
AuthorizationImplement proper authorization controls to ensure that only authorized users can access sensitive information.
Risk assessmentRegularly assess the security risks associated with the app and implement appropriate controls to mitigate those risks.
Penetration testingRegularly conduct penetration testing to identify and address vulnerabilities in the app.
AuditingRegularly audit the app's security controls to ensure that they are functioning as intended.
Security awareness trainingProvide security awareness training to all app users to educate them on how to protect their account information and identify potential security threats.
Secure backendEnsure that the backend servers that store user account information are secure and properly configured with firewalls, intrusion detection and prevention systems, and other security controls.
Data backupRegularly backup user account information to prevent data loss in case of a security incident or system failure.
Remote wipeImplement a remote wipe feature that allows administrators to remotely delete user account information from a lost or stolen device.
Device managementImplement device management controls to ensure that only authorized devices can access user account information.
Continuous monitoringContinuously monitor the app and its backend servers for security incidents and respond quickly to any detected threats.

Secure Password Policy

  • Length:
    • Passwords should be at least a certain length, typically 12 or more characters.
  • Complexity:
    • Passwords should include a mix of upper and lowercase letters, numbers, and special characters.
  • Unique:
    • Passwords should be unique and not used for other accounts or services.
  • Regular updates:
    • Passwords should be required to be changed at regular intervals, for example every 90 days.
  • Prohibiting common passwords:
    • Passwords should not be common words or phrases that can be easily guessed, such as "password" or "1234".
  • Prohibiting personal information:
    • Passwords should not include personal information such as name, address, phone number or dates that can be easily guessed.
  • Two-factor authentication:
    • Two-factor authentication is a strong measure to ensure account security.
  • Validating password strength:
    • An app should validate the strength of a password before accepting it, and provide feedback to the user on how to improve their password if necessary.

Encryption Standards

  • Transport Layer Security (TLS) and Secure Sockets Layer (SSL):
    • These protocols are commonly used to encrypt communication between a client and a server. They provide secure communication by establishing an encrypted link between the two parties.
  • Advanced Encryption Standard (AES):
    • AES is a symmetric encryption algorithm that is widely used to encrypt data at rest. It uses a secret key to encrypt and decrypt data, and is considered to be very secure.
  • RSA:
    • RSA is an asymmetric encryption algorithm that is commonly used to encrypt data at rest, as well as for digital signatures and key exchange. RSA uses a public key to encrypt data, and a private key to decrypt it.
  • Blowfish and Twofish:
    • These are symmetric key block ciphers, Blowfish is a block cipher that uses a variable-length key, from 32 bits to 448 bits, to encrypt data in blocks of 64 bits. Twofish is a symmetric key block cipher that accepts keys of any length up to 256 bits.
  • Hash functions:
    • Hash functions such as SHA-256 or SHA-512 are commonly used to encrypt password, they are not encryption in the traditional sense, but are a one way function that ensures the integrity of the data, and make it difficult to reverse the process.
  • PGP (Pretty Good Privacy):
    • PGP is a widely used encryption standard for email and other forms of digital communication. It uses a combination of symmetric and asymmetric encryption to provide both confidentiality and authenticity of the message.
  • Elliptic Curve Cryptography (ECC):
    • ECC is a type of public-key cryptography that uses the mathematics of elliptic curves to provide stronger security than traditional RSA and DH algorithms. It is well suited for use in mobile and embedded devices.
  • Identity-based Encryption (IBE):
    • IBE is a form of public-key encryption in which the public key of a recipient is derived from their identity, rather than being a randomly generated number. This can simplify key management and deployment.
  • Homomorphic Encryption:
    • It is an encryption scheme that allows computations to be performed on ciphertext, producing an encrypted result which, when decrypted, matches the result of operations performed on plaintext. It is useful when some operations are to be performed on the data but it should not be decrypted.
  • Format-preserving encryption (FPE):
    • FPE is a technique that encrypts data in such a way that the encrypted data has the same format as the original data, meaning that it can be used in places where the format of the data is important, such as credit card numbers.

Input Validation

  • Whitelisting:
    • Involves defining a set of acceptable input values and only allowing input that matches those values.
    • Effective in preventing malicious input, but can be more restrictive.
  • Blacklisting:
    • Involves defining a set of unacceptable input values and rejecting any input that matches those values.
    • Can be less restrictive than whitelisting, but may not catch all malicious input.
  • Format validation:
    • Involves checking that input data matches a specific format, such as a phone number or email address.
    • Can be effective in catching input that is in the correct format but still malicious.
  • Range validation:
    • Involves checking that input data falls within a specific range of values.
    • Can be effective in catching input that is within the correct range but still malicious.
  • Type validation:
    • Involves checking that input data is of the correct data type, such as a string or number.
    • Can be effective in catching input that is of the correct type but still malicious.
  • Input Sanitization:
    • The process of removing or replacing any special characters or tags that could be used to inject malicious code or SQL statements into the application.
  • Regular expressions:
    • A pattern matching language that can be used to check input for specific patterns, such as an email address.
  • Input validation libraries:
    • A number of libraries available for different programming languages that can be used to handle input validation, such as the 'validator' library in JavaScript or the 'validate' library in Python.

Risk Assessment

  • Threat modeling:
    • Identifying potential threats to the system and evaluating the impact of those threats using techniques such as STRIDE and PASTA.
  • Vulnerability scanning:
    • Identifying vulnerabilities in the system by using automated tools that check for known vulnerabilities.
  • Penetration testing:
    • Simulating a real-world attack on the system to identify vulnerabilities that may not be found through automated scanning.
  • Access control:
    • Ensuring that only authorized users are able to access sensitive information using authentication and authorization mechanisms such as RBAC or ABAC.
  • Authentication and Authorization:
    • Implementing a robust authentication and authorization mechanism, such as multi-factor authentication, to ensure that only authorized users are able to access the system.
  • Monitoring and Auditing:
    • Regularly monitoring the system for suspicious activity and conducting regular audits to ensure that security controls are functioning as intended.
  • Risk Management:
    • Identifying, assessing, and prioritizing risks, and taking steps to mitigate or transfer them.
  • Incident response plan:
    • Having a well-defined incident response plan in place to respond quickly and effectively to security incidents, minimizing damage and disruption.
  • Least privilege:
    • Implementing the principle of least privilege so users are granted only the minimum level of access necessary to perform their job functions.
  • Input validation:
    • Checking and ensuring that the input data meets certain criteria before it is processed by the system to prevent malicious input.
  • Secure coding practices:
    • Ensuring that the code is written securely and following best practices for secure coding, such as avoiding hard-coded passwords, to prevent common vulnerabilities.
  • Network and infrastructure security:
    • Configuring the network and infrastructure securely and protecting it with firewalls, intrusion detection and prevention systems, and other security controls.
  • Compliance:
    • Ensuring that the system is compliant with relevant security standards and regulations, such as HIPAA, PCI-DSS, or SOC2, to ensure that the system is designed and configured securely and can be audited.