It's all about IAM

Cybersecurity World: Security vs User Experience

I want to ask all security professionals this question: what is more important, security or user experience?

I have been working in the security domain for almost 15 years and I have noticed one thing: people keep emphasizing security and completely neglect the user experience part. I think security and user experience are two sides of the same coin. They are different, but neither can be neglected; both should be given equal importance. Let me try to explain this with the following simple example:

Example:  

Note: This example is just to explain the point; I understand that we are in 2022 and passwords are considered the weakest solution in cybersecurity today. 😊

Suppose we have 5 applications and we want to implement an authentication solution for all of them. To improve the security posture, what if we define the password policy below:

  • Minimum Password Length = 15
  • Minimum Numbers = 2
  • Minimum Uppercase Characters = 2
  • Minimum Lowercase Characters = 2
  • Minimum Special Characters = 2
  • No consecutive numbers or letters allowed
  • Password history (last n passwords cannot be reused) = 25
  • Password expiry = 15 days or 30 days
  • Passwords cannot be shared across applications
  • Passwords cannot contain user attributes such as first name, last name, user ID, email etc.
  • Passwords cannot contain dictionary words (custom dictionary)

This password policy will force users to come up with a complex, unique password for each application every 15 or 30 days.

From a security point of view it may look good, because each application will have its own unique password, but is it easy for an end user to remember such complex passwords? Users may manage it once, but can they come up with new passwords every 15 or 30 days for each application?

The answer is no, so what is wrong with this solution?

In this solution we completely ignored user experience and are giving our customers a very poor experience. If we implement this kind of password policy, end users will end up writing their passwords in a notebook, in a text file on their laptop or on sticky notes, which undermines the very security posture we wanted to improve. The final outcome is poorer security.

As security professionals we keep our entire focus on security and much less on user experience, but I think it is our responsibility to come up with a solution that is not only secure but also gives our customers a better user experience, so that our aim of improving the security posture stays intact. We cannot have a 60-40 ratio between security and user experience; it must be 50-50, which means we need to start giving user experience the same importance we give to security. Only by doing this will we really be able to improve the security posture of the organization.

Again, these are just my thoughts. 


Disclaimer

All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.


Authenticator App for 2FA - TOTP

Nowadays, using mobile authenticator apps for 2FA is very common. I always wondered how it works in the background: how does the mobile app generate a code that the application can validate to grant access?

I read about it, did some research on Google and developed an Eclipse client to test it as well.

  1. When we create an account in an application, the application generates a "Secret Key"
  2. The application stores this Secret Key for each user
  3. The user registers this Secret Key in the Authenticator App as well
  4. The Authenticator App generates a 6-digit code every 30 seconds using this Secret Key
  5. When the user tries to log in, the user is asked to enter the 6-digit code from the Authenticator App. At the same time the application also generates the 6-digit code using the Secret Key stored with the application. Both codes, the one generated by the application and the one generated by the Authenticator App, are compared; if they match, the user is granted access to the application.

I validated this flow from the Eclipse client.

Here are the libraries used for this Java client:


Code to generate the Secret Key; this returns the Secret Key which you need to store and register in an Authenticator App such as Google Authenticator.

Sample Secret Key: RDOVRBFZFT54DZ7E3LWTJPUNTRQINUJO

You can also generate a QR code from this Secret Key, which the app can scan for registration.

Code to generate the 6-digit code (TOTP); you need to pass the same Secret Key. This method sits at the application end.

main method to test:


You will be asked to enter the 6-digit code from the authenticator app, which will be validated against the 6-digit code generated by the application.

Important things:

  • Time must be in sync between the application and the authenticator app, because the code is derived from the current time
  • The Secret Key is the main thing: whoever has it can generate valid codes, so if you set up your Eclipse client with it you don't even need the authenticator app for 2FA. Protect it on the application side accordingly

Good Resources:

  • https://www.protectimus.com/blog/time-drift-in-totp-hardware-tokens/