User Authentication Best Practices Checklist

User authentication is a functionality that every web application shares. We should have perfected that a long time ago, having implemented it so many times. And yet there are so many mistakes made all the time.

Part of the reason for that is that the list of things that can go wrong is long. You can store passwords incorrectly, you can have a vulnerable password reset functionality, you can expose your session to a CSRF attack, your session can be hijacked, etc. So I'll try to compile a list of best practices regarding user authentication. The OWASP Top 10 is always something you should read, every year. But that might not be enough.

So, let's start. I'll try to be concise, but I'll include as much of the related pitfalls as I can cover - e.g. what could go wrong with the user session after they log in:

• Store passwords with bcrypt/scrypt/PBKDF2. No MD5 or SHA, as they are not good for password storing. Long salt (per user) is mandatory (the aforementioned algorithms have it built in). If you don't and someone gets hold of your database, they'll be able to extract the passwords of all your users. And then try these passwords on other websites.
• Use HTTPS. Period (otherwise, user credentials can leak through unprotected networks). Force HTTPS if the user opens a plain-text version. And make sure you use only the latest protocol (TLS 1.2 at the moment; TLS 1.1 doesn't seem to have vulnerabilities, so it can also be supported). You can do a Qualys Scan to check whether your supported protocol versions are OK.
• Mark cookies as secure. Makes cookie theft harder.
• Use CSRF protection (e.g. CSRF one-time tokens that are verified with each request). Frameworks have such functionality built-in.
• Disallow framing (X-Frame-Options: DENY). Otherwise, your website may be included in another website in a hidden iframe and "abused" through JavaScript.
• Have a same-origin policy.
• Logout - Let your users log out by deleting all cookies and invalidating the session. This makes the use of shared computers safer (yes, users should ideally use private browsing sessions, but not all of them are that savvy).
• Session expiry - Don't have forever-lasting sessions. If the user closes your website, their session should expire after a while. "A while" may still be a big number depending on the service provided. For Ajax-heavy websites, you can have regular Ajax-polling that keeps the session alive while the page stays open.
• Remember me - Implementing "remember me" (on this machine) functionality is actually hard due to the risks of a stolen persistent cookie. Spring-security uses this approach, which I think should be followed if you wish to implement more persistent logins.
• Forgotten password flow - The forgotten password flow should rely on sending a one-time (or expiring) link to the user and asking for a new password when it's opened. 0Auth explain it in this post and Postmark gives some best practices. How the link is formed is a separate discussion and there are several approaches. Store a password-reset token in the user profile table and then send it as a parameter in the link. Or do not store anything in the database, but send a few params: userId:expiresTimestamp:hmac(userId+expiresTimestamp). That way you have expiring links (rather than one-time links). The HMAC relies on a secret key, so the links can't be spoofed. It seems, however, that there's no consensus on this topic, as the OWASP guide has a bit of a different approach.
• One-time login links - This is an option used by Slack, which sends one-time login links instead of asking users for passwords. It relies on the fact that your email is well guarded and you have access to it all the time. If your service is not accessed too often, you can have that approach instead of (rather than in addition to) passwords.
• Limit login attempts - Brute-force through a web UI should not be possible; therefore you should block login attempts if too many occur. One approach is to just block them based on the IP. The other one is to block them based on the account attempting to log in. (Spring example here). Which one is better? I don't know. Both can actually be combined. Instead of fully blocking the attempts, you may add a captcha after, say, the 5th attempt. But don't add the captcha for the first attempt - it is bad user experience.
• Don't leak information through error messages - you shouldn't allow attackers to figure out if an email is registered or not. If an email is not found, upon login, just report "Incorrect credentials." On password resets, it may be something like "If your email is registered, you should have received a password reset email." This is often at odds with usability - people don't often remember the email they used to register, and the ability to check a number of them before getting in might be important. So this rule is not absolute, though it's desirable, especially for more critical systems.
• Make sure you use JWT only if it's really necessary and be careful of the pitfalls.
• Consider using a 3rd party authentication - OpenID Connect, OAuth by Google/Facebook/Twitter (but be careful with OAuth flaws as well). There's an associated risk with relying on a 3rd party identity provider, and you still have to manage cookies, log out, etc., but some of the authentication aspects are simplified.
• For high-risk or sensitive applications use 2-factor authentication. There's a caveat with Google Authenticator though - if you lose your phone, you lose your accounts (unless there's a manual process to restore it). That's why Authy seems like a good solution for storing 2FA keys.

I'm sure I'm missing something. And you see it's complicated. Sadly we're still at the point where the most common functionality - authenticating users - is so tricky and cumbersome, that you almost always get at least some of it wrong.