For service providers, handling customer accounts and personal data is a huge responsibility, and managing their security is an ongoing battle against new technology and new types of attacks.
At TIMIFY we are constantly working to ensure our solution goes above and beyond the recommended security measures, helping to give our clients peace of mind when building their business around our system.
What’s the threat to my business?
While security risks should be considered across all your operations, this article is focussed specifically on an issue known as ‘Broken Authentication’.
This refers to an attacker who takes advantage of poor user authentication and session management functions to hijack the identity of a genuine user, and their access to your systems and data.
The Open Web Application Security Project (OWASP), a leading organisation working to improve software security, lists Broken Authentication as the second biggest threat to software systems, stating that its prevalence is usually due to the “design and implementation of most identity and access controls”.
“Once an authenticated session has been established, the session ID (or token) is temporarily equivalent to the strongest authentication method used by the application, such as username and password, passphrases, one-time passwords (OTP), client-based digital certificates, smartcards, or biometrics (such as fingerprint or eye retina).”
– OWASP Session Management Cheat Sheet
To help combat this threat for TIMIFY clients, we have launched two new features which should be used in conjunction to help secure your session management against attacks.
Reduce session length
This lets you set how long a highly sensitive session ID for an individual user is valid before requiring them to log in again, even if they have been using the system continuously.
Security best practice suggests that user sessions should be kept as short as is feasible, to minimise an attacker’s window of opportunity to access your account (our default is 48 hours).
The time limits are simple to set up and can be adjusted by days, hours or minutes.
The examples below show just how easily poorly implemented session length can be exploited.
A user on a public or shared machine is logged in to TIMIFY. When they finish, they close the browser. However, if the session length is long, it’s possible for an attacker to continue the session just from reopening the browser.
Even if a user clicks a log out button before leaving the device, if the session is long the session ID remains in existence and could be accessed from anywhere without re-authenticating.
Hijacking a user session doesn’t even require someone to physically access your machine. Using TIMIFY on an insecure or public Wi-Fi allows an opportunity for an attacker to intercept your browser or internet cookies and use them to access your session without re-authenticating.
Again, if the session is long, this gives the attacker a longer window of opportunity to gain access.
Activate idle time log out
In addition to reducing the session lengths, TIMIFY allows you to further strengthen security with the option to force a session to end after a period of user inactivity.
After a designated idle period, users will be prompted to confirm if they are still using their account. If they don’t respond, they will be logged out.
This protects against attackers gaining access to your system via a logged-in machine which has been left unattended for just a few moments.
It can be particularly relevant for service providers, where staff will often be using shared or portable devices while also delivering the service and distracted by a face-to-face interaction.
Exactly how long you should set an inactivity timeout again depends on the nature of the data your system holds, but OWASP gives some general advice below:
“OWASP recommends application builders to implement short idle time outs (2-5 minutes) for applications that handle high-risk data, like financial information. It considers that longer idle time outs (15-30 minutes) are acceptable for low-risk applications.”
– Auth0 blog – Balance User Experience and Security to Retain Customers
The scenarios below show how not having an inactivity timeout in place can quickly be manipulated by attackers.
A physiotherapist may have a laptop or tablet in a treatment room to keep customer details to hand, but will frequently leave the device while they treat others or fetch materials.
Likewise, computers in an open plan office, shared workspace or reception area can be accessed when employees leave a machine to assist a visitor, go to the kitchen or use the bathroom.
In just a few moments an attacker can take control of the machine and have an authorised user’s access to your data or steal login information to use later.
A work laptop could be left on a train or in a coffee shop, or simply snatched by a thief.
If there is no inactivity timeout, an attacker can simply take the machine and access your TIMIFY account later, when they are not in a public area.
With a short inactivity timeout, the window of opportunity is very small and risky for an attacker to exploit in a public area.
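The two controls described in this article map directly onto two server-side checks: an absolute lifetime measured from when the session was created (reduce session length), and an idle limit measured from the last request (idle time log out). The following is an added example written for this page, not TIMIFY’s own code; the class and function names, the injectable clock and the 48-hour/5-minute defaults (the default stated above and the low end of the quoted idle range) are assumptions made for illustration. It shows how both limits are enforced on every request, why the idle limit alone is not enough (a session that is touched regularly never goes idle but still hits the absolute limit), and that logout removes the session ID server-side so it cannot be replayed.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed defaults for this example: the page's 48-hour default session
# length, and a 5-minute idle limit from the high-risk range quoted above.
DEFAULT_ABSOLUTE_LIFETIME = 48 * 3600
DEFAULT_IDLE_TIMEOUT = 5 * 60


class FakeClock:
    """Constructed clock so the example can step time deterministically."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Session:
    user_id: str
    created_at: float   # fixed at creation: basis of the absolute lifetime
    last_seen: float    # refreshed on each valid request: basis of the idle limit


class SessionStore:
    """Hypothetical in-memory session store enforcing both timeouts."""

    def __init__(self, absolute_lifetime=DEFAULT_ABSOLUTE_LIFETIME,
                 idle_timeout=DEFAULT_IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}
        self.absolute_lifetime = absolute_lifetime
        self.idle_timeout = idle_timeout
        self.clock = clock

    def create(self, user_id):
        # A fresh unpredictable ID per login; never reuse or derive from user data.
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = Session(user_id, now, now)
        return token

    def validate(self, token):
        """Check a presented session ID.

        Returns (user_id, "ok") and refreshes last_seen when the session is
        live; otherwise returns (None, reason) and removes the session, so a
        replayed ID is rejected as "unknown" on every later attempt. The reason
        string is what you would log to spot replay of expired IDs.
        """
        session = self._sessions.get(token)
        now = self.clock()
        if session is None:
            return None, "unknown"
        if now - session.created_at >= self.absolute_lifetime:
            self._sessions.pop(token, None)
            return None, "absolute_expired"
        if now - session.last_seen >= self.idle_timeout:
            self._sessions.pop(token, None)
            return None, "idle_expired"
        session.last_seen = now
        return session.user_id, "ok"

    def logout(self, token):
        # Server-side invalidation: deleting only the browser cookie is not enough.
        self._sessions.pop(token, None)


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    store = SessionStore(absolute_lifetime=600, idle_timeout=300, clock=clock)
    token = store.create("alice")
    print(store.validate(token))   # ('alice', 'ok')
    clock.advance(300)             # unattended for the full idle limit
    print(store.validate(token))   # (None, 'idle_expired')
    print(store.validate(token))   # (None, 'unknown'): the ID no longer exists
```

In a real deployment the store would be backed by a database or cache shared by all application servers, and the two limits would be the values you configure in the features described above; the logic on each request is the same.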
Involve your team in implementation
Of course, most teams will express frustration at being regularly logged out of their account and forced to re-enter their details.
It’s actually a common change request on TIMIFY mobile and tablet apps, where we force users to log in each time they reopen the app due to the increased risk their portability brings.
Therefore, it’s crucial to make it clear to all staff why these new features are being put in place.
Consult with your in-house security experts on a session length and inactivity logout that strike a reasonable balance between user experience and security.
Furthermore, ensure employees understand that combining simple measures like reduced session length and inactivity timeouts is highly effective against Broken Authentication attacks.
The minor inconvenience of repeating logins is simply incomparable to the damage a data breach could do to the business, its reputation and its customers.
Don’t delay – contact our team at TIMIFY for more information and tips on how to optimise your session management controls at the earliest opportunity.