OWASP Developer Guide

Implement Digital Identity Checklist

4.2.6 Checklist: Implement Digital Identity

Authentication is the process of verifying that an individual or entity is who they claim to be. Session management is a process by which a server maintains the state of the users authentication so that the user may continue to use the system without re-authenticating.

Refer to proactive control C7: Implement Digital Identity and its cheatsheets for more context from the OWASP Top 10 Proactive Controls project, and use the list below as suggestions for a checklist that has been tailored for the individual project.

1. Authentication

  1. Design access control authentication thoroughly up-front
  2. Force all requests to go through access control checks unless public
  3. Do not hard code access controls that are role based
  4. Log all access control events
  5. Use Multi-Factor Authentication (MFA) for sensitive or high value transactional accounts

2. Passwords

  1. Require authentication for all pages and resources, except those specifically intended to be public
  2. All authentication controls must be enforced on a trusted system
  3. Establish and utilize standard, tested, authentication services whenever possible
  4. Use a centralized implementation for all authentication controls
  5. Segregate authentication logic from the resource being requested and use redirection to and from the centralized authentication control
  6. All authentication controls should fail securely
  7. Administrative and account management must be at least as secure as the primary authentication mechanism
  8. If your application manages a credential store, use cryptographically strong one-way salted hashes
  9. Password hashing must be implemented on a trusted system
  10. Validate the authentication data only on completion of all data input
  11. Authentication failure responses should not indicate which part of the authentication data was incorrect
  12. Utilize authentication for connections to external systems that involve sensitive information or functions
  13. Authentication credentials for accessing services external to the application should be stored in a secure store
  14. Use only HTTP POST requests to transmit authentication credentials
  15. Only send non-temporary passwords over an encrypted connection or as encrypted data
  16. Enforce password complexity and length requirements established by policy or regulation
  17. Enforce account disabling after an established number of invalid login attempts
  18. Password reset and changing operations require the same level of controls as account creation and authentication
  19. Password reset questions are deprecated, see Choosing and Using Security Questions Cheat Sheet as to why
  20. If using email based resets, only send email to a pre-registered address with a temporary link/password
  21. Temporary passwords and links should have a short expiration time
  22. Enforce the changing of temporary passwords on the next use
  23. Notify users when a password reset occurs
  24. Prevent password re-use
  25. The last use (successful or unsuccessful) of a user account should be reported to the user at their next successful login
  26. Change all vendor-supplied default passwords and user IDs or disable the associated accounts
  27. Re-authenticate users prior to performing critical operations
  28. If using third party code for authentication inspect the code carefully to ensure it is not affected by any malicious code

3. Cryptographic based authentication

  1. Use the server or framework’s session management controls
  2. Session identifier creation must always be done on a trusted system
  3. Session management controls should use well vetted algorithms that ensure sufficiently random session identifiers
  4. Set the domain and path for cookies containing authenticated session identifiers to an appropriately restricted value for the site
  5. Logout functionality should fully terminate the associated session or connection
  6. Logout functionality should be available from all pages protected by authorization
  7. Establish a session inactivity timeout that is as short as possible, based on balancing risk and business functional requirements
  8. Disallow persistent logins and enforce periodic session terminations, even when the session is active
  9. If a session was established before login, close that session and establish a new session after a successful login
  10. Generate a new session identifier on any re-authentication
  11. Do not allow concurrent logins with the same user ID
  12. Do not expose session identifiers in URLs, error messages or logs
  13. Implement appropriate access controls to protect server side session data from unauthorized access from other users of the server
  14. Generate a new session identifier and deactivate the old one periodically
  15. Generate a new session identifier if the connection security changes from HTTP to HTTPS, as can occur during authentication
  16. Set the secure attribute for cookies transmitted over an TLS connection
  17. Set cookies with the HttpOnly attribute, unless you specifically require client-side scripts within your application to read or set a cookie value

References


The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.

\newpage