Another week, yet another high profile security breach for a website. This time it's Evernote; who will be next? It seems like it's becoming an almost daily occurrence that some website has had a security breach. Are our current methods of security broken? Do we need an international standard or just better eduction?
The web has come on in leaps and bounds over the last 10 years, and it now seems as if every website requires you to sign up. All of the security experts recommend you use different passwords for different sites, but how many people actually do this and how reasonable a request is this? If you have different passwords for your email , Twitter, Facebook, Google+, LinkedIn, Evernote, Amazon, iTunes, Dropbox and GitHub accounts then that is 10 already. If each one is meant to be long and complex (10 characters plus, and a mix of characters, numbers and symbols) is it reasonable or even possible to remember them all? And this is just a small selection of accounts you have that you use on a daily basis, and is not including all the throw away accounts you always end up signing up for.
There are a number of services already available such as LastPass and 1Password but neither are the silver bullet, even though they go part of the way to solving the problem.
So as a web developer what can we do to protect ourselves and more importantly the user data we hold - what options are available?
OpenID and 3rd Party Sign Ins
A popular solution is using OpenID; this goes part way towards taking the responsibility of protecting user passwords and other sensitive information away from your website as you don't store the data in your application. StackOverflow is probably one of OpenID's success stories. However it has not been a success for everyone. Rob Conery has detailed some of the issues he's faced in the past with OpenID.
A way around this is just allowing your customers to sign in with a single 3rd party account. For example Spotify allows users to register with just Facebook; this is easier to manage but it does require all of your users to have a Facebook account.
An alternative to OpenID and a step further than 3rd party sign-ins like Facebook is Mozilla Persona. This is a relatively new development and hasn't had a huge amount of traction yet but it is growing and is one to watch.
2 Factor Authentication / Single Use Code
An additional security step that can be taken is the use of two-factor authentication. This is when a code is sent via email, phone, text or app and is required as a second step in order to login. This is becoming a popular option with Google, Dropbox, Steam, Microsoft (through the use single-use codes), plus many more having this option for its users. This is a complex system to set up, and if you are on limited resources it's not always feasible to implement.
The Password-less Option
A unique take on the issue of security has been taken by Marco Arment (of Instapaper fame) in his new project The Magazine. Rather than logging in with a username and password you login with just your email address. From this a one-time login link is sent to your Inbox and this logs you into the site. I think this is a nice approach to the problem and one that is definitely worth considering if you are implementing a new system.
I think the key to providing successful security to your users is giving them feedback at every opportunity. For example, if your user logs in on a new computer, send them an email to say that. Then, if the real person actually hasn't logged in, the user can quickly change their password and/or contact you. Facebook, Dropbox and GitHub are just a few of the companies out there that do this.
Google takes this one step further. If you've ever looked at the bottom of your Gmail inbox you can see a link called "Details". This shows recent sessions for your account and the relevant IP Addresses, so you can see any suspicious activity and reset the session as well. This is also handy if you've left your account logged in on any public machine as well.
As you can see, there are a number of different options to consider when even thinking about security, let alone implementing it. Not all of these options are easy to implement, or possible depending on the size of your project or team. I think the key though is providing user feedback at every opportunity. This will help to gain the trust of your users and improve their overall experience of your product.
If you want links to technical articles and blogs feel free to follow me on twitter @lancscoder as I tweet links throughout the week.