Authentication: Implement enhanced user security

- Implement a reputable identity framework - use the platform's or a well-maintained library's identity management rather than custom code; never store passwords in plaintext or reversibly encrypted form, only as salted hashes from a purpose-built password hashing function (see the OWASP Password Storage Cheat Sheet)
- Password policy (implementation of #10)
- Multi-factor authentication
- Login attempts limit - lock or throttle the account after repeated failures, without disclosing the lockout in a way that confirms the username exists
- Session limit - cap the number of concurrent sessions per user and evict the oldest beyond that cap
- Autologout - expire sessions server-side after an idle timeout and after an absolute lifetime, not only in the client
- Prevent username enumeration - return the same message and take the same time for an unknown user, a wrong password and a locked account, on login, registration and password reset alike
- Add more as required
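The following is an added illustration of the login-attempt limit, session limit, autologout and username-enumeration items above; it is constructed for this page and is not the project's code. It assumes a single-process, in-memory store (the `AuthService`, `Account` and `Session` names and the constants are this example's own), uses PBKDF2-HMAC-SHA256 from the standard library for hashing, and takes an injectable clock so lockout and expiry can be exercised without waiting. It shows the mechanics only; per the first item in the list, a real deployment should obtain these controls from a reputable identity framework rather than reimplement them.

```python
"""Added example: login controls from the checklist (lockout, session cap,
idle/absolute expiry, enumeration-safe failures). Not the project's code."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable

MAX_FAILED_ATTEMPTS = 5               # failures before a temporary lockout
LOCKOUT_SECONDS = 15 * 60
SESSION_IDLE_SECONDS = 15 * 60        # autologout after inactivity
SESSION_ABSOLUTE_SECONDS = 8 * 3600   # autologout regardless of activity
MAX_SESSIONS_PER_USER = 3             # session limit; oldest session is evicted beyond this
PBKDF2_ITERATIONS = 600_000           # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
GENERIC_FAILURE = "Invalid username or password"   # one message for every failure path


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    username: str
    created: float
    last_seen: float


class AuthService:
    def __init__(self, now: Callable[[], float] = time.time, iterations: int = PBKDF2_ITERATIONS):
        self.now = now                  # injectable clock (assumption for testability)
        self.iterations = iterations
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}   # token -> Session
        # Dummy credential hashed at startup: an unknown username goes through the same
        # hash computation as a real one, so response time does not reveal whether the
        # account exists.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(secrets.token_hex(16), self._dummy_salt, iterations)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt, self.iterations))

    def login(self, username: str, password: str) -> tuple[bool, str]:
        """Return (True, session_token) on success, else (False, GENERIC_FAILURE)."""
        now = self.now()
        acct = self.accounts.get(username)
        # Hash exactly once on every path, whether the user exists, is locked, or not.
        salt = acct.salt if acct else self._dummy_salt
        expected = acct.pw_hash if acct else self._dummy_hash
        matches = hmac.compare_digest(hash_password(password, salt, self.iterations), expected)
        if acct is None or acct.locked_until > now:
            # Unknown user and locked account get the same answer as a wrong password;
            # a distinct "account locked" message would confirm the username exists.
            return False, GENERIC_FAILURE
        if not matches:
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
            return False, GENERIC_FAILURE
        acct.failed_attempts = 0
        return True, self._create_session(username, now)

    def _create_session(self, username: str, now: float) -> str:
        # Session limit: evict the oldest sessions so at most MAX_SESSIONS_PER_USER remain.
        active = sorted(
            (t for t, s in self.sessions.items() if s.username == username),
            key=lambda t: self.sessions[t].created,
        )
        while len(active) >= MAX_SESSIONS_PER_USER:
            del self.sessions[active.pop(0)]
        token = secrets.token_urlsafe(32)      # 256 bits from the CSPRNG, never user-chosen
        self.sessions[token] = Session(username, now, now)
        return token

    def validate_session(self, token: str) -> str | None:
        """Return the username for a live session, or None (and drop it) if expired."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.now()
        if now - s.last_seen > SESSION_IDLE_SECONDS or now - s.created > SESSION_ABSOLUTE_SECONDS:
            del self.sessions[token]           # autologout enforced server-side
            return None
        s.last_seen = now
        return s.username
```

The lockout is applied after the hash is computed, and the locked and unknown-user branches share the wrong-password response, so neither the message nor the response time separates "no such user" from "wrong password" from "locked" (the WSTG-ATHN-03 check in the references). Expiry is decided by the server clock on each `validate_session` call, so a client that never sends its final request is still logged out.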
Ref:
- OWASP: Authentication cheat sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
- OWASP: Pen test: WSTG-ATHN-03: Testing for Weak Lock Out Mechanism: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism
- OWASP: Pen test: WSTG-ATHN-07: Testing for Weak Password Policy: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy
- OWASP: Pen test: WSTG-ATHN-09: Testing for Weak Password Change or Reset Functionalities: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities
Edited by Janna