Microsoft network passport

Secure sign-in is a feature of Passport that provides a more secure login than you can get with the standard Passport login. This is an especially important concern for banks, brokerage houses, medical sites, and anywhere a user keeps confidential data. In fact, implementing secure sign-in requires you to use SSL and special parameters for the Passport login functions.

Except for requiring a browser that supports HTTPS (almost all browsers do today), secure sign-in does not impose any additional burden on your users. Developing a site that's enabled for secure sign-in is as easy as setting up a site for standard sign-in—it requires just a few lines of code. In this article I'll compare sign-in approaches and describe the steps that are necessary to set up secure sign-in on your site. I'll look at secure sign-in through the lens of two programming paradigms, the Passport .NET Framework. Finally, I'll show some samples of Web pages that are designed to use secure sign-in. See the Glossary for definitions of some of the terminology used in this article.

As I mentioned, there are several security concerns that Passport standard sign-in shares with other verification mechanisms. The first is vulnerability to a brute-force attack against a user's credentials.

To reduce this vulnerability, login servers for .NET Passport implement a slow-down mechanism to discourage attacks based on repeatedly guessing passwords. After five consecutive failed login attempts, a user will be asked to wait five minutes before trying to sign in again.

This functionality protects the user from being locked out of the site indefinitely while significantly thwarting a malicious user's attempt to gain access to the account. A replay is another type of attack in which a login transaction is captured as it passes over an open HTTP connection. Passport is currently vulnerable to replay attacks, even though the ticket and profile are encrypted, because they're exchanged over an open HTTP connection.

Someone listening in on the conversation could capture these packets and replay them, which would allow this hacker to impersonate the user until their login ticket expires. Login credentials (e-mail address and password), on the other hand, are sent to a Passport domain authority over HTTPS, so they are safe from exposure.

To avoid silent reauthentication, participating sites can require the user to reenter his or her sign-in name and password regardless of the user's current authentication state.

By forcing a user to retype credentials, the site effectively denies access to someone who does not know the user's username and password. Secure sign-in eliminates the vulnerabilities of standard sign-in by adding new features. The first level, Secure Channel, requires the use of SSL communication for all authentication iterations.

The second level, Security Key, requires that the consumer select an additional credential—a PIN—to sign in. The Secure Channel level of secure sign-in includes several new features to eliminate the packet-sniffing window of opportunity used in replay attacks. Secure Channel requires use of SSL communication for all authentication iterations. This level of security requires you to serve pages over HTTPS, which means that your site must have established and signed certificates from a certification authority (CA).

If you've chosen to use cobranding on the login server and other network servers, each cobranding element must also be available via HTTPS. Finally, the secure sign-in page is cobrandable in the same way as the standard sign-in page. Inline sign-in is not permitted for gathering secure login credentials.

Using HTTPS keeps packet sniffers from extracting this secure cookie, so it can't be captured and used for spoofing a user. To prevent cookies submitted in headers to the login server from being copied and used on other sites, Passport decrypts the secure cookie and checks it against the user's PUID in the ticket. If there is a mismatch (or if no secure cookie exists), the user is not authenticated and must go through the steps to resubmit credentials. The ticket and profile are still written as plain-text cookies so that they can be accessed by pages on your site that don't use HTTPS.

If, for example, the IsAuthenticated method returns True with this parameter, it means that the last sign-in wrote the secure cookie and that the PUID in the secure cookie must match the one in the nonsecure ticket. An efficient use of secure sign-in would be to request it on the initial check for authentication when the user goes to the login server. Subsequent checks for authentication would use IsAuthenticated, specifying that the secure cookie should be checked. This action doesn't require another round-trip to the login server.

Even if someone captured ticket or profile parameters from your site or managed to submit captured header cookies to the login server, the authentication would fail because there would not be a secure cookie to match the most recent ticket.
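The secure-cookie check described above, as an added example that is not code from the article or from the Passport SDK: a Go model of the plain-text ticket cookie and the secure cookie, with a site-side IsAuthenticated check that requires the ticket to be unmodified and inside the TimeWindow and, when asked to, requires a secure cookie whose PUID matches the ticket's PUID, all without a round-trip to the login server. The cookie layout (`puid|unixtime|tag`), the HMAC-SHA256 tag standing in for Passport's ticket encryption, the shared `siteKey`, and the parameter list of IsAuthenticated (which differs from the Passport Manager method of the same name) are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"strconv"
	"strings"
	"time"
)

// siteKey is the key shared between the login server and the site. Constructed for
// this example; Passport's real ticket encryption key is not modelled.
var siteKey = []byte("constructed-site-key-not-for-production")

// mac returns a hex HMAC-SHA256 tag over payload.
func mac(payload string) string {
	m := hmac.New(sha256.New, siteKey)
	m.Write([]byte(payload))
	return hex.EncodeToString(m.Sum(nil))
}

// IssueTicket is the login server's side: the plain-text ticket cookie is
// "puid|unixtime|tag", readable by pages that are not served over HTTPS.
func IssueTicket(puid string, signedAt time.Time) string {
	body := puid + "|" + strconv.FormatInt(signedAt.Unix(), 10)
	return body + "|" + mac(body)
}

// IssueSecureCookie models the cookie written only by a secure sign-in over HTTPS: "puid|tag".
func IssueSecureCookie(puid string) string {
	return puid + "|" + mac(puid)
}

// parse checks the tag on the last field and returns the fields before it, or false
// if the cookie was modified after the login server wrote it.
func parse(cookie string) ([]string, bool) {
	i := strings.LastIndex(cookie, "|")
	if i < 0 {
		return nil, false
	}
	body, tag := cookie[:i], cookie[i+1:]
	if !hmac.Equal([]byte(tag), []byte(mac(body))) {
		return nil, false
	}
	return strings.Split(body, "|"), true
}

// IsAuthenticated is the site-side check: the ticket must be unmodified and no older
// than timeWindow; when secureCheck is set, a secure cookie must exist and its PUID must
// equal the ticket's PUID. None of this needs a round-trip to the login server.
func IsAuthenticated(ticket, secure string, timeWindow time.Duration, secureCheck bool, now time.Time) bool {
	f, ok := parse(ticket)
	if !ok || len(f) != 2 {
		return false
	}
	unix, err := strconv.ParseInt(f[1], 10, 64)
	if err != nil {
		return false
	}
	signedAt := time.Unix(unix, 0)
	if signedAt.After(now) || now.Sub(signedAt) > timeWindow {
		return false // TimeWindow elapsed: the user must be sent back to the login server
	}
	if !secureCheck {
		return true // standard sign-in: the ticket alone decides
	}
	s, ok := parse(secure)
	if !ok || len(s) != 1 || s[0] != f[0] {
		return false // no secure cookie, or it was written by a different sign-in
	}
	return true
}
```

The secure-check branch is what defeats a captured ticket: a copied ticket cookie without the matching secure cookie, or with a secure cookie from another sign-in, is rejected even though the ticket itself is intact and unexpired.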

This option can be used separately without requiring a security key. To do this, the SecureLevel parameter of the Passport login function should be set to the Secure Channel level. This is considered strong security because it requires a hacker to compromise base credentials in order to attack a site (effectively increasing the overall security on a secure site), and because it is protected by a lock-out mechanism that goes into effect after five failed attempts.

The security key does not automatically unlock; once the lock-out mechanism is triggered, the user must go through a reset process to regain access to secure sites. A PIN will usually be used to protect secure sites that deal with sensitive financial or personal information, where preventing access by an unauthorized person is more important than providing quick and easy logins for the user.
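The two lock-out behaviours described in this article, base credentials that pause for five minutes after five consecutive failures and a Security Key that stays locked until the reset process is completed, as an added Go example that is not code from the article or from the Passport login servers. The Policy and Credential types, the clock passed in as a parameter, and the sample secrets are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"time"
)

// Policy describes how a credential reacts to consecutive failed attempts.
type Policy struct {
	MaxFailures int           // consecutive failures before the credential locks
	Cooldown    time.Duration // how long a lock lasts; zero means only Reset unlocks it
}

// BaseCredentialPolicy follows the article: after five failures, wait five minutes.
var BaseCredentialPolicy = Policy{MaxFailures: 5, Cooldown: 5 * time.Minute}

// SecurityKeyPolicy: after five failures the PIN stays locked until the reset process.
var SecurityKeyPolicy = Policy{MaxFailures: 5}

// Credential tracks one account's secret and its lock-out state.
type Credential struct {
	policy   Policy
	secret   string
	failures int
	locked   bool
	lockedAt time.Time
}

// NewCredential keeps the secret in clear only for brevity; a real store keeps a hash.
func NewCredential(p Policy, secret string) *Credential {
	return &Credential{policy: p, secret: secret}
}

// Locked reports whether attempts are refused right now. A timed lock clears itself once
// the cooldown has elapsed; a lock with no cooldown persists until Reset is called.
func (c *Credential) Locked(now time.Time) bool {
	if c.locked && c.policy.Cooldown > 0 && now.Sub(c.lockedAt) >= c.policy.Cooldown {
		c.locked, c.failures = false, 0
	}
	return c.locked
}

// Attempt records one sign-in try. While the credential is locked, even the correct
// secret is refused, which is what makes the slow-down effective against guessing.
func (c *Credential) Attempt(guess string, now time.Time) bool {
	if c.Locked(now) {
		return false
	}
	if subtle.ConstantTimeCompare([]byte(guess), []byte(c.secret)) == 1 {
		c.failures = 0
		return true
	}
	c.failures++
	if c.failures >= c.policy.MaxFailures {
		c.locked, c.lockedAt = true, now
	}
	return false
}

// Reset models the Member Services process (three secret questions) that unlocks a Security Key.
func (c *Credential) Reset() {
	c.locked, c.failures = false, 0
}
```

The only difference between the two policies is the zero Cooldown on the Security Key: the same five-failure threshold applies, but nothing short of an explicit Reset clears the lock.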

The Security Key level of secure sign-in was introduced in .NET Passport version 2. The Security Key level of secure sign-in includes all of the features of the Secure Channel level, plus several others.

The first time a user attempts to access a site where Security Key is required, a Security Key selection page is displayed. The user must select a four-character Security Key along with three different secret question and answer combinations. The secret questions and answers are used if the user needs to change or reset the Security Key. In the event the user forgets her PIN, she will have to go to Member Services, where the PIN reset process will ask her to answer her three secret questions.

E-mail is not used to reset a user's PIN. The Secure Key is intended to protect secure sites from vulnerable base credentials, since the majority of Passport users use the base credentials to access their e-mail (especially users of Hotmail). Your site might use secure sign-in if you are already using fairly long TimeWindows and you don't expect to make many further reauthentication checks. The default is to keep a sign-in alive for 14,400 seconds, or 4 hours.

This is the registry default, which is set when the Passport SDK is installed. Longer TimeWindows increase the opportunity for replay attacks, but they provide better performance on a site because round-trip redirects back to the login server are minimized. You could also use secure sign-in if successful .NET Passport authentication gives your users access to extensive personal or sensitive information, such as transactional abilities or the ability to edit personal data above and beyond the .NET Passport profile.

Microsoft Passport (May 17)

The following steps explain how Microsoft Passport works: The client attempts to connect to a web application using a browser.

The IDP sends an authentication challenge to the client device. The private key is used to sign the challenge and send it back as a response with the original challenge along with the ID of the key that was used to sign the challenge. The AD then fetches the corresponding public key for the key ID in the response and checks if the signed challenge matches the original unsigned challenge.

The device now uses its own private key to decrypt the session key and then uses that key to decrypt the authentication token. This authentication token is then used to gain access to the web application.
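The challenge-response exchange in the steps above, as an added Go example that is not code from the post or from Microsoft. It models the device signing the challenge with a private key, the response carrying the original challenge, the signature and the ID of the signing key, and the directory fetching the public key for that key ID and checking the signature against the challenge it issued. Ed25519, the key-ID derivation (8 bytes of SHA-256 over the public key) and the one-time challenge table are this example's assumptions; the last step, delivering a session key and an encrypted token, is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Response is what the device returns: the key ID, the original challenge and its signature.
type Response struct {
	KeyID                string
	Challenge, Signature []byte
}

// Device holds the private key, which never leaves the device.
type Device struct{ priv ed25519.PrivateKey }

// IdP models the identity provider / directory: public keys by key ID plus
// challenges that have been issued but not yet consumed.
type IdP struct {
	registry map[string]ed25519.PublicKey
	pending  map[string]bool
}

func NewIdP() *IdP {
	return &IdP{registry: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// keyID is a constructed scheme: the first 8 bytes of SHA-256 over the public key.
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Enroll generates the device key pair and registers the public half with the IdP.
func Enroll(idp *IdP) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	idp.registry[keyID(pub)] = pub
	return &Device{priv: priv}, nil
}

// Challenge issues a fresh random challenge and remembers it until it has been used once.
func (p *IdP) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	p.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// Respond signs the challenge with the private key and sends it back together with
// the original challenge and the ID of the key that signed it.
func (d *Device) Respond(challenge []byte) Response {
	pub := d.priv.Public().(ed25519.PublicKey)
	return Response{KeyID: keyID(pub), Challenge: challenge, Signature: ed25519.Sign(d.priv, challenge)}
}

// Verify is the directory's side: it fetches the public key for the key ID and checks
// that the signature is over the very challenge it issued. A challenge is accepted once,
// so a response captured on the wire and replayed later is rejected.
func (p *IdP) Verify(r Response) error {
	ch := hex.EncodeToString(r.Challenge)
	if !p.pending[ch] {
		return errors.New("challenge was not issued or has already been used")
	}
	delete(p.pending, ch)
	pub, ok := p.registry[r.KeyID]
	if !ok {
		return errors.New("unknown key ID")
	}
	if !ed25519.Verify(pub, r.Challenge, r.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}
```

Consuming the challenge before looking up the key matters: a verifier that only checked the signature would accept the same signed challenge any number of times, which is the replay weakness the post's password-free design is meant to close.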

Central to the Microsoft Passport network is the Passport Nexus, which facilitates synchronization of Passport participant sites to assure that each site has the latest details on network configuration and other issues.

Each Passport component (Passport Manager, login servers, update servers, and so on) periodically communicates with the Nexus to retrieve the information it needs to locate, and properly communicate with, the other components in the Passport network. A Passport login server handles all requests for tickets for any resource in a Passport domain authority. Before a request can be authenticated using Passport, the client application must contact the login server to obtain the appropriate tickets.

When a client requests tickets from a Passport login server, the login server typically responds with a status code to indicate that user credentials must be provided.

When these credentials are provided, the login server responds with the tickets required to access the specified resource on the server that contains the originally requested resource. The login server can also redirect the client to another server that can provide the requested resource. When the client has the tickets that correspond to a given server, those tickets are included with all requests to that server.

If the tickets have not been modified since they were retrieved from the Passport login server, and the tickets are valid for the resource server, the resource server sends a response that includes both the requested resource and cookies that indicate that the user is authenticated for future requests. The additional cookies in the response are intended to speed the authentication process. Additional requests in the same session for resources on servers in the same Passport Domain Authority all include these additional cookies.

Credentials do not need to be sent to the login server again until the cookies expire. During the initial request, the server responds with a status code when authentication is necessary. The status code actually indicates a redirection and is part of the Passport protocol for backwards compatibility. The WinHTTP application is notified of the status code sent by the login server to request user credentials. To the application, however, it appears as if the status originates from the server from which the resource was requested.

In this way, the WinHTTP application is unaware of interactions with other servers, and it can handle Passport authentication with the same code that handles other authentication schemes. Typically, a WinHTTP application responds to a status code by supplying authentication credentials.

When credentials are supplied with WinHttpSetCredentials or SetCredentials for passport authentication, the credentials are actually being sent to the login server, not to the server indicated in the request. Because WinHttpSetOption is a less secure way to supply credentials, it should normally be avoided.
