Security
Introduction
Authentication services that support username + password logins often get targeted by attackers with the purpose of compromising user accounts. Some common attacks are:
- Brute force
- Credential stuffing
- Password spraying
The compromised accounts can later be used for fraud, product scalping, data leakage, etc. In order to mitigate these risks, we recommend implementing some of the mitigation options mentioned below.
Mitigations
Common mitigations
The following options are effective at preventing different types of attacks on customer accounts:
- Account lockouts — temporarily disable a user account after several failed login attempts.
- Rate-limiting — prevent a single IP address from sending a large number of authentication requests in a short amount of time.
- CAPTCHA — integrate a challenge into the login page in order to differentiate humans from automated tools during the login process. Modern CAPTCHA services offer non-interactive challenges, which do not hinder the user experience.
- Multi-factor authentication — offer users the option to require a second authentication factor during the login process, such as a time-based one-time password.
Mitigations by SCAYLE
Rate-Limiting
It is possible to implement rate-limiting within the authentication service by sending the following headers with every request to Checkout Authentication API:
Original request value | Header to send | Note
---|---|---
User-Agent header | x-original-user-agent |
IP address | x-original-client-ip | Take the original client IP visible to the web server, not the value of the x-forwarded-for header
Host header | x-original-host |
Content-Type header | x-original-content-type |
It is then possible to enable rate limits on the Checkout Authentication API. Please reach out to your respective SCAYLE Account Manager to enable this mitigation.

NOTE: The Checkout Authentication API does not rate-limit authentication requests by default; this needs to be enabled.

What we commonly recommend is the following set of rules (all per IP address):
- Maximum 10 requests per 10 seconds
- Maximum 30 requests per 1 minute
- Maximum 60 requests per 5 minutes
- Maximum 10 failed logins in 1 minute
- Maximum 20 failed logins per 5 minutes
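The following is an added example, not SCAYLE's own code, illustrating both parts of this section: building the x-original-* headers from the values the web server itself saw, and enforcing the recommended per-IP rule set with sliding windows over request and failed-login timestamps. The `LoginGate` class, the `authenticate` callback and the in-memory storage are assumptions for illustration; a production deployment would keep the counters in shared storage (for example a cache cluster) so that all web nodes enforce the same limits.

```python
"""Added example (not SCAYLE's code): per-IP rate limiting with the
recommended rule set, plus the header set forwarded to the authentication API."""
from collections import defaultdict, deque

# (maximum events, window in seconds) pairs taken from the recommended rules
REQUEST_RULES = [(10, 10), (30, 60), (60, 300)]
FAILED_LOGIN_RULES = [(10, 60), (20, 300)]


def forwarding_headers(client_ip, user_agent, host, content_type):
    """Build the headers to send with every request to the authentication API.

    client_ip must be the peer address the web server saw on the connection
    (e.g. the framework's remote_addr), never a value copied from the
    client-controlled X-Forwarded-For header.
    """
    return {
        "x-original-client-ip": client_ip,
        "x-original-user-agent": user_agent,
        "x-original-host": host,
        "x-original-content-type": content_type,
    }


class SlidingWindowLimiter:
    """Keeps a timestamp deque per IP and checks it against several (limit, window) rules."""

    def __init__(self, rules):
        self.rules = rules
        self.longest_window = max(window for _, window in rules)
        self.events = defaultdict(deque)

    def _prune(self, ip, now):
        # Drop timestamps older than the longest window; they cannot affect any rule.
        queue = self.events[ip]
        while queue and now - queue[0] >= self.longest_window:
            queue.popleft()

    def allowed(self, ip, now):
        """True if one more event for ip at time now would still satisfy every rule."""
        self._prune(ip, now)
        queue = self.events[ip]
        for limit, window in self.rules:
            recent = sum(1 for t in queue if now - t < window)
            if recent >= limit:
                return False
        return True

    def record(self, ip, now):
        self.events[ip].append(now)


class LoginGate:
    """Hypothetical front door for the login endpoint, returning an HTTP status code."""

    def __init__(self):
        self.requests = SlidingWindowLimiter(REQUEST_RULES)
        self.failures = SlidingWindowLimiter(FAILED_LOGIN_RULES)

    def handle(self, ip, now, authenticate):
        # Both the total-request and the failed-login budgets must have room.
        if not self.requests.allowed(ip, now) or not self.failures.allowed(ip, now):
            return 429
        self.requests.record(ip, now)
        # authenticate() stands in for the upstream call; True means the login succeeded.
        if authenticate():
            return 200
        self.failures.record(ip, now)
        return 401


if __name__ == "__main__":
    gate = LoginGate()
    # Constructed sample traffic: 11 requests from one address within five seconds.
    print([gate.handle("203.0.113.5", i * 0.5, lambda: True) for i in range(11)])
    print(forwarding_headers("203.0.113.5", "Mozilla/5.0", "shop.example", "application/json"))
```

The two limiters are deliberately separate: the request budget stops volumetric abuse regardless of outcome, while the failed-login budget catches slow password guessing that stays under the request limit but keeps failing.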
Monitoring and alerting
SCAYLE monitors your live environment by default for attacks on customer accounts. If an attack happens, you will be notified within the agreed-upon timeline and further actions will be taken to secure the compromised customer accounts.
Note: SCAYLE is unable to stop an ongoing attack without the x-original-client-ip header sent with each authentication request. Without the header, the post-mortem analysis is also less precise and can lead to unnecessary blocking of customer accounts.