Any help is really appreciated for the following scenario:
How does Amazon.com manage different levels of authentication, once when you visit the site and a second time when you go to "Your Account" -> "Login & Security", as a security feature?
A user logs in (i.e. authenticates) to a website and there is no activity for 7 days. When the user revisits the website, the user is asked to authenticate again. This could be implemented using cookies, but due to a security issue it was implemented using a session token on the server side. After 7 days, when the expired token is provided by the browser, the user is challenged to re-authenticate.
Now, the new requirement is that if the user logs in and visits the "Your Account" page, then:
if the user is still on the "Your Account" page and there is no activity for 10 minutes, then the user should be challenged to re-authenticate again,
OR
if the user leaves the "Your Account" page and revisits it after 10 minutes, then the user should be challenged to re-authenticate again.
So with the token I can manage only one period of inactivity; how can I handle multiple states, i.e. the full state (7 days) and the partial state (10 minutes)?
What is the industry practice to handle this scenario? I don't want to use cookies because of the security issue. And since an SSO provider is being used for authentication, use of a database would be the last option.
-- David.
How you could handle this is going to boil down to the implementation details of your current expiring session token logic.
A common way to do it is to store your session tokens in a database or in-memory cache. If that's the case, you could simply add a new column that indicates when the user opened the accounts page.
As an example, your new column could be called accountSettingsStartTime. Normally it would have no value, but when the user navigates to the accounts page, it would be populated with the current time. When the user navigates away from the accounts page, you could clear it out. Then, when you check a security token, you just need to check your standard 7 day expiry as well as checking the accountSettingsStartTime column and ensuring it's within the last 10 minutes.
Alternatively, you could give the user a whole new session token with an expiry of 10 minutes when they navigate to account settings, and enforce the usage of that token for operations that involve account settings. You could then check that token when account settings are changed and ask the user to re-authenticate if it has expired (and invalidate their standard 7 day token). Of course, this would require more effort on the client side.
As they say, there's more than one way to skin a cat :)
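The first approach above, as an added example that is not part of the original answer: a server-side session record that keeps the existing 7-day idle rule and adds one extra column for "Your Account". Instead of clearing the column when the user leaves the page, the column records the last request made to the account page after the user last proved their identity, so both of the asker's cases (idle on the page for 10 minutes, or away from it for 10 minutes) are handled by the same check. The store, timestamps and function names are constructed for the example.

```python
import secrets
from dataclasses import dataclass

INACTIVITY_LIMIT = 7 * 24 * 3600   # seconds: site-wide idle limit from the question
SENSITIVE_LIMIT = 10 * 60          # seconds: "Your Account" idle limit from the question


@dataclass
class Session:
    user_id: str
    last_activity: int      # unix time; drives the existing 7-day rule
    account_last_seen: int  # the extra column: last identity-backed use of "Your Account"


# Constructed stand-in for the server-side session store (a DB table or cache).
SESSIONS: dict[str, Session] = {}


def login(user_id: str, now: int) -> str:
    """Full authentication; the login itself counts as the latest proof of identity."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user_id=user_id, last_activity=now, account_last_seen=now)
    return token


def confirm_sensitive(token: str, now: int) -> None:
    """Called once the user has passed the re-authentication challenge for "Your Account"."""
    SESSIONS[token].account_last_seen = now


def authorize(token: str, now: int, account_page: bool = False) -> str:
    """Returns 'ok', 'reauth' (7-day idle limit hit, token destroyed) or
    'reauth-sensitive' (10-minute limit for "Your Account" hit, token kept)."""
    s = SESSIONS.get(token)
    if s is None or now - s.last_activity > INACTIVITY_LIMIT:
        SESSIONS.pop(token, None)      # an expired token is never revived
        return "reauth"
    s.last_activity = now              # any request resets the 7-day clock
    if not account_page:
        return "ok"                    # ordinary pages: only the 7-day rule applies
    if now - s.account_last_seen > SENSITIVE_LIMIT:
        return "reauth-sensitive"      # idle on the page, or away from it, for > 10 min
    s.account_last_seen = now          # activity inside the window extends it
    return "ok"
```

The 10-minute challenge leaves the 7-day token intact, so a user who fails or abandons the challenge is simply kept out of the account page rather than logged out of the whole site.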
Related
A strange situation that I am unable to find other people having to deal with. We are using Microsoft AspNetCore.Identity to handle our authentication. Everything is working fine.
The problem is that for a user to perform certain actions, they MUST get another user to 'sign' that action. This act of signing of course requires that other user to use their user name and password to sign the action.
The issue with this is that the other user's details are readily visible in the request payload. So if I am sneaky, I can open the developer tools in my browser (and hide it), then ask my admin to come and sign my action, and when they have gone I can go to the network tab and see their username and login in plain text!
Of course this is all over https, but still, we can't allow one user to see another's sensitive information.
How are we to allow a second user B to 'sign' an action for user A while in user A's active session, while removing the capacity for user A to steal user B's credentials? Any ideas? (Front end is angular.js)
I imagine it's a big rework, but instead of having the "admin" sign the request on the user's machine, the admin could receive a "user A requires this action to be signed, proceed? [ok] [cancel]" on their account, the action would be stored in the database (perhaps temporarily?) and then all of the sensitive information is kept within each user's session with no cross over.
Then the authentication of who is permitted to approve actions can be handled in the backend via standard identity methods.
The user's "Please wait while an admin signs this action" modal (assumption) could then poll an API to determine the status of the action and then proceed once accepted.
I second #justcompile's answer if you need an authorised and authenticated user to sign/confirm the action, more work but the only secure way.
If you just need a second pair of eyes to confirm you could message a private group or slack channel that only "authorised" people have access to with a one-time URL containing a token (that maybe expires after a period of time too).
Assuming admins only access that channel they can follow the link, the app can validate the token and confirm the action.
Saves a second (admin) user logging in on their own machine and the need to build a workflow and UI etc, but again exposes you to risk if nefarious types get access to the channel or the links sent to it.
Depends on your appetite for risk I guess.
Another user performs the signing action on your local system, and you are sly?
There is no way to protect their password.
Use two-factor authentication.
The way this would normally be handled is for the user to request an action. This (unsigned) action-request is recorded in the database. The admin user is able to see this unsigned request in their account, and make an (authenticated) request to sign it. The user would be able to see the status of their request, and whether it has been signed yet.
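The workflow described in the two answers above (the request stored unsigned, the admin signing it from their own authenticated session, the requester polling its status), as an added example that is not from the original thread: only the caller identity that the identity layer has already established on each request is passed in, so user B's password never appears in user A's session. The store, the `APPROVERS` role set and the function names are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the role check the identity layer would provide.
APPROVERS = {"admin1"}


@dataclass
class ActionRequest:
    request_id: str
    requested_by: str
    action: str
    status: str = "pending"        # pending -> signed | rejected
    signed_by: Optional[str] = None


# Unsigned requests live server-side; no credentials ever cross sessions.
REQUESTS: dict[str, ActionRequest] = {}


def submit(caller: str, action: str) -> str:
    """User A records the action; it is stored unsigned and must not run yet."""
    rid = secrets.token_urlsafe(16)
    REQUESTS[rid] = ActionRequest(rid, caller, action)
    return rid


def pending_for(caller: str) -> list[ActionRequest]:
    """What an approver sees in their own account; others see nothing."""
    if caller not in APPROVERS:
        return []
    return [r for r in REQUESTS.values() if r.status == "pending"]


def sign(caller: str, rid: str, approve: bool = True) -> ActionRequest:
    """User B, authenticated in their own session, signs or rejects the request."""
    r = REQUESTS[rid]
    if caller not in APPROVERS:
        raise PermissionError("caller is not an approver")
    if caller == r.requested_by:
        raise PermissionError("requests cannot be self-approved")
    if r.status != "pending":
        raise ValueError("request already decided")
    r.status = "signed" if approve else "rejected"
    r.signed_by = caller
    return r


def status(caller: str, rid: str) -> str:
    """Polled by user A's 'please wait' modal; only the owner or an approver may read it."""
    r = REQUESTS[rid]
    if caller != r.requested_by and caller not in APPROVERS:
        raise PermissionError("not your request")
    return r.status
```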
I am doing SAML SSO in my project. The scenario is: I am preparing the SAML Auth Request URL. There is a login page with 2 radio buttons for Internal/External User, and in both cases I have to prepare the SAML Auth request with the IDP URLs provided to me. I was able to prepare it and it redirected me to the Microsoft login page. I was given credentials in that domain to log in. The issue is that one person sitting in the US tried to log in with the credentials and was successfully able to log in, got the SAML Response, and it redirected him to the Redirect URL. When I took the same credentials of his and tried to log in from my machine, I got an error like "you are not authorized". I am confused about what happens: we are using the same credentials but the machine is different. Is there any setting in Azure Active Directory which checks NETWORK/Machine/IP as well?
Yes, they do sign-in risk detection based on many factors.
Location is one of them.
The one you probably hit is this one: https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#impossible-travel-to-atypical-locations.
It is impossible for this user to have traveled that large a distance in such a short time, so it gets flagged as suspicious and blocked.
I've had this happen as well when I signed in to an account through a VM in another continent.
It does learn typical locations over time though, so it might start working later.
The algorithm ignores obvious "false positives" contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The system has an initial learning period of 14 days during which it learns a new user’s sign-in behavior.
You should have your own user id :)
I'm trying out the new model for unified app authentication using passport-azure-ad from this reference https://learn.microsoft.com/en-us/azure/active-directory/active-directory-v2-devquickstarts-node-web
The integration is successful, but every time I log in, I get redirected to a page where I get to choose from my existing Microsoft accounts or add a new one.
Why is the session or account not getting picked up automatically, if the user is already logged into his Azure or Microsoft account?
My requirement is that the user session should be picked up automatically (not for the first time, where he gives consent) if he is logged into his Azure account or Microsoft account.
This page needs to be avoided if he is already signed in.
The reason is a technical limitation. Let me see if I can explain briefly:
When a request comes to the v2 endpoint (login.microsoftonline.com), the v2 endpoint can not detect the presence of an existing consumer account session (login.live.com).
Therefore, the v2 endpoint must make a query (via an iframe hosted on the login.microsoftonline.com page) to login.live.com to detect if a consumer session exists or not.
If a consumer session exists, the v2 endpoint should show the user an 'account selection' screen, like the one you depict in the question.
If a consumer session does not exist, and the user only has one business session, it could auto-login the user with that business account. However, by this time the user has likely already been waiting for a second or so for the query to login.live.com to complete. It might be a strange user experience if the page auto-completed after a second.
The v2 endpoint could definitely show a loading spinner or something to hold the user until the decision can be made, but it was decided that having the user click a tile was an acceptable alternative.
After checking the FAQs of Securekey Concierge (a company which provides authentication services), I have a doubt that there is a possibility of session replay which can compromise the login security. Here is how it works:
Let's say that A is the government site to which I want to log in. Instead of creating a new user name and password for site A, I select Securekey Concierge (say its site is B). Then from site B I pick my financial institution where I will be logged in; let's say it is C. So after logging in to C I will be redirected to site A along with a randomly generated token, where I will fill in the rest of the details to complete the first-time sign-in process. So the next time I sign in to site C, the same random token will be sent to site A, which will recognise me and won't ask me to fill in the same details I did the first time.
So my question is that I am not sure if the random token flows through site B. If it does, then there is a possibility that someone on site B can use that token to impersonate me.
I know single sign-on, e.g. Google sign-in, where only two sites are involved and each time the sign-in is completed the first site gets the info from the Google session, which is always different for each sign-in.
But in Securekey Concierge, the same token is sent by site C each time I log in, and if this token flows through site B, which is the broker site, then I suspect there could be a session replay using that token.
If anybody is aware of Securekey Concierge, could you please elaborate on it?
Thanks
How would I retrieve all valid sessions for a specific user? For example, if the user is logged in from multiple devices and decides to change the password, or reset the password, I need to be able to expire all active sessions and log the user out of all devices. This is especially important if the user suspects that his/her account has been compromised and needs to change the password. Currently I can retrieve RMEs but not sessions. I know this is doable from the UI but I need to put this feature in an SDK or API. Is there a curl command to easily achieve this?
Sarah,
Currently there is no endpoint that will let you invalidate all user sessions. You would need the session token of each session and then call the /json/sessions/?_action=logout REST endpoint multiple times (once per session).
That being said you can use the following class to get the list of sessions for a particular user:
com.iplanet.dpro.session.service.SessionCount
You can read the javadoc here.
There are some constraints for using this method though. Session Quota must be enabled. You can enable Session Quota on the admin console by going to Configuration -> Global -> Session page and:
Set the number of "Active User Sessions"
Turn on "Enable Quota Constraints"
To sum up, you can create your own custom endpoint that will take the User ID and invoke SessionCount.getAllSessionsByUUID(uuid) to get the list of active sessions. After that, you can iterate through the list of sessions and invalidate them one by one.
Hope this answers your question.