Hello and welcome to another Auth0 video tutorial. My name is Ado and today we will be taking a look at enhanced security through multifactor authentication and anomaly detection. We’ll take a look at why additional security measures are needed in managing modern identity and also how to easily implement these features with Auth0.
Username and password authentication has been around for a very long time. It is a well-established method for giving users access to protected resources. This method of authentication is everywhere: in banking, e-commerce, education and companies both large and small. In recent years, this method of authentication has proven to be weak for multiple reasons:
Users tend to reuse the same password across multiple services. This means that even if you follow all of the security best practices, a compromise of a service unrelated to your business that leaks its user accounts could give attackers access to your systems. This creates a single point of failure and violates the defense-in-depth concept, which aims to provide multiple layers of security and information assurance. Aside from password reuse, users tend to choose weak passwords or, even worse, write their passwords on a sticky note and leave it on their desk.
To combat this, companies started enforcing various password policies: your password must be at least eight characters long, with at least one capital letter, one number, and a symbol. Mandatory password changes were also implemented, so users would have to change their password every one to three months, for example. Some organizations went even further, preventing the user from reusing the last 5 or 10 passwords, blacklisting common passwords such as 123456 or letmein, or preventing the password from being the user's name.
These methods did have the benefit of enforcing better security practices, but they were also anti-user. The user experience suffered greatly, which can lead to a decrease in adoption of or engagement with a product or service. That's not good either.
Here at Auth0 we have two products that greatly enhance the security of username and password authentication without hindering the user experience. Two-factor authentication adds an additional layer of security, while anomaly detection works in the background to ensure attempted login requests are legitimate.
I’ve written a simple app here that requires me to log in with a username and password. I’ll just log in to show you that it works, and then I’ll log out. Right now, this app does not have any enhanced security features enabled. If someone else had my credentials, they could log in and impersonate me. Let’s fix that.
Auth0 allows us to easily add multifactor authentication to our applications by simply enabling the service in the management dashboard. Multifactor or two-factor authentication works by requiring the user to provide an additional credential, referred to as a one-time passcode, before they are granted access to the system. There are of course other methods of multifactor authentication, such as physical tokens, but we’ll omit those for now. Let’s enable this service for our application.
I’ll head over to the management dashboard and navigate to the multifactor auth tab. From here, you have a couple of different options. You can enable multifactor auth via push notifications or SMS text messages. Let’s enable push notifications. We’ll use the Auth0 Guardian app as our authenticator, which is available for both iOS and Android devices, but you could also use other apps such as the Google Authenticator, or just rely on SMS messages to get the one-time passcode.
Flipping the switch is all we need to do. The next time I attempt to log in, I will be required to set up a second factor of authentication, which I will need for any subsequent logins. Let’s go through this process as well. I’ll log in to the app, and now I am presented with a new screen informing me about the newly required multifactor authentication process.
I already have the Auth0 Guardian app downloaded on my phone, so I’ll simply open it and opt to scan the QR code presented on the screen. Once that is done, I will be given further instructions on how I can recover my second factor, and also a backup password in the event that I do not have access to my phone.
Once this setup process is done, I will receive a push notification asking me whether I want to allow the login attempt I made earlier to go through. I have two options here: I can either hit accept or deny, or, if I wanted to, I could also type in the code provided. I’ll choose to accept the login request, and right away I’ll be logged into my account.
To show the subsequent multifactor authentication flow, I’ll log out and log back in. Since I already set up the second factor earlier, I’ll just receive the request in the Guardian app asking me whether I want to approve or deny the login request.
In this example, we used the Auth0 Guardian app. The flow would have worked similarly for other authenticator apps such as Google Authenticator. The Guardian app provides a friction-free multifactor experience and is my recommendation.
Next, I’d like to introduce a couple of quick and easy security wins provided by anomaly detection.
Auth0 anomaly detection provides an extra layer of security to you and your users against various types of attacks and anomalies. The two major features here are brute force protection and breached password detection. Brute force protection, as the name implies, prevents malicious users from trying to brute force their way into a user's account. If our system detects too many failed login attempts, we’ll block the attacker and notify the user via email.
The feature I really want to focus on in this video is breached password detection. Every time a user logs in, this service runs their credentials against our database of known leaked credentials, and if we find a match, we’ll alert the user and optionally block the login until their password is changed. We update our leaked credentials database daily, and with the recent hacks of large enterprises which leaked hundreds of millions of accounts, it’s likely that your users may not even be aware their accounts were compromised.
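To make the two anomaly-detection checks concrete, here is an added example (not Auth0's code) of a login gate that locks an account after repeated failures and blocks a correct but breached password until it has been reset to one that is not itself breached. The leaked-credential corpus, the lockout threshold and all function names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed data for the example: a tiny "known leaked credentials" corpus kept
# as SHA-1 digests (how breach dumps usually circulate), with weak passwords.
LEAKED_SHA1: Set[str] = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("123456", "letmein", "password")
}
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold, not Auth0's actual limit

def digest(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

@dataclass
class Account:
    username: str
    password_hash: str  # demo only; a real credential store uses a slow, salted hash
    failed_attempts: int = 0
    blocked: bool = False
    must_reset_password: bool = False

def is_breached(password: str) -> bool:
    """Look the password up in the leaked-credential corpus by its hash."""
    return digest(password) in LEAKED_SHA1

def attempt_login(acct: Account, password: str) -> Tuple[bool, str]:
    """Returns (allowed, reason); each 'blocked' outcome is where the user is emailed."""
    if acct.blocked:
        return False, "blocked: too many failed logins"
    if acct.password_hash != digest(password):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.blocked = True  # brute force protection
            return False, "blocked: too many failed logins"
        return False, "invalid credentials"
    acct.failed_attempts = 0
    # Breach lookup runs only after the password verified, so the login endpoint
    # cannot be used as an oracle for testing arbitrary passwords.
    if acct.must_reset_password or is_breached(password):
        acct.must_reset_password = True
        return False, "blocked: password found in a third-party breach, reset required"
    return True, "ok"

def change_password(acct: Account, new_password: str) -> bool:
    """Reset flow: refuse a replacement that is itself in the breach corpus."""
    if is_breached(new_password):
        return False
    acct.password_hash = digest(new_password)
    acct.must_reset_password = False
    return True
```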
Enabling breached password detection can be done with the flip of a switch in the management dashboard. Once we enable the setting, we are given an option to alert the user and block their login attempt until their password is changed. Let’s do that.
To test our application, I’ll attempt to log in with an account I know was leaked a few years ago. Putting in the same set of credentials I used on a website that leaked my credentials and attempting to log in will produce an error with a message telling me that the login attempt was blocked due to a third-party service leaking my credentials, and to check my email for further instructions on how to unblock it.
I’ll check my email and follow the link to reset my password. After changing my password, I will be able to log in again and gain access like before.
Breached password detection helps enhance the security of your applications by preventing attackers from using publicly leaked credentials to gain access to your services.
Traditional username and password authentication still plays a large role in managing modern identity. Enhanced security features like multifactor authentication and anomaly detection help secure user accounts without hindering the user experience.
Sign up for a free Auth0 account today and give your users peace of mind when it comes to account security.