DevelopSec: Developing Security Awareness

Ep. 111: Authentication Alerts

DevelopSec Episode 111

Would you know if someone authenticated to your account? With the breaches we see in the news, and attacks like credential stuffing, there must be a way to be alerted to account access. James talks about authentication alerts, what they are, and why you may want to use them.

For more info go to https://www.developsec.com or follow us on twitter (@developsec).

Join the conversation: join our Slack channel. Email james@developsec.com for an invitation.

DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help.

On this episode, James talks about authentication alerts and why they're critical to your authentication mechanism.

Tackling the challenge to integrate security into the development process? Looking for insights, answers and practical solutions to avoid getting overwhelmed?

Hey everyone, welcome to this episode of the DevelopSec podcast. I'm your host, James Jardine. And today I want to talk about alerts, but more specifically, I want to talk about authentication alerts. We talk a lot, especially in security, about authentication, and we talk about login and the breaches that occur around username and password. And obviously, we want to have as many controls as we can that don't prohibit the user from being able to actually use the system. And so we do see things like having the username and password. We see things like multi-factor authentication. We have controls in place like brute force protections, such as account lockout. Some places even implement a CAPTCHA. And these are all things that help us limit somebody's capability to access our account. But at the same time, on the back side of that, we have to have some way, or we're starting to see more and more some way, to let us know that somebody has accessed our account. So we've got that kind of before, and hey, we want to stop this as best we can, and we throw all these controls at it. And then we've got the, well, once this has happened, I want to know that it's happened. I want to be aware of that. And oftentimes this is done typically through an email to the email address on record. Some applications may actually send you a text message, but most of them I see are typically emails. And so the process goes: once you authenticate and you've passed multi-factor authentication, if that exists, then you may get an email that says, hey, we just want to let you know an authentication has just occurred.
You know, and some places will try to throw geolocation into it and say, hey, this happened in Ohio, or they'll show the IP address it came from. And you know, it says, hey, if you don't recognize this login attempt, then maybe it wasn't you, you need to take action. And I actually had this happen years ago with a Yahoo account I had, lo and behold, where I got an email message saying, hey, you know, you just authenticated to your account. I'm thinking, no, no, I didn't authenticate to my account. And, you know, so I went in, I logged in, I changed the password, all that stuff that you would normally do. But it was that quickness of receiving that alert that helped me understand, hey, somebody just authenticated here. And I can verify, hey, is that me or not? And if it's not, then I can take the appropriate steps to hopefully go in and lock that account down before anything happens. So it's important that we have alerts set up on our systems and that we send this out. Now, of course, it's also important that we're not over-alerting so that people just ignore the messages because we see them all the time. So this may not be something that necessarily works well if somebody has to constantly log in with username and password and they're doing it a lot. This is better for that kind of edge case where I'm not getting inundated with messages, but instead I'm getting them when I need them. And sometimes we see a lot of applications allow us to kind of remember this device. So you go through your single-factor authentication, you do your multi-factor authentication, and it says, hey, do you want to not prompt for this next time? If it recognizes this device, and it's like, oh sure, I don't want to do that. So now when I log in from that device, maybe I don't have to do the multi-factor authentication again, because I already did it, right? It saves you that step. And it says, hey, we recognize this device.
But if we go log in on another device, we have to go through that step, or because we haven't logged in on that right now, we have to go through that step. So this is accounting for, hey, my credentials got stolen somehow, maybe they were in another data breach, maybe I just have a really bad password, and somebody has logged into my account, but it's not my normal computer, so we're gonna prompt them for something more to say, hey, this isn't your normal computer, can you verify this second factor? Right, and then throw on top of that this critical need for that alerting. So there's organizations that do this. Gmail does it, so if you log in from another device, I know when I do it I'll get an email alert that says an authentication has been successful, and it gives me a little bit of information about that. Now for a lot of people that may not be very familiar with IP addresses and all that, it may not make a whole lot of sense. If you're pretty technical and you know what your IP address is, sometimes that works pretty well. I have seen it kind of become a little bit more confusing. I've seen it with Apple's services, where you might log in in the App Store, and it says, hey, somebody is attempting to log in from Hoboken, New Jersey. Do you want to allow this? And you're like, uh, well, I'm not there. I'm here. Right. So sometimes geolocation can be wrong, and they, you know, they do it based off IP address, and depending on how you're connecting, maybe you're going through something else, maybe the IP address has changed and it's not your normal IP address, so it doesn't come back to your location. But for the most part, the goal is to help reduce somebody else being able to log into your account and do that. So I like the idea of alerts and having them out there.
And actually it was funny, for any of you that happened to listen to the Down the Security Rabbit Hole podcast, which will actually be releasing that episode, I'm pretty sure, tomorrow. So I'm recording this on Monday. They should be releasing that tomorrow. But Raf and I were just talking about some news articles talking about a new vehicle that has fingerprint authentication. So you can actually use fingerprints to get into the vehicle and start the vehicle. And while you talk through these different things, it's kind of interesting the stuff you come up with. And one of the things that I mentioned was, you know, there's got to be some sort of backup code, right? Fingerprint authentication is probably your main method, but there's gonna be a backup. Maybe there's a key, there's something else, right? Obviously, how do you go to the valet booth and let them take your car? You just can't valet, you know, you can't program everybody's fingerprint into this thing. So there's got to be some backup code. So if you've got a main form of authentication, and then you've got a backup, in a scenario like that, you might be able to apply and say, you know what, I'd like alerts, but I only want to get an alert if my car has started or my car has unlocked not using that main authentication, which is the fingerprint reader. So as long as it's my fingerprint, I'm not going to get a notification. I feel pretty confident nothing's going on here. But if in the middle of the night somebody breaks into my car and they manage to bypass the fingerprint authentication and the car starts, then the car could send out a notification. And we know cars are connected these days, so this isn't that far out there. It could send a notification, say, hey, the vehicle just started, not using the fingerprint authentication. Do you wanna allow or deny this?
And if you wanna say deny, you could technically, I don't know, maybe even go as far as to be able to turn the car off if that would be possible, right? This is kind of theoretical, but something like that. So not every time, but on the outlier time, that's where I'm getting my notification. And same thing when we talk about just our regular applications. I don't have to get an authentication alert on most of my apps. Like my Google app, I don't get an authentication alert every time I log in or every time it requests me for my password, which it will do more often than not. But if I have to do that second factor, if I'm on a different device, I've gone that extra step, which is a rarity. I don't have to do that very often, but when I do, then I'm getting that alert to let me know that something has occurred. And same thing with your applications. Looking at baselines and understanding how often people log in, is there something critical or indicative of their logins that you can identify, something to be able to say, hey, I can provide alerts in these cases, so that in the event somebody does get a chance to log in, hopefully we can catch this and we can alert the user and something can happen. And that's what we really want to do. And that shows the importance of the alerting capability: not just, hey, that's great, we've got the password or we've got Touch ID or we've got whatever, we've got multi-factor authentication, but some way to say, if we get past all of these items, then in these situations I'm going to send an alert out and say, hey, we've made it through all these items. I just want to let you know an authentication has occurred. Do you want to proceed here? Or if you didn't do this, you need to let us know ASAP so we can address it immediately. And if you don't have that ability to notify and for the user to receive those alerts, then they don't have that ability to say, wait, I didn't do that.
And the longer it takes, the more information could be stolen or manipulated within the application under that user's account. So it's important for us to think about those. And so I'm curious out there, for anybody that's listening, and share this out at @DevelopSec on Twitter, or just shoot me an email at james@developsec.com, or join the Slack channel. But what type of alerts do you use within your applications? Do you have alerts set up for authentication? Now again, you might not have alerts set up to the user for, like, failed authentication attempts, right? Because that's really not necessarily something that the user needs to see, that there's failed authentication attempts, because there's no access to the account. Obviously, internally, maybe you're tracking those and you're monitoring those. I hope you're tracking those and monitoring those, so you can then get those baselines and identify, hey, we've got some abnormal activity going on here, we need to put some focus onto it. But what type of alerts are you sending out in your apps? And what conversation do you have internally to discuss and determine when should you do alerts? If you're not doing alerts, what type of reasons did you come up with for not sending out alerts? Is it too much? Is it going beyond what the user needs? Do you feel the app isn't important enough that it needs those types of alerts? What type of decision-making ideas come out of these to then lead you down the direction of we're gonna implement this, we're not gonna implement this? Because I'm always interested to know what different people are doing so we can share that with others. If there's a reason why people aren't doing it and it's a good reason, well then others should have that reason as well. But if there's also really good reasons for certain situations that we are doing it, well, let's share those and let other people know, hey, this is the reason why we're doing this, because of this threat.
All right. We talk about our threat models and building up what our threats are for our organization, for our application, for our users. Same thing goes here. Okay, we've got these threats, we've got our controls in place. Now our next step is making sure that we have proper alerting mechanisms so that in the event that our controls fail, we have a way to alert the user and reduce the time to fix or time to resolve that issue. And I think that's important. So kind of short, but I thought it was important to talk about. I like the idea of alerts. I like it when I get the alerts from different applications letting me know that I've logged in. You know, it's kind of like that idea, you know, you got the camera doorbell sitting out there, and you know, it's nice. I mean, I don't get much alert from it, but when I do get an alert, oh, I could see the mailman's at the front door. I could see something else is at the front door. Oh, there's somebody that doesn't belong there at the front door. What are they doing? You know, I've still got locks on the door. I've got all these other things. I've got the alarm system that if they come in, it's gonna set off the alarm system. But I've also got that extra kind of alert that, hey, somebody's there. And it just gives a little bit more peace of mind to know that, you know, there's a very slim chance somebody's gonna come up to the front door and come through without me having any idea that's happening, because I get an alert as soon as the camera picks up motion. So those things kind of help ease people's minds, make you feel a little bit better. You know, there's lots of talk about passwords not being good and, you know, authentication failures all over the place. While we have multi-factor authentication, we have ways to help protect our accounts. This is just that next way to be able to make people feel a little bit more confident. You know what, if somebody does log into my account, I'll get an alert and I'll know it.
You know, and that is important. So share your thoughts. I look forward to hearing anything that you have. Later this week on Wednesday, I'll be doing the YouTube version of this, if you will, talking about the same topic. And what I'll do is, basically my idea is I'm going to record basically my YouTube version. And then as I'm playing it, I'm gonna stream it live, the recording, and then I'm gonna be available to chat during that. That way, if I'm streaming it live, as I, if I actually just do it live, it makes it a little bit more difficult trying to type in the comments and respond and all that stuff. So I kind of want to make it interactive, but also make it nice and smooth so the video's nice for people that come back later on. So definitely check that out on Wednesday. I'll send out a tweet and let everybody know what time, but typically it'll be at 11:30. I'll also have the link to the YouTube page for the live page. So you can see, because I'll have it programmed in there for when it's going down. But join in. Feel free to chat about it. If you've got thoughts or ideas, it's a perfect place to ask them if you don't want to do it through Slack or anything like that. Join in and check us out for that. So other than that, I appreciate everybody listening. This will be episode 111, so really moving down the chain here. Again, reach out at @developsec or james@developsec.com, and we'll talk to you on the next episode. To learn about how we can help you with application security, follow us on Twitter at @DevelopSec, or check out our website at www.developsec.com.
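An added example (not DevelopSec's code; the account, device ids and login events are constructed) of the alerting policy described in the episode: every attempt is recorded for internal baselines, but the user is alerted only on the outlier login, meaning a new device that required the second factor or a backup method instead of the primary one, and the IP-based location is labelled as an estimate because it can be wrong.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class LoginEvent:
    user: str
    success: bool
    device_id: str                 # id of the "remember this device" token the client presented
    mfa_performed: bool            # second factor was prompted for and passed on this login
    method: str                    # "password", "fingerprint", "backup_code", ...
    ip: str
    geo: Optional[str] = None      # location estimated from the IP; can be wrong
    remember_device: bool = False  # user chose "don't prompt for this device next time"

@dataclass
class Account:
    email: str
    primary_method: str = "password"
    known_devices: Set[str] = field(default_factory=set)

def should_alert(acct: Account, ev: LoginEvent) -> bool:
    """User-facing alert only for successful, out-of-the-ordinary logins."""
    if not ev.success:
        return False           # failures feed internal monitoring, not a user alert
    if ev.method != acct.primary_method:
        return True            # backup method used (the car started without the fingerprint)
    return ev.device_id not in acct.known_devices   # new device: the step-up MFA path

def build_alert(acct: Account, ev: LoginEvent) -> str:
    where = f" near {ev.geo} (estimated from the IP address, may be inaccurate)" if ev.geo else ""
    return (f"To: {acct.email}\nA sign-in to your account just occurred from {ev.ip}{where} "
            f"using {ev.method}. If this wasn't you, change your password now.")

def process(acct: Account, ev: LoginEvent, internal_log: List[str]) -> Optional[str]:
    """Logs every attempt for the internal baseline; returns alert text when one is due."""
    internal_log.append(f"user={ev.user} success={ev.success} device={ev.device_id} "
                        f"method={ev.method} ip={ev.ip}")
    alert = build_alert(acct, ev) if should_alert(acct, ev) else None
    if ev.success and ev.mfa_performed and ev.remember_device:
        acct.known_devices.add(ev.device_id)   # remembered only after the second factor passed
    return alert

if __name__ == "__main__":   # constructed sample, not real traffic
    acct = Account("user@example.test", known_devices={"dev-home"})
    log: List[str] = []
    ev = LoginEvent("alice", True, "dev-laptop", True, "password", "203.0.113.9",
                    geo="Hoboken, New Jersey", remember_device=True)
    print(process(acct, ev, log) or "no user alert")
```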
