2

I'm building a site that lets users schedule interviews/conferences with third parties and I'm wondering what's the best way to provide security around the participant experience while providing the smallest usability barrier possible.

Currently, I send an email with a link and a 5 digit auth-code. The link opens a page, the participant types in the auth-code and is temporarily logged in for the duration of the interview/conference.

From a security standpoint, I think the auth-code is redundant and introduces friction for the participant, who may never have cause to visit my site again and may not be technically proficient. The link I send as part of the invitation contains a random string, so I could just increase its length by 5 characters and have the same size search space for potential attackers.

The downside is that I would potentially have to rate-limit the responses for the invitation URLs, so I'm not sure there's any benefit from a complexity/lines-of-code perspective.

The non-auth-code feels less secure, but I know that's irrational. Any thoughts on what the best approach would be?

Improve this question

3 Answers 3

Reset to default
2

having a 5 digit code they have to type in is nothing, its almost too short. Its far better than my average experience with online meeting that generally require typing in a meeting id + potentially a password.

If your worried about the tech savyness of a user the password is the least of your problems, if they can use their webcam/mic to conduct the interview they can handle a password.

Nothing is going to ruin your site faster than people getting in to interviews/conferences they don't belong in, so erring on the side of security is a good thing.

Improve this answer
2

What about encrypting the auth code in the querystring of the link instead, so then all they have to do is click the link to join?

In the past I've encrypted some kind of identifier field in the query string, and the page the link takes them to decrypts the id and checks it for things like if its for a valid session, and if the session is currently active. If it passes, it will take them to their session. If not, display some kind of page telling them the link they used is invalid or expired.

Improve this answer
3
  • Does it really buy you anything if you have an encrypted auth code on in the query string? Aren't you just increasing the search space for valid combinations whether or not there's a relationship between the invitation id (already in the query string) and the auth code? Commented Jan 31, 2012 at 15:53
  • @edoloughlin I thought your concern was that it wasn't very user-friendly to non-tech saavy users, and this would be a way to eliminate them having to fill out a code in the first place. Honestly in your case I would skip the auth code altogether and encrypt the invitation Id, since that should tell you who the user is and what session they were invited to. Commented Jan 31, 2012 at 16:08
  • You're correct. My concern was, from a security perspective, was I losing anything in not asking the user to type in an auth code (apart from potentially making automated attacks easier). On balance, probably not, so I think I'll remove it. Commented Jan 31, 2012 at 16:22
0

Almost anything a human can do, a machine can also do. This includes entering a bit of text in a form on a web page. For example, curl(1) can be directed to submit POST requests, including form fields:

curl -F 'code=foo' 'http://example.com?session=bar'

And so adding some steps for a human to perform rarely improve security.

Another issue is one of what you are really trying to prevent. Do you really care if it's a script issuing ten requests per second or a couple of bored humans (who type fast) doing the same? What you really want is to limit abuse.

You can go a long way in that by using a network filter that does do rate limiting for everyone (or for certain urls) which can usually be configured in most http servers. You can also arrange for each link you provide to be usable only once (or once per day).

Improve this answer

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.