5. Security considerations
1. General recommendations
Cyberus Key removes most of the security issues of password-based authentication.
Because the user authenticates with one-time tokens, there is no reusable password that can be leaked or replayed. While Cyberus Key is a secure authentication mechanism, it cannot protect against vulnerabilities in the integrated application itself. Vulnerabilities such as SQL Injection, Cross-Site Scripting or Insecure Deserialization can give an attacker direct access to other users' data regardless of how those users logged in. For more details about protecting your application against general security vulnerabilities, consult the guidance published by the Open Web Application Security Project (OWASP).
Some of the basic defense mechanisms are listed below:
1.1 Regularly update OS, web server software and libraries used by the application
1.2 Use TLS (https) for all web pages and APIs exposed by the application
1.3 Use HTTP Strict Transport Security (HSTS)
1.4 Set the "Secure" and "HttpOnly" flags on all cookies (session cookies in particular), and set the "SameSite" attribute where the application allows it
1.5 Change (regenerate) the session identifier after each successful login, so that a session fixed by an attacker before login is never promoted to an authenticated one
1.6 Protect the application against Cross-Site Request Forgery attacks
1.7 Protect the application against Cross-Site Scripting attacks
1.8 Protect the application against injection attacks, including SQL Injection
1.9 Avoid using XML for processing user-supplied data; where XML is required, disable DTD processing (and therefore external entity resolution) in the parser
1.10 Do not deserialize untrusted data
2. Login page recommendations
The widget included on the integrated application's login page has its own protection mechanisms. However, several recommendations must be followed in order to avoid security issues.
2.1 The login page must use TLS (HTTP Strict Transport Security is also suggested)
2.2 Use a login page URL that is easy for users to recognize
2.3 Do not include untrusted JavaScript code on the login page*
2.4 When including the Cyberus Key widget on the login page, do not configure it from user-supplied data such as GET/POST parameters. For example, do not allow the user to provide the "redirect" value as a GET/POST parameter; an attacker who controls that value can direct the login result to a destination of their choosing.
2.5 When using the callback login mechanism, verify the origin value of messages sent by the Auth-Server (it must be exactly equal to "https://<auth-server-hostname>"; a prefix or substring comparison is not sufficient)
* Please note that the login page is not a special case here: placing 3rd party JavaScript code on the login page is no less secure than placing the same scripts elsewhere in the integrated application. In fact, it is much easier for an attacker controlling such a script to perform unauthorized actions when the code runs within the application after authentication.
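The origin check from recommendation 2.5, as an added example (this is not the Cyberus Key widget's own code). The Auth-Server hostname "auth-server.example.com" and the message shape ({ type: "cyberus-key-login", token }) are assumptions made for illustration; use the hostname and message format from your integration. The comparison is an exact string match against the full origin (scheme and host), so a look-alike host or a plain-http origin is rejected.

```javascript
// Added example, not Cyberus Key's widget code. The Auth-Server origin and the
// message shape below are assumptions for illustration.
const AUTH_SERVER_ORIGIN = "https://auth-server.example.com"; // assumed hostname

// Validate one "message" event from the Auth-Server. Returns the session token
// when the message is acceptable, otherwise null. Kept free of DOM calls so it
// can be exercised without a browser.
function extractLoginToken(event, expectedOrigin = AUTH_SERVER_ORIGIN) {
  // Exact comparison. A check such as event.origin.startsWith(expectedOrigin)
  // would accept "https://auth-server.example.com.attacker.example".
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (data.type !== "cyberus-key-login") return null; // assumed message type
  if (typeof data.token !== "string" || data.token.length === 0) return null;
  return data.token;
}

// Install the listener on a page. `onToken` receives only tokens that passed the
// origin check, e.g. to POST them to the application backend together with the
// application's CSRF token (recommendation 1.6).
function installCallbackListener(target, onToken, expectedOrigin = AUTH_SERVER_ORIGIN) {
  target.addEventListener("message", (event) => {
    const token = extractLoginToken(event, expectedOrigin);
    if (token !== null) onToken(token);
  });
}

// In the browser:
// installCallbackListener(window, (token) => postTokenToBackend(token));
```

If the application also sends messages to the Auth-Server window, pass the Auth-Server origin as the explicit targetOrigin argument of postMessage rather than "*", so the message cannot be delivered to a window that has navigated elsewhere.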
3. Cyberus Key session management recommendations
The following defense mechanisms should be in place in order to ensure secure session flow during Cyberus Key login:
3.1 All connections to the Auth-Server must use TLS (https) and must validate the Auth-Server SSL/TLS certificate; never disable certificate verification in the HTTP client used for these calls
3.2 When using the redirect login mechanism, after receiving the Cyberus Key session token in the URL, immediately redirect to another page of the application without displaying the token in the URL. A URL containing the token would otherwise be stored in browser history and server or proxy logs, and sent in the Referer header of resources loaded by that page
3.3 After receiving a Cyberus Key session token and using it to retrieve user data from the Auth-Server, immediately close the Cyberus Key session
3.4 Ensure that the client secret is adequately protected against unauthorized access: keep it out of client-side code and version control, and store it in a secrets store or server-side configuration