Process security for website

[Simon Harvey]

Hi all,

A new project I'm working on requires a high level of security - possibly
around the same level used by banks as its deling with highly confidential
medical info.

I'm thinking about the process of letting users register and get their
password.

The current suggestion is that when a user registers an interest, a staff
member has to authorise that persons entry into the site.
If the staff member believes this person to be legit, then they user is sent
an email asking them to come to the site.

When the user follows the link, they are told that they are about to be sent
their password (by email) and that it will be valid for 5 mins. The user
picks up their email, logs in and completes registration.

Now, that seems to me to be a rather drawn out solution.

Has anyone else implemented a solution that is ultra secure but also
relatively simple

Thanks all

Simon

 

[Nicole Calinoiu]

Simon,

There are some rather big problems with the proposed solution, including the
following:

1. If you set the "timeout" on the invitation to be sufficient short that
it is unlikely that someone will pick the credentials off an SMTP server
before the user receives the e-mail, you will also have a reasonably high
likelihood of the target recipient not receiving it in time. This means
that you should also plan for more "manual" processing, such as allowing the
new user to phone in for their temporary password. This also incurs risk
since it can be difficult to validate the identity of a caller.

2. If a potential attacker learns of the approval process (e.g.: by
attempting a new registration), an interception trap could be set for any
messages matching the pattern, allowing the attacker to receive the
temporary credentials before or instead of the intended recipient. This
attacker might be, for example, an employee of the ISP via which the e-mails
are being sent, so setting such a trap may be quite trivial.

While encrypting the e-mail would be a potential workaround for the above
problems, a better approach would be to allow the new user to enter their
desired credentials with the initial request. Then, instead of transmitting
credentials in the subsequent e-mail, simply send a message indicating
whether the registration request was approved or denied. Obviously, there
are still plenty of issues surrounding validation of the requester's
identity, but I'm guessing that the staff approval might be intended to
address at least part of that problem.

HTH,
Nicole