Facebook Icon Facebook Icon Twitter Icon Twitter Icon Linkedin Icon Linkedin Icon Blog Icon Blog Icon Checkmark Icon Checkmark Icon Small Checkmark Icon Small Checkmark Icon Small Checkmark Icon Small Checkmark Icon Clock Icon Clock Icon Cloud Icon Cloud Icon Cloud Upload Icon Cloud Upload Icon Compass Icon Compass Icon Medium count 1 Icon Medium count 1 Icon Medium count 2 Icon Medium count 2 Icon Medium count 3 Icon Medium count 3 Icon Medium count 4 Icon Medium count 4 Icon Medium count 5 Icon Medium count 5 Icon Medium count 6 Icon Medium count 6 Icon Medium count 7 Icon Medium count 7 Icon Medium count 8 Icon Medium count 8 Icon Medium count 9 Icon Medium count 9 Icon Medium count 10 Icon Medium count 10 Icon Medium count 11 Icon Medium count 11 Icon Medium count 12 Icon Medium count 12 Icon Medium count 13 Icon Medium count 13 Icon Medium count 14 Icon Medium count 14 Icon Medium count 15 Icon Medium count 15 Icon Device with a checkmark Icon Device with a checkmark Icon Device Icon Device Icon Documentation Icon Documentation Icon Dollar Sign Icon Dollar Sign Icon Extend Icon Extend Icon Eye Icon Eye Icon Gear Icon Gear Icon Globe Icon Globe Icon Graph Icon Graph Icon Guidelines Icon Guidelines Icon Laptop Icon Laptop Icon Layers with checkmark Icon Layers with checkmark Icon Key Icon Key Icon Lock Icon Lock Icon Paper Airplane Icon Paper Airplane Icon Pencil Icon Pencil Icon Phone Icon Phone Icon Reliability Icon Reliability Icon Reset Icon Reset Icon Shield with Checkmark Icon Shield with Checkmark Icon Timer Icon Timer Icon Tools Icon Tools Icon Tutorial Icon Tutorial Icon Upload Icon Upload Icon User with Checkmark Icon User with Checkmark Icon User Icon User Icon Wallet Icon Wallet Icon Case Study Icon Case Study Icon Video Icon Video Icon Webinar Icon Webinar Icon White Paper Icon White Paper Icon

Protecting The Front Door To Your App: The Login

frontdoorThis is the first article in the 3-part series: App Security: To Build or To Buy? 

When building any software application, making it secure is a top priority. But security software is very complex and very risky to build yourself. Do you task your development team to design their own? Or do you buy it from a vendor?

Asking your team of developers to build the security that protects and powers your solution is risky, not to mention an unnecessary time and resource drain, taking your team away from their core value.

You may be experts in the financial, social, gaming or other industry specific features of your software. But are you well versed in, or up to date on, implementing important security mechanisms? Security requires an expertise of its own. It is a critical piece in the construction of applications, and unless you already have a team of highly trained security developers, you don’t want to be taking the risks of building your own solution, keeping it current and monitored.

Many people think that buying a solution means building a server, installing software and configuring it, which results in costly long-term maintenance of the operating system, database and vendor’s software. While this was true in the 1990’s, it doesn’t accurately describe today’s massively scalable and API-driven cloud services.

Investing in software exposed via a cloud API allows you to buy and THEN build. You have full control over how the technology integrates into your application, without the headache of running and maintaining the infrastructure.

USERNAME + PASSWORD ≠ PROTECTION

Everyone knows that requiring just a username and password is not enough to secure application access and yet this is still the most commonly used method. The problem is not the idea of passwords, but rather that people choose to use passwords that are appallingly vulnerable or use the same password across many accounts.

Passwords can however still be effective when paired with other information and protocols. In the security industry, we refer to these extra pieces of information as factors, and they break down into three main categories:

  • Something you know, i.e. something knowledge-based; like your password, username, PIN, and security question responses.
  • Something you have, i.e. a device, smart card, or USB token.
  • Something you are, i.e. a trait of your human self. This is usually in the form of biometrics, like iris scanning or fingerprints.

USERNAME + PASSWORD + 2FA  = BETTER PROTECTION

Using more than one piece of information to secure access to applications is called two-factor (2FA) or multi-factor authentication (MFA). 2FA technologies have been around for a while, in the 80’s and 90’s they typically involved an expensive 2FA device that was shipped to every employee.

Nowadays the common smartphone can perform the same 2FA role. Many 2FA projects begin under the belief they can be integrated for free and/or are trivial to build. In practice, neither is true, making the age-old question of whether to “Buy or Build” more critical than ever.

Read our free white paper to learn more about the most common and immediate problems any developer faces protecting the front door to an application:  Why You Can Buy Your Application Security And The Build With It

Next week: Part 2 – The Pitfalls Of Developing Your Own 2FA

 

About the author Simon Thorpe

Simon works in the product group at Authy and has over 15 years of experience in the security and identity management space. Working at companies like Oracle, Microsoft and Okta, he has spent a lot of time understanding and architecting solutions to secure all sorts of information. At Authy he works closely with the whole team to deliver a world class solution for developers to build security into their applications.