The Digital Standard is an ambitious, community-led effort to build a framework to test and rate products and services on the basis of privacy, security, and data practices.
Creative Commons Attribution 4.0 International
User authentication on every use is not recommended in most situations #137
The current Authentication.yaml contains an indicator asking whether the tested device/service requires a user to re-authenticate every time "they want to use the product." In our testing at OTI we have found this to be an indicator that is not fulfilled by the products we have looked at. In addition, when compared to the widespread practices of top-tier services, the indicator does not seem to be in sync.
For instance, online services with millions of users such as Google Mail and Docs, or Amazon's AWS do not require re-authentication on every return visit, instead relying on algorithms that analyze threat indicators to determine if authentication should be needed. Most mobile apps, in addition, almost never ask a user to re-authenticate, instead relying on the mobile OS to control access to the device as a whole.
Constant re-authentication can also be detrimental, as it encourages the use of simple passwords by users, knowing that they are going to have to type them in repeatedly. This impact is exacerbated on mobile where complex passwords are that much more annoying to enter.
We would recommend revisiting this indicator with an eye toward balancing sensitivity of data with frequency of authentication and taking into account apps that reasonably defer to the OS for authentication, after a user has been initially identified.
Happy to discuss further, thanks!
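The risk-based re-authentication policy the issue describes (re-authenticate only when the sensitivity of the data or a risk signal warrants it, and let a mobile app defer to the OS lock screen below the most sensitive tier) as an added example; this is not code from the issue, from OTI or from the Digital Standard, and the sensitivity tiers, age thresholds, signals and sample sessions are all assumed for illustration.

```python
"""Risk-based re-authentication: decide whether a returning user must
authenticate again based on data sensitivity and risk signals, instead of
on every use. Added example; tiers, thresholds and signals are assumed."""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    LOW = 0     # e.g. browsing public content
    MEDIUM = 1  # e.g. reading private mail or documents
    HIGH = 2    # e.g. changing a password, payment details, exporting data


# Maximum age of the last full authentication per tier, in seconds (assumed).
MAX_AUTH_AGE = {
    Sensitivity.LOW: 30 * 24 * 3600,   # 30 days
    Sensitivity.MEDIUM: 24 * 3600,     # 1 day
    Sensitivity.HIGH: 10 * 60,         # 10 minutes
}


@dataclass(frozen=True)
class Session:
    user_id: str
    last_auth_at: int       # unix time of the last password/MFA authentication
    device_id: str          # device the session was bound to at login
    ip_prefix: str          # network prefix observed at login
    os_lock_enforced: bool = False  # mobile app relying on the OS screen lock


@dataclass(frozen=True)
class Request:
    now: int
    sensitivity: Sensitivity
    device_id: str
    ip_prefix: str


def reauth_required(session: Session, req: Request) -> tuple[bool, list[str]]:
    """Return (must_reauth, reasons). An empty reasons list means the
    existing session is accepted without prompting the user."""
    reasons: list[str] = []

    # Signal 1: the request comes from a device other than the one the
    # session was issued to. Always a reason to re-authenticate.
    if req.device_id != session.device_id:
        reasons.append("new_device")

    # Signal 2: the network changed. Only matters once private data is involved.
    if req.ip_prefix != session.ip_prefix and req.sensitivity >= Sensitivity.MEDIUM:
        reasons.append("network_change")

    # Signal 3: the last full authentication is older than the tier allows.
    age = req.now - session.last_auth_at
    stale = age > MAX_AUTH_AGE[req.sensitivity]

    # A mobile app may defer the time-based check to the OS lock screen, but
    # only below the HIGH tier and only on the device the session is bound to.
    defer_to_os = (session.os_lock_enforced
                   and req.sensitivity < Sensitivity.HIGH
                   and req.device_id == session.device_id)
    if stale and not defer_to_os:
        reasons.append("auth_age")

    return (bool(reasons), reasons)


def demo() -> list[tuple[str, bool, list[str]]]:
    """Run the policy over constructed sessions and requests (sample data)."""
    t0 = 1_000_000
    web = Session("alice", t0, "laptop-1", "203.0.113.0/24")
    app = Session("alice", t0, "phone-1", "198.51.100.0/24", os_lock_enforced=True)
    cases = [
        ("web, low tier, 1h later", web,
         Request(t0 + 3600, Sensitivity.LOW, "laptop-1", "203.0.113.0/24")),
        ("web, high tier, 1h later", web,
         Request(t0 + 3600, Sensitivity.HIGH, "laptop-1", "203.0.113.0/24")),
        ("web, medium tier, new network", web,
         Request(t0 + 60, Sensitivity.MEDIUM, "laptop-1", "192.0.2.0/24")),
        ("app, medium tier, 2 days later", app,
         Request(t0 + 2 * 86400, Sensitivity.MEDIUM, "phone-1", "198.51.100.0/24")),
        ("app, high tier, 2 days later", app,
         Request(t0 + 2 * 86400, Sensitivity.HIGH, "phone-1", "198.51.100.0/24")),
    ]
    results = []
    for label, session, req in cases:
        must, why = reauth_required(session, req)
        results.append((label, must, why))
        print(f"{label}: {'re-authenticate' if must else 'accept'} {why}")
    return results


if __name__ == "__main__":
    demo()
```

The policy never prompts on a plain return visit to low-sensitivity data, but a device change always prompts, and the OS lock screen is trusted only on the bound device and never for the HIGH tier, which is where the "sensitivity versus frequency" balance the issue asks for is encoded.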