Talk:Authentication Cheat Sheet
I have a few suggestions for this page:
- 1 General Guidelines
- 2 Password length
- 3 Password complexity
- 4 Utilize Multi-Factor Authentication
- 5 Authentication and Error Messages
- 6 Use of authentication protocols that require no password
- 7 Adapting the password complexity section to conform to NIST Special Publication 800-63B
Email address as a User ID
"To ensure an address is deliverable, the only way to check this is to send the user an email and have the user take action to confirm receipt."
Another, less obtrusive way of making sure an email address is deliverable is to use the "RCPT TO" command during an SMTP dialogue and make sure you get a "250" or "251" response. There may be a temporary error if the server uses greylisting.
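The dialogue described in the comment above, as an added example that is not part of the cheat sheet or of the comment: the client runs EHLO, MAIL FROM and RCPT TO, reads the reply code for the recipient, then issues RSET and QUIT so no message is ever transmitted. A 250 or 251 is treated as deliverable, any 4xx (such as the 450/451 a greylisting server returns) as "retry later" rather than as a failure, and 5xx as undeliverable. The hostnames, the sender address and the `FakeMx` class with its mailbox table are constructed so the exchange runs offline; a real client would open a socket to the domain's MX instead.

```python
"""Deliverability check with SMTP RCPT TO (added example, not from the cheat sheet)."""
import re
from typing import Callable, Dict, List, Tuple

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def read_reply(recv: Callable[[], str]) -> Tuple[int, List[str]]:
    """Read one SMTP reply; 'NNN-text' lines continue it, 'NNN text' ends it."""
    texts: List[str] = []
    while True:
        line = recv().rstrip("\r\n")
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed SMTP reply: {line!r}")
        texts.append(m.group(3))
        if m.group(2) == " ":
            return int(m.group(1)), texts


def classify_rcpt(code: int) -> str:
    """Map the RCPT TO reply code to a deliverability verdict."""
    if code in (250, 251):      # 250 accepted; 251 accepted, will be forwarded
        return "deliverable"
    if 400 <= code < 500:       # transient, e.g. 450/451 greylisting: retry later
        return "retry_later"
    return "undeliverable"      # 5xx permanent failure, e.g. 550 user unknown


def probe_recipient(address: str, sender: str, send: Callable[[str], None],
                    recv: Callable[[], str],
                    helo_name: str = "verifier.example") -> Tuple[str, int]:
    """Run EHLO / MAIL FROM / RCPT TO, then RSET and QUIT so nothing is sent."""
    def expect(wanted: int, step: str) -> None:
        code, text = read_reply(recv)
        if code != wanted:
            raise RuntimeError(f"{step}: expected {wanted}, got {code} {' '.join(text)}")

    expect(220, "greeting")
    send(f"EHLO {helo_name}\r\n")
    expect(250, "EHLO")
    send(f"MAIL FROM:<{sender}>\r\n")
    expect(250, "MAIL FROM")
    send(f"RCPT TO:<{address}>\r\n")
    code, _ = read_reply(recv)          # the reply that answers the question
    send("RSET\r\n")
    read_reply(recv)
    send("QUIT\r\n")
    read_reply(recv)
    return classify_rcpt(code), code


class FakeMx:
    """Scripted stand-in for a receiving MX so the dialogue runs offline.

    MAILBOXES is a constructed table of how this fake server answers RCPT TO."""
    MAILBOXES: Dict[str, str] = {
        "alice@example.com": "250 2.1.5 Ok",
        "bob@example.com": "251 User not local; will forward to <bob@other.example>",
        "newsender@example.com": "451 4.7.1 Greylisted, please try again later",
    }

    def __init__(self) -> None:
        self._pending: List[str] = ["220 mx.example.com ESMTP ready"]

    def recv(self) -> str:
        return self._pending.pop(0) + "\r\n"

    def send(self, line: str) -> None:
        verb, _, arg = line.strip().partition(" ")
        if verb == "EHLO":
            self._pending += ["250-mx.example.com", "250-SIZE 10240000", "250 PIPELINING"]
        elif verb == "MAIL":
            self._pending.append("250 2.1.0 Ok")
        elif verb == "RCPT":
            addr = arg[len("TO:<"):-1].lower()
            self._pending.append(self.MAILBOXES.get(addr, "550 5.1.1 User unknown"))
        elif verb == "RSET":
            self._pending.append("250 2.0.0 Ok")
        elif verb == "QUIT":
            self._pending.append("221 2.0.0 Bye")
        else:
            self._pending.append("502 5.5.2 Command not implemented")


def check_address(address: str) -> Tuple[str, int]:
    """Probe one address against the fake MX; a real client would use a socket."""
    mx = FakeMx()
    return probe_recipient(address, "verify@verifier.example", mx.send, mx.recv)


if __name__ == "__main__":
    for a in ["alice@example.com", "bob@example.com",
              "newsender@example.com", "nobody@example.com"]:
        print(a, check_address(a))
```

Against a real server, `send` and `recv` can be the `write` and `readline` of a file wrapped around `socket.create_connection((mx_host, 25))`. Two caveats when reading the result: a 4xx must be retried later, not recorded as invalid, and a 250 only means the server did not reject the recipient at this stage; catch-all domains accept every local part, and some servers defer recipient checks until after DATA, so a confirmation email remains the only proof that a mailbox is actually read.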
Why is there the recommendation of having a maximum password length of 128?
This should mention UTF-8 characters, making sure they are legal to enter.
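One way to handle the two points raised above, as an added example that is not part of the cheat sheet or of this comment: the password is NFKC-normalized (the normalization NIST SP 800-63B recommends) so that visually identical input always yields the same bytes, the 128 limit is counted in code points so it applies to what the user typed rather than to the UTF-8 encoding, control characters are rejected, and the normalized UTF-8 bytes are what gets hashed. The minimum length, the PBKDF2 round count and the storage format are assumptions made for the example.

```python
"""Password length in code points vs UTF-8 bytes (added example, not from the cheat sheet)."""
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, List, Optional

MIN_CODEPOINTS = 8        # assumed minimum for this example
MAX_CODEPOINTS = 128      # the maximum the talk page asks about, counted in code points
PBKDF2_ROUNDS = 200_000   # assumption for the example; raise to match your hardware


def normalize_password(password: str) -> str:
    """NFKC-normalize so 'ﬁsh' (U+FB01) and 'fish' hash to the same value."""
    return unicodedata.normalize("NFKC", password)


def check_password_policy(password: str) -> Dict[str, object]:
    """Validate length in code points, not bytes, and reject control characters."""
    norm = normalize_password(password)
    problems: List[str] = []
    if len(norm) < MIN_CODEPOINTS:
        problems.append("too_short")
    if len(norm) > MAX_CODEPOINTS:
        problems.append("too_long")
    # Category Cc covers the C0/C1 controls (NUL, newline, ...); spaces and
    # printable non-ASCII, including emoji, stay legal.
    if any(unicodedata.category(c) == "Cc" for c in norm):
        problems.append("control_characters")
    return {
        "normalized": norm,
        "codepoints": len(norm),
        "utf8_bytes": len(norm.encode("utf-8")),
        "ok": not problems,
        "problems": problems,
    }


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 over the normalized UTF-8 bytes; salt and rounds stored alongside."""
    salt = salt or os.urandom(16)
    norm_bytes = normalize_password(password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", norm_bytes, salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    norm_bytes = normalize_password(password).encode("utf-8")
    candidate = hashlib.pbkdf2_hmac("sha256", norm_bytes, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(check_password_policy("\U0001F512" * 128))   # 128 code points, 512 UTF-8 bytes
    print(check_password_policy("correct\x00horse"))   # rejected: NUL is a control char
    stored = hash_password("\ufb01sh-battery-staple")
    print(verify_password("fish-battery-staple", stored))
```

The byte count is reported because the two measures diverge badly at the top of the range: 128 code points of four-byte characters is 512 bytes of UTF-8. PBKDF2 consumes the whole input, but bcrypt uses only the first 72 bytes of the password, so a verifier that hashes with bcrypt needs either a byte-based limit or a pre-hash step, otherwise most of such a password is silently ignored.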
Utilize Multi-Factor Authentication
This should mention receiving the token via SMS as it is a separate channel (not the internet), which provides security benefits.
Authentication and Error Messages
Correct Response Example
If the response doesn't specify whether the username is wrong (does not exist) or the password, that is an inconvenience for the user, especially if she/he doesn't notice the error. Many times, there is an alternative way of finding valid usernames anyway, so there is no additional security gained. Use good judgement.
Use of authentication protocols that require no password
Mozilla Persona is missing from this list; it seems to be the best solution in terms of privacy. Its only problem is a lack of adoption, something this cheat sheet could change.