Enterprise Service Product Security | ToB product login security. For enterprise-class service products, product security is a key factor when users choose a product, and the three aspects of login security, password security and device security all need to be covered comprehensively and pushed as far as possible.
Simultaneous multi-device login is not unsafe
Currently, most products on the market use single-device login, that is, one mobile terminal plus one computer terminal. When another device logs in to the same account, the other devices are logged out, so that one account can only be logged in on one device at a time. Users of WeChat and QQ sometimes give me feedback saying that those products feel safer because only one device can be logged in, and that if our product used the same strategy users would not be uncomfortable.
In fact, supporting multi-device login does not make a product insecure. In use, it satisfies the convenience of using several devices in a work environment without putting account security at a relative disadvantage. What it does require is more care in product design: the many function setting items need to be globally unified and handled uniformly by the server, and the demands on the immediacy of requests between the terminal and the server, and on request handling under a weak network, are relatively high, because users do not care whether an operation is local or server-side; they want the same experience everywhere.
Device management must be easy to operate and form a closed loop
With multi-device login, device login and device management need a closed-loop design. The most commonly used authorization method is the SMS verification code; quick authorization between devices is also possible, but because of Apple's recently introduced requirements the iOS deviceID is no longer unique, so the deviceID cannot be used as a unique device tag between devices, and the SMS verification code is the more stable and relatively safe approach.
Single-device login can also use device login authorization to enhance security.
Authorization records in device management, the action of cancelling an authorization, and the logging of each entry are what close the loop.
Password security should be combined with the login framework design, a two-pronged approach
From a technical point of view, exposure of the password during the login process should be minimized; that is, forms where the account and password are typed in, such as on the web page, can be deliberately weakened within the overall login framework, and where such a form is still used it should also do two-factor verification as far as possible, i.e. password check plus phone-number check.
To ensure device security, logging in on other ends such as the web side or desktop should, as far as possible, be authorized from an already-trusted device; the typical example is WeChat.
There are two ways to design password changes:
Verify the phone number and modify the password directly (phone-number verification is more and more common, and also relatively safe)
Verify the old password, then set a new password (this is the more conventional approach)
For password strength design, different security levels will have different designs. You can configure a set of rules on the server and adjust them at any time based on feedback and data, without needing to ship a new release.
The following is a relatively detailed set of scoring rules that I found online when I designed the complete set of password rules. You can use it as a reference:
Password length:
0 points: 6 characters or fewer
10 points: 6 to 10 characters
25 points: 10 characters or more
Letters:
0 points: no letters
10 points: all lowercase (or all uppercase) letters
20 points: mixed-case letters
Digits:
0 points: no digits
10 points: 1 digit, or only consecutive digits
20 points: 3 or more digits
Symbols:
0 points: no symbols
10 points: 1 symbol
25 points: more than 1 symbol
Bonus:
0 points: letters and digits
2 points: letters, digits and symbols
5 points: uppercase and lowercase letters, digits and symbols
Penalties:
-10 points: 3 or more consecutive digits, or 3 or more repeated letters
-20 points: letters, digits and symbols; 5 points: uppercase and lowercase letters, digits and symbols
Final score:
>= 90: Very safe
>= 80: Secure
>= 70: Very strong
>= 60: Strong
>= 50: Average
>= 25: Weak
>= 0: Very weak
Inspired by these scoring criteria, the following are my password design rules. The focus is on adding weak-password checking and reminders, and password strength detection; most password security requirements are basically met by the rules below (if reproducing, please credit the source, thanks):
Goal
Flexible password rules
Exclude simple passwords: 123456a, 123qwe, 123abc, 111aaa
Normal password standard: a 6 to 20 character alphanumeric combination; password strength must meet the standard, generally 30 points and above under the weak-password standard
Medium password standard: a 6 to 20 character alphanumeric combination; password strength must be strong, 50 points and above
Strong password standard: a 6 to 20 character alphanumeric combination; password strength must be very strong, 70 points and above
Password rules
Basic rule: a combination of 6 to 20 letters and digits
Add a weak password library: the password base
On top of that, password strength detection: general / strong / very strong (the thinking behind the wording: to reduce the pressure on users when setting a password and give them a point of confidence, no "weak" wording is shown; a weak password is simply not allowed to be set successfully)
[General] password standard: meets the basic password rules
[Strong] password standard: mixed upper and lower case letters, or contains symbols, or the password is longer than 12 characters
[Very strong] password standard: mixed upper and lower case letters and contains symbols
Prompt copy
Password setting prompt copy:
If the password set by the user is in the weak password library, show the prompt "The password you set is too common and easily cracked, please change it" and do not allow submission.
Strength detection prompt copy:
General: Mixed-case letters can increase password strength
Strong: Mixed-case letters or symbols can increase password strength
Very strong: The password is very safe, please keep it in mind
Weak password library (maintained on the server, can be extended at any time):
123qwe
qwe123
1234qwer
qwer1234
abc123
123abc
abcd1234
1234abcd
password
qq123456
123456qq
123456a
a123456
123qweasd
qweasd123
1q2w3e4r
q1w2e3r4
1q2w3e4r5t
q1w2e3r4t5
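As an added example (not code from the original post), the following Python implements the password rules and prompt copy described above: the basic rule, the weak password library above, and the general / strong / very strong levels. The wording of the prompt for a password that fails the basic rule is an assumption, since the post gives no copy for that case.

```python
import re

# Weak password library as listed in the post; in a real deployment it is
# maintained on the server so it can be extended at any time.
WEAK_PASSWORDS = {
    "123qwe", "qwe123", "1234qwer", "qwer1234", "abc123", "123abc",
    "abcd1234", "1234abcd", "password", "qq123456", "123456qq", "123456a",
    "a123456", "123qweasd", "qweasd123", "1q2w3e4r", "q1w2e3r4",
    "1q2w3e4r5t", "q1w2e3r4t5",
}

# Prompt copy per outcome, following the post's design.
PROMPTS = {
    "weak": "The password you set is too common and easily cracked, please change it",
    "general": "Mixed-case letters can increase password strength",
    "strong": "Mixed-case letters or symbols can increase password strength",
    "very strong": "The password is very safe, please keep it in mind",
    # Assumed wording: the post gives no copy for a basic-rule failure.
    "invalid": "Password must be a 6 to 20 character combination of letters and digits",
}


def meets_basic_rule(pw: str) -> bool:
    """Basic rule: 6 to 20 characters containing at least one letter and one digit."""
    if not 6 <= len(pw) <= 20:
        return False
    return re.search(r"[A-Za-z]", pw) is not None and re.search(r"\d", pw) is not None


def classify(pw: str) -> tuple:
    """Return (accepted, level, prompt) for a candidate password.

    Weak-library members are rejected first (case-insensitively, so 'Password'
    is still caught), then the basic rule is enforced; accepted passwords are
    graded general / strong / very strong exactly as the post defines them.
    """
    if pw.lower() in WEAK_PASSWORDS:
        return (False, "weak", PROMPTS["weak"])
    if not meets_basic_rule(pw):
        return (False, "invalid", PROMPTS["invalid"])
    mixed_case = pw != pw.lower() and pw != pw.upper()
    has_symbol = re.search(r"[^A-Za-z0-9]", pw) is not None
    if mixed_case and has_symbol:
        level = "very strong"
    elif mixed_case or has_symbol or len(pw) > 12:
        level = "strong"
    else:
        level = "general"
    return (True, level, PROMPTS[level])
```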
For some needs, the scoring mechanism does not have to be designed so elaborately; the following is a simplified version of the design (if reproducing, please credit the source, thank you):
Basic rule:
A 6 to 20 character combination of letters and digits
Additional terms:
Cannot contain 5 or more repeated digits or letters
Cannot contain 5 or more consecutive digits (ascending or descending)
Cannot be one of the following 10 most commonly used passwords:
123qwe
1234qwer
abc123
abcd1234
password
qq123456
123qweasd
1q2w3e4r
q1w2e3r4
1q2w3e4r5t
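As an added example (not the post's own code), this Python implements the simplified rule set above and returns the violated rules using the supplementary prompt wording the post suggests the server should provide. The repeat check counts any repeated character, and the consecutive check only considers runs of digits, which is an interpretation of the rule as stated.

```python
import re

# The post's top-10 list of most used passwords.
TOP10 = {"123qwe", "1234qwer", "abc123", "abcd1234", "password",
         "qq123456", "123qweasd", "1q2w3e4r", "q1w2e3r4", "1q2w3e4r5t"}


def longest_repeat_run(s: str) -> int:
    """Length of the longest run of one repeated character, e.g. 'aaaaa1' -> 5."""
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def longest_consecutive_digit_run(s: str) -> int:
    """Longest run of digits stepping by +1 or -1, e.g. '12345' or '98765' -> 5.
    A letter or a non-adjacent digit ends the run."""
    best = run = 0
    step = 0          # +1 ascending, -1 descending, 0 not yet determined
    prev = None       # previous digit value, None after a non-digit
    for ch in s:
        if not ch.isdigit():
            run, step, prev = 0, 0, None
            continue
        d = int(ch)
        if prev is None:
            run, step = 1, 0
        elif step and d - prev == step:
            run += 1
        elif abs(d - prev) == 1:
            step, run = d - prev, 2
        else:
            run, step = 1, 0
        prev = d
        best = max(best, run)
    return best


def validate(pw: str) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    errors = []
    if not (6 <= len(pw) <= 20 and re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        errors.append("Password must be a 6 to 20 character combination of letters and digits")
    if longest_repeat_run(pw) >= 5:
        errors.append("Cannot contain 5 or more repeated digits or letters")
    if longest_consecutive_digit_run(pw) >= 5:
        errors.append("Cannot contain 5 or more consecutive digits")
    if pw.lower() in TOP10:
        errors.append("The password you set is too simple; for enterprise information security, please reset it")
    return errors
```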
After the server expands the rules, the check is triggered the next time the user logs in, and the web terminal jumps to the reset-password page. Ideally the server also provides the supplementary prompt:
"Cannot contain 5 or more repeated digits or letters", "Cannot contain 5 or more consecutive digits", "The password you set is too simple; for enterprise information security, please reset it"
For enterprise-class services, an extended scenario to add to the design: the administrator can set the security level
Different companies have different requirements for the security level, and administrators have different capabilities, so the product design gets tangled: is this what users actually want, is it over-design? When the deliberation reaches this point, you can consider grouping these strengths and rules into several selectable security levels and handing the choice back to the enterprise itself. For example, the administrator can switch on whether users are forced to log in by scanning a code, or force all users to set their personal password to a strong password.
How to design login renewal
On the mobile terminal, users are not aware of ticket renewal at all; upgrades are mostly in-place upgrades, and the experience users are used to is that opening the app just works, without being prompted to log in again or being kicked out directly.
Mobile terminals are basically renewed without limit, but the web side is different: some tickets expire after 7 days, some after 5 days. The best approach is to record and calculate the login frequency and, in line with the user's frequency of use, renew web-side logins according to certain rules, kicking the user out directly as little as possible.
In addition, special identities such as enterprise administrators can be required to verify their identity on every login, and their tickets can be designed to be shorter. The user's IP and similar data can also be used to compute common sites, and rules such as common location ±5 km can serve both as the basis for judging whether a login is abnormal and, when the user has already logged in from a common site, as the basis for automatic renewal.
Security reminders in the login process are indispensable
Even with device authorization in place, reminders should still be added for abnormal login attempts from other devices and for abnormal logins on other devices.
The following count as abnormal logins:
Multiple unsuccessful password attempts; a device failing to log in multiple times.