During an engagement, I have been asked by a client to explain (with the use of one or more examples) why they must update their website authentication mechanism, as they are currently using HTTP Basic Authentication, and how it can be dangerous for the security of a system.
- It's your client and you made the recommendation - why did you recommend it? – Apr 21 '22 at 12:29
- @MechMK1 I am not the one who designed the system, I didn't recommend it – pashani jaulani Apr 21 '22 at 15:22
- @SteffenUllrich's linked answer answers the main points. I would also add the lack of support for 2FA/MFA. – Sir Muffington Apr 21 '22 at 19:53
- If I remember correctly, basic auth in a web browser has one large disadvantage: it is impossible to log out. The only way to do so is to close the web browser. – Robert Apr 21 '22 at 20:32
1 Answer
One possible issue in the current scheme: the user passwords may be stored in clear text in the backend. If that is the case, then this is the "problem" you'll want to fix. Hash them, salt them. The transport is only part of the problem.

Also consider alternatives like client certificates.
Kate
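To make the answer's two points concrete for the client, here is an added example (not code from the question or from Kate's answer): it decodes what a Basic-Auth header actually carries on every request, then contrasts a clear-text credential store with a salted, slow-hash store. All users, passwords and headers in it are constructed.

```python
"""Added example, not code from the question or Kate's answer: what a
Basic-Auth header carries and what the backend should keep instead of the
password. All users, passwords and headers here are constructed."""
import base64
import hashlib
import hmac
import os

def make_basic_header(user: str, password: str) -> str:
    # The Authorization header a client resends on every request.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic_header(header: str) -> tuple[str, str]:
    """Recover the credential from a Basic header (RFC 7617). Base64 is an
    encoding, not encryption: whoever reads the request reads the password."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    # Split on the first colon only: passwords may themselves contain ':'
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

# Weak backend (the answer's "clear text" case): a dump hands out every password.
PLAINTEXT_STORE = {"alice": "correct horse battery staple"}

def make_record(password: str, iterations: int = 600_000) -> dict:
    """Hardened backend: per-user random salt + PBKDF2-HMAC-SHA256, so a
    leaked table yields only salts and slow-to-crack hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

HASHED_STORE = {"alice": make_record("correct horse battery staple")}

def authenticate(header: str, store: dict = HASHED_STORE) -> bool:
    """Unknown user, wrong password and non-Basic schemes all fail closed."""
    try:
        user, password = decode_basic_header(header)
    except ValueError:  # bad scheme, bad base64 or bad UTF-8 all subclass it
        return False
    record = store.get(user)
    return record is not None and verify(record, password)
```

Calling `decode_basic_header(make_basic_header("alice", "..."))` returns the password exactly as the browser sent it, which is the transport part of the problem; `authenticate` checks that same header against the salted store, which is the storage part.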