Sirius Portal Security: Account Security – Beyond Passwords
Vega’s Sirius web portal has been built by a team of expert developers, penetration tested by professionals, and used to protect our customers’ data successfully for decades. As you might imagine from an application with such a track record, Sirius contains many layers of protection against attack. In this post we will cover some of the features, beyond the password, which protect user accounts.
In a previous Sirius Portal Security blog post, we covered the measures in place to prevent a bad actor from gaining access to a Sirius account by guessing passwords. But suppose that, somehow, an attacker has obtained a valid username and password. Is there anything to protect the account at this point? Yes. Let’s cover two additional protections which will stop an attacker who has got this far: memorable words and two-factor authentication.
Sirius uses a configurable number of memorable words as part of the login process. After correctly entering the username and password, the attacker must enter a randomly chosen character from one, or potentially more than one, memorable word. As with passwords, a small number of failed memorable word attempts is allowed before the account is locked out. Requiring a random character means that the memorable words are protected against malicious key logger software, which captures all that the user types on their keyboard – such software may be able to capture individual characters from the memorable words, but it would not have the context as to which position in the memorable word each character occupies.
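The random-character step described above, written out as server-side logic. This is an added illustration, not Sirius code: the lockout threshold of three failed attempts, the two-characters-per-word setting and the word "sunflower" are assumptions chosen for the example. It shows why an answer captured by a keylogger does not transfer to the next login: each challenge names different positions, so the captured characters are only valid for the positions they were asked for.

```python
import hmac
import secrets


class MemorableWordVerifier:
    """Server-side check for a 'random characters from your memorable word' login step.

    Assumed design (not Sirius code): the words are held recoverable on the server,
    a challenge is a list of (word_index, position) pairs, and failed answers count
    toward an account lockout.
    """

    def __init__(self, words, chars_per_word=1, max_failed=3):
        self._words = [w.lower() for w in words]
        self.chars_per_word = chars_per_word
        self.max_failed = max_failed  # assumed threshold; the post only says "a small number"
        self.failed = 0
        self.locked = False
        self._rng = secrets.SystemRandom()  # CSPRNG, so positions cannot be predicted

    def new_challenge(self):
        """Pick chars_per_word distinct random positions from each memorable word."""
        challenge = []
        for wi, word in enumerate(self._words):
            for pos in sorted(self._rng.sample(range(len(word)), self.chars_per_word)):
                challenge.append((wi, pos))
        return challenge

    @staticmethod
    def prompt(challenge):
        """Human-readable prompt (1-based positions) for the login page."""
        return ", ".join(f"word {wi + 1} char {pos + 1}" for wi, pos in challenge)

    def verify(self, challenge, answer):
        """Return True only if every requested character matches; track lockout."""
        if self.locked:
            return False
        expected = "".join(self._words[wi][pos] for wi, pos in challenge)
        # constant-time comparison so timing does not reveal how many chars matched
        ok = hmac.compare_digest(expected.encode(), answer.lower().encode())
        if ok:
            self.failed = 0
        else:
            self.failed += 1
            if self.failed >= self.max_failed:
                self.locked = True
        return ok


def replay_logged_answer(verifier, logged_answer):
    """Simulate a keylogger replaying one captured answer against a fresh challenge.

    The captured characters are only correct for the positions they were asked for,
    so against a new, randomly positioned challenge the replay almost always fails.
    """
    return verifier.verify(verifier.new_challenge(), logged_answer)


if __name__ == "__main__":
    v = MemorableWordVerifier(["sunflower"], chars_per_word=2)  # constructed sample word
    challenge = v.new_challenge()
    print("Please enter:", v.prompt(challenge))
```

One design consequence worth knowing: because the server must check individual characters, a scheme like this cannot store the memorable words as one-way hashes the way passwords are stored; they have to be kept recoverable (encrypted at rest, with tightly controlled key access), which is the trade-off the scheme makes for its keylogger resistance.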
But what happens if something goes very wrong for this user, and an attacker gets hold of all of the security credentials for a Sirius account – the username, password and the memorable words? As a defence in this very bad situation, Sirius offers another level of protection, and another type of protection entirely: two-factor authentication.
When two-factor authentication is configured, any attempt to log in to a Sirius account must be verified using an app on the mobile phone that was linked to the account when the account was first set up. The Microsoft Authenticator and Google Authenticator apps are supported for this purpose. Suppose an attacker has correctly entered the username and password, and the correct memorable word characters. They must now enter a code generated by the app on the Sirius user’s phone before they can complete the login process. This is another layer of security, and another type of security entirely – it requires something that the legitimate user owns (their mobile phone), rather than something which can be known (a password, or a memorable word).
As you can see, Sirius has many features to protect against illegitimate access to user accounts. If the password is compromised, there is the memorable word, and if a memorable word is compromised, then the attacker would still need to access the legitimate user’s mobile phone in order to approve the login request.
These are just some of the protections that the Sirius web portal offers. We will cover more here in the future. If you are serious about your web portal security, and would like to learn more about what Sirius can do for you, contact us now.