Extra Layer of Security in Applications : Do’s and Don’ts

01 / Oct / 2015 by Nikhit Kumar 1 comments

Almost every web and mobile application today gives you an option to create an account. Once you have created an account, you can login and access all the features of the application. This login process allows you to manage data that is private to you. This feature is referred to as Authentication, where a user is authenticated to use a particular service.

A pair of username and password is the most common authentication mechanism present all across internet. Every application uses this approach to manage users. This method requires you to remember two string values – a username and a password. These string values are chosen during signing up on the application.

But a single layer of security is not always enough. An extra layer of security is always better with the increasing number of online attacks. Developers have adopted various approaches to implement an extra layer of security in their application. Some of these approaches, the issues they raise and their remediation are discussed below.

Security Questions

This method got popular on the internet in 2000s. These security questions are used in scenarios such as retrieving passwords.

Once the user creates an account, he is provided with an option to choose one or more security questions from a list of given questions. This implementation is incorporated for scenarios such as ‘Forgot Password’ or ‘Multiple failed login attempts’. The questions are of type – “What was the name of your first school?” or “What is your mother’s maiden name?” etc. Some applications also provide an option to create your own security questions. After choosing one or a series of questions( as required by the application) and answering them, the user saves the changes and his account is created. In future, if the user forgets his account password, he is posed with the security question(s) that he had chosen at the time of signing up. Once the right answer is entered, the required action is carried out.

Key issues
  • The security questions are very general and their answers can be guessed with little research i.e. the answers are pretty much obvious. For instance, questions such as “When were you born?” or “What was the name of your first school?” are public knowledge, if anyone tries a little bit.
  • The answer of the security question acts as a second password. If the user is clever enough, he may set a wrong or complex answer(For eg. #wcw%^8) for a security question. But the thing is, what if he forgets? Being clever has its limitations, i guess. The workaround would be to save this complex password somewhere safe.
  • Don’t use general questions whose answers can be easily guessed. Instead use questions such as “Whom did you despise in your high school?”. Allowing the users to create their own security questions can be a good idea. But sometimes, the users are in haste to create their accounts and may choose poor questions.
  • Periodically, make users review their security questions. This time they may choose a better question.
  • At Least encrypt the answers while storing. The answers may contain sensitive data in case a user chooses his own question.

Security Images

A Security Image is a feature incorporated by various banking and social media applications to save their users primarily from phishing attacks. How? Well, an attacker can create websites that look similar to legitimate ones and lure the victim to enter his credentials. This is where the concept of security images sneaks in. The user is accustomed to see an image while logging in, and when he finds there’s no such image, he can get the idea that it is some kind of scam.

Once the user creates an account, he is provided with an option to select a list of images that will be linked with his account. Now whenever a user wants to log in, he has to enter his username. If the username is correct, one of the images that he chose while signing up appears along with the password field. Seeing a familiar image, the user comes to know that he is accessing an official website, not a fraudulent phishing website.

Key Issues
  • This approach raises a serious issue. By guessing the user id of a user, the attacker can view the security image linked to that user’s account. According to the hackernews.com, this issue was found in the e-banking portal of HDFC by an Indian security researcher Jiten Jain of Xebia Architects. HDFC, a popular Indian bank used to follow this security image approach in their Netbanking login portal. The username for accessing the portal was the Customer id of the user. After the user entered this information, he was redirected to a new webpage that displayed his security image along with a field to input his password. An attacker can try random Customer IDs, and if successful, is able to view the related security image with that user. Then, he can create a database of all these security images and take his phishing scam to the next level by including the image in the fraudulent web pages.
  • A solution to the above stated problem can be using an extra layer of security between the first and the second page. Once the user enters his username, he is redirected to a new page posing a security question. After the user answers this question correctly, he is redirected to the security image page. Obviously the security question used here would be chosen by the user himself while signing up.


Who does not know about CAPTCHA,right? It is present everywhere on the internet. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

It is a type of challenge response system used in many applications. The main aim of CAPTCHA implemented in a web form is to stop automated scripts or bots to submit numerous responses.

CAPTCHA is being used in signup and login forms from a long time. CAPTCHA in login forms saves the application from Brute Force Attacks. Also, incorporating CAPTCHA in critical action submission forms such as Change Password may protect the user from CSRF attacks.

Key issues
  • One of the issues that users face is that sometimes CAPTCHAs are difficult to comprehend.
  • There have been cases where an attacker was able to bypass CAPTCHA using Optical Character Recognition. Many add ons and apps are also present on the internet that are capable of bypassing CAPTCHA.
  • Easily readable CAPTCHA must be generated. Though the algorithm used to generate it can be varied from time to time to maintain the randomness.
  • Google’s reCaptcha extension is also a good option.

Two Factor Authentication

Two Factor Authentication is a mechanism to authenticate a particular user using two factors :- something the user knows and something the user has . Something a user has can be a physical token such as a Credit Card and something he knows can be his pin.Two Factor Authentication (also written as 2FA) is a secure way of handling user logins. This feature saves the users from brute force and other automated attacks.

For eg. Google Authenticator. It is a two-factor authentication app. To access any  website or a web-based service, the user enters his username and password and submits the response. Then, a one-time passcode (OTP) is delivered to his device. He is prompted to enter this value. If the OTP he enters is correct, then only is he allowed to access that service. The main thing to note is that this six-digit one time password is valid only for a limited time(30-60 seconds), so it can’t be replayed, thus providing an extra layer of security.

Key issues
  • Though 2FA is considered to be a secure, yet some implementation issues can defeat its purpose. For e.g., the validity period of an OTP may not be properly set. Also, due to network issues the message(OTP) does not reach on time.
  • A malware toolkit namely ‘Remote Overlay Toolkit’ could be used by an attacker to bypass OTP Two Factor Authentication. This issue can be mitigated using an out-of-band two factor authentication.
  • It must be made sure that 2FA has been properly implemented with proper working of OTP feature.
  • An out-of-band two-factor authentication method is preferred. This method involves using of  a separate channel to verify authentication requests. For example,  if the first authentication request is sent over the Internet, the second authentication request should be sent over a different channel, such as SMS.


Care must be taken before implementing the above mentioned approaches for an extra layer of security as it has been rightly said, “Security is only as strong as the weakest link.”

Thus, it is important to assess the level of security of your application at regular intervals. This is as simple as answering a 5-minute questionnaire like the one below –


comments (1 “Extra Layer of Security in Applications : Do’s and Don’ts”)

  1. Kartik Jha

    Of course, there has to be extra layers of security in apps. And the layers present currently have to be secure enough to pass the pentests. These dos and donts will help you realize more.


Leave a Reply

Your email address will not be published. Required fields are marked *