Application Security Handbook

Authentication

Last updated 1 year ago

Overview

This section contains recommendations for implementing authentication mechanisms.

Reuse existing authentication mechanisms instead of implementing new ones: every additional implementation duplicates security-critical logic and expands the attack surface.

General practices

| Authentication scheme | Proof of identity | Pages |
| --- | --- | --- |
| Authentication with login and password | login & password | Authentication with Login and Password |
| Authentication with email and password | email & password | Authentication with Login and Password |
| Authentication with a phone number and a one-time code | phone number & one-time password | Authentication with Phone Number |
| OAuth2 authentication | third-party system | OAuth 2.0 Authentication |
| Multi-factor authentication | one-time password | Multi-factor Authentication |