DATABASE SECURITY PART 2: TOKENS AND STANDARDS
In the part1 of this series on the competition site security we established the essential role of session and account management in preserving the integrity of your data and the trust of the customers. Handling loads of data in the age of GDPR is risky and complicated by itself to constantly worry about the security of the whole endeavour. That’s why it’s better to stay with professional software database developers like Tentacle Solutions who have established protocols and methods of securing your systems.
What are those methods and best practices?
All the security issues and potential risks should be evaluated and openly discussed between the company and the development house.
The best tokens in the game
One of the best methods to ensure the safety of your competition site and its databases is to utilize authentication management systems that use authentication tokens. Tokens are a web authentication technique that lets users enter their username and password once and receive a uniquely-generated encrypted token in exchange. Basically, the digital token proves your competition site user has already been allowed in.
That’s a huge step ahead when compared to passwords and other means of login and session management. Two types of tokens dominate the session management niche: JWT and Opaque.
JSON Web Token (JWT) contains specific information that can be interpreted by any party that has that token. For example, this information can contain the user ID of the user for whom it was issued. An advantage of using JWTs is scalability as the backend does not need to do a database lookup for every API call. The drawback is that revoking a single token on demand (before it expires) can be difficult if methods like blacklisting are not used (which impacts the scalability of the solution). However, one can revoke all tokens by changing the signing key.
Opaque Tokens - these are random strings which act as pointers to information that is held only by the system that issues them. These require a database/cache lookup each time they are used. A single token can easily be revoked on demand.
Implementing one of the above token types, along with social media login and two-step verification, can lower the risk of roaming users and session abuse to a minimum while creating a sense of security and trust between your company and its’ clients and staff.
Don’t take us at our word, one of the biggest names in the business – Google, came up with some of the best practices in login session management and after reading our article the list will already be familiar to you:
1.  Hashing passwords
2.  Allowing third-party identity providers if possible
3.  Separation of user identity and user account
4.  Allowing multiple identities to link to a single user account
5.  Allowing long passwords
6.  Allow users to change their username
7.  Letting users delete their accounts
8.  Conscious decision-making on session length
9.  Two-step verification
10.  Don't impose unreasonable rules for usernames
All of the above should be kept in mind when looking for the software database development company and all the way through development until the product is delivered to you. All the security issues and potential risks should be evaluated and openly discussed between the company and the development house. At least that’s how Tentacle Solutions handle bespoke software database development and that is why you should drop them a line if you are considering an upgrade or want a consultation with the top database specialists in the UK.