Recommendation ITU-T X.1282 (11/2023) Security measures for countering password-related online attacks
Table of Contents
1 Scope
2 References
3 Definitions
4 Abbreviations and acronyms
5 Conventions
6 Overview
     6.1 HTTP header enrichment technology
     6.2 Security risks
     6.3 Security authentication process based on HTTP header enrichment technology
7 Security threats in the authentication process
     7.1 Authenticator compromise risks
     7.2 Transaction compromise risks
     7.3 Verifier impersonation risks
8 Security authentication process via HTTP header enrichment technology
     8.1 Authentication process
     8.2 User authorization process
     8.3 Platform verification process
9 Client security
     9.1 APP security
     9.2 SDK security
          9.2.1 SDK communication request verification
          9.2.2 SDK request message encryption protection
          9.2.3 HTTPS protocol for SDK interface
          9.2.4 Local data storage security
          9.2.5 SDK code obfuscation
          9.2.6 User privacy data security protection
          9.2.7 SDK authorization page
     9.3 H5 security
          9.3.1 H5 JSSDK code obfuscation
          9.3.2 H5 page reference verification
          9.3.3 JSSDK communication request verification
          9.3.4 HTTPS protocol
          9.3.5 Browser fingerprint
          9.3.6 JSSDK authorization page
          9.3.7 User privacy data security protection
10 Authentication platform security
     10.1 Request verification
          10.1.1 Client verification
          10.1.2 Service provider verification
     10.2 Data encryption and decryption security
          10.2.1 Client data encryption and decryption security
          10.2.2 Service provider data encryption and decryption security
     10.3 User data security management
     10.4 Business risk control security
          10.4.1 Flow control
          10.4.2 User-level blacklist management and control
          10.4.3 SDK version management security
          10.4.4 Application level security control
          10.4.5 Authorization credential frequency control security
Bibliography