Recommendation ITU-T X.1282 (11/2023)
Security measures for countering password-related online attacks

Summary
History
FOREWORD

Table of Contents

1 Scope
2 References
3 Definitions
4 Abbreviations and acronyms
5 Conventions
6 Overview
  6.1 HTTP header enrichment technology
  6.2 Security risks
  6.3 Security authentication process based on HTTP header enrichment technology
7 Security threats in the authentication process
  7.1 Authenticator compromise risks
  7.2 Transaction compromise risks
  7.3 Verifier impersonation risks
8 Security authentication process via HTTP header enrichment technology
  8.1 Authentication process
  8.2 User authorization process
  8.3 Platform verification process
9 Client security
  9.1 APP security
  9.2 SDK security
    9.2.1 SDK communication request verification
    9.2.2 SDK request message encryption protection
    9.2.3 HTTPS protocol for SDK interface
    9.2.4 Local data storage security
    9.2.5 SDK code obfuscation
    9.2.6 User privacy data security protection
    9.2.7 SDK authorization page
  9.3 H5 security
    9.3.1 H5 JSSDK code obfuscation
    9.3.2 H5 page reference verification
    9.3.3 JSSDK communication request verification
    9.3.4 HTTPS protocol
    9.3.5 Browser fingerprint
    9.3.6 JSSDK authorization page
    9.3.7 User privacy data security protection
10 Authentication platform security
  10.1 Request verification
    10.1.1 Client verification
    10.1.2 Service provider verification
  10.2 Data encryption and decryption security
    10.2.1 Client data encryption and decryption security
    10.2.2 Service provider data encryption and decryption security
  10.3 User data security management
  10.4 Business risk control security
    10.4.1 Flow control
    10.4.2 User-level blacklist management and control
    10.4.3 SDK version management security
    10.4.4 Application level security control
    10.4.5 Authorization credential frequency control security
Bibliography