Protecting service users

This chapter discusses protecting end users and guiding them to secure their accounts properly.

Even if team members maintain high security standards internally, malicious actors can go after the end users. For example, phishing operations target groups of people who are likely to be users of the service. If end users give out their login credentials in a phishing attack, the attacker may harm those users even though the integrity of the service as a whole is not compromised.

The service should take several measures to protect its users so that even if the attacker gains access to the user’s email inbox or password, the harm to the user is minimized.