Is it secure to use .NET membership class for user authentication?

Is it secure to use .NET membership class for user authentication?

Our developers are looking to create an online Internet-facing application and use .NET membership class for user authentication. Users would be commercial clients, not employees. Active Directory was eschewed in order to have the option of different password controls available, depending on the nature of the data in a particular application. AD can also facilitate different business groups that handle user administration. Is this a "secure enough" authentication framework?

    Requires Free Membership to View

    Login

    SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.co.uk you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.co.uk is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

There are two parts to your application: a Web-based customer-facing front end and a back end directory service or data store with authenticated users. The authentication feature in .NET needs both pieces. Since a user directory is required, no matter what you do, the issue isn't just about only relying on the .NET membership classes on the front end. It's also about the directory services, and connecting to them on the back end.

Here's a quick overview of authentication in .NET with some options to consider.

On the Web side, ASP .NET 2.0 provides ready-made code for creating log-in pages and server controls. Prior versions of ASP .NET didn't have this feature, and log-in pages for new Web applications had to be coded from scratch.

On the directory side, there are two built-in membership classes for connecting to Active Directory (AD) or SQL Server, which is no surprise since both are also Microsoft products just like .NET itself. The two classes, ActiveDirectoryMembershipProvider and SqlMembershipProvider, work with a configuration file called Web.config.

But, if you want to use some other directory service, a custom provider can be created by deriving from the MembershpProvider abstract class and tweaking the Web.config file.

Either way, these provider classes manage all the heavy lifting for connecting to the directory services, whether they're Microsoft or not. They are used for adding and deleting users, modifying users and their groups and other access management tasks, such as changing passwords.

The question isn't whether the .NET authentication framework is secure enough; it's how secure is the back-end directory service, which is what drives the application. Since .NET is compatible with its sister Microsoft product, AD, it would probably make the most sense to stick with that.

If flexibility is an issue, there are many options that allow access to multiple directory services for the same application. The details, however, are beyond the scope of this brief answer. Code and instructions are available on Microsoft's Web site and its developer network, MSDN.

For more information:

  • In this expert Q&A, Michael Cobb discusses using Sender ID as an email authentication tool.
  • Security pro Joel Dubin discusses the positive and negative aspects of using keystroke dynamic-based authentication systems.

    • This was first published in December 2007

    Back to top