Want to log in to your bank account? First type in a text message code. Need to access your cloud files? Tell us what street you grew up on. Logging on to your social network? Not before you confirm the email address we have on file.
Yes, we now live in an era where companies are finally taking security seriously. And after the recent spate of high-profile breaches we’ve had in the past couple of months, it really is a good thing. Pretty much everyone heard about what happened with iCloud. But did you know about Dropbox? How about Kmart?
Still, all that extra protection comes at the expense of a simple user experience. Consider this story from a friend of mine – let’s call him Brad – who’s the owner of a small business:
A few weeks ago I met my family at the mall for dinner. It was a last-minute, spur-of-the-moment thing. When my wife called to say she and the kids were nearby, I hurriedly got up and left the office to meet them.I knew I had to transfer some money before the end of the day, but thanks to my handy iPhone I can do that from anywhere. It felt a bit like a corny commercial about the power of mobile banking… but that was exactly the case.
What I didn’t realize was how low my battery was – and sure enough, my phone died before I could execute the transfer. “No problem,” I thought, “it’s a mobile world.” I borrowed my wife’s phone, but it wasn’t a registered device and couldn’t work until I responded to a text message on my dead phone. So I tried calling customer service – but it was already closed for the day. I walked down to the Apple store to log on from there, but sure enough those computers were also unregistered. Ultimately, I had to borrow an old charger cable from the store, wait for the phone to boot up, and only then could I complete the transaction.
So much for anywhere banking.
The point is, security has an obvious effect on the user experience. As a load tester, when your job is all about the end-user experience, all these extra layers of security are bound to pose problems. In today’s blog post we’ll talk about how modern security impacts your load testing strategy.
How Companies Are Improving Security
If you run an online service that stores sensitive information on behalf of your users, you have to do a lot of things right to protect that information. Unfortunately, a hacker only needs to do one thing right to gain access to it. Sometimes it’s exploiting a bug in a piece of software. Other times – like in iCloud’s case – it’s as simple as guessing a password.
To keep users secure, companies are employing a number of different technologies to make sure that user accounts are inaccessible to anyone but the appropriate user. Collectively called two-factor or multi-factor authentication, these technologies generally operate on the principle that a user should be required to prove who they are by submitting two different classes of information about themselves. This information could be:
- Something you know – like a password or your mother’s maiden name
- Something you have – like your mobile phone
- Something you are – like your fingerprint
- Something you do – like what country you typically access your bank account from
On that idea, you’ll find a number of ways that websites secure themselves. In fact, you’ve probably experienced most if not all of these
Mobile Authentication: When you log in, the system sends a short code via text message to your phone. To continue, you must enter the code on the computer. This proves your identity because presumably only you both 1) know your password, and 2) possess your mobile phone.
One-Time Passwords: Some organizations provide users with a small keychain device that displays a unique passcode. This passcode changes every minute or every time you click a button on the device. To authenticate you must provide both your 1) password, and 2) the code on the device.
Behavior-Based Authentication: If you’ve ever tried to log into your bank from a foreign country you may notice that you are asked for extra security information. That’s because the bank is tracking your normal patterns and raising a red flag whenever something different happens. Authentication depends on 1) your password, and 2) your normal patterns of behavior.
Personal Questions: This is the simplest form of enhanced authentication, where users are asked to answer questions, like the name of the street they grew up on. Unfortunately, since so much of this information is easily discoverable today, this method is not nearly as reliable as it used to be.
How Security Impacts Load Testing
When it comes to performance testing, you need to think about security procedures like those listed above for three reasons:
- The security process impacts the end-user experience directly. For example, the introduction of a text message code could add minutes on to standard login times. Take Brad’s example – he couldn’t log on for an hour.Be sure to build automated functional and performance testing around the authentication experience. Probe the performance of the normal login experience and compare it to the 2-factor experience. Look for ways that performance can be improved, and work in tandem with your security team to deliver the best user experience you can.
- Error conditions in the login process could be their own bottlenecks. Think about what happens if a lot of people end up resetting passwords at the same time. This may seem like a remote possibility – but what if there is a system error that requires a massive password reset? Or what if a data breach occurs? With multiple cases every month, there is bound to be a massive appeal to “reset all your passwords” from some breached organization. This could result in a huge spike in your authentication system activity.This is especially important if your security process depends on a third-party service for credential validation or text message generation. Make sure you understand how that service performs under load so you can plan accordingly.
- Finally, the security process is an important one to be aware of when you are generating lots of users for load tests or simulating users for performance monitoring. If you need to create thousands of users at a time and they all have to be authenticated, that’s going to consumer resources unnecessarily, and potentially skew your numbers.There are a number of ways to get around the security system when you are doing your load testing. Here are a some approaches, summarized below:
- Manual spidering: start with a manual test and then transition to automated testing. Not for super-scale, but good for simulated testing on a small scale.
- Write a plugin that lets the tool log in and participate in the 2-factor authentication experience
- Write a proxy / man-in-the-middle system to handle the authentication process, trick the system into providing access, and then return control to the automation tool
- Disable 2-factor authentication – which will not give an accurate picture of performance for that portion of the system, but will let you get on to testing everything else
And Remember, Before You Take That NSFW Pic…
As a user, it may be a good idea to take advantage of available two-factor authentication systems for anything important or sensitive you are doing. Here’s a great list of how to enable multi-factor authentication on a number of popular services – it even gets updated on a periodic basis as new capabilities are rolled out.
As a tester, be sure to work with tools that give you the flexibility you need to conduct realistic tests in both your testing and production environments – like NeoLoad and the Neotys Cloud Platform. Especially if you are a celebrity on iCloud.