Securing Your Rails Login With Devise

August 29, 2016

When developing a Ruby on Rails application, one of the best gems to start with is Devise. Devise handles user registration, login, password-reset initiation, and much more. While Devise works well from the get-go, there are times when additional tweaks are necessary to tighten up security and meet a particular company policy. If your web application deals with sensitive information, the Devise settings and gems below help keep that information secure.

Out-of-the-Box

Right out of the gate, Devise comes with a slew of options for tailoring your login functionality to your company’s security policy, many of them already enabled with sensible defaults. Once you install Devise, look through config/initializers/devise.rb, where most of these settings live as commented-out lines; uncomment and edit the ones you need.

Here are a few settings to tweak in devise.rb:

config.password_length = 8..72

This raises the minimum length above Devise’s default of 6..128, which enlarges the space an attacker has to search when guessing or cracking a password. The upper bound of 72 is deliberate: Devise hashes passwords with bcrypt, which only uses the first 72 bytes of its input, so a higher maximum would accept characters that never affect the stored hash.

config.expire_all_remember_me_on_sign_out = true

Once a user signs out, the “remember me” cookies on all of their devices expire as well, not just the one in the browser they signed out from. This is Devise’s default; leave it on.

config.timeout_in = 30.minutes

If a user leaves a computer or browser window unattended, Devise logs them out once this much time has passed since their last request. It is an inactivity timeout, not a cap on total session length, and it requires the :timeoutable module on the model. Thirty minutes is still a fairly generous timeframe, but won’t annoy users too much.

Using the :lockable module (added to the model’s devise call, with its columns added by migration), you can enable the following settings:

config.lock_strategy = :failed_attempts

This locks a user out of the system after a certain number of failed sign-in attempts (the alternative value, :none, disables locking).

config.maximum_attempts = 3

This sets how many failed attempts are allowed before the account locks. Devise’s default is 20. Three is strict; bear in mind that anyone who knows a username can deliberately trigger the lock, so a very low threshold also makes it easy to lock legitimate users out.

config.unlock_in = 30.minutes

Once a user is locked out, this sets how long the lock lasts before it lifts automatically (with config.unlock_strategy set to :time or :both; with :email the user must click an emailed unlock link instead). I recently saw a website that locks users out for 24 hours, which seems overkill; even 30 minutes is a lifetime for a user who has forgotten their password, but it limits online guessing against one account to a handful of tries per half hour. Note that this throttles guesses per account only: an attacker spraying a few common passwords across many usernames never reaches the threshold, so pair it with per-IP request throttling at the proxy or Rack layer.

config.last_attempt_warning = true

Be sure to warn users when they’re on their last attempt to log in. Without the warning, a user who has simply mistyped twice gets locked out on the next slip; with it, they can stop and use the password-reset flow instead of burning the last attempt. This option is off by default, and the warning is suppressed when config.paranoid is true, since that mode deliberately avoids revealing whether an account exists.
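For the lockable and timeout settings above to take effect, three files have to agree: the model must declare the modules, the users table needs the lockable columns, and the initializer carries the values. The following is an added example for this article, not code shipped by Devise. The module and column names are Devise’s own; the User model, the Rails 5 migration class name and the chosen values are assumptions made to match the settings discussed.

```ruby
# Added example, not from the Devise project. Module and column names are
# Devise's; the model, the migration class and the values are assumptions.

# app/models/user.rb
class User < ApplicationRecord
  # :lockable and :timeoutable must be listed here, otherwise the lock and
  # timeout settings in the initializer are never consulted. :rememberable is
  # what expire_all_remember_me_on_sign_out acts on.
  devise :database_authenticatable, :registerable, :recoverable,
         :rememberable, :validatable, :timeoutable, :lockable
end

# db/migrate/<timestamp>_add_lockable_to_users.rb
# Same columns `rails generate devise User` emits when the lockable lines are
# uncommented in the generated migration.
class AddLockableToUsers < ActiveRecord::Migration[5.0]
  def change
    add_column :users, :failed_attempts, :integer, default: 0, null: false
    add_column :users, :unlock_token,    :string
    add_column :users, :locked_at,       :datetime
    add_index  :users, :unlock_token, unique: true
  end
end

# config/initializers/devise.rb (only the lines this article changes)
Devise.setup do |config|
  config.password_length = 8..72                 # 72 = bcrypt input limit
  config.expire_all_remember_me_on_sign_out = true
  config.timeout_in = 30.minutes                 # inactivity timeout

  config.lock_strategy = :failed_attempts
  config.unlock_strategy = :both                 # lifts after unlock_in, or via emailed link
  config.maximum_attempts = 3
  config.unlock_in = 30.minutes
  config.last_attempt_warning = true             # no effect while config.paranoid = true
end
```

After adding the migration, run the migration and restart the server; Devise reads the initializer once at boot, so edited values do not apply to a running process.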

Third-Party Gems

devise_security_extension

This gem (since continued under the name devise-security) is a must if security is vital to your organization. It adds seven modules to Devise, each enabled by listing it in the model’s devise call. Here are a few things you can do:

  • Expire passwords (:password_expirable) – forces users to create new passwords periodically
  • Ensure old passwords aren’t reused (:password_archivable) – there’s no sense in making users change their passwords periodically if they can reuse the same one
  • Enforce a one-session-at-a-time policy (:session_limitable) – discourages users from sharing their accounts with others
  • Expire accounts that haven’t been used recently (:expirable) – if a user isn’t signing in, you can lock them out automatically

devise-two-factor / two_factor_authentication

Both of these gems add two-factor authentication to Devise login: after the password, the user must also supply a one-time code. devise-two-factor implements time-based one-time passwords (TOTP, RFC 6238) through the rotp gem; it stores an encrypted secret on the user record and the code is produced by an authenticator app on the user’s phone, so it is never transmitted. two_factor_authentication also generates TOTP codes but leaves delivery to you, typically a text message or email sent from a method you implement, and can work with authenticator apps as well. Both gems give you some flexibility in how the implementation is completed, which leaves room to apply a variety of security policies; where you have the choice, prefer app-generated codes, since SMS and email are the weakest delivery channels.
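To show what both gems are doing underneath, here is an added example that is not code from either gem or from this article’s author: a minimal TOTP implementation using only the Ruby standard library, plus a verifier that handles the two details a 2FA module must get right, a small clock-drift window and refusal to accept the same time step twice (a code sniffed in transit cannot be replayed). The secret and expected codes are the published RFC 4226 / RFC 6238 test vectors; the TotpVerifier class and its consumed-timestep field are assumptions that mirror how devise-two-factor tracks its last consumed step on the user record.

```ruby
# Added example (not code from devise-two-factor, two_factor_authentication or rotp):
# TOTP per RFC 6238 on top of HOTP per RFC 4226, using only the Ruby stdlib.
require 'openssl'

BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze

# Decode the base32 secret that authenticator apps receive in a provisioning URI.
def base32_decode(encoded)
  bits = encoded.upcase.delete('=').each_char.map { |c|
    idx = BASE32_ALPHABET.index(c)
    raise ArgumentError, "invalid base32 character #{c.inspect}" unless idx
    idx.to_s(2).rjust(5, '0')
  }.join
  bits.scan(/.{8}/).map { |byte| byte.to_i(2) }.pack('C*')
end

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
# truncation on the low nibble of the last byte, then reduce mod 10^digits.
def hotp(secret, counter, digits: 6)
  mac = OpenSSL::HMAC.digest('sha1', secret, [counter].pack('Q>')).bytes
  offset = mac[19] & 0x0f
  binary = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) |
           (mac[offset + 2] << 8) | mac[offset + 3]
  (binary % 10**digits).to_s.rjust(digits, '0')
end

# TOTP (RFC 6238): HOTP with the counter derived from Unix time / step size.
def totp(secret, at:, step: 30, digits: 6)
  hotp(secret, at.to_i / step, digits: digits)
end

# Constant-time comparison so a wrong code fails in the same time as a near miss.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical verifier: tolerates +/- `drift` steps of clock skew between the
# server and the phone, and never accepts a step at or before the last one
# consumed, so a code observed in transit cannot be replayed within its window.
class TotpVerifier
  def initialize(secret, step: 30, digits: 6, drift: 1)
    @secret, @step, @digits, @drift = secret, step, digits, drift
    @consumed_timestep = nil # a real app persists this on the user record
  end

  def verify(code, at:)
    current = at.to_i / @step
    (-@drift..@drift).each do |delta|
      candidate = current + delta
      next if @consumed_timestep && candidate <= @consumed_timestep
      next unless secure_compare(hotp(@secret, candidate, digits: @digits), code.to_s)
      @consumed_timestep = candidate
      return true
    end
    false
  end
end

if __FILE__ == $0
  secret = base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ') # "12345678901234567890"
  puts totp(secret, at: 59, digits: 8)  # 94287082 per RFC 6238 Appendix B
  v = TotpVerifier.new(secret, digits: 8)
  puts v.verify('94287082', at: 59)     # true
  puts v.verify('94287082', at: 59)     # false: that time step is already consumed
end
```

The drift window is where the two policies pull against each other: a wider window is friendlier to phones with bad clocks but gives an attacker who captured a code more time to use it, which is why the consumed-timestep check matters even with a window of one step.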

devise_zxcvbn

This gem helps ensure weak passwords are not used. While devise_security_extension’s :secure_validatable module enforces a composition rule (an uppercase letter, a lowercase letter, and a digit), a password like “Password1” satisfies that rule and is still trivially guessable. devise_zxcvbn instead scores the password’s estimated strength with a Ruby port of Dropbox’s zxcvbn JavaScript library and rejects anything below config.min_password_score; it also treats the user’s own email address as a weak word, so it can’t simply be reused in the password.

Third-party plugins and gems are a quick and efficient way to extend your website, and sometimes security requirements call for a more robust solution than what Devise provides out of the box. These gems and configuration tweaks help ensure your Ruby on Rails application stays secure.
