Use case 9
- Author: Jarno Huusko
- Date / Version: 20/02/2024 / 1.0
User roles
- User (Actor1): Any individual who wants to create an account and securely authenticate to access Tukko's services.
- Dev / Sec (Actor2): Responsible for implementing and maintaining the security measures for the authentication process.
- Dev (Actor3): Develops the server-side logic for handling user registration, authentication, and data storage securely.
Prerequisites / Conditions
- The web app must have an accessible user interface for account registration.
- Backend systems and databases are in place to securely store user credentials and personal information.
Use Case Diagram
Description of use case
- Registration Form: The User accesses the registration form on Tukko's web app, filling in required information such as name, email, and password.
- Password Security: The User is guided to create a strong password, possibly with the assistance of a password strength meter implemented by the Back-end Developer.
- Data Submission: Upon form submission, the Back-end Developer ensures that the user's data is transmitted securely to the server using encryption in transit, and that the password is stored only as a salted hash (e.g., Argon2), never in plaintext.
- Account Verification: The User receives an email or SMS with a verification link or code to confirm their account, preventing unauthorized account creation.
- Secure Authentication: For login, the User enters their credentials, which are securely verified against the stored data.
- Session Management: Upon successful authentication, the User is granted a secure session, with mechanisms like session timeouts and token invalidation upon logout to enhance security.
Exceptions
- E1: If the User enters weak or compromised passwords, they are prompted to choose a stronger password.
- E2: If there are multiple failed login attempts, the account is temporarily locked, and the User is notified to prevent brute-force attacks.
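The registration, login, lockout and session steps above, together with exceptions E1 and E2, as an added example (not Tukko's own code): Python using the standard library's scrypt as a stand-in for the Argon2 the use case names. The lockout and session durations, the compromised-password list and the in-memory stores are assumptions.

```python
import hashlib, hmac, os, secrets

USERS, SESSIONS = {}, {}  # toy in-memory stores (constructed; a real deployment uses a database)
MAX_FAILURES, LOCK_SECONDS, SESSION_SECONDS = 5, 900, 1800  # assumed policy values
COMPROMISED = {"password123", "qwerty123456", "letmein12345"}  # constructed breached-password list (E1)

def hash_password(password, salt=None):
    """Salted scrypt hash: stdlib stand-in for the Argon2 the use case names."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def is_strong(password):
    """E1: reject short passwords and known-compromised ones."""
    return len(password) >= 12 and password.lower() not in COMPROMISED

def register(email, password):
    """Registration: only the salt and hash are stored, never the password."""
    if email in USERS or not is_strong(password):
        return False
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0}
    return True

def login(email, password, now):
    """Returns a session token on success, None otherwise (lockout per E2)."""
    user = USERS.get(email)
    if user is None or now < user["locked_until"]:
        return None
    _, candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):  # constant-time compare
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["locked_until"] = now + LOCK_SECONDS  # E2: temporary lock
            user["failures"] = 0
        return None
    user["failures"] = 0
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"email": email, "expires": now + SESSION_SECONDS}
    return token

def session_user(token, now):
    """Session timeout: an expired or invalidated token yields no user."""
    s = SESSIONS.get(token)
    if s is None or now >= s["expires"]:
        SESSIONS.pop(token, None)
        return None
    return s["email"]

def logout(token):
    SESSIONS.pop(token, None)  # token invalidation on logout
```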
Result
- Users can register for an account and authenticate securely, with robust mechanisms in place to protect their credentials and personal information.
Use frequency
- Account registration is a one-time process for new users, while authentication occurs each time a user accesses the service.
Additional information
- The authentication system's design and implementation details, including the encryption methods and password policies, should be documented for reference and compliance purposes.
Sources
- Security practices are informed by industry standards and guidelines from organizations like OWASP and NIST for secure authentication and account management.