Security of Limited Access URLs and Basic Authentication

Tadashi Shigeoka · Sat, August 15, 2020

I’ll share what I researched and considered regarding the security of limited access URLs and the use of Basic authentication by general users.

Security of Limited Access URLs

Background: URLs Accessible Only to Specific Users

First, the background requirement: we need to provide URLs that only specific users can access.

The following approaches can be considered to meet this requirement:

  1. Limited access URLs
  2. Basic authentication

Security of Limited Access URLs

This is explained in detail in “Web Authentication Without Authentication: Considering the Security of Limited Access URLs - Public Version - Google Slides”.

Basic Authentication

Setting up Basic authentication on staging environments alone is common practice.

On the other hand, I consider it difficult to ask general users to use Basic authentication, for the following reasons:

  • Some browsers and apps don't support Basic authentication (e.g., the Yahoo! Mail app)
  • The Basic authentication login dialog is the browser's default, and neither its design nor its text can be customized
  • Users may confuse the Basic authentication credentials with their own personal login credentials

In short, my concerns are the security of limited access URLs and the usability of Basic authentication. That’s all from the Gemba.