The Palos Publishing Company

Follow Us On The X Platform @PalosPublishing
Categories We Write About

Design a Secure Login System Using OOD Principles

Written by

Bernardo Palos

in

Overview

A secure login system is essential for safeguarding user data and ensuring that only authorized individuals have access to sensitive information. In this design, we’ll employ Object-Oriented Design (OOD) principles to create a secure, extensible, and maintainable login system. The system will consist of several components, each responsible for a specific task, such as user authentication, password hashing, and session management.

Key Requirements

  1. User Authentication: The system needs to verify the user’s identity.

  2. Password Management: Passwords should be securely stored using hashing techniques.

  3. Session Management: Once logged in, users should be able to maintain their sessions.

  4. Account Locking: For security, accounts should be locked after a certain number of failed login attempts.

  5. Multi-factor Authentication (MFA): Optionally, the system should support MFA for added security.

Key OOD Concepts

  1. Encapsulation: Hide the details of the login process and password management inside the respective classes.

  2. Inheritance: Use base classes for common behavior, and extend them for specific functionality (e.g., basic user vs. admin).

  3. Polymorphism: Implement authentication strategies that can be swapped easily, such as password-based vs. OTP-based authentication.

  4. Abstraction: Simplify the user login process by abstracting away the complex details of authentication, password hashing, and session management.

Design Components

1. User Class

This class represents the user and holds essential information such as the username, password hash, and account status.

python
class User:
    def __init__(self, username, password_hash, failed_attempts=0, locked=False):
        self.username = username
        self.password_hash = password_hash
        self.failed_attempts = failed_attempts
        self.locked = locked
    
    def increment_failed_attempts(self):
        self.failed_attempts += 1
    
    def reset_failed_attempts(self):
        self.failed_attempts = 0

    def lock_account(self):
        self.locked = True
    
    def unlock_account(self):
        self.locked = False

2. PasswordManager Class

Handles the hashing and verification of passwords. This ensures that passwords are never stored or transmitted in plaintext.

python
import bcrypt

class PasswordManager:
    @staticmethod
    def hash_password(password):
        # Hash the password using bcrypt
        return bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())
    
    @staticmethod
    def verify_password(stored_hash, password):
        # Verify the password by comparing the stored hash
        return bcrypt.checkpw(password.encode('utf-8'), stored_hash)

3. Authentication Class

This class handles the login logic, including the verification of user credentials and applying security measures like account locking.

python
class Authentication:
    MAX_FAILED_ATTEMPTS = 5

    def __init__(self, user_db):
        self.user_db = user_db  # A dictionary of users (username -> User)
    
    def authenticate(self, username, password):
        user = self.user_db.get(username)
        
        if not user:
            return "User not found."
        
        if user.locked:
            return "Account is locked due to too many failed attempts."
        
        if PasswordManager.verify_password(user.password_hash, password):
            user.reset_failed_attempts()
            return "Login successful."
        else:
            user.increment_failed_attempts()
            if user.failed_attempts >= self.MAX_FAILED_ATTEMPTS:
                user.lock_account()
                return "Account locked due to too many failed attempts."
            return "Invalid credentials."

4. Session Class

Responsible for managing user sessions after authentication. Sessions store information such as the logged-in user and session expiration.

python
import time

class Session:
    def __init__(self, user):
        self.user = user
        self.start_time = time.time()
        self.expiry_time = self.start_time + 3600  # 1-hour session timeout
    
    def is_session_active(self):
        return time.time() < self.expiry_time
    
    def extend_session(self):
        self.expiry_time = time.time() + 3600

5. MFA (Multi-Factor Authentication) Class (Optional)

For higher security, users can opt for MFA. This class manages the OTP (One-Time Password) generation and verification.

python
import random
import time

class MFA:
    def __init__(self, user):
        self.user = user
        self.otp = None
        self.otp_expiry = None
    
    def generate_otp(self):
        self.otp = random.randint(100000, 999999)
        self.otp_expiry = time.time() + 300  # OTP expires in 5 minutes
        return self.otp
    
    def verify_otp(self, input_otp):
        if time.time() > self.otp_expiry:
            return "OTP expired."
        return "OTP valid." if input_otp == self.otp else "Invalid OTP."

6. Login System Class

A wrapper class that coordinates the login process, integrating all the components such as authentication, password management, and session management.

python
class LoginSystem:
    def __init__(self):
        self.users = {}
        self.sessions = {}
    
    def add_user(self, username, password):
        password_hash = PasswordManager.hash_password(password)
        self.users[username] = User(username, password_hash)
    
    def login(self, username, password, mfa_code=None):
        auth = Authentication(self.users)
        result = auth.authenticate(username, password)
        
        if result == "Login successful.":
            user = self.users[username]
            
            # Optional MFA
            if mfa_code:
                mfa = MFA(user)
                otp = mfa.generate_otp()
                mfa_result = mfa.verify_otp(mfa_code)
                if mfa_result != "OTP valid.":
                    return "MFA failed."
            
            session = Session(user)
            self.sessions[username] = session
            return f"Login successful. Session started for {username}."
        
        return result

Example of Usage

python
# Create the login system
login_system = LoginSystem()

# Add users
login_system.add_user("alice", "securepassword123")
login_system.add_user("bob", "password456")

# Simulate login
print(login_system.login("alice", "securepassword123"))  # Successful login
print(login_system.login("alice", "wrongpassword"))  # Invalid credentials

Security Considerations

  1. Hashing: Passwords are hashed using bcrypt, a secure and slow hashing algorithm that protects against brute-force attacks.

  2. Account Locking: The system locks an account after a number of failed login attempts, protecting it from brute-force attacks.

  3. MFA: The system supports multi-factor authentication (MFA), which adds an additional layer of security by requiring the user to provide an OTP.

  4. Session Management: Sessions are time-limited, ensuring that unauthorized access is minimized after prolonged inactivity.

  5. Encryption: Although not explicitly shown in the classes above, it is recommended that communication between the client and server be encrypted (e.g., using HTTPS).

Conclusion

This object-oriented design for a secure login system ensures that the system is flexible, scalable, and maintainable. The use of OOD principles such as encapsulation, abstraction, inheritance, and polymorphism ensures that different components are isolated, making the system easier to extend (e.g., adding more authentication methods or improving session management).

Share this Page your favorite way: Click any app below to share.
See all the ways to share this page

Enter your email below to join The Palos Publishing Company Email List

We respect your email privacy

Check Out Our Newest Posts we wrote about

Categories We Write About