Test user-viewable log of authentication events (OTG-LOG-002)
Proving users with their last logged in date/time is a useful way to help them identify mis-use of their own accounts. Providing a list of important authentication events over a longer time period is even better.
If visibility is given to users of applications with user interfaces (e.g. websites) about their previous use, this can provide them with confidence about the use of their account. If unexpected events are found, this might encouarge a user to change their password. If a number of users contact the application's owner, it could indicate a more significant intrusion or data breach.
A user logs in and goes to their profile page. There is a paginated list of recent site authentication actions, with the most recent first. For example:
Tue, 15 Oct 2013, 14:43:05 GMT Europe Successful log in User Tue, 15 Oct 2013, 14:40:37 GMT N.America Reset link sent Application Tue, 15 Oct 2013, 14:40:36 GMT SE.Asia Account unlocked Call centre [6RE34] Tue, 15 Oct 2013, 14:40:20 GMT SE.Asia Account details viewed Call centre [6RE34] Tue, 15 Oct 2013, 14:40:20 GMT Europe Caller identity verified +44 191 *** **** Tue, 15 Oct 2013, 14:21:15 GMT N.America Account locked Application Tue, 15 Oct 2013, 14:21:15 GMT Europe Failed log in User Tue, 15 Oct 2013, 14:21:06 GMT Europe Failed log in User Tue, 15 Oct 2013, 14:20:53 GMT Europe Failed log in User Mon, 29 Apr 2013, 19:54:09 GMT Europe Logged out User etc
Log in as a valid user and identify if there is a list of account activity, especially authentication events such as:
- Successful log in
- Failed log in
- Account locked / disabled
- Account unlocked / enabled
- Account created
- Password changed
- Username changed
- Logged out
These should relate to all such actions:
- Using the web application itself (i.e. by the authenticated user)
- Using related/partner applications where the same credentials are valid
- By someone or something else (e.g. a call centre agent, a website administrator, another application)
Also review whether these additional properties relating to the user are accessible:
- Events that cost the user money (e.g. purchase history)
- Changes to role or access privileges
- Significant status changes (e.g. credit limit altered)
Ensure that sensitive data is not exposed in the event list.
None. Use a web browser to log in and examine information available to the user themselves.
Related Test Cases
Implement a list of account activity, viewable by the user after they have been authenticated. This provide the ability to look back over several months.