School Project • Application Security

Elderlink: Community Platform for Elderly

Enterprise-grade multi-layered authentication protecting 50+ elderly users with password hashing, session management, and time-limited password reset

Timeline May - August 2025
Team Size 3 Members
My Role Authentication and Authorization Security Developer
Status Completed
Python Flask bcrypt Flask-Session smtplib SQLite TLS/SSL

Problem

Aging Population & Social Isolation

With Singapore's ageing population, loneliness and social isolation are among the biggest threats to seniors' wellbeing. Many Singaporeans aged 62 and older report being lonely, and lonely seniors face a 7% higher risk of dying.

Need for Connection

Elderly users face unique challenges with complex systems, yet require secure platforms to connect and socialize. There's a critical need for simple, accessible technology that brings seniors together safely.

What is Elderlink?

Elderlink is a web application that connects elderly users based on shared hobbies and interests. It is also a hub for learning and community events.

We wish to create a simple, community-focused platform that encourages seniors to socialize and combat loneliness through meaningful connections.

My Role

I developed a comprehensive secure authentication system for Elderlink using Flask and industry-standard security libraries. The system implements three layers of protection: password hashing with bcrypt for credential security, server-side session management for authenticated access control, and a secure password reset mechanism with time-limited tokens sent via email. This multi-layered approach ensures robust protection while maintaining user accessibility.

🔐

Two-Factor Authentication (2FA)

Email-based verification codes providing an additional security layer beyond passwords for enhanced account protection

👥

Role-Based Access Control (RBAC)

Granular permission management with distinct roles (Admin, Moderator, User) controlling feature access and data visibility

Rate Limiting & Brute-Force Protection

Intelligent throttling limiting login attempts to 5 per 15 minutes, preventing automated attacks and credential stuffing

🔒

Password Hashing with bcrypt

Industry-standard password hashing with salt and adaptive cost factor (12 rounds) ensuring credentials are never stored in plain text

✉️

Email Verification

Account activation via email confirmation links with time-limited tokens validating user identity during registration

🛡️

Session Management

Secure server-side sessions with HttpOnly cookies, automatic expiry, and session regeneration preventing hijacking attacks

Input Validation & Sanitization

Server-side validation on all user inputs with regex patterns and allow-list filtering, backed by parameterized queries and output escaping to prevent SQL injection and XSS attacks

🔑

Password Strength Enforcement

Minimum 8 characters with uppercase, lowercase, numbers, and special characters; real-time strength meter and common password blacklist

⏱️

Secure Password Reset

Time-limited reset tokens (30-minute expiry) sent via SMTP with cryptographically secure generation using Python's secrets module

👤

Accessible Security Design

User-friendly interface balancing enterprise security with elderly accessibility through clear messaging and guided workflows

🛡️

OWASP Top 10 Compliance

Security architecture aligned with OWASP Top 10 standards, addressing critical vulnerabilities including injection attacks, broken authentication, and security misconfigurations

Security Features in Action

See how Elderlink's multi-layered security system protects users while maintaining accessibility

Elderlink Signup Page

User Registration

Streamlined signup process with real-time password strength validation and clear form feedback

Email Verification Required

Email Verification System

Account activation via email confirmation ensuring verified user identities and valid contact information

Signup Completion

Registration Completion

Final step of the signup process confirming successful account creation and email verification status. It also confirms that the user has chosen a password that meets Elderlink's password policy.

Elderlink Login Page

Secure Login Interface

Clean, accessible login form with clear error messages and user guidance designed for elderly users

Two-Factor Authentication Code Entry

Two-Factor Authentication (2FA)

Additional security layer with email-based verification codes for enhanced account protection

Two-Factor Authentication Email

2FA Email Delivery

Automated email system sending time-sensitive verification codes for two-factor authentication

Rate Limiting Protection

Rate Limiting & Brute-Force Protection

Intelligent throttling system limiting login attempts to prevent automated attacks and credential stuffing

User Dashboard

User Dashboard Access

Role-based dashboard view with permissions tailored to standard user access levels

Forgot Password Page

Password Reset Request

User-friendly password recovery interface with email-based reset link generation

Password Reset Email

Secure Password Reset Email

Time-limited reset tokens (30-minute expiry) sent via SMTP with cryptographically secure generation

Change Password Interface

Password Change Security

Secure password update process requiring current password verification and strength validation

Admin Dashboard Overview

Admin Dashboard - Overview

Comprehensive admin interface with elevated permissions for platform management and monitoring

Admin Dashboard Management

Admin Dashboard - Controls

Advanced administrative controls for user management, content moderation, and system configuration

User Management System

Role-Based Access Control (RBAC) interface for managing user roles, permissions, and account status

Unverified User Access Control

Unverified User Protection

Access control preventing unverified accounts from accessing platform features until email confirmation

Disable User Feature

Account Suspension Control

Administrative capability to disable user accounts for policy violations or security concerns

Security Analytics Dashboard

Security Analytics - Metrics

Real-time monitoring of authentication events, failed attempts, and security metrics for threat detection

Security Analytics Insights

Security Analytics - Insights

Detailed security insights and user activity patterns for proactive threat identification and response

Implementation Process

01

Multi-Layer Authentication System

Architected a comprehensive three-tier authentication system combining password hashing (bcrypt with cost factor 12), email verification, and two-factor authentication. Designed the complete user journey from signup to secure access, ensuring each layer provides independent security while maintaining seamless user experience for elderly users.

02

Role-Based Access Control (RBAC)

Implemented granular permission management system with three distinct roles: Admin, Moderator, and User. Developed role-specific dashboards with tailored interfaces, user management controls for administrators, and access restrictions preventing unverified accounts from accessing sensitive platform features until email confirmation.

03

Attack Prevention & Security Analytics

Built rate limiting system restricting login attempts to 5 per 15 minutes to prevent brute-force attacks and credential stuffing. Implemented security analytics dashboard tracking authentication events, failed attempts, and user activity patterns for real-time threat detection. Added account suspension controls for policy violations.

04

Secure Communication & Password Management

Developed complete SMTP email integration for automated delivery of verification codes, 2FA tokens, and password reset links. Implemented cryptographically secure token generation using Python's secrets module with 30-minute token expiry. Created password change interface with current password verification and real-time strength validation.

05

OWASP Compliance & Security Testing

Aligned security architecture with OWASP Top 10 standards, addressing injection attacks, broken authentication, and security misconfigurations. Conducted comprehensive security testing including penetration testing, token expiry verification, session fixation prevention, and input validation. Collaborated with team to balance enterprise-grade security with accessibility for elderly users.

Technical Implementation

Authentication & Authorization

Password Security (bcrypt)

Library: Industry-standard password hashing with built-in salt generation and adaptive hashing algorithm.

Implementation: Cost factor of 12, i.e. 2^12 = 4,096 rounds of bcrypt's key setup; each increment of the cost doubles the work, so the parameter can be raised as hardware gets faster. A random salt is generated per password and stored inside the hash string, which defeats rainbow tables and hides identical passwords.

Security Benefits: Passwords are never stored in plain text. After a database breach an attacker must guess each password individually at roughly the server's own hashing rate, which makes offline cracking slow but not impossible: bcrypt buys time, and the strength policy and common-password blacklist are what keep guessable passwords out of the database in the first place. One bcrypt caveat: only the first 72 bytes of a password are hashed, so longer passphrases should be rejected or handled deliberately rather than silently truncated.

Two-Factor Authentication (2FA)

Method: Email-based verification codes generated using cryptographically secure random number generation.

Implementation: 6-digit time-sensitive codes with 3-minute validity window. Codes invalidated after successful use or timeout.

Flow: Post-login verification step sending automated emails via SMTP with unique codes stored in database with timestamp validation.

Email Verification System

Purpose: Validates user email addresses during registration, preventing fake accounts and ensuring communication channel reliability.

Implementation: Unique verification tokens generated with Python's secrets module, sent via SMTP. Accounts remain inactive until email confirmed.

Security: Token-based verification with expiry timestamps preventing unauthorized account activation.

Role-Based Access Control (RBAC)

Roles: Three-tier permission system: User (standard access), Moderator (content management), Admin (full system control).

Implementation: Database role field with server-side permission checks on every protected route. Role-specific dashboard rendering.

Features: User management interface for admins, account suspension/activation controls, permission-based feature access, audit trail logging.
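As an added example (not Elderlink's code), a deny-by-default permission check in plain Python that reflects the three roles above together with the unverified and suspended account states. The permission names and the role-to-permission table are assumptions; the page lists only the roles. In the Flask app the `current_user` argument would be taken from the session rather than passed in explicitly.

```python
from dataclasses import dataclass
from functools import wraps

# Permissions per role. The names are assumed; the page lists the roles only.
ROLE_PERMISSIONS = {
    "user":      {"view_events", "post_comment"},
    "moderator": {"view_events", "post_comment", "remove_comment"},
    "admin":     {"view_events", "post_comment", "remove_comment",
                  "manage_users", "suspend_account"},
}


@dataclass
class User:
    id: int
    role: str
    email_verified: bool = False
    disabled: bool = False


class Forbidden(Exception):
    pass


def authorize(user, permission: str) -> None:
    """Deny-by-default check run server-side before each protected action."""
    if user is None:
        raise Forbidden("login required")
    if user.disabled:
        raise Forbidden("account suspended")
    if not user.email_verified:
        raise Forbidden("email not verified")      # unverified-user restriction
    # Unknown roles get an empty permission set, i.e. nothing is allowed
    if permission not in ROLE_PERMISSIONS.get(user.role, set()):
        raise Forbidden(f"role {user.role!r} lacks {permission!r}")


def requires(permission: str):
    """Decorator for view functions; the first argument is the acting user."""
    def deco(fn):
        @wraps(fn)
        def wrapper(current_user, *args, **kwargs):
            authorize(current_user, permission)
            return fn(current_user, *args, **kwargs)
        return wrapper
    return deco


@requires("suspend_account")
def suspend_account(current_user: User, target: User) -> User:
    # Object-level rule on top of the role check: admins cannot lock
    # themselves out of the platform
    if target.id == current_user.id:
        raise Forbidden("cannot suspend own account")
    target.disabled = True
    return target
```

The role check alone is not enough for the admin tools: the self-suspension rule shows the object-level check that A01 (Broken Access Control) also covers, i.e. who may act on which record, not just which role may call the route.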

Attack Prevention & Security Hardening

Rate Limiting & Brute-Force Protection

Implementation: Server-side throttling limiting login attempts to 5 per 15-minute window per IP address.

Mechanism: Failed attempts are counted in a server-side store (Redis or the application database) rather than in the client's session, since a counter kept only in the session is reset by discarding the cookie; automatic lockout once the limit is reached, with exponential backoff on repeated lockouts. Because several seniors at one community centre may sit behind a single public IP, a per-IP counter is best paired with a per-account counter so that one attacker cannot lock out a whole venue and one account cannot be attacked from rotating addresses.

User Feedback: Clear error messages indicating remaining attempts and lockout duration without exposing security details.
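An added example, not the project's code, of the 5-per-15-minutes rule as a sliding window keyed on both client IP and account name, with an injectable clock so the lockout and its expiry can be exercised offline. The per-account key and the in-memory dict (standing in for Redis or SQLite) are assumptions; exponential backoff on repeated lockouts is not shown.

```python
import time
from collections import defaultdict, deque

WINDOW = 15 * 60   # seconds; from the page
LIMIT = 5          # failed attempts per window; from the page


class LoginThrottle:
    """Server-side failed-login counter keyed on IP and on username.

    The counters live on the server, not in the Flask session: a counter
    kept in the session is reset by simply discarding the cookie. The
    in-process dict is a stand-in for Redis or SQLite so that every worker
    would see the same counts.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                          # injectable for tests
        self._failures: dict[str, deque] = defaultdict(deque)

    def _prune(self, key: str) -> deque:
        """Drop failure timestamps that have left the sliding window."""
        q = self._failures[key]
        cutoff = self._clock() - WINDOW
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def retry_after(self, ip: str, username: str) -> int:
        """Seconds until another attempt is allowed; 0 means allowed now."""
        waits = []
        for key in (f"ip:{ip}", f"user:{username.lower()}"):
            q = self._prune(key)
            if len(q) >= LIMIT:
                waits.append(int(q[0] + WINDOW - self._clock()) + 1)
        return max(waits, default=0)

    def record_failure(self, ip: str, username: str) -> None:
        now = self._clock()
        self._failures[f"ip:{ip}"].append(now)
        self._failures[f"user:{username.lower()}"].append(now)

    def record_success(self, ip: str, username: str) -> None:
        # Clear the per-account counter only; the IP counter keeps protecting
        # other accounts from the same source
        self._failures.pop(f"user:{username.lower()}", None)


def attempt_login(throttle: LoginThrottle, ip: str, username: str,
                  password: str, verify) -> str:
    """Gate a login through the throttle.

    `verify(username, password)` stands in for the bcrypt check. Returns
    "ok", "bad" or "locked:<seconds>" so the view can show the remaining
    wait without revealing whether the account exists.
    """
    wait = throttle.retry_after(ip, username)
    if wait:
        return f"locked:{wait}"
    if verify(username, password):
        throttle.record_success(ip, username)
        return "ok"
    throttle.record_failure(ip, username)
    return "bad"
```

The lockout applies even when the correct password is finally presented, which is what stops a credential-stuffing run from succeeding on its sixth guess; the wait returned is what the user-facing message can show.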

Session Management (Flask-Session)

Storage: Server-side session storage preventing client-side tampering and session hijacking.

Security Features: HttpOnly cookies (prevents XSS access), Secure flag (HTTPS-only), SameSite attribute (CSRF protection), automatic expiry (30-minute idle timeout).

Session Fixation Prevention: Session ID regeneration after login/logout events preventing session fixation attacks.
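An added example (not Flask-Session's or Elderlink's code) of the server-side session store this section describes: the cookie carries only a random opaque ID, idle sessions expire after 30 minutes, and the ID is rotated at login so that a session ID planted before authentication (session fixation) never becomes an authenticated session. The cookie name and SameSite=Lax are assumptions.

```python
import secrets
import time
from typing import Optional

IDLE_TIMEOUT = 30 * 60   # 30-minute idle timeout, from the page


class SessionStore:
    """Server-side sessions: the browser only ever sees a random ID."""

    def __init__(self, clock=time.time):
        self._clock = clock                           # injectable for tests
        self._sessions: dict[str, dict] = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)              # 256 bits of entropy

    def create(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = {"data": {}, "last_seen": self._clock()}
        return sid

    def load(self, sid: str) -> Optional[dict]:
        """Return the session's data, or None if unknown or idle-expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]                   # expired: forget it
            return None
        s["last_seen"] = self._clock()                # sliding idle window
        return s["data"]

    def regenerate(self, sid: str) -> str:
        """Issue a fresh ID for the same data; the old ID stops working."""
        s = self._sessions.pop(sid)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"data": s["data"], "last_seen": self._clock()}
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)                 # logout


def login(store: SessionStore, sid: str, user_id: int) -> str:
    """Rotate the session ID at the privilege change, then bind the user.

    Anything an attacker planted under the pre-login ID (e.g. via a link
    that set the cookie) is left pointing at a dead session.
    """
    new_sid = store.regenerate(sid)
    store.load(new_sid)["user_id"] = user_id
    return new_sid


def session_cookie(sid: str) -> str:
    """Set-Cookie value carrying the flags listed above (name is assumed)."""
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

In Flask the same cookie flags are set through the app config keys SESSION_COOKIE_HTTPONLY, SESSION_COOKIE_SECURE and SESSION_COOKIE_SAMESITE, and the idle limit through PERMANENT_SESSION_LIFETIME; the ID rotation at login is the part that has to be done explicitly in the login view.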

Input Validation & Sanitization

Server-Side Validation: Regex pattern matching for email, password complexity requirements, username format restrictions.

SQL Injection Prevention: SQLAlchemy ORM, so every query is parameterized; user input is never concatenated into SQL text.

XSS Prevention: Input sanitization, output encoding, Content Security Policy headers, template auto-escaping in Jinja2.

Password Strength Enforcement

Requirements: Minimum 8 characters, uppercase letter, lowercase letter, number, special character.

Implementation: Real-time client-side validation with visual strength meter, server-side enforcement preventing weak passwords.

Common Password Blacklist: Database of 10,000+ common passwords preventing dictionary-based passwords.
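An added example, not the project's code, of the server-side half of the policy above together with the email and username checks from the input validation section. The blacklist here is a constructed five-entry stand-in for the 10,000-entry list, the username format is an assumption, and the 72-byte check reflects bcrypt's limit of hashing only the first 72 bytes of its input.

```python
import re
import unicodedata

# Constructed stand-in for the 10,000+ entry common-password blacklist
COMMON_PASSWORDS = {"password", "password1", "123456789", "qwerty123", "welcome1"}
BCRYPT_MAX_BYTES = 72      # bcrypt ignores everything after byte 72

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,30}")   # assumed username format


def password_problems(pw: str) -> list[str]:
    """Return every policy violation; an empty list means the password passes.

    Returning all failures at once lets the form tell an elderly user
    exactly what to fix instead of one complaint per submission.
    """
    problems = []
    if len(pw) < 8:
        problems.append("at least 8 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("an uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("a lowercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("a special character")
    # Normalise before the blacklist lookup so "Password1!" does not slip
    # past a list entry "password": fold case/width and strip the trailing
    # digits and symbols people bolt on to satisfy complexity rules.
    folded = unicodedata.normalize("NFKC", pw).lower()
    core = re.sub(r"[^a-z]", "", folded)
    if folded in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("not a commonly used password")
    if len(pw.encode("utf-8")) > BCRYPT_MAX_BYTES:
        problems.append(f"at most {BCRYPT_MAX_BYTES} bytes")
    return problems


def valid_email(addr: str) -> bool:
    addr = addr.strip()
    return len(addr) <= 254 and EMAIL_RE.fullmatch(addr) is not None


def valid_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None
```

The client-side strength meter gives instant feedback, but only this server-side function is authoritative: anything the browser checks can be skipped by posting the form directly.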

Password Recovery & Communication

Secure Password Reset

Token Generation: Python secrets module generating cryptographically secure 32-byte hexadecimal tokens (64 characters).

Implementation: Unique token per reset request, stored with user ID and timestamp. Tokens expire after 30 minutes.

Security: Single-use tokens invalidated after password change, no password hints, email confirmation required before reset.
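An added example, not Elderlink's code, of one store serving the 2FA codes (6 digits, 3 minutes), the email-verification tokens and the reset tokens (token_hex(32), 30 minutes) described in the sections above: each token comes from the secrets module, only its SHA-256 digest is kept, it expires after its window, and it is consumed on first use. Beyond what the page states, the example stores the digest rather than the token (so a leaked tokens table yields nothing usable), voids a 6-digit code after five wrong guesses (a million-code space is otherwise guessable inside three minutes), assumes a 24-hour verification window, and assumes the reset link carries the user ID alongside the token.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5   # assumption: wrong guesses allowed before a token is voided


@dataclass
class _Pending:
    token_hash: str           # SHA-256 of the token; the raw token is never stored
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class TokenStore:
    # Validity windows from the page: 3 min for 2FA codes, 30 min for reset
    # links. The email-verification window (24 h) is an assumption.
    TTL = {"2fa": 3 * 60, "reset": 30 * 60, "verify": 24 * 3600}

    def __init__(self, clock=time.time):
        self._clock = clock                                   # injectable for tests
        self._pending: dict[tuple[int, str], _Pending] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int, purpose: str) -> str:
        """Create a token for (user, purpose); replaces any outstanding one."""
        if purpose == "2fa":
            token = f"{secrets.randbelow(10**6):06d}"       # 6 digits, CSPRNG-backed
        else:
            token = secrets.token_hex(32)                    # 32 bytes -> 64 hex chars
        self._pending[(user_id, purpose)] = _Pending(
            self._digest(token), self._clock() + self.TTL[purpose])
        return token                                         # goes in the email only

    def consume(self, user_id: int, purpose: str, presented: str) -> bool:
        """True exactly once, for the right token inside its window."""
        key = (user_id, purpose)
        entry = self._pending.get(key)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[key]                           # expired
            return False
        if not hmac.compare_digest(entry.token_hash, self._digest(presented)):
            entry.attempts_left -= 1
            if entry.attempts_left == 0:                     # stops code guessing
                del self._pending[key]
            return False
        del self._pending[key]                               # single use
        return True

    def revoke(self, user_id: int, purpose: str) -> None:
        """E.g. after a password change, so an unused reset link dies with it."""
        self._pending.pop((user_id, purpose), None)
```

For the reset flow the view would call `consume(user_id, "reset", token)` and only then accept the new password; comparing digests with `hmac.compare_digest` keeps the check constant-time even though the stored value is a hash.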

SMTP Email Integration

Purpose: Automated delivery of verification emails, 2FA codes, password reset links, and security notifications.

Implementation: Flask-Mail with SMTP configuration, templated HTML emails, asynchronous sending for performance.

Security: STARTTLS/TLS on the hop to the SMTP relay (this protects the message in transit to the mail server, not end to end in the recipient's mailbox), no passwords in the email body, and every code or link is time-limited and single-use so a stale email is worthless.

Monitoring & Analytics

Security Analytics Dashboard

Metrics Tracked: Authentication events (login/logout), failed login attempts, 2FA usage rates, account creation trends, password reset requests.

Visualization: Real-time charts and graphs showing security metrics, suspicious activity detection, user behavior patterns.

Admin Tools: Activity logs, IP tracking, user session monitoring, threat detection alerts.

OWASP Top 10 Compliance

A01 - Broken Access Control: RBAC implementation, permission checks on all routes, unverified user restrictions.

A02 - Cryptographic Failures: bcrypt hashing, TLS/SSL for data transmission, secure token generation.

A03 - Injection: Parameterized queries, input validation, ORM usage preventing SQL injection.

A07 - Identification and Authentication Failures: Multi-factor authentication, rate limiting, session management, password policies.

Key Learning Outcomes

💡

The Challenge

Understanding the balance between security and usability, especially for vulnerable user groups. Learning to implement multiple layers of defense while keeping the authentication process simple and accessible for elderly users.

🛠️

Skills Developed

  • Secure authentication design and implementation
  • Password hashing with bcrypt and cryptographic best practices
  • Session management and state handling in web applications
  • Email integration with SMTP for password reset flows
  • Security vulnerability assessment and mitigation
  • User-centered design for accessibility

📈

Growth & Impact

This project taught me the critical importance of security in protecting vulnerable users. I learned that strong security doesn't have to come at the cost of usability, and gained practical experience implementing OWASP security standards. The experience of protecting 50+ real users reinforced my commitment to building secure, trustworthy systems.