ATO Blog

Designing a Login Architecture to Prevent Account Takeovers

By Gili Birchat El
December 01, 2025

Imagine a building with multiple entrances: a guarded front door, a busy delivery bay, a garage entrance—and a few old back doors with simple locks and no cameras.
Large organizations often have a similar digital footprint: many separate login pages for different services, regions, or legacy systems.

While DDoS attacks target high-value, high-traffic assets to cause disruption, account takeover (ATO) attacks work differently. Attackers don’t go for the “front door” protected by MFA and heavy monitoring. They look for the weak, low-traffic login pages—the equivalent of those forgotten back doors.

By slowly testing stolen credentials or brute-forcing passwords on these lightly defended portals, attackers can quietly gain valid logins without triggering alarms. And once inside, the same reused username-password pairs often grant access to more valuable systems, since most users recycle credentials across services.

Account Takeover mitigation: less is more

As we’ve noted in the past, DDoS protection focuses on defending your most valuable, central and high-profile services or sites. From the perspective of ATO prevention, however, effectiveness is measured by login security at the most vulnerable point in your online ecosystem, regardless of its proximity to critical assets.

To address the ATO threat, therefore, you need to consider your entire login architecture. How are authentication, authorization and secure access managed across your system? Is it consistent everywhere users can log in, or are there some unsecured “back doors”?

You may try to standardize login security for multiple separate entry points, effectively leveling protection while leaving the basic architecture in place. This can be a challenge, as it requires consistency in implementation and maintenance in various siloed systems.

Alternatively, you may decide that you want to minimize exposure by limiting the number of entry points open to the public as much as possible. Ideally this means funneling login requests from all your services into a single location, and then monitoring and defending that location from ATO attacks with the best tools at your disposal.

Options for effective login architecture

The key to effectively implementing a common authentication framework is establishing a single sign-on domain (SSD). An SSD provides more centralized control for authentication management and makes it easier to monitor logins for anomalies, failures and ATO trends.
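The low-and-slow credential testing described earlier, and the anomaly monitoring that a single login point makes possible, can be illustrated with per-endpoint login metrics. The script below is an added example, not code from the post or from Red Button; the log format, the endpoint paths, the usernames and the IP addresses are all constructed, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample login records (not from the post): time endpoint source_ip username result.
# The busy front door (/login) sees normal traffic; a lightly used regional portal sees a
# handful of attempts spread minutes apart, each with a different username, from one source.
SAMPLE_LOG = """\
2025-12-01T10:00:01 /login 198.51.100.10 alice ok
2025-12-01T10:00:07 /login 198.51.100.11 bob ok
2025-12-01T10:00:09 /login 198.51.100.12 carol fail
2025-12-01T10:00:12 /login 198.51.100.12 carol ok
2025-12-01T10:00:20 /login 198.51.100.13 dave ok
2025-12-01T10:01:03 /eu/partner/login 203.0.113.7 alice fail
2025-12-01T10:06:41 /eu/partner/login 203.0.113.7 bob fail
2025-12-01T10:12:15 /eu/partner/login 203.0.113.7 carol fail
2025-12-01T10:18:02 /eu/partner/login 203.0.113.7 dave ok
2025-12-01T10:24:30 /eu/partner/login 203.0.113.7 erin fail
"""


def parse_log(text):
    """Parse whitespace-separated records into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, endpoint, ip, user, result = line.split()
        records.append({"ts": ts, "endpoint": endpoint, "ip": ip, "user": user, "ok": result == "ok"})
    return records


def endpoint_stats(records):
    """Per-endpoint counts: attempts, failures, distinct usernames and distinct source IPs."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "ips": set()})
    for r in records:
        s = stats[r["endpoint"]]
        s["attempts"] += 1
        s["failures"] += 0 if r["ok"] else 1
        s["users"].add(r["user"])
        s["ips"].add(r["ip"])
    return stats


def flag_endpoints(records, max_fail_ratio=0.5, max_users_per_ip=3.0):
    """Flag endpoints by ratio rather than absolute volume, so low-traffic back doors are not missed."""
    flagged = {}
    for endpoint, s in endpoint_stats(records).items():
        fail_ratio = s["failures"] / s["attempts"]
        users_per_ip = len(s["users"]) / len(s["ips"])
        reasons = []
        if fail_ratio > max_fail_ratio:
            reasons.append(f"failure ratio {fail_ratio:.2f}")
        if users_per_ip > max_users_per_ip:
            reasons.append(f"{users_per_ip:.1f} distinct usernames per source IP")
        if reasons:
            flagged[endpoint] = reasons
    return flagged
```

A plain per-second rate limit on the front door would never see the regional portal's five attempts spread over 25 minutes; the failure ratio and the usernames-per-source ratio are what single it out, and they are only comparable across services once every login is recorded in one place.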

One option for companies with many active services or locations, each with its own separate login interface, is integration of an external solution that redirects entered credentials to a single behind-the-scenes login system. The advantage for well-established organizations is that it does not require changing the entire customer-facing online structure.

One of the best tools for this purpose is Keycloak, an open-source identity and access management solution. It can be embedded into your current applications or run as a standalone server. Keycloak funnels all login requests from all services to a single service, where every login process takes place.

Another alternative is creating a default structure in which users of any company service are directed to the same page when they want to log in. The domain can be dynamically branded to suit whichever service is being accessed, but the actual login mechanism would be the same for all. This SSD is part of the company’s internal digital architecture, rather than a hidden redirect dependent on an external service.

Some pushback: centralization challenges

Transitioning to a consolidated login architecture has its challenges, as well. There is always a trade-off between centralized security and distributed resilience, as a single entry point is also a single point of failure. A technical issue or a targeted DDoS attack on a login page, for example, could disrupt or paralyze all digital services simultaneously.

It bears repeating that a successful ATO attack, in which user credentials are compromised, can ultimately jeopardize operations and data security for an entire company. The damage comes from the inside and it can be far more destructive than a brief period of downtime.

Limiting the points of entry minimizes exposure while allowing you to uniformly implement the highest-level monitoring and mitigation measures to secure access to all your services. From an ATO perspective, therefore, the SSO and SSD approach is clearly the safest option and in line with best practices.

For a company transitioning to a centralized login architecture, there is the time factor to consider. Depending on the number of services or subsidiaries a company has, and how siloed the systems are, it may take a long time to consolidate authentication management. However, some external login management options that we’ve already touched on integrate with your existing systems and services. Hardening your ATO defenses in this way is significantly faster and easier than redesigning your internal login architecture. In any case, though, the unacceptable alternative to investing the necessary time and resources is continued vulnerability to ATO attacks.

Aside from the data security considerations, single sign-on options raise a potential customer experience question as well. A consumer might want to share different user details or set different configurations for each service they use. A single sign-on solution links all their digital activity together and may make it difficult to separate out certain customization options. The solution to this is intuitive and commonly used in such scenarios – creating multiple user IDs, each configured and managed individually by the customer.

Our recommendation

At Red Button, we strongly recommend using a single sign-on domain for ATO mitigation, consolidating access to all your services (possibly even corporate subsidiaries) in a unified login system. This centralized authentication point should be fortified with the same robust security measures used to protect your most critical assets.

Once you do that, you can sleep well, knowing that you did remember to lock the back door.