Test user-viewable log of authentication events (OTG-LOG-002)

Brief Description
Providing users with their last logged-in date/time is a useful way to help them identify misuse of their own accounts. Providing a list of important authentication events over a longer time period is even better.

Issue
If visibility is given to users of applications with user interfaces (e.g. websites) about their previous use, this can provide them with confidence about the use of their account. If unexpected events are found, this might encourage a user to change their password. If a number of users contact the application's owner, it could indicate a more significant intrusion or data breach.

Example
A user logs in and goes to their profile page. There is a paginated list of recent site authentication actions, with the most recent first. For example:

Tue, 15 Oct 2013, 14:43:05 GMT  Europe        Successful log in          User
Tue, 15 Oct 2013, 14:40:37 GMT  N.America     Reset link sent            Application
Tue, 15 Oct 2013, 14:40:36 GMT  SE.Asia       Account unlocked           Call centre [6RE34]
Tue, 15 Oct 2013, 14:40:20 GMT  SE.Asia       Account details viewed     Call centre [6RE34]
Tue, 15 Oct 2013, 14:40:20 GMT  Europe        Caller identity verified   +44 191 *** ****
Tue, 15 Oct 2013, 14:21:15 GMT  N.America     Account locked             Application
Tue, 15 Oct 2013, 14:21:15 GMT  Europe        Failed log in              User
Tue, 15 Oct 2013, 14:21:06 GMT  Europe        Failed log in              User
Tue, 15 Oct 2013, 14:20:53 GMT  Europe        Failed log in              User
Mon, 29 Apr 2013, 19:54:09 GMT  Europe        Logged out                 User
etc.

Testing Method
Log in as a valid user and identify whether there is a list of account activity, especially authentication events such as:

 * Successful log in
 * Failed log in
 * Account locked / disabled
 * Account unlocked / enabled
 * Account created
 * Password changed
 * Username changed
 * Logged out

These should relate to all such actions:
 * Using the web application itself (i.e. by the authenticated user)
 * Using related/partner applications where the same credentials are valid
 * By someone or something else (e.g. a call centre agent, a website administrator, another application)

Also review whether these additional properties relating to the user are accessible:
 * Events that cost the user money (e.g. purchase history)
 * Changes to role or access privileges
 * Significant status changes (e.g. credit limit altered)

Ensure that sensitive data is not exposed in the event list.

Test Tools
None. Use a web browser to log in and examine information available to the user themselves.

Related Test Cases
None.

Remediation
Implement a list of account activity, viewable by the user after they have been authenticated. This should provide the ability to look back over several months.
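As an added example that is not part of this guide, the following Python sketch shows the shape of such a user-viewable activity list and the checks a tester would apply to it: events are filtered to the authenticated user's own account, limited to a retention window of several months, ordered most recent first, paginated, and sensitive actor details (a caller's phone number) are masked before display, matching the "+44 191 *** ****" style of the example above. The event names, the 180-day retention period, the phone-number format and the sample rows are all assumptions constructed for the example; audit_view() is the tester-side check for the expected event types and for unmasked phone numbers.

```python
"""Added example (not from the OWASP guide): a minimal user-viewable authentication
event log with ownership filtering, retention, ordering, pagination and masking,
plus a tester-side audit of the rendered list. All names and data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re
from typing import Dict, List


@dataclass(frozen=True)
class AuthEvent:
    when: datetime   # UTC timestamp of the event
    user_id: str     # account the event belongs to
    region: str      # coarse location, e.g. "Europe"
    action: str      # e.g. "Successful log in", "Account unlocked"
    actor: str       # who caused it: "User", "Application", "Call centre [6RE34]", a phone number


# Assumed caller phone format: "+<country> <area> <3 digits> <4 digits>"
PHONE_RE = re.compile(r"\+(\d+) (\d+) (\d+) (\d+)")


def mask_actor(actor: str) -> str:
    """Hide the subscriber part of a caller phone number; other actors pass through."""
    m = PHONE_RE.fullmatch(actor)
    if m:
        cc, area, a, b = m.groups()
        return f"+{cc} {area} {'*' * len(a)} {'*' * len(b)}"
    return actor


class AuthEventLog:
    RETENTION = timedelta(days=180)  # assumed window: "several months" of look-back

    def __init__(self) -> None:
        self._events: List[AuthEvent] = []

    def record(self, event: AuthEvent) -> None:
        self._events.append(event)

    def for_user(self, user_id: str, now: datetime, page: int = 1, per_page: int = 10) -> List[Dict[str, str]]:
        """Rows shown to the authenticated user: own events only, inside the retention
        window, most recent first, one page at a time, with actor details masked."""
        cutoff = now - self.RETENTION
        own = [e for e in self._events if e.user_id == user_id and e.when >= cutoff]
        own.sort(key=lambda e: e.when, reverse=True)  # stable: equal timestamps keep insertion order
        start = (page - 1) * per_page
        return [
            {"when": e.when.strftime("%a, %d %b %Y, %H:%M:%S GMT"), "region": e.region,
             "action": e.action, "actor": mask_actor(e.actor)}
            for e in own[start:start + per_page]
        ]


# Event types the testing method above expects to find in the list.
EXPECTED_ACTIONS = {"Successful log in", "Failed log in", "Account locked", "Account unlocked",
                    "Account created", "Password changed", "Username changed", "Logged out"}
UNMASKED_PHONE = re.compile(r"\+\d+ \d+ \d+ \d+")


def audit_view(rows: List[Dict[str, str]]) -> Dict[str, object]:
    """Tester's check over the rendered rows: which expected event types are absent,
    and how many rows still expose an unmasked phone number."""
    seen = {r["action"] for r in rows}
    leaks = sum(1 for r in rows if UNMASKED_PHONE.search(r["actor"]))
    return {"missing": sorted(EXPECTED_ACTIONS - seen), "leaks": leaks, "rows": len(rows)}


def build_sample_log() -> AuthEventLog:
    """Constructed sample data modelled on the example table in the text."""
    log = AuthEventLog()
    t = datetime(2013, 10, 15, 14, 43, 5, tzinfo=timezone.utc)
    sample = [  # (seconds before t, user, region, action, actor)
        (0, "alice", "Europe", "Successful log in", "User"),
        (148, "alice", "N.America", "Reset link sent", "Application"),
        (149, "alice", "SE.Asia", "Account unlocked", "Call centre [6RE34]"),
        (165, "alice", "Europe", "Caller identity verified", "+44 191 123 4567"),  # constructed number
        (1310, "alice", "N.America", "Account locked", "Application"),
        (1310, "alice", "Europe", "Failed log in", "User"),
        (1319, "alice", "Europe", "Failed log in", "User"),
        (60, "bob", "Europe", "Successful log in", "User"),  # another user's event: must not be shown
    ]
    for secs_ago, user, region, action, actor in sample:
        log.record(AuthEvent(t - timedelta(seconds=secs_ago), user, region, action, actor))
    # Inside the retention window, so still visible.
    log.record(AuthEvent(datetime(2013, 4, 29, 19, 54, 9, tzinfo=timezone.utc), "alice", "Europe", "Logged out", "User"))
    # Older than the retention window, so dropped from the view.
    log.record(AuthEvent(t - timedelta(days=365), "alice", "Europe", "Password changed", "User"))
    return log


if __name__ == "__main__":
    now = datetime(2013, 10, 15, 14, 43, 5, tzinfo=timezone.utc)
    rows = build_sample_log().for_user("alice", now)
    for r in rows:
        print(f"{r['when']}  {r['region']:<12} {r['action']:<26} {r['actor']}")
    print(audit_view(rows))
```

The audit deliberately reports missing event types rather than failing: a list that lacks "Password changed" or "Account created" is a finding to record, while an unmasked phone number is the sensitive-data exposure the last step of the testing method is looking for.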