What are Identification and Authentication Failures?
Identification and authentication failures are vulnerabilities related to applications’ authentication schemes. Such failures can lead to serious and damaging data breaches. In this blog post, we dive deep into the attacks that identification and authentication failures can cause, how they can be prevented, and how zero trust can help.
Any vulnerability related to an application’s authentication scheme, whether it is related to how strong it is or how it is implemented, is called an Identification and Authentication Failure. The “Identification and Authentication Failure” vulnerability was previously known in the OWASP Top Ten as “Broken Authentication,” but it acquired its new name in 2021. In the new version, this vulnerability covers both the authentication process and the identification process, instead of just authentication as before.
The types of attacks that Identification and Authentication Failure vulnerabilities might lead to include:
This is an attack that leverages a stolen or leaked database of credentials and automatically attempts to login with them and gain access to a system or resource. This attack is effective because many users reuse the same credential combinations across multiple sites.
How do attackers obtain these passwords? As one example, Ubiquiti, a large IoT vendor, was breached in 2022 through a third party cloud provider. The attacker accessed the Ubiquiti database and stole personal information and credentials, like passwords. These stolen passwords can be used in credential stuffing attacks.
Brute Force Attacks
As their name suggests, brute force attacks automatically attempt every possible valid combination for a password. This type of attack uses massive amounts of processing power to methodically guess the password used. Brute force attacks are efficient for passwords that are short in length, simple and include dictionary words.
Session Identifier Exposed in the URL
When a user opens an internet browser, the browser (front) sends a request to the web server. This creates a unique identifier called a Session ID. This Session ID identifies the communication between that specific user and the application (web server). Cookies are normally used to store session IDs.
However, when the session ID is included in the URL, the attacker can sniff the network, access web history information or read the network logs, and obtain a user’s session ID. Then, the attacker can use it to impersonate a valid user and attack the network.
Here are some examples of session identifier exposed in the URL:
Similar to the session identifier vulnerability, a session fixation occurs when an attacker is able to hijack a user’s session.
A session fixation occurs when:
- A web application authenticates a user without first invalidating the existing session, continuing to use this session already associated with the previous user. If an attacker gets the previous session ID, it can impersonate the user that is logged in at that moment.
- An attacker is able to force a known session identifier on a user so that, once the user is authenticated, the attacker has access to the authenticated session. Here is an example:
- The attacker logs in to get a session cookie. He accesses http://www.myweb.com/login and gets the session ID 98ab65oj44.
- Then the attacker tricks the user into logging in using the attacker’s existing session token. He sends the URL http://www.myweb.com/login;sessid=98ab65oj44.
- Once the user logs in, the attacker can access the user’s account because both the user and the attacker are using the same session ID (sessid=98ab65oj44). This is possible when the application does not change the session ID when a user is authenticated.
- The application or container uses predictable session identifiers. The attacker creates a new session on a web application and records the associated session identifier. After analyzing it, the attacker predicts the next session ID. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user’s account through the active session.
Other examples of Identification and Authentication Failures are:
- No validation of weak passwords
- Weak credential recovery and forgot-password processes
- Using plain text or weakly hashed passwords data stores.
- Ineffective multi-factor authentication
How Can Identification and Authentication Failures be Prevented?
There are multiple methods that IT and security teams can use for preventing identification and authentication failures. Mainly:
Requiring Strong Passwords
Strong passwords include numbers and symbols as well as letters (mixed uppercase and lowercase characters), and must have 8 characters at least (we recommend 10!). Also, a good password policy includes a password rotation (every 90 days) and avoiding the reuse of previous passwords.
Securing Password Data Stores
Passwords must not be stored in plain text. If an attacker accesses a database, they can compromise every user account. So, passwords should be processed with a cryptographic hash algorithm before being stored in the database. That hash can’t be reversed. A good hash algorithm to use is bcrypt.
Nowadays, hackers have created rainbow tables, which is a lengthy database with users and their correspondent hashes. If they steal a database of users and hashes, they can search in these rainbow tables and can find the real password.
To protect against rainbow table attacks, you can salt your password hashes. This means adding an element of randomness to the hashing algorithm so the input password does not solely determine the generated hash. This salt should be stored separately from the users and password data.
Personal Password Vaults
It is recommended to avoid users from using passwords altogether. By using a personal password vault instead of a central password database, organizations can ensure attackers do not have a single resource to attack if they want to compromise passwords. In addition, this provides a passwordless user experience, making password attacks redundant.
Securing the Logout/Login Function
The Logout function is just as important as the Login. Your session logout function should:
- Clear the session cookie in the browser.
- Invalidate the session identifier if this is stored on the server.
This is basic protection against attackers who capture or intercept a session cookie and want to reestablish a session using it. It is also important to change the session ID when a user logs in the application and invalidate the previous session ID used. This method prevents session fixation attacks.
Securing Password Resets
Password reset or forgot-password processes must be secure. It is recommended to:
- Send the user an email with a password-reset link, containing a validation token.
- When the user opens the email and clicks the link, you can validate the incoming token, and allow the user to choose a new password for their account.
- The password-reset links must be short-lived (about 15 or 30 minutes) and must expire after the user uses them.
Why only use one method to authenticate users when a system can use more than one authentication method or factor? This is called multi factor authentication (MFA) and it is by far the best defense against the majority of password-related attacks. The most popular form of MFA is the one-time passcode (OTP, an authentication standard where a constantly changing code is provided by the user) sent by SMS or email, mostly because a large portion of the world population has access to mobile phones or an email service. Much stronger form of MFA includes biometrics and certificates.
MFA can be strengthened by the review of the IP address of the authentication request. That IP can be suspicious:
- If the IP is different than the previously used.
- If the IP corresponds to another country or location.
- If the IP is included in the known block lists.
If MFA is not possible to implement, alternative defenses like PINs (personal identification numbers) and security questions can provide additional security to the system.
Preventing User Enumeration
If an attacker can’t enumerate users, it is more difficult to compromise the authentication system. Here are some recommendations:
- Show generic error messages to prevent the attacker from inferring the user’s identification. For example: “invalid user or password”, rather than just “invalid password”.
- In the password-reset function don’t show a message revealing that a username exists. For example: when a user requests a password-reset link the system can show the message “Check your inbox.”
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a method to prevent automated attacks. It is based on a challenge-response model as a way to differentiate human beings from automated scripts. CAPTCHA’s work by presenting a test that is easy for humans to pass but difficult for computers to pass. The best known implementation is Google reCAPTCHA.
Multi-Step Login Processes
This is an interesting way to foil an automated cyber attack. Most applications use a single step login form including the credentials (user and password). The request is sent to the web server and the response indicates if the login was successful. If the process is executed in two (or more) steps using an CSRF (Cross Site Request Forgery) Token, first requiring username and then the password sequentially, this makes it more difficult to perform an automated attack.
How Zero Trust Helps Prevent Identification and Authentication Failures
Identity management and authorization are the key to success with a zero trust program. This model provides an identity-focused approach to cybersecurity and is based on the premise “never trust, always verify.”
An identity management system needs to manage the assignment, by provisioning and deprovisioning of users and their accesses. This important role relies on the policies that determine “who should get access to what” and ensures that users only get access to what they are permitted to. That identity governance is driven by compliance and security requirements.
Access management is the main part of identity management and consists of two components: authentication (the means validating that entities/users prove they are who they claim to be) and authorization (the set of actions that a given entity/user is permitted to perform).
In a Zero Trust framework, strong identification and authorization relies on:
Zero Trust Identification
- User Directories. Systems typically need centralized records of users. The core element of an identity management system is its Identity Store or Directory. This is the basis by which all future authentication will occur. User Directories can be stored in databases, LDAP or Identity-as-a-Service.
- Directory Maintenance. Keeping user directories complete and updated is critical. Users are expected to come and go over the system lifetime, so operations procedures should be implemented to keep the system accurate and complete.
Zero Trust Authorization
MFA is a big part of Zero Trust. The methods chosen will depend on the level of trust required:
- Passwords. Strong passwords can be forced to secure the system (see Requiring Strong Passwords recommendation). In some cases, zero trust providers (like Cyolo) do not require using passwords at all. How does this work? The user is authenticated once by the organization’s identity provider and then the zero trust product can inject the user’s credentials for the application directly into the user’s session at the backend, thus eliminating the need for the user to have to store their credentials at the client side.
- One-Time Password (OTP).
- Security Tokens.
- Biometrics: fingerprints, handprints, retina scans, voice analysis, face recognition.
When it comes to implementation, there are some secure protocols to take in consideration: LDAP, RADIUS, SAML, OAuth2, OpenID Connect.
Zero trust covers most of the recommendations for preventing Identification and Authentication Failures on applications. Combined with MFA, identity protection, endpoint security and efficient workload technology, this framework strengthens identification and authentication processes.