Why WAFs Are Not Enough
Learn about what WAFs are and why companies use them and why they’re not enough to protect your organization, and what else you can use.
By
Omkar Hiremath
・
Intro to Identification and Authentication Failures
With this article, read what identification and authentication failures entail and learn how to prevent them.
By
Omkar Hiremath
・
Identification and authentication can comfortably be characterized as one of the first lines of defense against cyberattacks. While identification is the ability to identify a user uniquely, authentication is the ability of an application to prove the authenticity of the user as they claim to be.
The failure of a system to identify and/or authenticate leaves the application susceptible to attacks and leaves user accounts/data at risk. Authentication failure poses a stringent and profound threat to an organization’s security. The consequences of broken authentication trail along a path of immense damage to an organization and its data.
In this post, we will discuss the dangers of identification and authentication failures and how to prevent them. Before we get to that, let’s dive into the significance of securing our first line of defense against a potential cyber attack.
Why are identification and authentication required and important?
Identification and authentication are two steps in the process of logging in of a user into their respective accounts. The immediate and instantaneous response of the system often leads people to misunderstand their meanings in the login process of a user. As important as both of them are, identification of a user of the application must be performed before we can authenticate the user’s asserted identity. This means that the application is expected to recognize a user before it can prove that the user is exactly the person they claim to be.
Authentication, by itself, offers a variety of meanings to different personas and access roles. By way of explanation, a client uses authentication to validate the authenticity of a server or system whereas, a system or server uses authentication to recognize if the client trying to access its stored information is who they claim to be.
Identification and authentication are required and important for several reasons:
Security
Identification and authentication help ensure the security of a system or application by verifying the identity of users and preventing unauthorized access.
Compliance
Many industries and organizations are required to comply with various regulatory standards and laws that mandate strong identification and authentication measures to protect sensitive data.
Accountability
Identification and authentication enable accountability by creating an audit trail of user activity and providing evidence of who accessed what, when, and why.
User experience
Proper identification and authentication processes can improve the user experience by allowing users to access systems and applications quickly and efficiently while still maintaining security.
Overall, identification and authentication are essential components of a comprehensive security strategy, as they provide an important layer of protection against unauthorized access and protect the confidentiality, integrity, and availability (CIA triad) of sensitive data.
What are identification and authentication failures?
Identification failures, from the name itself, suggest the system’s lack of ability to identify the user. Likewise, authentication failures connote the application’s incapability to validate the user’s identity as their own.
Let’s take stock of an example to go with this: A user entering an incorrect username at the prompt of a login screen but successfully entering the website is a prime instance of identification failure. The application uses a username or user ID to recognize a registered user.
Correspondingly, a user entering the incorrect password at the suggestive prompt but is able to login to the website is an example of authentication failure. In this instance, the application failed to accurately validate the identity of the user, allowing the mistaken identity to login.
Now that we have a better understanding of what identification and authentication failures are, let's take a closer look at some of the common techniques attackers use to exploit identification and authentication failures.
What are the techniques used by attackers to exploit identification and authentication failures?
Whether it's user credentials, session keys, or malicious links, attackers have a lot of ground to play when it comes to exploiting identification and authentication failures.
Brute force/credential stuffing
Brute force is a type of attack where the attacker uses automated tools to repeatedly try different combinations of username and password until they find the correct combination. Credential stuffing, on the other hand, involves using automated tools to test known username and password combinations, such as those obtained from a data breach, across multiple websites and services that are most likely acquired from the dark web.
Session hijacking
If Attackers can steal session details, then they could impersonate the user even after the user leaves the session. Hackers gaining access to internet sessions reaps a grave danger to users, especially in the scenario of banking transactions.
Session fixation
Session fixation is a type of attack in which an attacker forces a user's session ID to a known value, thereby gaining access to the user's account. This type of attack typically occurs on shared computer systems (ex: public libraries). The attacker typically sets the session ID before the user logs in or during the login process, allowing the attacker to control the session. Once the user logs in, the attacker can use the predetermined session ID to gain access to the user's account.
Social media account squatting
When a third party creates a social media username that is the same as or confusingly similar to a brand owner's trademark or service mark and uses that social media account in bad faith, it is known as "Username Squatting" or "Social Media Squatting."
Execution after redirect (EAR)
Execution after redirect (EAR) is a vulnerability in which protected functions or resources are executed or returned after a redirect. This likely occurs due to poor coding quality or insecure coding pattern as proper termination was not performed after redirects. This kind of attack can result in DoS server attacks, and can provide the assailant access to administrative features. In a DoS attack using EAR, an attacker could craft a malicious URL that redirects to a page on the target server that triggers a resource-intensive operation, such as a database query or file upload. By repeatedly requesting this URL with different parameters, the attacker could exhaust the server's resources and make it unavailable to legitimate users. Another example would be booking websites where the system waits for the payment to be made. If tickets/seats are not blocked until the payment is made (poor coding practice), the redirect to the payment gateway could be exploited.
Common identification and authentication failures
Despite the importance of identification and authentication, many systems still fail to implement them effectively, leaving users and organizations at risk. Here are the common reasons for it.
Lack of anti-automation controls
When a web application allows an attacker to automate a procedure that was initially solely intended to be carried out manually, this is known as inadequate anti-automation. An attacker might be able to execute brute force attacks or start denial of service if automated attacks are not detected and stopped.
Lack of multi-factor authentication (MFA)
Today, compromised credentials are the main cause of most data breaches. No matter how complicated it is, a single password is insufficient. Passwords can be cracked by hackers. End users may divulge their login credentials to hackers when they receive phishing emails that appear legitimate. A lack of MFA will allow attackers to use these credentials to take control of the account.
Lack of security training for employees
When we talk about cybersecurity, we typically think about how to protect the company from threats. According to Rewterz, organizations fall victim to cyberattacks every day for the two most frequent reasons: employee error and security awareness. Insider threats represent the security risk that develops within the organization. These hazards could be caused by current, and past employees or contractors having access to private information on the network and computer systems of the company.
Lack of password policies
The first blockade in safeguarding a company's data and client information is a strong password. Yet, many businesses have lax or nonexistent password procedures, which increases the risk of being attacked. According to Digicert, 73% of users have the same password for multiple sites, and 33% use the same password every time. Exercising password policies and ensuring their strength while notifying users of regular password changes will help safeguard the system’s security in some capacity.
Considering the above-mentioned reasons, we can summarize that Identification and authentication failures commonly occur when an application/system:
- Enables automated attacks such as credential stuffing if an attacker has a list of valid usernames and passwords.
- Enables brute force attacks.
- Allows default passwords, weak or well-known passwords such as "Password1" or "administrator".
- Uses weak or ineffective credential recovery and forgotten password processes such as "data-based responses" that cannot be secured.
- Is missing multi-factor authentication or MFA is not working properly.
- Displays the session ID in the URL or makes the session ID easily and insecurely available (Ex: using insecure communication channels such as HTTP).
- Does not invalidate session IDs or destroy/revoke authenticated sessions correctly.
Identifying the reason for identification and authentication failures is the first step to mitigating them. Now that we have discussed the common reasons for identification and authentication failures, let's explore the preventive measures that can be taken to reduce the likelihood of such failures.
Preventing identification and authentication failures
Preventing identification and authentication failures is crucial for any organization that wants to protect its sensitive data and assets. Here are some ways to prevent identification and authentication failures.
MFA/hardware keys
According to OWASP, the most effective way to prevent broken authentication is to “implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential reuse attacks.” Multi-factor authentication adds an extra layer of security that is difficult for hackers to crack which means that in order to safeguard users and resources, adding multi-factor authentication creates many layers of protection.
Password policies
Strong passwords are critical to information security. The likelihood of illegal access or compromised data increases when password policies are not carefully thought out. The SANS Institute recommends that strong password policies include the following characteristics:
- Contains a mix of uppercase and lowercase letters, punctuation, numbers, and symbols.
- Contains at least 15 characters.
- Be unique from other accounts owned by the user.
- Never include dictionary words.
- Never include patterns of characters.
- Use of passphrases.
General error messaging
General error messaging can be an effective way to prevent identification and authentication failures. When an error occurs during the login process, it is important to provide clear and concise error messages to the user. These messages should be informative enough to help the user understand what went wrong, but not provide too much information that could be used by an attacker. If the error messages are revealing valuable information, attackers can leverage them to identify security weaknesses and use them to their advantage.
Limit or increasingly delay failed login attempts
One of the most effective ways to prevent brute force and credential-stuffing attacks is to limit the number of failed login attempts. This can be achieved by setting a threshold for the maximum number of login attempts within a certain time frame, after which the account is locked out. Alternatively, the system can increasingly delay login attempts after a certain number of failed attempts. All in all, you should implement mechanisms to prevent exploitation using automated tools.
Use password managers
A password manager is an application that securely stores and manages all your passwords in one place. Using a password manager can help you generate strong, unique passwords for all your accounts and prevent you from reusing passwords. This reduces the risk of a data breach affecting multiple accounts, as well as the risk of brute force attacks.
Security training
Security training is an essential part of preventing identification and authentication failures. It is important to educate users on best practices for creating strong passwords, avoiding phishing scams, and protecting their login credentials.
Conclusion
Sometimes it takes months or years before the full negative effects of a compromised account become apparent. There should be no room for complacency in our approach to account security given the nature of the information we handle online every day.
Fabricating skilled identification and authentication processes to ensure that we do not encounter broken authentication will proficiently narrow down the margin of error. Nowadays, maintaining user, system, and resource security necessitates joint efforts involving the implementation of strong password policies and keeping up with the most recent information security best practices.
To prevent identification and authentication failures, it is essential to implement strong security practices including but not limited to the ones we discussed above. By implementing robust security measures, organizations can reduce the likelihood of data breaches and protect themselves and their users from potential harm.
About the author
Omkar Hiremath
@Table(name = "CUSTOMER",
uniqueConstraints=
@UniqueConstraint (columnNames={"MERCHANT_ID", "CUSTOMER"}))
public class Customer extends
uniqueConstraints=
@UniqueConstraint (columnNames={"MERCHANT_ID", "CUSTOMER"}))
public class Customer extends
Cookies
JWTs
Security
Can be easily manipulated without detection if not properly secured.
Digitally signed and can be validated on the server. Manipulation can be detected.
Size
Limited to 4KB.
Can contain much more data, up to 8KB.
Dependency
Often used for session data on the server-side. The server needs to store the session map.
Contains all the necessary information in the token. Doesn’t need to store data on the server.
Storage Location
Browser cookie jar.
Local storage or client-side cookie.
Get security insights straight to your inbox
Additional resources
Here to get you started
Security Strategy
15 Risks & Rewards of Pentesting in a Production Environment
No testing strategy is one-size-fits-all. Pentesting in a production environment can provide advantages, though it does come with many risks.
Read more
View report
The State of Penetration Testing as a Service- 2022 Edition
Say goodbye to 300+ page penetration test reports
Providing the quality of the biggest names in security without the price tag and complications.
Book a 30 min consultation
Manual penetration testing
Full time Canadian hackers
Remediation support
