07 Identification and Authentication Failures

The document outlines the OWASP Top 10 2021 category of Identification and Authentication Failures, detailing weaknesses in user identity verification and session management. It highlights key statistics, common vulnerabilities, and attack scenarios such as credential stuffing and password reuse, along with prevention strategies including multi-factor authentication and secure password policies. Additionally, it references NIST guidelines for password management and provides resources for secure authentication practices.

Identification and Authentication Failures

Previously known as Broken Authentication, this category is now #7 in the OWASP Top 10 2021 list. It includes weaknesses in how systems verify user identity and manage sessions.
Key Statistics

CWEs Mapped: 22
Max Incidence Rate: 14.84%
Total Occurrences: 132,195
Total CVEs: 3,897


What Are Authentication Failures?

1. Identity Verification: weaknesses in how systems confirm who users claim to be.
2. Authentication Process: flaws in the methods used to validate credentials.
3. Session Management: problems with how user sessions are created and maintained.

Common Weakness Enumerations

CWE-297: Improper Validation of Certificate with Host Mismatch
CWE-287: Improper Authentication
CWE-384: Session Fixation

Automated Attack Vulnerabilities

Credential Stuffing: applications vulnerable to attacks using lists of valid usernames and passwords.
Brute Force: systems that don't limit repeated login attempts.
Default Credentials: applications allowing weak passwords like "Password1" or "admin/admin".

Password Storage Vulnerabilities

1. Plain Text: storing passwords without any encryption.
2. Weak Encryption: using easily breakable encryption methods.
3. Poor Hashing: implementing weak hashing algorithms without salting.

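The "Poor Hashing" case beside a hardened store, as an added example that is not part of the slide deck. It contrasts a fast unsalted MD5 digest (every account with the same password gets the same digest, so one precomputed table cracks them all) with a per-user random salt and a deliberately slow key-derivation function. The record format and the 600,000-iteration work factor are assumptions for this illustration; PBKDF2 is used because it ships with the Python standard library, and a production system would more commonly reach for Argon2id or bcrypt.

```python
import hashlib
import hmac
import os

# Weak scheme (the "Poor Hashing" case): one fast, unsalted MD5 round.
# Every account with the same password gets the same digest, so one
# precomputed table cracks all of them at once.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Hardened scheme: a random per-user salt plus a deliberately slow
# key-derivation function. The iteration count is an assumed work factor;
# tune it so one verification costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record (algorithm$iterations$salt$digest) so the work
    # factor can be raised later without breaking existing rows.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: no timing hint about how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def needs_rehash(stored: str) -> bool:
    """True when a stored record was made with a weaker work factor than the current policy."""
    _, iterations, _, _ = stored.split("$")
    return int(iterations) < PBKDF2_ITERATIONS
```

Because the iteration count is stored with each record, `needs_rehash` lets a deployment raise the work factor over time and transparently upgrade a user's record on their next successful login.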
Session Management Flaws

1. URL Exposure: session identifiers visible in the URL.
2. Session Reuse: reusing identifiers after successful login.
3. Invalid Session Handling: not properly invalidating sessions during logout or inactivity.

Recovery Process Weaknesses

Knowledge-Based Answers: using insecure security questions that can be researched or guessed.
Weak Recovery Emails: poorly implemented password reset processes.
SMS Vulnerabilities: using SMS for recovery, which can be intercepted.

Multi-Factor Authentication Issues

1. Missing MFA: no second factor required.
2. Weak Implementation: poorly designed MFA.
3. Bypass Vulnerabilities: MFA that can be circumvented.

Prevention: Multi-Factor Authentication

Biometrics: implement fingerprint or facial recognition as a second factor.
Hardware Tokens: use physical security keys for enhanced protection.
Software Tokens: implement app-based authentication codes.

Prevention: Password Policies

1. NIST Guidelines: follow NIST 800-63b standards.
2. Password Checks: test against common passwords.
3. Length Over Complexity: prefer longer passphrases.

Prevention: Default Credentials

Default Accounts: never ship with default credentials, especially for admin users.
Custom Setup: require all credentials to be set during installation.
1st Priority: make this a top security requirement for all deployments.

Prevention: Account Enumeration

Harden registration, credential recovery, and API pathways. Use identical messages for all outcomes to prevent revealing valid accounts.

Prevention: Brute Force Protection

(Chart: Login Attempt Delay (seconds))

Implement increasing delays for failed login attempts. Log all failures and alert administrators when attacks are detected.
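One login handler that applies both of the preceding slides (account enumeration and brute force protection), as an added example rather than the deck's own code. Unknown and known usernames get the same error text and the same hashing work (a decoy record is hashed when the user does not exist, so response time does not leak existence), every failure is logged, the delay before the next attempt doubles per failure up to a cap, and an alert is logged once failures cross a threshold. The user table, the decoy, the low iteration count and the delay/alert values are constructed assumptions for this illustration.

```python
import hashlib
import hmac
import logging
import os
import time
from typing import Optional, Tuple

log = logging.getLogger("auth")

# Constructed user table. A low iteration count keeps this example fast;
# a real deployment uses a slow work factor (see the password storage slide).
ITERATIONS = 10_000

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

_alice_salt = os.urandom(16)
USERS = {"alice": (_alice_salt, _derive("correct horse battery staple", _alice_salt))}

# Decoy record: unknown usernames go through the same hashing work as real
# ones, so response time does not reveal whether the account exists.
_DECOY_SALT = os.urandom(16)
_DECOY_DIGEST = _derive("decoy-not-a-real-password", _DECOY_SALT)

GENERIC_FAILURE = "Invalid username or password."
THROTTLED = "Too many failed attempts; try again later."
BASE_DELAY, MAX_DELAY, ALERT_AFTER = 1, 60, 5   # assumed policy values

class LoginThrottle:
    """Per-key (here per-username) exponential back-off on consecutive failures."""
    def __init__(self) -> None:
        self._state = {}   # key -> (consecutive failures, earliest next attempt)

    def wait_seconds(self, key: str, now: float) -> float:
        _, unlock = self._state.get(key, (0, 0.0))
        return max(0.0, unlock - now)

    def record_failure(self, key: str, now: float) -> int:
        count = self._state.get(key, (0, 0.0))[0] + 1
        delay = min(BASE_DELAY * 2 ** (count - 1), MAX_DELAY)   # 1, 2, 4, 8 ... capped
        self._state[key] = (count, now + delay)
        log.warning("login failure for %r (failure #%d, next attempt in %ds)", key, count, delay)
        if count >= ALERT_AFTER:
            log.error("ALERT: %d consecutive failures for %r, possible brute force", count, key)
        return delay

    def record_success(self, key: str) -> None:
        self._state.pop(key, None)

def login(username: str, password: str, throttle: LoginThrottle,
          now: Optional[float] = None) -> Tuple[bool, str]:
    now = time.time() if now is None else now
    if throttle.wait_seconds(username, now) > 0:
        return False, THROTTLED
    salt, digest = USERS.get(username, (_DECOY_SALT, _DECOY_DIGEST))
    computed = _derive(password, salt)          # always done, known user or not
    ok = hmac.compare_digest(computed, digest) and username in USERS
    if not ok:
        throttle.record_failure(username, now)
        return False, GENERIC_FAILURE           # same text for unknown user and wrong password
    throttle.record_success(username)
    return True, "OK"
```

Keying the back-off only by username lets anyone lock a victim out by failing on purpose, so real deployments combine it with per-source-address and per-device limits; the logged warnings and the `ALERT` line are what a detection pipeline would pick up.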
Prevention: Session Management

Secure Generation: use server-side, built-in session managers with high entropy.
Secure Storage: store session IDs securely, never in URLs.
Proper Invalidation: invalidate sessions after logout, idle timeout, and absolute timeout.
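A minimal server-side session store that follows the three points above and closes the "Session Reuse" flaw and the public-computer scenario described elsewhere in the deck, as an added example that is not the deck's own code. IDs come from the OS CSPRNG, a fresh ID is issued on login so a pre-authentication ID never survives (CWE-384), lookups enforce both an idle and an absolute timeout, logout deletes the record server-side, and the ID travels in a flagged cookie rather than a URL. The two timeout values are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 15 * 60        # seconds without activity before a session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on a session's lifetime, active or not (assumed)

@dataclass
class Session:
    user: str
    created: float
    last_seen: float

class SessionStore:
    """Server-side session table; the client only ever holds an opaque random ID."""
    def __init__(self) -> None:
        self._sessions = {}

    def create(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: the "high entropy" part
        self._sessions[sid] = Session(user, now, now)
        return sid

    def login(self, pre_login_sid: Optional[str], user: str, now: float) -> str:
        # Session fixation defence (CWE-384): never keep the ID the client
        # presented before authenticating; drop it and issue a fresh one.
        if pre_login_sid is not None:
            self.invalidate(pre_login_sid)
        return self.create(user, now)

    def get(self, sid: str, now: float) -> Optional[Session]:
        """Resolve an ID, enforcing idle and absolute timeouts on the way."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self.invalidate(sid)
            return None
        s.last_seen = now
        return s

    def invalidate(self, sid: str) -> None:
        """Logout path: forget the session server-side so the old ID is dead immediately."""
        self._sessions.pop(sid, None)

def session_cookie(sid: str) -> str:
    # Carry the ID in a cookie, never in the URL. Secure keeps it off plain HTTP,
    # HttpOnly keeps it away from page scripts, SameSite limits cross-site sending.
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

The idle timeout is what limits the public-computer scenario: a browser left open and untouched stops being a valid session after the idle window even if the user never logged out, and the absolute cap bounds the damage if activity is being generated by someone else.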
Attack Scenario: Credential Stuffing

The Attack: attackers use lists of known passwords from data breaches. Applications without protection become password oracles.
The Vulnerability: no automated threat detection. No credential stuffing protection. No rate limiting on login attempts.
The Impact: attackers can validate credentials for use on other sites. They can gain unauthorized access to accounts.

Attack Scenario: Password Reuse

1. Outdated Practices: password rotation and complexity requirements encourage weak passwords.
2. User Behavior: users reuse passwords across multiple sites when forced to change frequently.
3. Better Approach: NIST 800-63 recommends stopping these practices and using MFA instead.

Attack Scenario: Session Timeout

Step 1: user accesses application on a public computer but closes the browser without logging out.
Step 2: attacker uses the same browser later and finds the user still authenticated.
Step 3: attacker now has full access to the user's account and data.

Key OWASP Resources

Proactive Controls: implement Digital Identity guidelines for secure authentication.
Verification Standard: follow V2 Authentication and V3 Session Management standards.
Testing Guide: use Identity and Authentication testing methodologies.
Cheat Sheets: reference Authentication, Credential Stuffing, Forgot Password, and Session Management cheat sheets.

NIST Password Guidelines

NIST 800-63b Section 5.1.1 for Memorized Secrets provides evidence-based password policies. It recommends longer passphrases over complex rotation requirements.
