Define credential interface
Summary
The authentication must have a separate interface for on-screen credentials input.
Description
This requirements suggests that there should be a separated user interface element for users to input their authentication credentials. The separation of the interface helps to mitigate the risk of credential exposure.
References
- NIST80053-SC-3. Security function isolation
- OWASP10-A5. Security misconfiguration
- HITRUST-08_b. Physical entry controls
- ISO27002-7_3. Securing offices, rooms and facilities
- WASC-W_01. Insufficient authentication
- NIST800171-1_17. Protect wireless access using authentication and encryption
- ASVS-14_1_5. Build and deploy
- CWE-1262. Improper access control for register interface
- ISO27001-7_3. Securing offices, rooms and facilities
- CASA-14_1_5. Build and Deploy
- FISMA-SC-3. Security function isolation
- OWASPMASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
Weaknesses
- 006. Authentication mechanism absence or evasion
- 240. Authentication mechanism absence or evasion - OTP
- 241. Authentication mechanism absence or evasion - AWS
- 242. Authentication mechanism absence or evasion - WiFi
- 243. Authentication mechanism absence or evasion - Admin Console
- 244. Authentication mechanism absence or evasion - BIOS
- 298. Authentication mechanism absence or evasion - Redirect
- 299. Authentication mechanism absence or evasion - JFROG
- 300. Authentication mechanism absence or evasion - Azure
- 365. Authentication mechanism absence or evasion - Response tampering
- 370. Authentication mechanism absence or evasion - Security Image
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.