Make authentication options equally secure
Summary
All of the system's authentication pathways and identity management APIs must be equally secure.
Description
Some systems offer more than one option to authenticate their users or verify their identity. All of these options must have the same security control strength, so that there is no weaker alternative.
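As an added illustration that is not part of the original page (the pathway names, control fields and baseline values are assumptions chosen for the example), the following Python audit checks every enabled authentication pathway against one shared baseline and reports any pathway that offers weaker controls than the others. A system that runs such a check at startup cannot silently ship a login route with less protection than the primary one.

```python
"""
Added example (not from the original page): verify that every enabled
authentication pathway meets the same minimum security baseline, so that
no alternative route (legacy API key, mobile login, account recovery, ...)
is weaker than the main one.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AuthPathway:
    """Security controls attached to one way of authenticating a user.

    The fields are illustrative assumptions; a real inventory would carry
    whatever controls the organisation's policy actually mandates.
    """
    name: str
    mfa_required: bool          # second factor enforced on this pathway
    rate_limited: bool          # throttling against credential guessing
    lockout_on_failures: bool   # temporary lockout after repeated failures
    min_secret_bits: int        # minimum entropy of the secret accepted


# The baseline every pathway must reach (assumed values for illustration).
BASELINE = AuthPathway(
    name="baseline",
    mfa_required=True,
    rate_limited=True,
    lockout_on_failures=True,
    min_secret_bits=128,
)


def weaker_than_baseline(p: AuthPathway, baseline: AuthPathway = BASELINE) -> List[str]:
    """Return the names of the controls where pathway `p` falls below the baseline."""
    gaps = []
    if baseline.mfa_required and not p.mfa_required:
        gaps.append("mfa_required")
    if baseline.rate_limited and not p.rate_limited:
        gaps.append("rate_limited")
    if baseline.lockout_on_failures and not p.lockout_on_failures:
        gaps.append("lockout_on_failures")
    if p.min_secret_bits < baseline.min_secret_bits:
        gaps.append("min_secret_bits")
    return gaps


def audit_pathways(pathways: List[AuthPathway],
                   baseline: AuthPathway = BASELINE) -> Dict[str, List[str]]:
    """Map each non-compliant pathway name to its missing controls.

    An empty dict means all pathways are equally strong (at least baseline).
    """
    report: Dict[str, List[str]] = {}
    for p in pathways:
        gaps = weaker_than_baseline(p, baseline)
        if gaps:
            report[p.name] = gaps
    return report


def enforce_equal_strength(pathways: List[AuthPathway]) -> bool:
    """Startup guard: refuse to run with any pathway weaker than the baseline."""
    report = audit_pathways(pathways)
    if report:
        details = "; ".join(f"{name}: missing {', '.join(gaps)}"
                            for name, gaps in report.items())
        raise ValueError(f"authentication pathways are not equally secure: {details}")
    return True


# Constructed sample: the web login enforces MFA, but a legacy API-key route
# added later accepts a short key with no MFA, throttling or lockout.
WEAK_CONFIG = [
    AuthPathway("web_password_login", True, True, True, 128),
    AuthPathway("legacy_api_key", False, False, False, 64),
    AuthPathway("mobile_app_login", True, True, True, 128),
]

# Constructed sample after remediation: every route meets the same baseline.
HARDENED_CONFIG = [
    AuthPathway("web_password_login", True, True, True, 128),
    AuthPathway("api_key_with_mfa", True, True, True, 256),
    AuthPathway("mobile_app_login", True, True, True, 128),
]


if __name__ == "__main__":
    print("weak config gaps:", audit_pathways(WEAK_CONFIG))
    print("hardened config gaps:", audit_pathways(HARDENED_CONFIG))
    enforce_equal_strength(HARDENED_CONFIG)
```

The audit compares every route against one explicit baseline rather than against each other, so adding a new pathway later is automatically measured against the same bar; the startup guard turns a configuration drift into a failed deployment instead of a weaker login route in production.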
References
- CAPEC-114. Authentication abuse
- CAPEC-115. Authentication bypass
- CAPEC-151. Identity spoofing
- CWE-287. Improper authentication
- CWE-306. Missing authentication for critical function
- CWE-862. Missing authorization
- CWE-1390. Weak Authentication
- OWASP10-A7. Identification and authentication failures
- OWASPM10-M4. Insecure authentication
- NYDFS-500_12. Multi-factor authentication
- PADSS-8_3. Operation of two-factor authentication technologies for secure remote access
- SANS25-13. Improper authentication
- ISO27002-5_17. Authentication information
- ISO27002-8_5. Secure authentication
- IEC62443-IAC-1_5. Authenticator management
- IEC62443-CR-1_1-RE_1. Unique identification and authentication
- OSSTMM3-9_5_4. Wireless security (access verification) - Authentication
- OSSTMM3-10_5_3. Telecommunications security (access verification) - Authentication
- OSSTMM3-11_5_3. Data networks security (access verification) - Authentication
- NISTSSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- OWASPSCP-5. Access control
- BSAFSS-SI_1-3. Avoid architectural weaknesses of authentication failure
- CWE25-287. Improper authentication
- ASVS-3_7_1. Defenses against session management exploits
- PCI-8_5_1. Multi-factor authentication (MFA) systems are configured to prevent misuse
- SIG-I_1_20. Application security
- ASVS-4_3_1. Other access control considerations
- ISO27001-5_17. Authentication information
- ISO27001-8_5. Secure authentication
- CASA-2_10_1. Service Authentication
- CASA-3_7_1. Defenses Against Session Management Exploits
- CASA-4_3_1. Other Access Control Considerations
- RESOLSB-Art_27_11. Security in Electronic Channels
- RESOLSB-Art_28_5. Security in Electronic Channels - ATMs
- RESOLSB-Art_30_8. Security in Electronic Channels - Digital Banking
Weaknesses
- 006. Authentication mechanism absence or evasion
- 015. Insecure authentication method - Basic
- 056. Anonymous connection
- 081. Lack of multi-factor authentication
- 240. Authentication mechanism absence or evasion - OTP
- 241. Authentication mechanism absence or evasion - AWS
- 242. Authentication mechanism absence or evasion - WiFi
- 243. Authentication mechanism absence or evasion - Admin Console
- 244. Authentication mechanism absence or evasion - BIOS
- 388. Insecure authentication method - NTLM
- 397. Insecure authentication method - LDAP
- 449. Insecure authentication method
Supported In
This requirement is verified in the following services
Essential Plan
Advanced Plan