319 – Make authentication options equally secure

Summary

All of the systems authentication pathways and identity management APIs must be equally secure.

Description

Some systems offer more than one option to authenticate their users or verify their identity. All of these options must have the same security control strength, so that there is no weaker alternative.

Supported In

Essential: True

Advanced: True

References

• CAPEC-114. Authentication abuse
• CAPEC-115. Authentication bypass
• CAPEC-151. Identity spoofing
• CWE-287. Improper authentication
• CWE-306. Missing authentication for critical function
• CWE-862. Missing authorization
• CWE-1390. Weak Authentication
• OWASP10-A7. Identification and authentication failures
• OWASPM10-M4. Insecure authentication
• NYDFS-500_12. Multi-factor authentication
• PADSS-8_3. Operation of two-factor authentication technologies for secure remote access
• SANS25-13. Improper authentication
• ISO27002-5_17. Authentication information
• ISO27002-8_5. Secure authentication
• IEC62443-IAC-1_5. Authenticator management
• IEC62443-CR-1_1-RE_1. Unique identification and authentication
• OSSTMM3-9_5_4. Wireless security (access verification) - Authentication
• OSSTMM3-10_5_3. Telecommunications security (access verification) - Authentication
• OSSTMM3-11_5_3. Data networks security (access verification) - Authentication
• NISTSSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
• OWASPSCP-5. Access control
• BSAFSS-SI_1-3. Avoid architectural weaknesses of authentication failure
• CWE25-287. Improper authentication
• ASVS-3_7_1. Defenses against session management exploits
• PCI-8_5_1. Multi-factor authentication (MFA) systems are configured to prevent misuse
• SIG-I_1_20. Application security
• ASVS-4_3_1. Other access control considerations
• ISO27001-5_17. Authentication information
• ISO27001-8_5. Secure authentication
• CASA-2_10_1. Service Authentication
• CASA-3_7_1. Defenses Against Session Management Exploits
• CASA-4_3_1. Other Access Control Considerations
• RESOLSB-Art_27_11. Security in Electronic Channels
• RESOLSB-Art_28_5. Security in Electronic Channels - ATMs
• RESOLSB-Art_30_8. Security in Electronic Channels - Digital Banking

Weaknesses

• 240 – Authentication mechanism absence or evasion - OTP
• 241 – Authentication mechanism absence or evasion - AWS
• 242 – Authentication mechanism absence or evasion - WiFi
• 243 – Authentication mechanism absence or evasion - Admin Console
• 244 – Authentication mechanism absence or evasion - BIOS
• 388 – Insecure authentication method - NTLM
• 397 – Insecure authentication method - LDAP
• 449 – Insecure authentication method
• 006 – Authentication mechanism absence or evasion
• 015 – Insecure authentication method - Basic
• 056 – Anonymous connection
• 081 – Lack of multi-factor authentication

Last updated

2023/09/18