
370 Authentication mechanism absence or evasion - Security Image


Description

It is possible to eliminate the use of the image and security phrase at user login.


Impact

Remove the image and security phrase, which can facilitate other types of attacks.


Recommendation

Make sure that only the number of an existing image can be sent, so that the image and passphrase function cannot be eliminated.
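
One way to apply this recommendation on the server, shown as an added example that is not part of the original entry or of any specific product. The catalog contents, the profile layout and all function names are hypothetical, and the empty-phrase check is an assumption that goes slightly beyond the image number named above.

```python
# Added example: a weak and a strict handler for updating the security image.
# IMAGE_CATALOG, the profile dict and every function name here are hypothetical.
IMAGE_CATALOG = {1: "lighthouse.png", 2: "bicycle.png", 3: "teapot.png"}  # constructed


class InvalidSecurityImage(ValueError):
    """The request would clear or corrupt the image/phrase setting."""


def update_security_image_weak(profile, image_number, phrase):
    # Weak: stores whatever the client sent. A number with no matching image
    # resolves to nothing at login, so the image and phrase disappear.
    profile["image_number"] = image_number
    profile["phrase"] = phrase
    return profile


def update_security_image_strict(profile, image_number, phrase):
    # Accept only an int or a short decimal string; reject None, bool, float, list.
    if isinstance(image_number, bool) or not isinstance(image_number, (int, str)):
        raise InvalidSecurityImage("image number must be an integer")
    if isinstance(image_number, str):
        digits = image_number.isascii() and image_number.isdigit()
        if not digits or len(image_number) > 9:
            raise InvalidSecurityImage("image number must be decimal digits")
        image_number = int(image_number)
    # Only the number of an existing image may be stored.
    if image_number not in IMAGE_CATALOG:
        raise InvalidSecurityImage("unknown image number")
    # Assumption: an empty phrase would remove the feature just as well.
    if not isinstance(phrase, str) or not phrase.strip():
        raise InvalidSecurityImage("phrase must not be empty")
    # Build the new profile only after every check passed; the old one is untouched.
    return {**profile, "image_number": image_number, "phrase": phrase.strip()}


def image_shown_at_login(profile):
    # File shown at login, or None when the feature is effectively switched off.
    return IMAGE_CATALOG.get(profile.get("image_number"))
```

A rejected request leaves the stored image and phrase as they were, so a failed update never leaves the account without the feature.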


Threat

User authenticated from the Internet.


Expected Remediation Time

240 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: L
  • User interaction: N
  • Confidentiality (VC): N
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: X

Requirements


Fixes


Last updated

2024/02/20