
OWASP Top 10 Identification and Authentication Failures


Everyone knows the co-worker with their computer password written on a post-it note on their desk, but protecting against identification and authentication failures is more than using a password manager.  

In this article, we will concentrate on Identification and Authentication Failures and provide recommendations for protecting against them. 

Read More About OWASP Top 10: OWASP Top 10 Vulnerable and Outdated Components Explained 

 

What are Identification and Authentication Failures? 

Identification and authentication failures are security vulnerabilities that can occur when a system or application fails to identify or authenticate a user correctly. This can allow attackers to gain unauthorized access to systems and data. 

Some of the most common identification and authentication failures include: 

  • Weak Or Reused Passwords: Users often choose weak or easily guessed passwords, such as "password" or "123456." This makes it easy for attackers to crack the passwords and gain access to the accounts. 
  • Brute-Force Attacks: Attackers can use brute-force attacks to try all possible combinations of characters to guess a password. This can be successful if the password is not strong enough. 
  • Credential Stuffing: Attackers take lists of usernames and passwords stolen from one breach and replay them against other websites. This succeeds because many users reuse the same password across sites, so a credential leaked from one service is often valid on another. 
  • Missing Or Weak Multi-Factor Authentication (MFA): When a login relies on a password alone, a single stolen or guessed password is enough to take over the account. MFA adds an extra layer of security by requiring users to provide two or more pieces of evidence to verify their identity, which makes it much more difficult for attackers to gain unauthorized access. 
  • Unvalidated Redirects And Forwards: This vulnerability occurs when an application sends users to a destination taken from untrusted input, allowing attackers to redirect them to a malicious website. This can be used to steal the user's credentials or install malware. 

 

Real-Life Example of Identification and Authentication Failures: Microsoft Exchange Hack 

Attackers were able to exploit a vulnerability in Microsoft Exchange Server to gain access to organizations' email systems. The ProxyLogon vulnerability allowed attackers to remotely execute code on vulnerable Exchange servers, which let them install malware, steal data, or take control of the servers. 

Microsoft released patches for the vulnerability in March 2022, but many organizations were slow to apply the patches. This allowed the attackers to continue to exploit the vulnerability and gain access to organizations' systems. 

Read More on Bleeping Computer: Ransomware Gang Uses New Microsoft Exchange Exploit To Breach Servers 

 

How Can You Protect Against Identification and Authentication Failures? 

The key to protecting against Identification and Authentication Failures is to instill best practices at the user and program levels. 

To strengthen the authentication process, implement multi-factor authentication (MFA). Requiring users to provide multiple forms of evidence to verify their identity makes it more difficult for attackers to impersonate legitimate users, even when a password has been stolen.  

Implement password policies requiring minimum length, complexity, and regular rotation. This approach dramatically reduces the risk of passwords being cracked or guessed. 

Prioritize secure password storage: hash passwords with a robust, deliberately slow password-hashing algorithm and a unique random salt for each password. These added layers of complexity make it difficult for attackers to recover usable passwords from stolen password data. 

To prevent brute force attacks, limit the number of failed login attempts and add throttling mechanisms. After each unsuccessful try, the system introduces a progressively longer delay before the next attempt is accepted. These measures have proven effective in deterring attackers, slowing down their progress, and reducing their chances of success. 
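The following is an added example of per-account throttling with progressive delays and a hard lockout threshold; it is illustrative code written for this article, not part of the original post or any product. The thresholds, the doubling schedule and the clock injection are assumptions made so the logic is easy to follow and test.

```python
import time
from dataclasses import dataclass

# Assumed policy values for this example.
MAX_FAILURES_BEFORE_LOCK = 10    # after this many failures the account needs a recovery flow
BASE_DELAY_SECONDS = 1.0         # wait after the first failure
MAX_DELAY_SECONDS = 300.0        # cap so the schedule never grows unbounded


@dataclass
class AttemptState:
    failures: int = 0
    not_before: float = 0.0      # clock value before which logins are refused


class LoginThrottle:
    """Per-account throttle: each failure doubles the wait before the next try.

    The clock is injectable so the schedule can be tested without sleeping.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state: dict[str, AttemptState] = {}

    def delay_for(self, failures: int) -> float:
        if failures == 0:
            return 0.0
        return min(BASE_DELAY_SECONDS * 2 ** (failures - 1), MAX_DELAY_SECONDS)

    def check(self, username: str) -> tuple[bool, float]:
        """Return (allowed, seconds_remaining). Call this before checking the password."""
        st = self._state.get(username)
        if st is None:
            return True, 0.0
        if st.failures >= MAX_FAILURES_BEFORE_LOCK:
            return False, float("inf")   # hard lock: only an out-of-band recovery clears it
        remaining = st.not_before - self._clock()
        return (True, 0.0) if remaining <= 0 else (False, remaining)

    def record_failure(self, username: str) -> float:
        """Register a failed login and return the delay now imposed on this account."""
        st = self._state.setdefault(username, AttemptState())
        st.failures += 1
        delay = self.delay_for(st.failures)
        st.not_before = self._clock() + delay
        return delay

    def record_success(self, username: str) -> None:
        """A successful login resets the account's counter."""
        self._state.pop(username, None)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for _ in range(4):
        print("next delay:", throttle.record_failure("demo-user"), "s")
    print("allowed now?", throttle.check("demo-user"))
```

Two practical caveats: per-account lockouts can be turned against legitimate users by anyone who knows a username, so the hard-lock threshold should be paired with alerting and a recovery path, and the throttle should be keyed on more than the username (source address, device) so that one attacker cannot block a whole user base.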

Implement secure session management practices, including using secure session cookies, setting appropriate session timeouts, and securely handling session identifiers.  
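To make those three session practices concrete, here is an added example (written for this article; not code from the original post) of a server-side session store with idle and absolute timeouts, identifier rotation at login, and a Set-Cookie header carrying the Secure, HttpOnly and SameSite attributes. The timeout values, the cookie name and the store's in-memory layout are assumptions for the example.

```python
import secrets
import time

# Assumed policy values for this example.
IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600     # hard ceiling on session lifetime regardless of activity
COOKIE_NAME = "__Host-session"  # __Host- prefix: browser enforces Secure, Path=/, no Domain


class SessionStore:
    """In-memory session store; the clock is injectable for testing."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict[str, dict] = {}

    def create(self, user_id: str) -> str:
        # 256 bits from the OS CSPRNG; the identifier carries no user data and is unguessable.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def rotate(self, old_sid: str, user_id: str) -> str:
        """Issue a fresh identifier when privilege changes (login), defeating session fixation."""
        self._sessions.pop(old_sid, None)
        return self.create(user_id)

    def lookup(self, sid: str):
        """Return the user for a live session, or None if unknown or expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        idle_expired = now - session["last_seen"] > IDLE_TIMEOUT
        absolute_expired = now - session["created"] > ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired:
            del self._sessions[sid]     # expired sessions are dropped server-side, not just in the cookie
            return None
        session["last_seen"] = now
        return session["user"]

    def destroy(self, sid: str) -> None:
        """Logout: invalidate on the server so a replayed cookie is useless."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Build the Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access), SameSite."""
    return (f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={ABSOLUTE_TIMEOUT}")


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.create("anonymous")
    sid = store.rotate(pre_login, "alice")   # rotate at authentication
    print(set_cookie_header(sid))
    print(store.lookup(sid))                 # alice
```

The Max-Age on the cookie is a convenience for the browser only; the server-side timeouts are the real control, because a client can always keep presenting an old cookie.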

Set up a system for monitoring and logging authentication events to help detect any suspicious activities and investigate potential breaches or security incidents. 
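Logging is only useful if something reads it, so the block below is an added example (not from the original post) of simple detection logic run over a few constructed authentication log lines. It flags three of the patterns discussed above: repeated failures against one account from one address (brute force), one address failing across many different accounts (credential stuffing), and a success that follows a burst of failures. The log format, field names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Assumed log format for this example: "<timestamp> auth <success|failure> user=<u> ip=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<outcome>success|failure) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth failure user=alice ip=203.0.113.7
2024-05-01T10:00:02Z auth failure user=alice ip=203.0.113.7
2024-05-01T10:00:03Z auth failure user=alice ip=203.0.113.7
2024-05-01T10:00:04Z auth failure user=alice ip=203.0.113.7
2024-05-01T10:00:05Z auth failure user=alice ip=203.0.113.7
2024-05-01T10:00:06Z auth success user=alice ip=203.0.113.7
2024-05-01T10:01:00Z auth failure user=bob ip=198.51.100.9
2024-05-01T10:01:01Z auth failure user=carol ip=198.51.100.9
2024-05-01T10:01:02Z auth failure user=dave ip=198.51.100.9
2024-05-01T10:02:00Z auth success user=eve ip=192.0.2.5
2024-05-01T10:02:30Z auth failure user=eve ip=192.0.2.5
this line is not an auth event and is skipped
"""


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match the format are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(events, failure_threshold=5, distinct_user_threshold=3):
    """Return a list of (finding, ip, detail) tuples for the patterns described in the text."""
    failures_by_ip_user = defaultdict(lambda: defaultdict(int))
    failed_users_by_ip = defaultdict(set)
    findings = []
    for e in events:
        if e["outcome"] == "failure":
            failures_by_ip_user[e["ip"]][e["user"]] += 1
            failed_users_by_ip[e["ip"]].add(e["user"])
        else:
            # A success right after many failures on the same account is the highest-priority signal.
            prior = failures_by_ip_user[e["ip"]].get(e["user"], 0)
            if prior >= failure_threshold:
                findings.append(("success_after_failures", e["ip"], e["user"]))
    for ip, per_user in failures_by_ip_user.items():
        for user, count in per_user.items():
            if count >= failure_threshold:
                findings.append(("brute_force", ip, user))
    for ip, users in failed_users_by_ip.items():
        if len(users) >= distinct_user_threshold:
            findings.append(("credential_stuffing", ip, len(users)))
    return findings


def analyze(log_text: str):
    return detect(parse(log_text.splitlines()))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

In production the same logic would run over a sliding time window and key on more than the source address, since credential stuffing is usually spread across many addresses; the value of the example is that each alert maps directly to one of the failure types listed earlier, which tells the responder what to check first.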

 

Bring The Diligent Developers to Your Organization  

Our AppSec experts at Security Journey recommend that developers don’t just take annual training on the most current OWASP Top 10 to be aware of prominent vulnerabilities and code risks but to have continuous training and conversations about code security in your organization.  

But why not have fun in the process?   

Security Journey developed The Diligent Developer Security Awareness & Education Program as a fun way to enhance security awareness and build skills across your development team to empower them to think securely. This could be added to National Cybersecurity Awareness Month initiatives for the entire development team or be used to engage/grow a security champions program -- whatever works best for your organization. 

In Chapter Seven, The Diligent Developers defeat The Evil Twins of Identification and Authentication Failures: 


As The Diligent Developers continue their journey, stay tuned to see what OWASP Top 10 Challenge they take on next. 

Visit our webpage to learn more about accessing security awareness program materials and a program guide to effectively training your organization on OWASP Top 10 vulnerabilities.