Understanding Identification and Authentication Failures
What Are Identification and Authentication Failures?
Identification and Authentication Failures, previously known as Broken Authentication, occur when web applications improperly implement mechanisms for confirming user identities and managing sessions. Such flaws allow attackers to impersonate legitimate users or access sensitive data without proper authorization.
These failures impact how users prove their identity, how credentials are stored and verified, and how sessions are maintained.
Common Types of Failures
- Weak or Default Credentials: Using easy-to-guess passwords or leaving default accounts/passwords unchanged can lead to account takeover via simple guessing attacks.
- Credential Stuffing/Brute Force: Lack of rate limiting allows automated attacks, such as using breached username/password lists or attempting every possible password, leading to rapid unauthorized access.
- Missing or Weak Multi-Factor Authentication (MFA): Not implementing MFA or relying on easily bypassed mechanisms leaves accounts highly vulnerable to credential theft.
- Insecure Session Management: Flaws like session IDs in URLs, session fixation, or improper invalidation on logout/password change enable attackers to hijack sessions without needing the password.
- Vulnerable Account Recovery: Weak "forgot password" flows can allow attackers to reset passwords without proper verification, leading to unauthorized account access.
- Insecure Credential Storage: Storing passwords in plaintext, or hashing them with fast, unsalted algorithms such as MD5 or SHA-1, lets attackers recover credentials offline if the database is breached.
Prevention and Mitigation Strategies
- Implement Multi-Factor Authentication (MFA): Enforce MFA for all users, prioritizing those with privileged access.
- Enforce Strong Passwords: Require complex passwords and check against lists of commonly used or weak passwords.
- Secure Credential Storage: Use salted, adaptive hashing algorithms like Argon2, bcrypt, or scrypt to store passwords securely.
- Rate Limiting: Apply throttling on login, registration, and password reset endpoints to prevent brute-force or credential stuffing attacks.
- Secure Session Management: Use high-entropy session tokens over HTTPS, invalidate sessions on logout, idle timeout, or password change, and never expose session IDs in URLs.
- Disable Default Credentials: Remove or change all default accounts and enforce strong password policies.
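The following is an added example, not code from the original article, that puts the mitigations above (and the corresponding failure types from the earlier list) into one small, runnable Python authentication service: a weak-password denylist check, salted scrypt password hashing with constant-time verification, a sliding-window login throttle, and server-side sessions with high-entropy tokens that are invalidated on idle timeout, logout, and password change. The class names (AuthService, LoginRateLimiter, SessionStore), the scrypt cost parameters, the five-entry denylist, and the limits (5 failures per 300 s, 900 s idle timeout) are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed, tiny denylist; a real deployment loads a large breached/common
# password list. These entries are placeholders for the example.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "admin", "letmein"}
# scrypt cost parameters (assumed values; tune to your hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

def is_weak_password(password: str) -> bool:
    # Reject short passwords and anything on the denylist.
    return len(password) < 12 or password.lower() in WEAK_PASSWORDS

def hash_password(password: str) -> str:
    # Salted, memory-hard scrypt; salt and parameters are stored with the digest.
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    # Recompute with the stored salt/parameters and compare in constant time.
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

# Verified for unknown usernames so login costs the same whether or not the
# account exists (no username enumeration through response timing).
_DUMMY_HASH = hash_password(secrets.token_hex(16))

class LoginRateLimiter:  # sliding window: max_attempts failures per key per window
    def __init__(self, max_attempts: int = 5, window_seconds: float = 300.0):
        self.max_attempts, self.window = max_attempts, window_seconds
        self._failures: Dict[str, List[float]] = {}

    def allow(self, key: str, now: float) -> bool:
        recent = [t for t in self._failures.get(key, []) if now - t < self.window]
        self._failures[key] = recent
        return len(recent) < self.max_attempts

    def record_failure(self, key: str, now: float) -> None:
        self._failures.setdefault(key, []).append(now)

    def reset(self, key: str) -> None:
        self._failures.pop(key, None)

class SessionStore:  # server-side sessions keyed by a 256-bit random token
    def __init__(self, idle_timeout: float = 900.0):
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, List] = {}  # token -> [username, last_seen]

    def create(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # high entropy; send as a cookie, never in a URL
        self._sessions[token] = [username, now]
        return token

    def resolve(self, token: str, now: float) -> Optional[str]:
        entry = self._sessions.get(token)
        if entry is None or now - entry[1] > self.idle_timeout:
            self._sessions.pop(token, None)  # idle timeout: invalidate server-side
            return None
        entry[1] = now
        return entry[0]

    def revoke(self, token: str) -> None:  # logout
        self._sessions.pop(token, None)

    def revoke_all_for_user(self, username: str) -> None:  # password change
        for tok in [t for t, e in self._sessions.items() if e[0] == username]:
            del self._sessions[tok]

class AuthService:
    def __init__(self):
        self.users: Dict[str, str] = {}  # username -> stored hash string
        self.limiter = LoginRateLimiter()
        self.sessions = SessionStore()

    def register(self, username: str, password: str) -> None:
        if is_weak_password(password):
            raise ValueError("password too short or on the weak-password list")
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, now: float) -> Optional[str]:
        if not self.limiter.allow(username, now):  # per-account throttle (add per-IP in practice)
            return None
        ok = verify_password(password, self.users.get(username, _DUMMY_HASH))
        if not ok or username not in self.users:
            self.limiter.record_failure(username, now)
            return None
        self.limiter.reset(username)
        return self.sessions.create(username, now)

    def change_password(self, username: str, old: str, new: str) -> bool:
        stored = self.users.get(username)
        if stored is None or not verify_password(old, stored):
            return False
        self.register(username, new)                 # re-applies the weak-password check
        self.sessions.revoke_all_for_user(username)  # existing sessions die with the old password
        return True
```

Two design points worth noting: the stored hash string carries its own salt and cost parameters, so the cost can be raised later and old hashes re-hashed on the next successful login without a format change; and the login path runs a full scrypt verification even for unknown usernames, so response time does not reveal whether an account exists. Time is passed in explicitly (`now`) so the throttle and idle timeout can be tested deterministically; a real service would use the clock.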
Key Takeaway
Properly implementing and managing identification and authentication mechanisms is critical for web application security. Combining strong credentials, MFA, secure session handling, and careful recovery processes helps protect users and prevent unauthorized access.