Broken authentication is one of the OWASP Top 10 vulnerabilities that involves hackers impersonating users to compromise data security. See what the causes are and how to avoid broken authentication.
Authentication is the process of verifying that someone is who they say they are. It is a key part of security for any website or application.
However, authentication can be broken if it is not implemented correctly. According to the OWASP Foundation, broken authentication is among the top ten web application security risks, ranking at number two in 2017 and seven in 2021. The causes of broken authentication are poorly implemented authentication and session management. Attackers can exploit these vulnerabilities to access sensitive information, such as financial or personal information.
In other words, broken authentication allows attackers to bypass authentication mechanisms and gain the same privileges as the attacked users. But what is broken authentication?
This blog post will explore this topic deeply and discuss the causes of broken authentication and how to prevent it.
Broken authentication refers to any vulnerabilities involving the attackers impersonating the original users on applications. In other words, authentication is broken when attacks can assume user identities by compromising passwords, session tokens, user account information and other details. The main causes of broken authentication are poorly implemented session management and loose password policies or other weak security measures resulting in stolen or compromised credentials. Let’s dig into the causes and their associated attacks.
Before we get into how poorly implemented session manage leads to broken authentication, there are a few terms that we need to explain.
When your users are browsing most web applications today, they are required to access online accounts. In most cases, they log in using a username and password. Once they access an online account, the application assigns them an irreplicable session ID that acts as an identity key.
This process establishes a session — a series of user-related requests that are tracked together. Sessions are used to store information about the state of your interaction with the application. The session IDs usually exist as cookies or Authorization Header.
For example, a session is created when users log into a website. This session tracks all the requests users make while logged in. Once the user logs out or the session times out, the session is destroyed.
Session management relates to how your website and application users designate a given session’s parameters. It is about aspects such as how long a session lasts before they log out or how you issue session IDs. It also relates to the security of the given sessions when connect to the IP addresses of different users.
You should note that your users establish a session with an application or website every time they log in as a user. This session is authenticated, meaning users need credentials to log into the session.
For this reason, OWASP acknowledges that “the session ID of an authenticated session is temporarily equivalent to the strongest authentication method used by the application.” The authentication method could be username and password, one-time passwords (OTP), or biometrics.
There are different types of broken authentication attacks related to session management. These include:
This type of session management attack happens when an attacker takes over a user's session by stealing their session ID. An attacker can do this in several ways, such as by intercepting the session ID transmitted between the user and the server.
The attacker can also take advantage when a user does not log out after using an application and abandons their device. Cybercriminals will then be able to access the device and use the same session that is still active.
Session ID URL rewriting happens when a user’s session ID is displayed in a website’s URL. Anyone accessing the URL through an unsecured Wi-Fi can continue with the session.
The attack commonly happens when session IDs are inserted into the URL instead of being stored in a cookie. Users might unintentionally share their session ID when they send links to other people. People with the links can then impersonate the original users. This type of attack is common in applications that use URL parameters to store session IDs.
This attack occurs when the web application does not generate a new session ID after the user logs in. In this case, the application gives users the same IDs before and after authentication. It can also happen when the application generates static or easily guessable session IDs.
Cybercriminals can also compromise your authentication process if your apps don’t impose strong password policies. Your users might be inclined to choosing easily-guessed passwords that cybercriminals can use to access their accounts.
Some of the attacks related to stolen or compromised credentials include:
Credential stuffing involves automatically injecting stolen pairs of usernames and passwords into the login forms of a website. Attackers obtain lists of compromised user credentials and use bots to automatically attempt logging into different systems. This is based on the assumption that many users reuse usernames and passwords that are easily to guessed or have been compromised.
If there is a data breach, submitting the stolen credentials to other sites will make it easy for attackers to compromise other accounts. The attackers can sell the stolen credentials or give them away to their fellow cybercriminals. This means more hackers trying your users' credentials on various accounts, which increases the risk of successful attacks.
In this type of attack, cybercriminals try to guess the passwords of many accounts using common passwords. Examples of these passwords include 123456, curse words, sports names, and the term "password." As a matter of fact, 2.5 million people still use “123456” as their passwords. Attackers will normally target a large list of users instead of trying to crack one account during any one period.
The problem with these types of attacks is that they can easily go undetected. This is because most organizations do not track failed login attempts.
Phishing attacks happen when cybercriminals send malicious emails that trick users into revealing their credentials. They can also use this method to install malware on the victim's device or redirect them to a fake website.
Phishing attacks can expose users' credentials, which can then be used to access their accounts on other websites. The attacks can be broad attempts that target all users with one fraudulent email or a spear phishing attack targeting a particular individual. The latter is common because it is easy for attackers to manipulate a user's emotions based on the available personal information.
Although attacks involving broken authentication are common, there are some measures you can take to prevent them. The following safeguards will help you secure your authentication process:
These best practices will help you secure your session management process:
As we mentioned earlier, session IDs should not appear in URLs since anyone who have access to the URL can continue with the session.
Instead, session IDs should be stored in cookies or HTTP authorization header.
Web applications will automatically end a session at a given point. This happens if the user logs out or if they go for a long period without any activity. You should tailor your web application’s session length to the app in use or the user type.
For instance, a money transfer app should log users out periodically, preferably within minutes, to minimize the vulnerability of session hijacking. But if it’s a streaming video service, the session can go on for weeks so that users don’t have to log in every time.
You should also rotate or invalidate session IDs periodically. This will ensure that an attacker cannot use a stolen session ID for an extended period of time. A common practice is to have a refresh token and access token for each session, while the access token is relatively short-lived, and the client can use the refresh token to get a new access token to maintain the session.
You can also protect your users from various attacks related to password compromises through several measures. These include:
Passkeys is a new category of digital credentials that allow users to log into website applications without using complex passwords that are vulnerable to cyber-attacks. Users will only give a username when signing up, after which they will be authenticated using biometrics or PIN, exactly how they unlock their phones. Passkeys then not only reduces friction during the login and sign-up processes but also enhance data security since attackers have no way to trick the users into giving them the credentials.
Multi-factor authentication (MFA) is an authentication method that requires more than one factor to verify the user’s identity. The most common factors are something the user knows (usually a password), something the user has (like a security token), and something the user is (like their fingerprint).
For instance, when users log in to your website application, they may be required to enter their password and input a code sent to their mobile device. MFA adds an extra layer of security to the login process. Even if a cybercriminal manages to steal the user’s password, they will not be able to access the account without the second factor.
Another measure to prevent password-related attacks is to hash and salt the passwords. Hashing is the process of converting the password into a random string of characters, known as a hash value while salting is adding random data, known as a salt, to the password before it’s hashed.
This makes it harder for attackers to crack the password because they need to know the salt value to reverse the process. OWASP has recommended a few hashing algorithms best for storing passwords such as Argon2id, scrypt, bcrypt, and PBKDF2.
An important measure is to use a cryptographically strong password hashing algorithm that converts the password into a non-reversible string of characters. A strong algorithm hash and salts the passwords so that even if hackers get access to the authentication servers, they won't be able to get the password in clear text.
You can also create strong password policies to make it harder for attackers to guess or brute force their way into user accounts. Some of the measures you can take include:
The goal is to eliminate weak passwords that attackers can easily guess.
Dealing with all these security measures can be quite time-consuming and there’s always a chance for developers to neglect a few steps that can lead to broken authentication. Your team should focus on developing core features instead of worrying about broken authentication.
By integrating your applications with Authgear, you can easily protect your users from the aforementioned cyberattacks. On the portal, you can design strong password policies to minimize the risk of stolen credentials on the portal without writing a single line of code. Furthermore, Authgear also hashes and salts the passwords in your applications to ensure that users’ passwords aren’t stored in plain text.
Authgear equips your applications with all security features and authentication mechanisms to ensure stronger security and an enhanced user experience. Sign up to Authgear for free, or contact us to learn more about how you can use Authfear to grow your user base.
Privacy is important to us, so you have the option of disabling certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may impact your experience on the website.
