Web Security - Coggle Diagram
Web Security
Authentication
What?
Something you know (knowledge factors)
Something you have (possession factors)
Something you are (inherence factors)
Authentication vs Authorization
Authentication: verifies that a user is who they claim to be
Authorization: verifies that a user is allowed to do something
How do authentication vulnerabilities arise?
The authentication mechanisms are weak
Logic flaws or poor coding in the implementation (broken authentication)
Vulnerabilities in authentication mechanisms
Vulnerabilities in password-based login
Brute-force attacks
Username enumeration
Status codes
Error messages
Response times
Flawed brute-force protection
Broken brute-force protection, IP block
Username enumeration via account lock
User rate limiting
The IP can only be unblocked
Manually by an administrator
Manually by the user after successfully completing a CAPTCHA
Automatically after a certain period of time has elapsed
Sometimes preferred over account locking because it is less prone to username enumeration and denial-of-service attacks
The limit is based on the rate of HTTP requests sent from the user's IP address
Attack method: Broken brute-force protection, multiple credentials per request
HTTP basic authentication
Vulnerabilities in multi-factor authentication
Flawed two-factor verification logic
Brute-forcing 2FA verification codes
Bypassing two-factor authentication
Vulnerabilities in other authentication mechanisms
Keeping users logged in
Resetting user passwords
Sending passwords by email
Resetting passwords using a URL
Password reset poisoning
Changing user passwords
How to secure your authentication mechanisms
Take care with user credentials
Don't count on users for security
Prevent username enumeration
Implement robust brute-force protection
Triple-check your verification logic
Don't forget supplementary functionality