Weak Authentication

Authentication is the process of verifying the identity of a given user or client.

Weak Authentication refers to any situation in which the authentication mechanism's strength is insufficient in comparison to the importance of the assets being secured. It also covers situations where the authentication function is faulty or insecure.

Most vulnerabilities in authentication mechanisms arise in one of two ways:

• The authentication mechanisms are weak because they fail to adequately protect against brute-force attacks.
• Logic flaws or poor coding in the implementation allow the authentication mechanisms to be bypassed entirely by an attacker. This is sometimes referred to as "broken authentication".

Practices To Avoid Weak Authentication

Practices to Avoid Weak Authentication vulnerabilities include:

• Adopting a strong Password Policy and enforcing it consistently in all applications
• Using Two-Factor or Multi-Factor Authentication.
• Integrating an industry standard authentication framework.
• Adding Risk-based Authentication and escalating challenges as circumstances warrant.
• Ensuring that authentication is a pre-condition to access all application resources.
• Keeping the authentication token secure and limited in lifetime.