What is Broken Authentication?
Broken authentication refers to a weakness in the design or implementation of access controls inherent in an online platform or application.
Some common risk factors contributing to broken authentication, linked to either poor session management or poor credential management, are:
The OWASP broken authentication recommendations state that a session ID issued to a logged-in user is temporarily equivalent to the user's original login credentials. If misconfigured, session IDs can easily be used to impersonate the user on the application; they must therefore be carefully managed to prevent any weaknesses or loopholes from being exploited by attackers.
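The following is an added illustration, not code from the original post or from OWASP, of what "carefully managed" session IDs look like in practice: IDs drawn from the OS CSPRNG, a fresh ID issued at login so a pre-authentication ID cannot be reused, idle and absolute timeouts, and a cookie carrying the Secure, HttpOnly and SameSite attributes. The `SessionStore` class, the timeout values and the injectable `clock` parameter are assumptions chosen for this example; a real application would back the store with a server-side database or cache rather than a dictionary.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values for this example; tune them to the application's risk.
IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on session lifetime regardless of activity


@dataclass
class Session:
    user: str
    created: float    # when this session ID was issued
    last_seen: float  # last request that used it


class SessionStore:
    """Server-side session table keyed by opaque, unguessable IDs."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable for testing expiry without sleeping
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG. Never derive an ID from the username,
        # a timestamp or a counter: anything predictable lets an attacker
        # forge the ID and with it the user's authenticated state.
        return secrets.token_urlsafe(32)

    def create(self, user: str) -> str:
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid: str) -> Optional[Session]:
        """Look up a session, enforcing idle and absolute timeouts."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]  # expired IDs are removed, not just ignored
            return None
        sess.last_seen = now
        return sess

    def rotate(self, old_sid: str) -> Optional[str]:
        """Issue a fresh ID and invalidate the old one.

        Call this immediately after a successful login (or any privilege
        change). The authenticated session gets a new ID and fresh timers,
        so an ID observed before authentication grants nothing afterwards.
        """
        sess = self.resolve(old_sid)
        if sess is None:
            return None
        del self._sessions[old_sid]
        now = self._clock()
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(sess.user, now, now)
        return new_sid

    def destroy(self, sid: str) -> None:
        """Logout: the server forgets the ID so it cannot be replayed."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value: only over TLS, unreadable by scripts, not sent cross-site."""
    return f"sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.create("anonymous")      # e.g. a shopping-cart session
    post_login = store.rotate(pre_login)       # rotated at login
    print("old ID still valid?", store.resolve(pre_login) is not None)  # False
    print(session_cookie(post_login))
```

The two properties worth checking in any framework you use are the ones the test below exercises: the pre-login ID must stop working the moment the user authenticates, and an ID that is kept alive by steady activity must still die at the absolute limit.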