Overview
Broken authentication is a broad class of weakness that arises when the mechanisms an application uses to verify user identity or manage authenticated sessions are insufficiently robust. Flaws in this category allow attackers to bypass login controls entirely, impersonate legitimate users, or persist access beyond an intended session lifetime. It has consistently ranked among the most critical web application security risks and is formally classified under OWASP A07:2021 – Identification and Authentication Failures.
Common manifestations include: absence of brute-force protection, acceptance of weak or default credentials, insecure password storage, predictable or long-lived session tokens, missing or bypassable multi-factor authentication (MFA), and flawed password-reset workflows.
How it works
Attackers exploit authentication weaknesses through several well-documented techniques:
- Credential Stuffing: Automated replay of username/password pairs leaked from other breaches. Effective where password reuse is common and no rate-limiting or anomaly detection exists.
- Brute Force / Password Spraying: Systematic trial of passwords against one or many accounts. Password spraying tests a single common password (e.g.,
Spring2024!) across many accounts to avoid per-account lockout thresholds. - Default or Weak Credentials: Applications or infrastructure left with vendor-supplied default credentials (e.g.,
admin/admin) or policies that allow trivially guessable passwords. - Session Token Weaknesses: Predictable token generation (low entropy), tokens transmitted over HTTP rather than HTTPS, missing
HttpOnlyorSecurecookie flags, excessively long session lifetimes, or failure to invalidate tokens on logout (CWE-613). - Session Fixation (CWE-384): An attacker supplies a known session identifier before authentication; if the application does not rotate the session ID on successful login, the attacker's pre-planted identifier becomes valid.
- Insecure Password Reset: Reset flows that rely on guessable security questions, tokens with insufficient entropy, tokens that do not expire, or that disclose whether an account exists (user enumeration).
- Insecure Password Storage: Storing passwords as plaintext, with reversible encryption, or with weak hashing algorithms (MD5, SHA-1 without salt), enabling mass credential recovery if the database is compromised.
- MFA Bypass: Flaws in MFA implementation such as predictable OTP seeds, absence of OTP replay protection, or fallback mechanisms that entirely circumvent the second factor.
Business impact
Successful exploitation of broken authentication vulnerabilities can lead to full account takeover of individual users or, in the case of administrative accounts, complete system compromise. Specific consequences include:
- Data breach: Unauthorised access to personal, financial, or health data, triggering regulatory obligations under GDPR, HIPAA, PCI DSS, and similar frameworks.
- Financial fraud: Attackers can initiate transactions, exfiltrate payment data, or monetise compromised accounts directly.
- Privilege escalation: Access to an ordinary user account can serve as a pivot to administrative interfaces if role separation is weak.
- Reputational damage: Publicised account takeovers erode customer trust and may drive users to competitors.
- Regulatory fines: Failure to implement adequate authentication controls is explicitly cited in GDPR Article 32 and PCI DSS Requirement 8 as an area requiring technical safeguards.
- Service disruption: Credential stuffing campaigns generate substantial traffic that can degrade performance for legitimate users.
How to fix it
- Enforce strong password policies: Require a minimum length of at least 12 characters. Check new passwords against lists of known-breached passwords (e.g., using the HaveIBeenPwned API or a local blocklist). Avoid complexity rules that are easily gamed (e.g.,
P@ssw0rd). Follow NIST SP 800-63B guidance, which favours length over complexity. - Implement multi-factor authentication (MFA): Require MFA for all accounts, especially privileged ones. Prefer TOTP (RFC 6238) or FIDO2/WebAuthn hardware keys over SMS OTP, which is susceptible to SIM-swapping. Ensure MFA cannot be bypassed through fallback flows.
- Rate-limit and lock out authentication attempts: Apply progressive delays or temporary lockouts after a configurable number of failed attempts (e.g., 5–10). Implement CAPTCHA challenges for automated request patterns. Log and alert on anomalous login activity. Avoid revealing whether the lockout is due to account existence vs. wrong password.
- Store passwords with a strong adaptive hash: Use bcrypt, scrypt, Argon2id, or PBKDF2 with a sufficient work factor and a unique per-user salt. Never store plaintext or use MD5/SHA-1 for password hashing.
- Manage sessions securely: Generate session identifiers with at least 128 bits of entropy using a cryptographically secure pseudorandom number generator (CSPRNG). Set cookies with
HttpOnly,Secure, andSameSite=StrictorLaxattributes. Regenerate the session ID upon successful authentication to prevent session fixation. Enforce absolute and idle session timeouts appropriate to the application's risk profile. - Invalidate sessions on logout and password change: Ensure server-side session destruction on logout, not merely client-side cookie deletion. Invalidate all active sessions when a password is changed or an account is compromised.
- Secure password reset flows: Use high-entropy, single-use, time-limited tokens (at least 128 bits, expiry ≤ 15 minutes) delivered to a verified channel. Do not reveal account existence in error messages. Invalidate the token immediately after use.
- Eliminate default credentials: Require credential change on first login for all system accounts. Scan infrastructure and third-party components for known default credentials before deployment.
- Implement account takeover detection: Monitor for login from new geographies, devices, or IP ranges. Notify users of successful logins from unfamiliar contexts and provide a mechanism to report unauthorised access.
- Adopt an established authentication framework: Wherever feasible, delegate authentication to a well-audited identity provider (IdP) using OpenID Connect or SAML 2.0 rather than building bespoke authentication logic.
Sensagraph automatically detects common broken authentication indicators such as missing lockout controls, insecure cookie attributes, and exposed default credentials.
References
- OWASP Top 10 A07:2021 – Identification and Authentication Failures
- OWASP Web Security Testing Guide – Authentication Testing
- OWASP Authentication Cheat Sheet
- OWASP Session Management Cheat Sheet
- OWASP Password Storage Cheat Sheet
- MITRE CWE-287: Improper Authentication
- MITRE CWE-307: Improper Restriction of Excessive Authentication Attempts
- MITRE CWE-384: Session Fixation
- NIST SP 800-63B – Digital Identity Guidelines: Authentication and Lifecycle Management
- RFC 6238 – TOTP: Time-Based One-Time Password Algorithm
- W3C Web Authentication (WebAuthn) Level 2