What Is Broken Authentication?

Broken authentication is an umbrella term for several vulnerabilities that attackers exploit to impersonate legitimate users online. Broadly, broken authentication refers to weaknesses in two areas: session management and credential management. Both are classified as broken authentication because attackers can use either avenue to masquerade as a user: hijacked session IDs or stolen login credentials.

Attackers employ a wide variety of strategies to take advantage of these weaknesses, ranging from huge credential stuffing attacks to highly targeted schemes aimed at gaining access to a specific person’s credentials.

In recent years, broken authentication attacks have accounted for many of the worst data breaches, and security experts sound the alarm about this underrecognized threat. The Open Web Application Security Project (OWASP) has included it in its “Top 10” list of the biggest web application security risks since 2017. By 2020, broken authentication had climbed to the number two spot.

Below, we’ll explain what weaknesses are associated with broken authentication and how businesses can guard against them.

Session Management Flaws Open the Door to Attacks

Session management is part of broken authentication, but the two terms are often listed side by side so people don't assume that “authentication” refers only to usernames and passwords. Since web applications use sessions and credentials to identify individual users, attackers can impersonate them using either mechanism.

Session Management Basics

A web session is a sequence of network transactions associated to the same user within a period of time. Let’s say you go to a social media website and browse for a while before logging in to your account. You find an interesting post where you want to comment, which requires you to log in. Once you leave a few comments, you log out and close the web browser window or tab. Everything you did from the moment you arrived to the website was a session. Web applications can track sessions before and after authentication.

Web applications issue every user a unique session ID for each visit, which allows the web app to communicate with the user as they move through the site. These session IDs commonly take the form of cookies and URL parameters.

Session management concerns how you define the parameters of that session. For instance, how long can a session last before you automatically log a user out? How do you issue and revoke session IDs? How securely are they linked to a user’s IP address?

Auth0’s long-lived sessions can help you improve user experience and reduce password reset costs. Learn how to balance user experience and security to retain customers.

It's important to note that a user establishes an authenticated session with the web application once the user logs in. Consequently, OWASP states that the session ID of an authenticated session is temporarily equivalent to the strongest authentication method used by the application, such as username and password. A hijacked session ID is as strong as a stolen login credential.

Session Management Attacks

Session Hijacking

Without appropriate safeguards, web applications are vulnerable to session hijacking, in which attackers use stolen session IDs to impersonate users’ identities. The most straightforward example of session hijacking is a user who forgets to log out of an application and then walks away from their device. A hacker can then continue their session.

Session ID URL Rewriting

Another common avenue for session hijacking is “URL rewriting.” In this scenario, an individual’s session ID appears in the URL of a website. Anyone who can see it (such as via an unsecured Wi-Fi connection) can piggyback into the session. This is how Zoombombing happened.

Session Fixation

One commonly overlooked best practice is to rotate session IDs after a user logs in, instead of giving a user the same ID before and after authentication. Web applications that fail to do this are vulnerable to a session fixation attack, which is a variation of session hijacking.

According to Troy Hunt, the main idea behind a session fixation attack is that the attacker predetermines the session ID the victim will use. The attacker then may send the victim a link that contains the predetermined session ID. The link will point to a resource that requires the victim to log in.

If the web application persists the authentication state of the victim in the session, the attacker can use that predetermined session ID to impersonate the victim after the victim logs in. Whether the attacker or the victim present that session ID to the server, the server will establish that the session ID corresponds to an authenticated session and grant access to protected resources.

Developers can prevent the attacker from following the victim by making the web application issue the legitimate user a new session ID after logging in. When the web application rotates the session ID, the predetermined session ID becomes useless.

Attackers Exploit Weak and Compromised Credentials

In recent years, attackers have discovered that the easiest way to access off-limits systems is to log in with someone else’s credentials. According to Verizon’s 2020 Data Breach Report, phishing and using stolen credentials are now the two most common mechanisms to execute a data breach. They report that “hacking and even breaches in general... are driven by credential theft.”

Malicious actors use various methods to steal, guess, or trick users into revealing their passwords.

Credential Stuffing

When attackers access a database filled with unencrypted emails and passwords, they frequently sell or give away the list for other attackers to use. These attackers then use botnets for brute-force attacks that test credentials stolen from one site on different accounts. This tactic often works because people frequently use the same password across applications.

There are currently billions of compromised credentials available to attackers. Most of the time, users don’t even know that the password they’ve been using since high school just became a skeleton key for all their accounts.

Password Spraying

Password spraying is a little like credential stuffing, but instead of working off a database of stolen passwords, it uses a set of weak or common passwords to break into a user’s account. A 2019 survey by the UK's National Cyber Security Centre (NCSC) found that 23.2 million accounts used “123456” as their password, while millions more used sports names, curse words, and the ever-popular “password".

Password spraying is a type of brute-force attack, but it often slips by automatic lockouts that block IP addresses after too many failed login attempts. It does this by trying the same password, one user at a time, rather than trying password after password on a single user.

Phishing Attacks

Attackers typically phish by sending users an email pretending to be from a trusted source and then tricking users into sharing their credentials or other related information. It can be a broad-based attempt that hits everyone at an organization with the same phony email, or it can take the form of a “spear phishing” attack tailored to a specific target.

Spear phishing can be particularly useful to attackers. They can use that attack technique to manipulate someone’s emotions based on their personal information. For example, an email with the subject line “pictures of your sister” is much more effective if it mentions your sister’s name.

The 2020 CrowdStrike Services Report found that 35% of successful network breaches started with a spear phishing attack in 2019. Attackers had different mechanism to lure their victims through spear phishing: 19% used attachments, 15% included a malicious link, and 1% employed spear phishing via a service.

By now, most organizations are familiar with phishing attacks and warn their customers not to open suspicious emails. Despite that, the 2017 Phishing Resiliency and Defense Report by Cofense found that “organizational susceptibility” to phishing was still around 5%. If you have 20 employees, one of them might still click a phishing email.

How to Fix Broken Authentication in Your Organization

Broken authentication attacks are devastating and common, but they are also highly preventable. By putting a few safeguards in place, you can make your organization a much less appealing target for attackers.

Update Session Management

Control Session Length

Every web application automatically ends sessions at some point, either after logout, a period of no activity, or a certain length of time. Tailor your session length to the type of user and the application they’re using.

A streaming-video service might want their sessions to be weeks long, so users can navigate straight to Netflix without having to log in every time. But a banking app should automatically log users out after a few minutes since the risk of a hijacked session is much higher.

Rotate and Invalidate Session IDs

As we discussed, the best way to prevent session fixation is to issue a user with a new session ID after login. Similarly, sessions and authentication tokens must be immediately invalidated after a session ends, so attackers can’t reuse them.

Don’t Put Session IDs in URLs

There are so many ways that URL rewriting can end up exposing session IDs, so your safest bet is not to go that route. Use cookies generated by a secure session manager.

Tighten Password Policies

Implement Multi-Factor Authentication (MFA)

OWASP’s number one tip for fixing broken authentication is to “implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential reuse attacks.”

Given how vulnerable passwords are to credential stuffing and password spraying, it’s clear that they are no longer adequate to secure an account. MFA provides an extra level of security by demanding an additional credential that’s harder for attackers to fake, such as a biometric scan or one-time code.

Don’t Permit Weak Passwords

When designing your application’s login page, OWASP recommends following NIST guidelines on password length and complexity. They also advise automatically rejecting any of the most common passwords on the web.

Use an identity and access management (IAM) platform that helps you create and implement a password strategy easily. The platform should also provide you with login and signup pages with forms that enforce your password policies. Auth0 Universal Login offers you that secure login infrastructure to authenticate your users to your apps.

Don’t Store Passwords in Cleartext

A strong password storage strategy is critical to mitigate data breaches that put the reputation of any organization in danger. Hashing is the foundation of secure password storage. The premise of hashing is simple: given arbitrary input, output a random string of a specific length.

What's important to highlight is that the hashing operation is irreversible. An attacker cannot determine the original password by looking at the hashed password. However, if two users choose the same password, the hash will be the same. You can add random data to the password to guarantee that the output of the hashing process is unique. This random data is known as a "salt".

Due to the properties of hashing mentioned above, you don't need to encrypt the hashed password before you store it in the database. When a user attempts to log in, your web application uses the supplied password as input to a hashing function and compares the output to the database value. If the password hashes match, the login is successful.

Hashing with salts can protect you against different attack vectors, such as rainbow table attacks, while slowing down dictionary and brute-force attacks.

Use an identity and access management (IAM) platform that helps you prevent critical identity data from falling into the wrong hands. Auth0 never stores passwords in cleartext. Passwords are always hashed and salted using bcrypt, an industry-grade and battle-tested algorithm. Additionally, Auth0 encrypts both data at rest and in motion. All network communication uses TLS with at least 128-bit AES encryption. Auth0 built state-of-the-art security into its platform to protect your business and your users.

Use Breached Password Protection

Use an identity and access management (IAM) platform with breached password protection. When the platform discovers a compromised credentials cache, it will notify you if any of your users were compromised. Those users will be locked out until they change their passwords, so attackers can't use their compromised passwords against you in a credential stuffing attack.

Guard Against Attacks

Conduct Workplace Phishing Training

Teaching your workforce how to spot malicious emails is a project you must take seriously and update frequently. As phishing attacks get more sophisticated, they become harder to spot, and the only way to combat this threat is to keep your staff informed.

Implement Brute-Force Protection

Attacks involving broken authentication can compromise not only your data but also crash your site. Traffic can spike by 180x during a credential stuffing attack, so brute-force protection is an absolute must to stay online. It works by limiting the number of times a specific IP address can attempt to log in, so bots can’t flood your system.

Employ anomaly detection

A sophisticated IAM system doesn’t look at just logins and session IDs to determine whether a user is legitimate or malicious. It should also flag other types of suspicious behavior. Anomaly detection will alert you if, for instance, an employee logs off at 10 p.m. in North America and logs back on at 3 a.m. in Bangladesh.

Address Broken Authentication, Discourage Attackers

Web applications will become more attractive to attackers as companies move more valuable and sensitive data to the cloud. Broken authentication has made it relatively easy for motivated attackers to slip by because even companies with big security budgets often overlook these basic security flaws. It’s a little like barring every window in your home while leaving the front door wide open.

Fortunately, you can deter attackers by putting the protocols we’ve discussed in place. To quote Verizon’s report: “Attackers prefer short paths and rarely attempt long paths. It means anything you can easily throw in their way to increase the number of actions they have to take is likely to decrease their chance of fleeing with the data significantly.”

To learn about how a dedicated IAM platform can help you address broken authentication, reach out to the team at Auth0.