Broken authentication is an umbrella term for several vulnerabilities that hackers exploit to impersonate legitimate users. Broadly, broken authentication refers to weaknesses in two areas: session management and credential management. Both are classified as broken authentication because attackers can use either avenue — hijacked session IDs or stolen login credentials — to masquerade as a user.
Hackers employ a wide variety of strategies to take advantage of these weaknesses, ranging from huge credential-stuffing attacks to highly targeted schemes aimed at gaining access to a specific person’s credentials.
In recent years, broken authentication attacks have accounted for many of the worst data breaches, and security experts sound the alarm about this underrecognized threat. The Open Web Application Security Project (OWASP) has included it in its “Top 10” list of the biggest web application security risks since 2017. By 2020, broken authentication had climbed to the number two spot.
Below, we’ll explain what weaknesses are associated with broken authentication and how businesses can guard against them.
Session Management Flaws Open the Door to Attacks
Session management is part of broken authentication, but the two terms are often listed side by side, lest people assume that “authentication” refers only to usernames and passwords. But because web applications use sessions and credentials to identify individual users, hackers can also impersonate those users.
Session Management Basics
A session describes all the ways users interact with applications during a set period. Let’s say you go to the New York Times website and browse for a while before logging in to your account, doing a crossword puzzle, and then logging out and closing the tab. Everything you did from the moment you arrived was a session.
Web applications issue every user a unique session ID for each visit, which allows the app to communicate with the user as they move through the site. These session IDs commonly take the form of cookies and URLs.
Session management concerns how you define the parameters of that session. For instance, how long can a session last before you automatically log a user out? How do you issue and revoke session IDs? How securely are they linked to a user’s IP address?
Session Management Attacks
Without appropriate safeguards, web applications are vulnerable to session hijacking, in which hackers use stolen session IDs to impersonate users’ identities. The most straightforward example of session hijacking is a user who forgets to log out of an application and then walks away from their device. A hacker can then continue their session.
Session ID URL Rewriting
Another common avenue for session hijacking is “URL rewriting.” In this scenario, an individual’s session ID appears in the URL of a website. Anyone who can see it (such as via an unsecured Wi-Fi connection) can piggyback into the session. (This is how Zoombombing happened)
One commonly overlooked best practice is to rotate session IDs after a user logs in, instead of giving a user the same ID pre- and post-authentication. Applications that fail to do this are vulnerable to session-fixation attacks. In this variation on session hijacking, an attacker takes a legitimate session ID and then tricks a victim into logging in with it. Once the victim has logged in, the attacker copies the ID to impersonate the victim. If the application issues the legitimate user a new session ID after logging in, the attacker couldn’t follow them.
Hackers Exploit Weak and Compromised Credentials.
In recent years, hackers have discovered that the easiest way to access off-limits systems is to log in with someone else’s credentials. According to Verizon’s 2020 Data Breach Report, phishing and using stolen credentials are now the two most common types of breaches. They report that “hacking and even breaches in general... are driven by credential theft.”
Malicious actors use various methods to steal, guess, or trick users into revealing their passwords.
When hackers access a database filled with unencrypted emails and passwords, they frequently sell or give away the list for other hackers to use. These hackers then use botnets for brute-force attacks that test credentials stolen from one site on different accounts. And because people frequently use the same password over and over, this tactic often works.
There are currently billions of compromised credentials available to hackers. Most of the time, users don’t even know that the password they’ve been using since high school just became a skeleton key for all their accounts.
Password spraying is a little like credential stuffing, but instead of working off a database of stolen passwords, it uses a set of weak or common passwords to break into a user’s account. (A 2019 study found that 23.2 million accounts used “123456” as their password, while millions more used sports names, curse words, and the ever-popular “password.”)
Password spraying is a type of brute-force attack, but it often slips by automatic lockouts that block IP addresses after too many failed login attempts. It does this by trying the same password, one user at a time, rather than trying password after password on a single user.
Hackers typically phish by sending users an email pretending to be from a trusted source and then tricking users into sharing their credentials or other related information. It can be a broad-based attempt that hits everyone at an organization with the same phony email, or it can take the form of a “spear phishing” attack tailored to a specific target. Spear phishing can be particularly useful since it can be used to manipulate someone’s emotions based on their personal information. (An email with the subject line “pictures of your sister” is much more effective if it mentions your sister’s name.)
By now, most organizations are familiar with phishing attacks and warn their customers not to open suspicious emails. Despite that, a recent study found that “organizational susceptibility” to phishing was still around 5% (so if you have 20 employees, one of them might still click that email).
How to Fix Broken Authentication in Your Organization
Broken authentication attacks are devastating and common, but they are also highly preventable. By putting a few safeguards in place, you can make your organization a much less appealing target for hackers.
Update Session Management
Control Session Length
Every web application automatically ends sessions at some point, either after logout, a period of no activity, or a certain length of time. Tailor your session length to the type of user and the application they’re using.
A streaming-video service might want their sessions to be weeks long, so users can navigate straight to Netflix without having to log in every time. But a banking app should automatically log users out after a few minutes since the risk of a hijacked session is much higher.
Rotate and Invalidate Session IDs
As we discussed, the best way to prevent session fixation is to issue a user with a new session ID after login. Similarly, sessions and authentication tokens must be immediately invalidated after a session ends, so hackers can’t reuse them.
Don’t Put Session IDs in URLs
Tighten Password Policies
Implement Multi-Factor Authentication (MFA)
OWASP’s number one tip for fixing broken authentication is to “implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential reuse attacks.”
Given how vulnerable passwords are to credential stuffing and password spraying, it’s clear that they are no longer adequate to secure an account. MFA provides an extra level of security by demanding an additional credential that’s harder for hackers to fake, such as a biometric scan or one-time code.
Don’t Permit Weak Passwords
When designing your application’s login page, OWASP recommends following NIST guidelines on password length and complexity. They also advise automatically rejecting any of the most common passwords on the web.
Don’t Store Plain-Text Passwords
If your password database is illegible, it’s of no value to hackers. Encryption makes your organization a much less appealing target, and it ensures that if a breach does happen, it won’t be used against users in a future credential-stuffing attack. One caveat is that it is essential to stay up-to-date on the latest hashing and encryption protocols for this method to work.
Use Breached Password Protection
Use an identity and access management (IAM) platform with breached password protection. When a compromised credentials cache is discovered, it will notify you if any of your users was compromised. Those users will be locked out until they change their passwords, so they can’t be used against you in a credential-stuffing attack.
Guard Against Attacks
Conduct Workplace Phishing Training
Teaching your workforce how to spot malicious emails is a project you must take seriously and update frequently. As phishing attacks get more sophisticated, they become harder to spot, and the only way to combat this threat is to keep your staff informed.
Implement Brute-Force Protection
Attacks involving broken authentication can compromise not only your data but also crash your site. Traffic can spike by 180x during a credential-stuffing attack, so brute-force protection is an absolute must to stay online. It works by limiting the number of times a specific IP address can attempt to log in, so bots can’t flood your system.
Employ anomaly detection
A sophisticated IAM system doesn’t look at just logins and session IDs to determine whether a user is legitimate or malicious. It should also flag other types of suspicious behavior. Anomaly detection will alert you if, for instance, an employee logs off at 10 p.m. in North America and logs back on at 3 a.m. in Bangladesh.
Address Broken Authentication, Scare Off Hackers
Web applications will become more attractive to hackers as companies move more valuable and sensitive data to the cloud. Broken authentication has made it relatively easy for motivated attackers to slip by because even companies with big security budgets often overlook these basic security flaws. (It’s a little like barring every window in your home while leaving the front door wide open.)
Fortunately, you can deter hackers by putting the protocols we’ve discussed in place. To quote Verizon’s report: “Attackers prefer short paths and rarely attempt long paths. It means anything you can easily throw in their way to increase the number of actions they have to take is likely to decrease their chance of fleeing with the data significantly.”
To learn about how a dedicated IAM platform can help you address broken authentication, reach out to the team at Auth0.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and development teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding more than 4.5 billion login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.