What is Authentication?
Authentication is the process of verifying a user's identity, so that the information (i.e. data) is displayed only to the particular user who is authorized to view it. Authentication is a crucial mechanism used almost everywhere, every day. From logins on Instagram to checking your bank balance at an ATM, authentication is everywhere.
Ways to authenticate…
There are many factors on the basis of which one can prove that he is the correct owner for viewing, editing or even sometimes executing some operations. Some of the common factors are:
- Knowledge Factors: This kind of authentication is based on getting authorized with the use of a password. This is the most common type of authentication you can see today.
- Possession Factors: This kind of authentication is based on getting authorized by the use of security tokens or, in a simple instance, getting a prompt on your phone. This is the second most common type of authentication used these days.
- Inherence Factors: This kind of authentication grants the user access through some kind of biometric verification or by observing some pattern of behavior. To be brief, a pattern here can be something like: the user who gets access to this master card will be in a black shirt, or will be a mad man looking grumpy. I hope you get the idea.
- Location Factors: As the name suggests, this type of authentication is based on location. For instance, at some point you might have noticed Instagram giving you a prompt that you are being logged in from somewhere else with this IP. That is where it concludes that the authentication came from somewhere else and asks you to confirm it was you.
Difference between authentication and authorization
This is where many get confused about what to bypass, lul. Keeping it simple: authentication is the mechanism by which one is verified before getting access to the data behind the lock, whereas authorization verifies whether that particular user on the server is allowed to access the information or not.
How do authentication vulnerabilities arise?
- Brute-force: Simply put, this arises if the users or employees of the organization are not smart enough to choose a strong password. There are many password lists easily available to crack such weak passwords. This type of vulnerability is both client-side and server-side.
- Broken Authentication: This type of vulnerability is found in websites or servers with poorly coded applications that contain logical flaws. This is a server-side vulnerability. Exploiting this type of vulnerability requires some serious knowledge of how the web works and good observation skills.
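The authentication/authorization distinction from the previous section and the brute-force item in this list, as an added example that is not part of the original article: authentication proves identity (401 on failure), authorization decides access for an already-verified user (403), and a failed-attempt counter stops unlimited password guessing (429). The user names, passwords, paths, status codes and lockout threshold are constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # assumed lockout threshold for this example

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted KDF so a leaked hash is expensive to guess against
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "role": role, "failures": 0}

# Constructed sample accounts and access rules (not from the article)
USERS = {
    "alice": make_user("alice-sample-passphrase", "admin"),
    "bob": make_user("bob-sample-passphrase", "user"),
}
ALLOWED_ROLES = {"/profile": {"user", "admin"}, "/admin": {"admin"}}

def authenticate(username: str, password: str) -> str:
    """Authentication: is the caller really this user?"""
    user = USERS.get(username)
    if user is None:
        return "denied"
    if user["failures"] >= MAX_FAILURES:
        return "locked"  # brute-force guard: stop evaluating guesses
    candidate = hash_password(password, user["salt"])
    if hmac.compare_digest(candidate, user["hash"]):  # constant-time compare
        user["failures"] = 0
        return "ok"
    user["failures"] += 1
    return "denied"

def authorize(username: str, resource: str) -> bool:
    """Authorization: may this already-verified user access the resource?"""
    return USERS[username]["role"] in ALLOWED_ROLES.get(resource, set())

def handle(username: str, password: str, resource: str) -> int:
    """Return the HTTP status a login-protected endpoint would send."""
    result = authenticate(username, password)
    if result == "locked":
        return 429  # too many failed attempts
    if result != "ok":
        return 401  # authentication failed: identity not proven
    if not authorize(username, resource):
        return 403  # authenticated, but not authorized for this resource
    return 200
```

The lockout here never expires, to keep the example short; a production system would use a time-limited lockout or rate limiting so that failed guesses cannot lock real users out indefinitely.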
What is the impact of vulnerable authentication?
- Once the attacker has bypassed the authentication, he has gotten his way into the system.
- Even if not by intention, think of a situation where he gains access to the system as a high-privileged user. He has control over the entire system, and he can do whatever he wants.
- He can steal the data of the organization, its employees, and much more. This becomes a data breach.
- Additionally: even if he manages to gain a shell only as a low-privileged user, he will get access to some internal pages, and that can help him to enumerate more.
Vulnerabilities in authentication mechanisms
A website's authentication system can be vulnerable in many contexts. Some are broadly classified as follows, and some are more specific to the functionality provided.
- Vulnerabilities in password-based logins
- Vulnerabilities in multi-factor authentication
- Vulnerabilities in other authentication mechanisms