
Insecure Authentication

Fixing Insecure Authentication

About Insecure Authentication

What is improper authentication?

Improper authentication is a security weakness that occurs when a system does not properly verify the identity of users or entities attempting to access it. Improper authentication can occur in various forms, such as no password, weak or easily guessed passwords, absence of multi-factor authentication, lack of session timeouts, etc.

Inadequate authentication mechanisms can allow unauthorized users to gain access to a system, potentially leading to data breaches, data loss, or unauthorized access to sensitive resources.

Examples of improper authentication vulnerabilities include:

  • No authentication: When a critical function has no authentication at all, anyone who can reach it gets unrestricted access.
  • Weak passwords: When users choose weak passwords, it makes it easier for attackers to guess or crack them.
  • Lack of multi-factor authentication: Multi-factor authentication, such as using a password and a one-time code sent to a user's mobile device, can provide an extra layer of security. If multi-factor authentication is not used, an attacker who has obtained a user's password can gain access to the system.
  • Lack of session timeouts: When users do not log out of the system, the session may remain active, allowing an attacker to hijack the session and gain access to the system.


What is the impact of improper authentication?

Improper authentication can lead to various security threats, such as:

  • Data breaches: Improper authentication can allow unauthorized users to gain access to sensitive data, leading to data breaches, data loss, or unauthorized access to confidential information.
  • Unauthorized access to resources: Attackers can exploit improper authentication to gain unauthorized access to resources, such as servers, databases, and applications.
  • Impersonation of legitimate users: Attackers can use stolen or weak credentials to impersonate legitimate users and perform actions on their behalf.
  • Account takeover: Attackers can use improper authentication to take over user accounts and gain access to sensitive data or resources.
  • Compliance violations: Improper authentication can lead to violations of regulatory compliance requirements, such as data protection regulations.
  • Reputation damage: A successful attack exploiting improper authentication can lead to loss of customer trust and reputational damage for the organization.

How to prevent improper authentication?

To prevent improper authentication vulnerabilities, it is essential to implement secure authentication mechanisms that verify the identity of users and entities attempting to access the system.

Here are some measures that can help prevent improper authentication:

  • Strong passwords: Implement password policies that require users to choose strong, unique, and complex passwords. This can include length requirements, character complexity requirements, and password expiration policies.
  • Multi-factor authentication: Use multi-factor authentication to provide an extra layer of security. This can include using a password and a one-time code sent to a user's mobile device or using biometric authentication.
  • Session timeouts: Implement session timeouts to ensure that users are automatically logged out of the system after a certain period of inactivity. This can help prevent unauthorized access to the system through hijacked sessions.
  • Access controls: Implement access controls that restrict access to sensitive resources and data based on user roles and permissions. This can help prevent unauthorized access to sensitive information or systems.
  • User education: Educate users about the importance of strong passwords, multi-factor authentication, and other best practices for secure authentication. This can include regular reminders, training, and awareness campaigns.
  • Regular security audits: Regularly audit your system for security vulnerabilities, including improper authentication vulnerabilities. Use automated tools and manual testing to identify potential issues and fix them before they can be exploited.

Biometric-based authentication is available via two options:

  1. The LocalAuthentication framework: Less suitable for high-risk apps such as banking, because the authentication result is handed back to the app outside the Secure Enclave and can be intercepted on jailbroken devices.
  2. The Keychain Services: Suitable for high-risk apps because they interact securely with the on-device Keychain through dedicated APIs, so the protected secret is released only after the authentication succeeds.
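As an added illustration of the second option (this is example code written for this page, not GuardRails or DVIA code), the snippet below stores a secret in the Keychain under an access-control policy that requires the currently enrolled biometrics, and reads it back through an LAContext. The service name, account and the KeychainError type are assumptions made for the example.

```swift
import Foundation
import LocalAuthentication
import Security

enum KeychainError: Error { case status(OSStatus) }

// Constructed example, not GuardRails or DVIA code; service/account names are assumed.
enum BiometricKeychain {
    static let service = "com.example.app.session-token"

    /// Store `secret` gated by the *current* biometric set: enrolling a new finger/face
    /// invalidates it, and removing the device passcode wipes it.
    static func store(_ secret: Data, account: String) -> OSStatus {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
                kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                .biometryCurrentSet, &cfError) else { return errSecParam }
        let base: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        _ = SecItemDelete(base as CFDictionary) // replace any older item and its policy
        var attrs = base
        attrs[kSecAttrAccessControl as String] = access
        attrs[kSecValueData as String] = secret
        return SecItemAdd(attrs as CFDictionary, nil)
    }

    /// Read the secret. The OS shows the biometric prompt and the Secure Enclave releases
    /// the data only after the check passes; there is no app-side "success" flag to tamper with.
    static func read(account: String, reason: String) throws -> Data {
        let context = LAContext()
        context.localizedReason = reason
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
            kSecUseAuthenticationContext as String: context,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let data = item as? Data else {
            throw KeychainError.status(status) // e.g. errSecUserCanceled, errSecAuthFailed
        }
        return data
    }
}
```

Because the secret itself is what the Keychain withholds, an app that never sees a bare boolean result has nothing for a tampered process to override; the failure cases (user cancel, failed biometric, missing item) all surface as OSStatus values the caller should handle explicitly.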

Rule-specific references:

Option A: Leverage Keychain Services

  1. Go through the issues that GuardRails identified in the PR/MR

  2. Identify the following patterns:

    LAContext *context = [[LAContext alloc] init];
    NSError *error = nil;
    NSString *reason = @"Please authenticate using TouchID.";
    if ([context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&error]) {
        [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                localizedReason:reason
                          reply:^(BOOL success, NSError *authError) {
            if (success) {
                NSLog(@"Auth was OK");
            } else {
                // Minimal error handling; a real app should inspect authError.code
                // (for example LAErrorUserCancel) and react accordingly.
                NSLog(@"Error received: %@", authError);
            }
        }];
    } else {
        NSLog(@"Can not evaluate Touch ID");
    }

    or:

    let context = LAContext()
    var error: NSError?

    if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
        let reason = "Please authenticate yourself"

        context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) {
            [unowned self] success, authenticationError in

            // Only UI work happens here; the app is trusting a boolean it received from
            // outside the Secure Enclave.
            DispatchQueue.main.async {
                if success {
                    DVIAUtilities.showAlert(title: "Success", message: "Authentication Successful", viewController: self)
                } else {
                    DVIAUtilities.showAlert(title: "Error", message: "Authentication Failed", viewController: self)
                }
            }
        }
    } else {
        DVIAUtilities.showAlert(title: "Touch ID not available", message: "Your device doesn't support Touch ID or you haven't configured Touch ID authentication on your device", viewController: self)
    }
  3. Confirm that the lower level of security is acceptable for your app. Otherwise, consider leveraging the Keychain Services instead.

  4. Test it and ensure the functionality works as expected

  5. Ship it 🚢 and relax 🌴