Validate credential ownership
Summary
The system must validate that the given credentials (email, phone number, etc.) actually belong to the user that claimed ownership of them.
Description
Validating that a submitted credential (for example, an email address or phone number) belongs to the user who claims it is essential to maintain the integrity of the authentication process and to prevent unauthorized access: an unverified credential lets an attacker register, recover, or take over an account using contact details they do not control.
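One way to satisfy this requirement is a proof-of-possession flow: the system sends a random, single-use, time-limited token to the claimed credential itself and marks the credential as verified only after the same user presents that token. The following Python is an added example, not Fluid Attacks' own code; the TTL, attempt limit and in-memory store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

VERIFY_TTL_SECONDS = 15 * 60  # assumed validity window for a verification token
MAX_ATTEMPTS = 5              # assumed cap on guesses per pending verification


class CredentialVerifier:
    """Proves that a credential (email, phone) belongs to the claiming user."""

    def __init__(self, now=time.time):
        self._now = now
        # (user_id, credential) -> [token_hash, expires_at, failed_attempts]
        self._pending = {}
        # (user_id, credential) pairs whose ownership has been proven
        self.verified = set()

    def start(self, user_id, credential):
        """Issue a token bound to this user AND this credential; the caller
        must deliver it out-of-band to the credential (email/SMS), never
        back to the session that claimed it."""
        token = secrets.token_urlsafe(24)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._pending[(user_id, credential)] = [token_hash, self._now() + VERIFY_TTL_SECONDS, 0]
        return token

    def confirm(self, user_id, credential, token):
        """Accept the token only from the user it was issued to, within its
        lifetime, under the attempt limit, and exactly once."""
        key = (user_id, credential)
        entry = self._pending.get(key)
        if entry is None:
            return False  # nothing pending for this user/credential pair
        token_hash, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[key]  # expired or brute-forced: force a fresh start
            return False
        entry[2] += 1
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(candidate, token_hash):  # constant-time compare
            return False
        del self._pending[key]  # single use: the token cannot be replayed
        self.verified.add(key)
        return True

    def is_verified(self, user_id, credential):
        return (user_id, credential) in self.verified
```

Because the pending record is keyed by the (user, credential) pair, a token issued for one user's claim cannot confirm the same credential for a different account.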
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CWE™-287. Improper authentication
- CAPEC™-654. Credential Prompt Impersonation
- OWASP TOP 10-A7. Identification and authentication failures
- SOC2®-CC6_2. Logical and physical access controls
- MITRE ATT&CK®-M1043. Credential access protection
- SANS 25-13. Improper authentication
- POPIA-3A_23. Access to personal information
- PDPO-S1_4. Security of personal data
- CMMC-IA_L1-3_5_2. Authentication
- HITRUST CSF-10_c. Control of internal processing
- FERPA-D_31_c. Conditions of prior consent required to disclose information
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- MVSP-2_4. Application design controls - Password policy
- BSAFSS-IA_1-1. Software development environment authenticates users and operators
- CWE TOP 25-287. Improper authentication
- OWASP ASVS-4_3_1. Other access control considerations
- CASA-2_10_1. Service Authentication
- CASA-4_3_1. Other Access Control Considerations
- OWASP MASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
- NIST CSF-PR_AA-01. Identities and credentials for authorized users, services, and hardware are managed by the organization
Vulnerabilities
- 103. Insufficient data authenticity validation - APK signing
- 327. Insufficient data authenticity validation - Images
- 355. Insufficient data authenticity validation - Checksum verification
- 377. Insufficient data authenticity validation - Device Binding
- 382. Insufficient data authenticity validation - Front bypass
- 389. Insufficient data authenticity validation - JAR signing