The system must notify, upon any access attempt, that access to the system is only available for authorized users.
Sometimes systems have information and other resources that are not considered public. These resources should be protected by a secure authentication mechanism that prevents unauthorized actors from accessing them. Whenever a non-authenticated actor attempts to access those resources, the system must notify them that the resources are only available to authorized users.
CWE-287: Improper Authentication: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CWE-306: Missing Authentication for Critical Function: The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements.(1.2.2): Verify that communications between application components, including APIs, middleware and data layers are authenticated. Components should have the least necessary privileges needed.
OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements.(1.2.3): Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches.