The system must require authentication for all resources, except for the consultation or visualization of those specifically classified as public.
Sometimes systems have information and other resources that are not considered public. These resources should be protected by a secure authentication mechanism that prevents unauthorized actors from accessing them.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs: In the case that the administrator failed to specify an Access Control List (ACL) for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application.
CAPEC-36: Using Unpublished Interfaces: An adversary searches for and invokes interfaces that the target system designers did not intend to be publicly available. If these interfaces fail to authenticate requests the attacker may be able to invoke functionality they are not authorized for.
CAPEC-115: Authentication Bypass: An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.
CWE-287: Improper Authentication: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CWE-306: Missing Authentication for Critical Function: The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
ISO 27001:2013. Annex A - 9.4.2: Whenever the access control policy requires it, access to systems and applications should be controlled using a secure entry process.
NERC CIP-003-8. Attachment 1. Section 3 - 3.2: Authenticate all Dial-up Connectivity, if any, that provides access to low impact BES Cyber System(s), per Cyber Asset capability.
NERC CIP-005-5. B. Requirements and measures. R1.4: Where technically feasible, perform authentication when establishing Dial-up Connectivity with applicable Cyber Assets.
NERC CIP-007-6. B. Requirements and measures. R5.1: Have a method(s) to enforce authentication of interactive user access, where technically feasible.
OWASP Top 10 A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
OWASP Top 10 A3:2017-Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.9): Verify that wireless communications are mutually authenticated.
OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements.(1.2.2): Verify that communications between application components, including APIs, middleware and data layers are authenticated. Components should have the least necessary privileges needed.
OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements.(1.2.3): Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches.
OWASP-ASVS v4.0.1 V3.7 Defenses Against Session Management Exploits.(3.7.1): Verify the application ensures a valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications.
OWASP-ASVS v4.0.1 V9.2 Server Communications Security Requirements.(9.2.3): Verify that all encrypted connections to external systems that involve sensitive information or functions are authenticated.
OWASP-ASVS v4.0.1 V14.5 Validate HTTP Request Header Requirements.(14.5.4): Verify that HTTP headers added by a trusted proxy or SSO devices, such as a bearer token, are authenticated by the application.
PCI DSS v3.2.1 - Requirement 6.5.10: Address common coding vulnerabilities in software-development processes such as broken authentication and session management.
PCI DSS v3.2.1 - Requirement 8.1.1: Assign all users a unique ID before allowing them to access system components or cardholder data.