
Make authentication options equally secure


All of the system's authentication pathways and identity management APIs must be equally secure.


Some systems offer more than one way to authenticate their users or verify their identity, such as a web login, a mobile or legacy API endpoint, single sign-on, or a credential recovery flow. All of these options must provide the same security control strength, so that an attacker cannot sidestep the strongest path by choosing a weaker alternative.
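The following is an added example, not code from the original page: one account reachable through several authentication pathways. The first version leaves weaker alternatives (a legacy mobile endpoint that skips the second factor, and a recovery flow that re-enrolls the OTP secret on a password alone, the case the ASVS 2.5.7 reference below addresses); the second routes every pathway and the recovery flow through a single policy. The user store, the `proofing_level` scale, the demo user and all secrets are constructed assumptions for the demo.

```python
"""Added example: equalize authentication pathway strength.

Not code from the page's project. The user store, the 0-2 proofing-level
scale, the demo user and all secrets are constructed for this demo."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, RFC 4226 truncation."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    proofing_level: int  # identity proofing done at enrollment (assumed 0-2 scale)


USERS: Dict[str, User] = {}  # constructed in-memory user store
# Dummy account so unknown names take the same code path (and time) as real ones.
DUMMY = User(b"\0" * 16, pbkdf2("x", b"\0" * 16), b"\0" * 20, 0)


def enroll(name: str, password: str, proofing_level: int) -> User:
    salt = secrets.token_bytes(16)
    USERS[name] = User(salt, pbkdf2(password, salt), secrets.token_bytes(20), proofing_level)
    return USERS[name]


def check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(pbkdf2(password, user.salt), user.pw_hash)


# --- Weaker alternatives: pathways of unequal strength -----------------------
def web_login_weak(name: str, password: str, code: str, now: int) -> bool:
    user = USERS.get(name, DUMMY)
    return (user is not DUMMY and check_password(user, password)
            and hmac.compare_digest(totp(user.totp_secret, now), code))


def legacy_mobile_login_weak(name: str, password: str) -> bool:
    # Password only: a phished password is enough here, so the second factor
    # enforced on the web pathway buys nothing.
    user = USERS.get(name, DUMMY)
    return user is not DUMMY and check_password(user, password)


def reset_totp_weak(name: str, password: str) -> Optional[bytes]:
    # Recovery on the password alone: an attacker "loses" the device and
    # enrolls their own, turning two factors into one.
    user = USERS.get(name, DUMMY)
    if user is DUMMY or not check_password(user, password):
        return None
    user.totp_secret = secrets.token_bytes(20)
    return user.totp_secret


# --- Hardened: one policy, every pathway and the recovery flow go through it --
def authenticate(name: str, password: str, code: str, now: int) -> bool:
    user = USERS.get(name, DUMMY)
    pw_ok = check_password(user, password)  # both checks always run
    otp_ok = hmac.compare_digest(totp(user.totp_secret, now), code)
    return user is not DUMMY and pw_ok and otp_ok


def web_login(name: str, password: str, code: str, now: int) -> bool:
    return authenticate(name, password, code, now)


def mobile_login(name: str, password: str, code: str, now: int) -> bool:
    return authenticate(name, password, code, now)


def reset_totp(name: str, password: str, proofing_evidence_level: int) -> Optional[bytes]:
    # Proofing for recovery must be at least the level used at enrollment.
    user = USERS.get(name, DUMMY)
    if (user is DUMMY or not check_password(user, password)
            or proofing_evidence_level < user.proofing_level):
        return None
    user.totp_secret = secrets.token_bytes(20)
    return user.totp_secret


def demo() -> Dict[str, bool]:
    enroll("alice", "correct horse", proofing_level=2)
    now = 1_700_000_000
    return {
        "weak_mobile_bypasses_mfa": legacy_mobile_login_weak("alice", "correct horse"),
        "weak_reset_on_password": reset_totp_weak("alice", "correct horse") is not None,
        "hardened_mobile_without_otp": mobile_login("alice", "correct horse", "", now),
        "hardened_mobile_with_otp": mobile_login(
            "alice", "correct horse", totp(USERS["alice"].totp_secret, now), now),
        "hardened_reset_low_proofing": reset_totp("alice", "correct horse", 1) is None,
        "hardened_reset_same_proofing": reset_totp("alice", "correct horse", 2) is not None,
    }
```

Every public entry point (`web_login`, `mobile_login`, `reset_totp`) delegates to one policy, so adding a new client or recovery flow cannot silently become the weakest path; a review can then check for pathways that do not call `authenticate` instead of re-auditing each one.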


  • CAPEC-114: Authentication Abuse: An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

  • CAPEC-115: Authentication Bypass: An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

  • CAPEC-151: Identity Spoofing: Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principal or use stolen / spoofed authentication credentials. Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content.

  • CWE-287: Improper Authentication: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

  • CWE-306: Missing Authentication for Critical Function: The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

  • OWASP Top 10 A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

  • OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements.(1.2.4): Verify that all authentication pathways and identity management APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application.

  • OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements.(2.5.7): Verify that if OTP or multi-factor authentication factors are lost, evidence of identity proofing is performed at the same level as during enrollment.

  • OWASP-ASVS v4.0.1 V11.1 Business Logic Security Requirements.(11.1.1): Verify the application will only process business logic flows for the same user in sequential step order and without skipping steps.

  • OWASP-ASVS v4.0.1 V14.5 Validate HTTP Request Header Requirements.(14.5.4): Verify that HTTP headers added by a trusted proxy or SSO devices, such as a bearer token, are authenticated by the application.

  • PCI DSS v3.2.1 - Requirement 6.5.10: Address common coding vulnerabilities in software-development processes such as broken authentication and session management.