Make authentication options equally secure
Summary
All of the system's authentication pathways and identity management APIs must be equally secure.
Description
Some systems offer more than one option to authenticate their users or verify their identity. All of these options must provide the same security control strength, so that none of them becomes a weaker alternative to the others.
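One way to audit this requirement is to inventory every authentication pathway (login options, API access and account-recovery routes alike), score each by the factors it demands, and flag any route weaker than the strongest one offered. The following is an added example, not code from the original page; the factor strength scale, the `Pathway` and `AuthPolicy` names and the inventory are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed strength scale for this example (the page defines none):
# higher is stronger, and a pathway's level is the sum over the factors
# a user must present for it to succeed.
FACTOR_STRENGTH = {"password": 1, "security_questions": 1, "sms_otp": 2,
                   "totp": 3, "push": 3, "fido2": 4}


@dataclass(frozen=True)
class Pathway:
    name: str
    factors: tuple          # all of these must be presented
    purpose: str = "login"  # login, api or recovery: every purpose is in scope

    def strength(self) -> int:
        return sum(FACTOR_STRENGTH[f] for f in self.factors)


def weaker_alternatives(pathways):
    """Audit: names of pathways weaker than the strongest one the system offers.
    These routes undercut the others, whatever their stated purpose."""
    strongest = max(p.strength() for p in pathways)
    return sorted(p.name for p in pathways if p.strength() < strongest)


class AuthPolicy:
    """Single registration chokepoint: a pathway below the baseline cannot exist."""

    def __init__(self, baseline: int):
        self.baseline = baseline
        self.pathways = {}

    def register(self, p: Pathway) -> None:
        if p.strength() < self.baseline:
            raise ValueError(f"{p.name} ({p.purpose}): strength {p.strength()} "
                             f"is below baseline {self.baseline}")
        self.pathways[p.name] = p


# Constructed inventory: two strong login options, an admin option, and two
# weaker routes (a legacy API and account recovery) that would be the
# path of least resistance into the same accounts.
INVENTORY = [
    Pathway("web_login", ("password", "totp")),
    Pathway("mobile_login", ("password", "push")),
    Pathway("admin_console", ("fido2",)),
    Pathway("legacy_soap_api", ("password",), purpose="api"),
    Pathway("password_recovery", ("security_questions",), purpose="recovery"),
]

if __name__ == "__main__":
    print("weaker alternatives:", weaker_alternatives(INVENTORY))
    policy = AuthPolicy(baseline=4)
    for p in INVENTORY:
        try:
            policy.register(p)
        except ValueError as e:
            print("rejected:", e)
```

Running the audit on the constructed inventory reports the legacy API and the recovery route as the weaker alternatives, and the policy refuses to register either of them.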
Supported In
This requirement is verified in the following services:

| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CAPEC™-114. Authentication abuse
- CAPEC™-115. Authentication bypass
- CAPEC™-151. Identity spoofing
- CWE™-287. Improper authentication
- CWE™-306. Missing authentication for critical function
- CWE™-862. Missing authorization
- CWE™-1390. Weak Authentication
- OWASP TOP 10-A7. Identification and authentication failures
- OWASP-M TOP 10-M4. Insecure authentication
- NYDFS-500_12. Multi-factor authentication
- PA-DSS-8_3. Operation of two-factor authentication technologies for secure remote access
- SANS 25-14. Improper Authentication
- ISO/IEC 27002-5_17. Authentication information
- ISO/IEC 27002-8_5. Secure authentication
- ISA/IEC 62443-IAC-1_5. Authenticator management
- ISA/IEC 62443-CR-1_1-RE_1. Unique identification and authentication
- OSSTMM3-9_5_4. Wireless security (access verification) - Authentication
- OSSTMM3-10_5_3. Telecommunications security (access verification) - Authentication
- OSSTMM3-11_5_3. Data networks security (access verification) - Authentication
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- OWASP SCP-5. Access control
- BSAFSS-SI_1-3. Avoid architectural weaknesses of authentication failure
- CWE TOP 25-287. Improper authentication
- OWASP ASVS-3_7_1. Defenses against session management exploits
- PCI DSS-8_5_1. Multi-factor authentication (MFA) systems are configured to prevent misuse
- SIG Core-I_1_20. Application security
- OWASP ASVS-4_3_1. Other access control considerations
- ISO/IEC 27001-5_17. Authentication information
- ISO/IEC 27001-8_5. Secure authentication
- CASA-2_10_1. Service Authentication
- CASA-3_7_1. Defenses Against Session Management Exploits
- CASA-4_3_1. Other Access Control Considerations
- Resolution SB 2021 2126-Art_27_11. Security in Electronic Channels
- Resolution SB 2021 2126-Art_28_5. Security in Electronic Channels - ATMs
- Resolution SB 2021 2126-Art_30_8. Security in Electronic Channels - Digital Banking
Vulnerabilities
- 006. Authentication mechanism absence or evasion
- 015. Insecure authentication method - Basic
- 056. Anonymous connection
- 081. Lack of multi-factor authentication
- 240. Authentication mechanism absence or evasion - OTP
- 241. Authentication mechanism absence or evasion - AWS
- 242. Authentication mechanism absence or evasion - WiFi
- 243. Authentication mechanism absence or evasion - Admin Console
- 244. Authentication mechanism absence or evasion - BIOS
- 388. Insecure authentication method - NTLM
- 397. Insecure authentication method - LDAP