This article focuses on the authentication aspect of access controls as they are reflected in software designs, implementations and the management of software development lifecycles. Some sources include both authentication and authorization as aspects of access control. These are closely related but separate concepts and are managed through different processes.
ISO 27000:2014 defines authentication as provision of assurance that a claimed characteristic of an entity is correct.
U.S. National Institute of Standards and Technology (NIST) Special Publication 800-53 (SP800-53) defines authentication as verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
The Information Security Forum Standard of Good Practice (2014) refers to authentication as an element of Identity and Access Management controls and as a component of Access Management.
ISACA defines authentication as the act of verifying identity. Alternatively, the ISACA glossary suggests the act of verifying the identity of a user and the user’s eligibility to access computerized information (authorization). Additionally, they suggest that authentication can refer to the correctness of a piece of data.
All of these standards are frequently referenced sources of good guidance on authentication controls.
The definition given by NIST appears to be the most precise, while concisely encompassing the most complete range of cases. We note, however, that where authentication of the originator of a process or data set is performed, it also serves the purpose of verifying data integrity; e.g. authenticating the digital signature on a file.
Based on the guidance of such standards and common usage in the field, the following definition is proposed:
Authentication is the act of verifying the identity of a user, process, or device.
Risk factors related to authentication, as with other risks, are based upon the Threat modeling. Authentication features may create attack surface that needs to be considered within the threat model. Likewise, the data and business processes being protected and the ability of threat agents to establish contact with the software (i.e. is it exposed directly to the internet?) need to be included within the threat model. In relation to the STRIDE threat model:
- Spoofing - authentication systems may be subject the identity spoofing;
- Tampering - attackers will attempt to tamper with authentication mechanisms;
- Repudiation - authentication is intended to enable non-repudiation;
- Information disclosure - if authentication failures are not properly handled, account information could be disclosed;
- Denial of service - consider the impact a DoS attack against the authentication system would have on the organization or associated processes;
- Elevation of privilege - this is more related to the authorization aspect of access controls.
Examples of Authentication Controls in Software:
- Establishment and enforcement of requirements over authenticator content, such as username and password construction;
- Mechanisms for strong authentication, such as token-based or biometric two-factor authentication;
- Re-authentication or step-up authentication for access to more sensitive data or functions;
- Use of centralized authentication systems, such as identity and access management technologies (IAM) or single sign-on (SSO);
- Protection of the confidentiality of credentials in transit, as with encryption;
- Protection of the confidentiality of credentials in storage, as with hashing;
- Handling login failures with error messages that do not permit account enumeration;
- Use of account lockout features for invalid authentication attempts
- Features to assist users with forgotten passwords;
- Login notification of last access success or failure;
- Prevention of use for default accounts and credentials;
- Use of cryptographic signatures to authenticate data;
- Use of cryptographic certificates or keys to validate a claimed identity;
- Use of token-based authentication protocols;
The MITRE Corporation Common Attack Pattern Enumeration and Classification database (CAPEC) lists the following main categories of attacks against authentication:
- CAPEC-112: Brute force
- CAPEC-114: Authentication abuse
- CAPEC-115: Authentication bypass
- CAPEC-151: Identity spoofing
The MITRE Corporation Common Weakness Enumeration database (CWE) lists the following weakness categories as children of node CWE-898 Authentication:
- CWE-947: Authentication bypass
- CWE-948: Digital Certificate
- CWE-949: Faulty endpoint authentication
- CWE-950: Hardcoded sensitivity database
- CWE-951: Insecure authentication policy
- CWE-952: Missing authentication
- CWE-953: Missing endpoint authentication
- CWE-954: Multiple binds to the same port
- CWE-955: Unrestricted authentication
- Authorization / Access control;
- Audit and monitoring of access and privilege use;
- Protection of data in transit and at rest;
- Data integrity protection methods;
- Administrative-level controls.
- Joint Task Force Transformation Initiative. Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53 revision 4. (2013) U.S. National Institute of Standards and Technology. http://dx.doi.org/10.6028/NIST.SP.800-53r4
- Joint Technical Committee 1, Information Technology, Subcommittee 27, IT Security Techniques. Information Technology - Security Techniques - Information Security Management Systems - Overview and Vocabulary. ISO/IEC. (2014). http://standards.iso.org/ittf/PubliclyAvailableStandards/c063411_ISO_IEC_27000_2014.zip
- The Standard of Good Practice for Information Security. Information Security Forum. (2014). https://www.securityforum.org/shop/p-71-173
- DSS06 within Cobit 5: Enabling Processes. ISACA. (2012). http://www.isaca.org/COBIT/Pages/COBIT-5-Enabling-Processes-product-page.aspx
- Common Attack Pattern Enumeration and Classification (CAPEC). MITRE Corporation. Retrieved from https://capec.mitre.org/index.html on 23 May 2015.
- Software Fault Pattern Clusters in Common Weakness Enumeration (CWE). MITRE Corporation. Retrieved from http://cwe.mitre.org/data/graphs/888.html on 23 May 2015.
- Hernan, S., Lambert, S., Ostwald, T., and Shostack, A. Uncover Security Design Flaws Using the STRIDE Approach in MSDN Magazine. Microsoft. (2006). Retrieved from https://msdn.microsoft.com/en-us/magazine/cc163519.aspx on 23 May 2015.
- OWASP Authentication Cheat Sheet
- OWASP Guide to Authentication