Summary

Authentication is fairly self-explanatory: it is the way we prove who we are in order to get access to the digital tools and assets we use in our day-to-day lives. Being able to bypass these mechanisms to gain access is a problem in itself, but once we have access we could chain further vulnerabilities together to gain deeper access into the system on which the application runs, or harvest data on the users of the application.

There are three main types of authentication factor:

  1. Something you know, like a password; these are “knowledge factors”
  2. Something you have, like a mobile phone or a YubiKey; these are “possession factors”
  3. Something you are or do, like biometrics; these are “inherence factors”

It is common for people to confuse authentication and authorization. Authentication is the process of verifying that someone is who they say they are. Authorization is verifying whether a user is allowed to do something. For example, an ID authenticates that I am Alex, but the C Class on my ID authorizes me to legally drive a car.

Two major weaknesses can lead to authentication vulnerabilities:

  1. Failing to prevent brute-force attacks
  2. Logic flaws
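To make the first weakness concrete, here is an added example (not code from the original notes) of a minimal password login in two forms: a weak one that will happily answer an unlimited stream of guesses, and a hardened one that counts failures per account, locks the account for a cooling-off window, and uses a constant-time comparison. The class names, the user store, and the policy numbers (5 failures, 300-second lockout) are assumptions chosen for the example; the clock is injectable so the lockout can be exercised without waiting.

```python
"""Added example: a brute-force-friendly login beside a throttled one.
Names, sample users and policy numbers are assumptions, not from the page."""
import hashlib
import hmac
import os
import time


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256, 100k iterations; returns 32 bytes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(users):
    """Constructed sample store: {username: (salt, password_hash)}."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(password, salt))
    return store


class WeakLogin:
    """Weak form: no failure counting, so a guessing loop runs as fast
    as the server can answer. The hash itself is fine; the policy is not."""

    def __init__(self, store):
        self.store = store

    def login(self, username, password):
        if username not in self.store:
            return False
        salt, expected = self.store[username]
        return _hash_password(password, salt) == expected


class HardenedLogin:
    """Hardened form: per-account failure counter with a lockout window,
    constant-time hash comparison, and the same work for unknown users."""

    MAX_FAILURES = 5          # assumed policy
    LOCKOUT_SECONDS = 300     # assumed policy

    # Dummy salt/hash so unknown usernames cost the same time as real ones.
    _DUMMY = (b"\x00" * 16, b"\x00" * 32)

    def __init__(self, store, clock=time.monotonic):
        self.store = store
        self.clock = clock                 # injectable for tests
        self.failures = {}                 # username -> (count, locked_until)

    def is_locked(self, username):
        count, locked_until = self.failures.get(username, (0, 0.0))
        return count >= self.MAX_FAILURES and self.clock() < locked_until

    def login(self, username, password):
        if self.is_locked(username):
            return False                   # refuse before checking anything
        count, locked_until = self.failures.get(username, (0, 0.0))
        if count >= self.MAX_FAILURES and self.clock() >= locked_until:
            count = 0                      # lockout expired: fresh window
        salt, expected = self.store.get(username, self._DUMMY)
        ok = hmac.compare_digest(_hash_password(password, salt), expected)
        if username in self.store and ok:
            self.failures.pop(username, None)   # success clears the counter
            return True
        count += 1
        if count >= self.MAX_FAILURES:
            locked_until = self.clock() + self.LOCKOUT_SECONDS
        self.failures[username] = (count, locked_until)
        return False


if __name__ == "__main__":
    store = make_user_store({"alice": "correct horse battery staple"})
    hardened = HardenedLogin(store)
    for guess in ["a", "b", "c", "d", "e"]:
        hardened.login("alice", guess)
    print("locked after 5 failures:", hardened.is_locked("alice"))
```

The lockout is keyed on the account rather than the client address, so it also covers a distributed guessing campaign; the trade-off is that an attacker can lock legitimate users out, which is why real deployments pair this with per-source rate limiting and alerting on repeated failures rather than relying on one control.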

Common Authentication Mechanisms