# Authentication

### **What is Authentication?**

Authentication is the process of verifying the identity of a user or client, ensuring they are who they claim to be.

#### **Three Authentication Factors**

1. **Knowledge Factors**:
   * Something you know, such as:
     * A password.
     * The answer to a security question.
2. **Possession Factors**:
   * Something you have, such as:
     * A mobile phone.
     * A hardware security token.
3. **Inherence Factors**:
   * Something you are or do, such as:
     * Biometric data (e.g., fingerprints, facial recognition).
     * Behavioral patterns.

***

### **Authentication vs Authorization**

1. **Authentication**:
   * Verifies a user's identity.
   * Answers: *"Who are you?"*
2. **Authorization**:
   * Verifies if a user has permission to perform specific actions or access certain resources.
   * Answers: *"What are you allowed to do?"*

***

### **How Do Authentication Vulnerabilities Arise?**

1. **Weak Authentication Mechanisms**:
   * Insufficient protection against brute-force attacks.
   * Inadequate validation of session tokens or credentials.
2. **Logic Flaws**:
   * Poorly designed workflows allow attackers to bypass authentication or force unexpected behavior.
3. **Coding Issues**:
   * Vulnerabilities such as broken authentication mechanisms arise due to improper implementation.

***

### **Impact of Vulnerable Authentication**

* **Account Compromise**:
  * An attacker can access all the data and functionality available to the compromised account.
* **Privilege Escalation**:
  * Compromising a high-privileged account (e.g., admin) could lead to full control of the application or even access to internal infrastructure.
* **Sensitive Data Exposure**:
  * Even low-privileged accounts might provide access to commercially sensitive information or additional attack surfaces.

***

### **Vulnerabilities in Password-Based Authentication**

#### **1. Brute-Force Attacks**

Attackers repeatedly guess usernames and passwords to gain access.

**Indicators of Vulnerability**

* **Username Enumeration**:
  * Different website behaviors reveal whether a username exists.
    * **Status Codes**: Different HTTP status codes for valid vs. invalid usernames.
    * **Error Messages**: Distinct error messages for incorrect username vs. incorrect password.
    * **Response Times**: Slight delays when verifying a valid username.
* **Flawed Brute-Force Protection**:
  * Weak account lockout policies (e.g., allowing DoS attacks via lockouts).
  * Rate limiting based solely on IP addresses, which can be bypassed with headers like `X-Forwarded-For`.

#### **2. Password Reset Mechanisms**

* **Email-Based Password Reset**:
  * If emails are not secured, attackers can intercept or manipulate reset links.
* **Resetting via URL**:
  * Attackers might modify hidden fields in requests to target other users or brute-force tokens.

***

### **Vulnerabilities in Multi-Factor Authentication (MFA)**

#### **1. Bypassing Two-Factor Authentication**

* **Improper Flow Handling**:
  * Users might effectively be logged in after completing only the first authentication step (e.g., entering a password) without verifying the second step.
  * Test if protected pages can be accessed directly (forced browsing).
* **Flawed Two-Factor Logic**:
  * Verify if the second step properly validates the same user from the first step.
    * Example: An attacker changes the `account` cookie in the second step to impersonate another user.

#### **2. Brute-Forcing OTPs**

* **No Rate Limiting**:
  * Test if OTPs can be brute-forced without restrictions.
* **Bypassing IP Blocks**:
  * Use headers like `X-Forwarded-For` to evade IP-based rate limits.
  * Alternate between incorrect and correct credentials to bypass timed blocks.

#### **3. OTP Reusability**

* Check if:
  * The same OTP can be reused multiple times.
  * OTPs remain valid after their expiration time.
  * OTPs generated for one user work for another user.

#### **4. Tokens or OTPs in Responses**

* Analyze if tokens or OTPs are exposed in API responses, allowing interception or reuse.

***

### **Broken Login Logic**

#### **Forced Browsing**

* Test if users can skip authentication steps (e.g., OTP pages) and access protected pages directly.

#### **Response Timing**

* If the server hashes passwords after validating usernames, response times might vary with the username's validity.

***

### **Session and Token Validation**

#### **1. Session Binding**

* Check if tokens are tied to a specific session or user.
* Test if one user's token can be used for another user's session.

#### **2. Token Manipulation**

* Attempt to remove tokens entirely to see if authentication is bypassed.
* Test token reusability by attempting to use the same token multiple times.

***

### **Best Practices to Mitigate Authentication Vulnerabilities**

1. **Secure Password Mechanisms**:
   * Enforce strong password policies and hash passwords with a secure algorithm.
2. **Rate Limiting and Lockout Policies**:
   * Limit login attempts per IP and user account.
3. **Secure MFA**:
   * Validate that all steps in the authentication flow are tied to the same user session.
4. **Generic Error Messages**:
   * Use consistent, generic error messages to prevent enumeration.
5. **Secure Tokens**:
   * Tie tokens to specific sessions and ensure they are not exposed in API responses.
6. **Implement Role-Based Access Control (RBAC)**:
   * Limit account access based on the principle of least privilege.