Overview
Weak login procedures can allow unauthorized users to access the app. Broken authentication occurs when attackers are able to compromise a user's identity, typically through weak or flawed authentication mechanisms: poorly implemented login processes, weak password policies, session management flaws, or a lack of multi-factor authentication (MFA). Attackers exploit broken authentication to impersonate users, potentially gaining access to sensitive data or administrative controls. In mobile security, for example, compromised authentication credentials may in turn lead to insecure data storage on devices.
Risk factors
Weak or broken authentication can arise in these conditions:
- Allowing users to create weak or easily guessable passwords.
- Allowing automated scripts to try common passwords or previously leaked credentials (credential stuffing) without any limit.
- Not requiring multi-factor authentication, which makes it easier for attackers to compromise user accounts.
- Session IDs that are easily guessed, reused, or not properly invalidated when users log out.
- Storing passwords in plaintext or using weak hashing algorithms.
- Implementing insecure biometric authentication.
Consequences
If an attacker successfully exploits broken authentication, the following could happen:
- Unauthorized access: Attackers can impersonate users and gain access to their accounts.
- Account takeover: Once authenticated, attackers can change account details, lock out the original user, or perform transactions on their behalf.
- Data theft: Attackers can access sensitive user data such as personal information, financial data, or private messages.
- Reputation damage: Data breaches or account takeovers resulting from broken authentication can significantly damage user trust and the app provider’s reputation.
Solutions and best practices
To mitigate the risks associated with weak and broken authentication, organizations should implement the following security measures:
- Strong password policies: Enforce strong passwords (e.g., a combination of letters, numbers, and symbols) and prevent the use of common or previously leaked passwords.
- Multi-factor authentication (MFA): Implement MFA, especially for sensitive transactions or administrative functions.
- Session management: Ensure that session IDs are unique, hard to guess, and properly invalidated after logout or inactivity.
- Secure password storage: Store passwords using strong hashing algorithms like bcrypt, PBKDF2, or Argon2.
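The password policy, secure password storage and session management practices above, shown together in an added example that is not part of the original page. It uses only the Python standard library (PBKDF2-HMAC-SHA256, as the page names PBKDF2); the iteration count, the 15-minute idle timeout and the small common-password denylist are assumed values standing in for an organization's real policy and breached-password corpus.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256
SESSION_IDLE_SECONDS = 900  # assumed policy: invalidate after 15 minutes idle
# Constructed denylist standing in for a real breached/common-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

def password_is_acceptable(password):
    # Policy check: minimum length and not on the common/leaked list.
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS

def hash_password(password):
    # Store salt, iteration count and digest, never the plaintext password.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    # Recompute with the stored salt/iterations; compare in constant time.
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

class SessionStore:
    # Unguessable session IDs, idle timeout, explicit invalidation on logout.
    def __init__(self):
        self._sessions = {}  # session_id -> (user, last_seen)

    def create(self, user, now):
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[session_id] = (user, now)
        return session_id

    def user_for(self, session_id, now):
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > SESSION_IDLE_SECONDS:
            self._sessions.pop(session_id)  # expired: invalidate rather than reuse
            return None
        self._sessions[session_id] = (user, now)  # refresh the activity timestamp
        return user

    def logout(self, session_id):
        self._sessions.pop(session_id, None)
```

Passing `now` explicitly keeps the timeout logic testable; a real deployment would pass `time.time()` and keep the session table in server-side storage.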
