Authentication Failures
Authentication Failures occur when applications fail to properly verify user identities or manage sessions securely. These vulnerabilities allow attackers to compromise passwords, session tokens, or exploit implementation flaws to assume other users' identities, often leading to complete account takeover.
What Are Authentication Failures?
Authentication Failures (formerly known as "Broken Authentication" in OWASP 2017) represent a class of vulnerabilities where an application's authentication or session management functions are implemented incorrectly. This allows attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users' identities temporarily or permanently. When authentication mechanisms are weak or improperly configured, they become the primary target for attackers seeking unauthorized access.
These vulnerabilities arise from several root causes: weak password policies that allow easily guessable credentials, missing or ineffective multi-factor authentication, session management flaws such as predictable session IDs or missing session expiration, credential stuffing attacks enabled by lack of rate limiting, and insecure password storage using weak hashing algorithms or plain text. The attack surface extends beyond just login forms to include session cookies, API tokens, password reset mechanisms, and "remember me" functionality.
Authentication Failures are ranked as A07 in the OWASP Top 10 2021 edition, reflecting their critical role in application security. Despite widespread awareness of authentication best practices, these vulnerabilities remain prevalent due to the complexity of implementing secure authentication systems and the constant evolution of attack techniques. According to the Verizon Data Breach Investigations Report, over 80% of hacking-related breaches involve compromised credentials, making authentication security one of the most critical defensive priorities.
How It Works
The attacker performs reconnaissance to identify potential authentication weaknesses. This includes testing for missing rate limiting, checking password complexity requirements, analyzing session token patterns, and identifying whether multi-factor authentication is enforced. Automated tools can quickly probe login endpoints to detect these vulnerabilities.
With weak or absent rate limiting, attackers can attempt thousands of login combinations. Credential stuffing uses leaked credentials from other breaches, exploiting password reuse. Brute force attacks systematically try common passwords or dictionary words. Default credentials (admin/admin) are also frequently tested against administrative interfaces.
Once authenticated (or sometimes before), attackers exploit session weaknesses. This includes session fixation (forcing a known session ID), stealing predictable session tokens, hijacking sessions due to missing HTTP-only or Secure flags on cookies, or exploiting sessions that never expire. XSS vulnerabilities can also be used to steal session tokens.
Through compromised credentials or session tokens, the attacker successfully authenticates as the victim user. The application cannot distinguish between the legitimate user and the attacker. The attacker now has access to all data and functionality available to that user account, including personal information, financial data, or administrative controls.
Once inside, attackers often attempt privilege escalation to gain administrative access. They may create backdoor accounts, modify password reset mechanisms, or exfiltrate data. Persistent access is maintained by creating additional authentication tokens, modifying account recovery options, or installing malware that captures future credentials.
Vulnerable Code Example
@RestController
public class AuthController {
@Autowired
private UserRepository userRepository;
@PostMapping("/login")
public ResponseEntity<?> login(@RequestBody LoginRequest req,
HttpSession session) {
// VULNERABLE: No rate limiting - allows brute force attacks
// VULNERABLE: Plain text password comparison
User user = userRepository.findByUsername(req.getUsername());
if (user == null || !user.getPassword().equals(req.getPassword())) {
return ResponseEntity.status(401).body("Invalid credentials");
}
// VULNERABLE: Predictable session management
// Session ID might be sequential or easily guessable
session.setAttribute("userId", user.getId());
session.setAttribute("username", user.getUsername());
// VULNERABLE: No session timeout configured
// VULNERABLE: No secure cookie flags (HTTPOnly, Secure)
return ResponseEntity.ok(Map.of(
"message", "Login successful",
"sessionId", session.getId() // Exposing session ID
));
}
}
// Issues:
// 1. No rate limiting - unlimited login attempts
// 2. Plain text password storage and comparison
// 3. Predictable session tokens
// 4. Missing session expiration
// 5. Session ID exposed in response
// 6. No account lockout mechanism
// 7. No multi-factor authenticationSecure Code Example
@RestController
public class AuthController {
@Autowired
private UserRepository userRepository;
@Autowired
private BCryptPasswordEncoder passwordEncoder;
@Autowired
private RateLimiter rateLimiter;
@PostMapping("/login")
public ResponseEntity<?> login(@RequestBody LoginRequest req,
HttpServletRequest request,
HttpSession session) {
String clientIp = request.getRemoteAddr();
// SECURE: Rate limiting prevents brute force attacks
if (rateLimiter.isBlocked(clientIp)) {
return ResponseEntity.status(429)
.body("Too many login attempts. Try again later.");
}
User user = userRepository.findByUsername(req.getUsername());
// SECURE: BCrypt password hashing with constant-time comparison
if (user == null ||
!passwordEncoder.matches(req.getPassword(), user.getPasswordHash())) {
rateLimiter.recordFailedAttempt(clientIp);
// SECURE: Account lockout after N failed attempts
if (user != null) {
user.incrementFailedAttempts();
if (user.getFailedAttempts() >= 5) {
user.setLocked(true);
}
userRepository.save(user);
}
return ResponseEntity.status(401).body("Invalid credentials");
}
// SECURE: Check if account is locked
if (user.isLocked()) {
return ResponseEntity.status(403)
.body("Account locked. Contact support.");
}
// Reset failed attempts on successful login
user.setFailedAttempts(0);
userRepository.save(user);
// SECURE: Regenerate session ID to prevent fixation
session.invalidate();
session = request.getSession(true);
session.setAttribute("userId", user.getId());
session.setAttribute("username", user.getUsername());
// SECURE: Session timeout configured (in web.xml or config)
session.setMaxInactiveInterval(1800); // 30 minutes
return ResponseEntity.ok(Map.of(
"message", "Login successful",
"requiresMfa", user.isMfaEnabled()
));
}
}
// Additional security configurations:
// - HTTPOnly and Secure flags on session cookies
// - CSRF protection enabled
// - Strong password policy enforced
// - Multi-factor authentication supported
// - Audit logging for all authentication eventsTypes of Authentication Failures
Credential-Based Attacks
These attacks directly target user credentials through various methods. Brute force attacks systematically attempt all possible password combinations, while credential stuffing leverages credentials leaked from other breaches, exploiting users who reuse passwords across services. Default credentials attacks target systems where administrators fail to change factory-set usernames and passwords (admin/admin, root/root). Without rate limiting and strong password policies, these attacks can succeed within minutes.
Session Management Flaws
Vulnerabilities in how applications create, manage, and destroy user sessions. Session fixation allows attackers to force a known session ID onto a victim's browser before they log in, then hijack the session after authentication. Missing session expiration means sessions remain valid indefinitely, allowing stolen tokens to be used long after. Predictable session tokens with sequential or easily guessable patterns can be brute-forced. Missing HTTPOnly and Secure cookie flags expose sessions to XSS and man-in-the-middle attacks.
Multi-Factor Authentication Bypass
Weaknesses in second-factor authentication mechanisms that should provide additional security beyond passwords. Missing MFA enforcement allows users to opt-out or skip MFA setup entirely. Weak MFA implementation includes SMS-based codes vulnerable to SIM swapping attacks, backup codes stored insecurely, or MFA that can be bypassed by direct URL manipulation. SIM swapping attacks convince mobile carriers to transfer a victim's phone number to an attacker's device, intercepting SMS-based authentication codes. Time-based one-time passwords (TOTP) and hardware security keys provide stronger alternatives to SMS.
Impact
Successful exploitation of authentication failures can result in complete compromise of user accounts and, in cases involving administrative credentials, entire systems. The consequences extend far beyond technical security to include legal, financial, and reputational damage.
Attackers gain complete control over victim accounts, accessing personal information, financial data, and communication history. They can impersonate the victim to commit fraud, send phishing messages to contacts, or make unauthorized transactions. In cases involving privileged accounts, attackers can create backdoors, elevate permissions, and maintain persistent access.
Compromised authentication provides attackers access to confidential business information, customer data, intellectual property, and trade secrets. This data can be exfiltrated for sale on dark web markets, used for competitive advantage, or held for ransom. Healthcare and financial institutions face particularly severe consequences due to the sensitivity of protected health information (PHI) and financial records.
When attackers compromise authentication systems, they often gain access to password databases. Weakly hashed or plain text passwords can be cracked and used for further attacks against other services. Breached credentials are frequently sold or published, enabling widespread credential stuffing campaigns that affect millions of users across multiple platforms.
Organizations that fail to implement adequate authentication controls face severe regulatory consequences. GDPR, PCI DSS, HIPAA, and other frameworks mandate specific authentication and access control measures. Non-compliance can result in fines reaching millions of dollars, legal action from affected users, and mandatory breach notifications that damage customer trust and brand reputation.
Prevention Checklist
Require MFA for all users, especially for administrative and privileged accounts. Use time-based one-time passwords (TOTP) or hardware security keys rather than SMS-based codes when possible. Enforce MFA at the application level and provide users with backup recovery codes stored securely. MFA significantly reduces the risk of account takeover even when passwords are compromised.
Require passwords with minimum length (at least 12 characters), complexity requirements (mix of uppercase, lowercase, numbers, symbols), and prevent common passwords using a dictionary check. Implement password strength meters to guide users. Check passwords against breach databases like Have I Been Pwned to prevent use of compromised credentials. Require password changes after suspected compromise, but avoid forced periodic changes which encourage weak patterns.
Never store passwords in plain text or using weak hashing algorithms like MD5 or SHA1. Use bcrypt, Argon2, scrypt, or PBKDF2 with appropriate work factors that balance security and performance. These algorithms are designed to be computationally expensive, making brute force attacks on stolen password hashes infeasible. Always use unique salts per password and never implement custom cryptography.
Limit login attempts per IP address and per username to prevent brute force and credential stuffing attacks. Implement progressive delays or CAPTCHA challenges after failed attempts. Lock accounts temporarily after a threshold of failed login attempts (typically 5-10), with unlock mechanisms that verify user identity. Monitor for distributed attacks that rotate IP addresses and implement behavioral analysis to detect anomalous login patterns.
Generate cryptographically random session tokens with sufficient entropy. Regenerate session IDs after login to prevent session fixation. Set appropriate session timeouts (15-30 minutes for sensitive applications). Use HTTPOnly and Secure flags on session cookies to prevent XSS and man-in-the-middle attacks. Implement SameSite cookie attribute to mitigate CSRF risks. Invalidate sessions on logout and provide users with visibility into active sessions with the ability to revoke them.
Log all authentication events including successful logins, failed attempts, password changes, MFA enrollment, and session creation/destruction. Monitor logs for suspicious patterns such as login attempts from unusual locations, multiple failed attempts, or access to multiple accounts from the same IP. Alert users to suspicious activity through email or push notifications. Implement Security Information and Event Management (SIEM) solutions to correlate authentication events with other security data for comprehensive threat detection.
Real-World Examples
Uber Data Breach
Attackers compromised credentials for Uber's GitHub account, accessing source code repositories containing AWS credentials. This led to unauthorized access to Uber's Amazon S3 storage, exposing personal information of 57 million riders and drivers. Uber initially attempted to conceal the breach and paid hackers $100,000 to delete the stolen data, resulting in a $148 million settlement and highlighting the importance of secure credential management.
Equifax Credential Misuse
While the initial Equifax breach exploited an Apache Struts vulnerability, investigators discovered that attackers gained access to additional systems using weak default credentials on internal portals and administrative interfaces. Multiple servers used credentials like "admin/admin", enabling lateral movement across Equifax's network. The breach exposed data of 147 million people and resulted in a $700 million settlement, demonstrating cascading failures from poor authentication practices.
Colonial Pipeline Ransomware
The Colonial Pipeline ransomware attack, which disrupted fuel supplies across the U.S. East Coast, began with a compromised VPN password. The attackers used a single leaked password (found in a batch of leaked credentials) to access the company's VPN system, which lacked multi-factor authentication. This single authentication failure led to a $4.4 million ransom payment and triggered a federal emergency declaration, demonstrating how weak authentication can have critical infrastructure implications.
Okta Compromise
The Lapsus$ hacking group compromised an Okta customer support engineer's account, gaining access to internal tools and customer data. The breach affected multiple Okta customers and demonstrated vulnerabilities in third-party authentication providers. While Okta is an identity and authentication service itself, the incident showed that even security-focused companies can suffer authentication failures. The compromise affected approximately 366 customers and damaged trust in identity-as-a-service providers.
Ready to Test Your Knowledge?
Put what you have learned into practice. Try identifying and fixing Authentication Failures in our interactive coding challenges, or explore more security guides to deepen your understanding.