Authentication and Its Types in Cybersecurity

What is Authentication?

Authentication is the process of confirming a user's or system's identity before granting access to resources or services. By confirming identity, authentication helps prevent fraud, data breaches, unauthorized access and other security risks.

Image Shows What is Authentication


The following are some common authentication mechanisms:

  1. BASIC AUTHENTICATION
  2. FORM-BASED AUTHENTICATION
  3. MULTI-FACTOR AUTHENTICATION
  4. TOKEN-BASED AUTHENTICATION
  5. SINGLE-SIGN-ON AUTHENTICATION

BASIC AUTHENTICATION AND FORM-BASED AUTHENTICATION

These are two distinct web application authentication methods.

Basic authentication involves users entering their username and password, which are then base64 encoded and sent in the HTTP Authorization header of the request.

For example, a user can access a site by entering credentials, such as a username (test) and a password (Password@123), into a login form. Cookies are not used in basic authentication.

Image Shows The process of confirming a user's or system's identity prior to allowing access to resources or services is known as authentication


In contrast, form-based authentication involves the user sending the server their username and password, typically via an HTML form submitted with an HTTP GET or POST request. The server then compares the submitted credentials with the credentials stored in its database. When they match, the server starts a session that is tied to a session identifier.
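The following is an added example (not code from the article) that shows the server side of the basic authentication flow described above: the Authorization header is parsed, the base64 blob is decoded (it is encoding, not encryption, which is why the header needs TLS), and the password is checked against a stored salted hash rather than a plaintext copy. The user store and the salt are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Constructed credential store for the article's demo user: the server keeps only a
# salted PBKDF2 hash of the password, never the plaintext.
_SALT = os.urandom(16)
_ITER = 100_000
USERS = {"test": (_SALT, hashlib.pbkdf2_hmac("sha256", b"Password@123", _SALT, _ITER))}

def make_basic_header(user: str, password: str) -> str:
    """Build the header value a client sends: base64 is reversible, not secret."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_header(header: str):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None if malformed."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):          # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")          # split on the FIRST colon only,
    if not sep:                                       # since passwords may contain ':'
        return None
    return user, password

def verify_basic(header: str) -> bool:
    """Server-side check of the decoded credentials against the stored hash."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    record = USERS.get(user)
    if record is None:
        # Hash anyway so an unknown username costs the same time as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison
```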

Attacks on basic and form-based authentication:

  1. MITM ATTACK: A man-in-the-middle (MITM) attack occurs when a third party intercepts a communication between two parties, usually with the intent to steal passwords or personal data. The attacker positions themselves between the two parties and actively listens to the live connection or conversation.
  2. BRUTE FORCE ATTACK: By methodically trying many username and password combinations, attackers can guess legitimate credentials. Because brute force attacks can try thousands upon thousands of combinations, they are very dangerous: once the right combination is found, the attacker can quickly infiltrate the network.
  3. DICTIONARY ATTACK: Dictionary attacks attempt to access the server using a list of popular passwords or passwords that have already been leaked. Attackers can automate this procedure with freely available password cracking tools such as Hydra and John the Ripper.


MITIGATION POINTS:

  1. Use Strong Passwords: Urge users to create strong, unique passwords that are difficult to guess and do not appear in dictionaries. Educate users on password best practices and enforce password complexity rules:
  • Use both capital and lowercase letters.
  • Add special characters such as @, # and $.
  • Prohibit words from a password blacklist.
  • Add one or more numbers.
  2. Account lockout: Put in place safeguards that limit the number of unsuccessful authentication attempts within a given period of time. Locking the account after a few failed attempts stops the brute-force method.
  3. Multi-Factor Authentication (MFA): Use multi-factor authentication, which requires users to supply an extra authentication factor, such as a one-time code, to add an extra layer of protection.
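An added example (not from the article) of the account lockout mitigation from point 2: failed attempts per username are counted inside a sliding window, the account is locked for a fixed period once the limit is reached, and a locked account is rejected before the password is even checked, so brute force and dictionary attacks stop making progress. The thresholds and the FakeClock are constructed for the demonstration.

```python
import time
from collections import defaultdict, deque

class AccountLockout:
    """Lock an account after max_failures failed logins within window seconds."""
    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window        # seconds over which failures are counted
        self.lockout = lockout      # seconds the account stays locked
        self.clock = clock          # injectable so the behaviour can be exercised offline
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}               # user -> time at which the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:             # lock has expired: clear it and start fresh
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user):
        """Register a failed attempt; returns True if this attempt triggers a lock."""
        now = self.clock()
        recent = self._failures[user]
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user):
        self._failures[user].clear()

def attempt_login(throttle, user, password_ok):
    """Gate the password result with the lockout state; returns 'ok', 'denied' or 'locked'."""
    if throttle.is_locked(user):
        return "locked"       # rejected before the password is checked at all
    if password_ok:
        throttle.record_success(user)
        return "ok"
    return "locked" if throttle.record_failure(user) else "denied"

class FakeClock:          # constructed clock so the demonstration runs deterministically
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now
```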

MFA (MULTI-FACTOR AUTHENTICATION):

In MFA, the user must supply two different authentication factors to confirm their identity. Usually this combines something the user knows, such as a password, with a verification code sent to their mobile device or generated by an app.

Image Shows Two-Factor Authentication


ATTACKS AND BYPASS METHODS OF MFA

There are several methods used to bypass MFA:

1. Response/Status code manipulation:

If the response contains Success:false, changing the value to Success:true can bypass the 2FA.

If a status code such as 403 Forbidden or 401 Unauthorized can be changed to 200 OK, the MFA check can be bypassed.

2. Brute forcing the 2FA:

By methodically trying combinations until the correct code is found, an unauthorized user can brute force the 2FA code.

3. OTP leak in response:

Examine the OTP page's request and response to determine whether the OTP is leaked in the response.

MITIGATION OF MFA:

  1. Authenticator apps: Use an authenticator app to obtain the OTP or backup codes.
  2. Backup codes: Generate secure backup codes for account recovery.
  3. Biometric 2FA: Use biometrics, such as facial recognition and fingerprints.
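An added example (not from the article) that ties the three MFA bypass methods above to their server-side fixes: the one-time code is a standard TOTP (RFC 6238, as used by authenticator apps), the "second factor passed" state lives in the server-side session so a client-edited Success:true or 200 response changes nothing, the response to the client carries only a flag and never the expected OTP, and a small attempt budget blocks brute forcing of the 6-digit code. The shared secret, session object and attempt limit are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    return hotp(secret, int(at // step))

class MfaSession:
    """Server-side login state: the second factor is recorded here, never trusted from the client."""
    MAX_OTP_ATTEMPTS = 5       # caps brute forcing of the 6-digit code

    def __init__(self, secret: bytes):
        self.secret = secret
        self.password_ok = False   # set by the first factor (password) step
        self.mfa_ok = False        # set only by a successful verify_otp()
        self.otp_attempts = 0

    def verify_otp(self, submitted: str, now=None, window: int = 1) -> bool:
        if not self.password_ok or self.mfa_ok or self.otp_attempts >= self.MAX_OTP_ATTEMPTS:
            return False
        self.otp_attempts += 1
        now = time.time() if now is None else now
        counter = int(now // 30)
        # Accept one step of clock drift either side, comparing in constant time.
        for c in range(counter - window, counter + window + 1):
            if hmac.compare_digest(hotp(self.secret, c).encode(), submitted.encode()):
                self.mfa_ok = True
                return True
        return False

    def response(self) -> dict:
        """What the client is told: a flag only, never the expected OTP."""
        return {"success": self.password_ok and self.mfa_ok}

def access_protected(session: MfaSession, _client_claims: dict) -> bool:
    """Authorization consults the server-side session; anything the client claims is ignored."""
    return session.password_ok and session.mfa_ok
```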

TOKEN-BASED AUTHENTICATION

For known users, token-based authentication streamlines the authentication procedure. This kind of authentication uses tokens to confirm a user's identity. A token is a small piece of data that represents the user's identity.

Instead of having to enter their credentials again, users can use the issued token to access the website or application for as long as it is valid.

Example: The user first submits a request with their username and password to the application server. The server validates them against the values stored in its credentials database. If the credentials match, the server replies with an authentication token, which is also saved in the database.

Image Shows TOKEN-BASED AUTHENTICATION



ATTACKS ON TOKEN-BASED AUTHENTICATION

  1. REPLAY ATTACK: The attacker reuses a captured legitimate token to gain unauthorized access to a system or resource. Token-based authentication systems rely on tokens, which are usually temporary, to verify a user's or an entity's identity.
  2. TOKEN-BASED MITM ATTACKS: The attacker intercepts communications between a client and a server in order to capture the authentication tokens. Tokens, which are often short-lived and serve as proof of authentication, can be exposed while in transit.

MITIGATION OF TOKEN AUTHENTICATION

  1. TOKEN ENCRYPTION: Ensure tokens are transmitted and stored in encrypted form to prevent interception or unauthorized access.
  2. TOKEN EXPIRY: Give tokens a short lifetime, or add a mechanism that automatically renews them after a short period of time.
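An added example (not from the article) of the token expiry mitigation and its effect on replay: tokens are signed with a server-only key so they cannot be forged or altered, carry an expiry so a captured token is only useful for a short window, and optionally carry a unique id that the server marks as consumed so a single-use token cannot be replayed at all. The signing key, token layout and TTL are constructed for the demonstration; the signed `payload.signature` form is a simplified stand-in for a real token format.

```python
import base64
import hashlib
import hmac
import json
import os
import time

SERVER_KEY = os.urandom(32)   # constructed signing key; lives only on the server
_consumed = set()             # jti values of single-use tokens already redeemed

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: str) -> str:
    return _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())

def issue_token(user: str, ttl: int = 300, now=None) -> str:
    """Return 'payload.signature' carrying the subject, an expiry time and a unique id."""
    now = time.time() if now is None else now
    body = {"sub": user, "exp": int(now + ttl), "jti": os.urandom(8).hex()}
    payload = _b64(json.dumps(body, separators=(",", ":")).encode())
    return f"{payload}.{_sign(payload)}"

def verify_token(token: str, now=None, single_use: bool = False):
    """Return the subject if the token is authentic, unexpired and (if single_use) unused; else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(payload)):
            return None                                  # forged or tampered
        body = json.loads(_unb64(payload))
        exp, jti, sub = body["exp"], body["jti"], body["sub"]
    except (ValueError, KeyError, TypeError):
        return None                                      # malformed token
    if now >= exp:
        return None                                      # expired: short TTL bounds the replay window
    if single_use:
        if jti in _consumed:
            return None                                  # replay of an already redeemed token
        _consumed.add(jti)
    return sub
```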

Single sign-on authentication

Single sign-on authentication lets users authenticate securely to numerous applications and websites with a single set of credentials, so they are not required to re-enter their credentials every time they visit a site.

For example, you can access Google apps automatically after logging into your Google account. Google programs include Drive, Gmail, Docs, and more.

Image Shows Single sign-on authentication


Some of the SSO (single sign-on authentication) benefits include the following:

  1. Users log on only once and gain access to all related applications.
  2. Users only need to enter their login information once, and their login credentials are saved.
  3. Since user credentials are not stored in each website's database, the risk associated with third-party websites is reduced.
  4. It also helps a company lower costs and manage client identities and passwords centrally.
