In Depth: Five Ways to Fail at Authentication

[In Depth #32] Let's explore 5 different "Authentication Fails" that I've come across, as a reminder for why it's so important to get authentication right.

Let's talk about authentication, which means the act of verifying who the user is! This is not to be confused with authorisation, the act of verifying what the user is allowed to do (even if they have annoyingly similar names), but rather relates specifically to the user's identity in some way. It is critical to the security of your applications that you get authentication right - otherwise some hacker will show up and break into your users' accounts.

I come across a lot of different authentication failures in my security audits, which isn't surprising given the number of moving parts in a typical authentication flow - even with Laravel's authentication starter kits like Breeze and Jetstream.

So today I want to take you on a bit of a tour of my Top 5 "Authentication Fails", so you can learn from others' mistakes, and ensure your apps don't have the same weaknesses.

Note, all names and details have been carefully changed to protect the guilty.

🙃
I seem to start a lot of my emails with something along the lines of "during my security audits", and this one is no different...

As a side note, Q1 is almost fully-booked, and Q2 is starting to fill up, so book in your Laravel Security Audit and Penetration Test now! 😉

What Makes Secure Authentication?

Before we dive into my examples, let's start by outlining what actually makes a secure authentication flow. This will give us a checklist to review each example against, so we can identify the specific weakness in each one.

A secure authentication flow requires: