OWASP Tip: A07:2021 – Identification and Authentication Failures

Don't get confused with authorisation, we're talking authENTICation this week.

Greetings my friends! We’re counting down to the end of our OWASP Top 10 series, only 4 more to go! 😲 I hope you’ve been learning as much about the OWASP Top 10 as I have, writing these for all of you. This week we’re looking at A07:2021 – Identification and Authentication Failures, which I believe will be well served through a checklist, like we did with A02:2021 – Cryptographic Failures.

Before we get to the checklist, I’m excited to announce that I’m building a self-paced interactive Laravel Security course! It’s called Practical Laravel Security, and you can find more details here: practicallaravelsecurity.com. [1]

Given what’s happening on Twitter right now, if you’re looking to find me in other places on the internet, you can find me on Mastodon as @valorin@infosec.exchange, or on LinkedIn, if that’s your thing [2]. (I’ll still be on Twitter as @valorin, if you’re sticking around.)

👉 If you’ve been thinking about a Laravel Security Audit, I currently have one slot left in December (but you’ll need to hurry!). Next April/May is filling up quickly, so reach out to lock in a time now! 🕵️


A07:2021 – Identification and Authentication Failures

The seventh risk in the OWASP Top 10 is A07:2021 – Identification and Authentication Failures, which was previously known as Broken Authentication and sat in the second position. It’s awesome to see it’s dropped down the list, but it’s still incredibly important, hence why it didn’t drop off completely.

One of the huge benefits of using a framework like Laravel is that it comes with multiple strong authentication scaffolding options. This makes it trivial for developers of all skill levels to build apps with robust authentication. As a result, you’ll notice our checklist for how to avoid authentication failures seems familiar…

Avoiding Authentication Failures Checklist

  1. Securely hash passwords.
    Passwords should always be hashed using a modern algorithm (such as Bcrypt or Argon2), to prevent them being exposed in data breaches, or to rogue employees.
    Laravel provides this out-of-the-box. 😁
  2. Use secure password reset features.
    Use tools like Signed URLs and Magic Emails to keep your password reset features secure. Don’t rely on secret questions/answers to authenticate password resets!
    Laravel provides this out-of-the-box. 😁
  3. Enable rate limiting.
    Rate limiting is essential for preventing brute-force and credential stuffing attacks. If an attacker can only send a small number of requests, they will be significantly limited in how many accounts they can test and compromise.
    Laravel provides this out-of-the-box. 😁
  4. Block compromised (pwned) passwords.
    Preventing users from using known compromised (pwned) passwords significantly lowers the risk of a credential stuffing attack being successful and compromising user accounts. Laravel provides an easy validation rule to do this, but be careful with non-technical users!
  5. Implement Multi-Factor Authentication (MFA).
    MFA is a fantastic way to stop automated attacks against user accounts and prevent weak passwords from being used to compromise accounts.

  6. Invalidate Tokens on login.
    If your app uses Tokens for session authentication, ensure you invalidate old tokens to prevent them being exposed and reused.
  7. Be careful of Impersonate features.
    Always rely on trusted packages for impersonation features, or if you build your own, have someone review the code carefully. A vulnerable impersonation feature can potentially expose admin level access.
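
What a pwned-password check (the "Block compromised (pwned) passwords" item above) does under the hood, as an added plain-PHP example that is not from the original newsletter or from Laravel's code: a k-anonymity range lookup in which only the first five characters of the password's SHA-1 leave your server. The function names, the `$threshold` parameter and the offline `fetchRange()` stand-in with its sample reply are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Split the uppercase SHA-1 of a password into the 5-character prefix that is
// sent to the range service and the 35-character suffix that stays local.
function splitHash(string $password): array
{
    $hash = strtoupper(sha1($password));
    return [substr($hash, 0, 5), substr($hash, 5)];
}

// Stand-in for the HTTP call (assumption: offline, constructed data only).
// A real client would request the range for $prefix and return the body.
function fetchRange(string $prefix): string
{
    [$knownPrefix, $knownSuffix] = splitHash('password');
    $lines = [str_repeat('0', 35) . ':2', str_repeat('F', 35) . ':7'];
    if ($prefix === $knownPrefix) {
        $lines[] = $knownSuffix . ':1234'; // made-up count, not real breach data
    }
    return implode("\r\n", $lines);
}

// Find the local suffix in a reply of "SUFFIX:COUNT" lines. Malformed lines
// are skipped, and 0 means the suffix was not listed.
function breachCount(string $suffix, string $rangeBody): int
{
    foreach (preg_split('/\r?\n/', trim($rangeBody)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) !== 2 || !ctype_digit($parts[1])) {
            continue;
        }
        if (hash_equals($suffix, strtoupper($parts[0]))) {
            return (int) $parts[1];
        }
    }
    return 0;
}

// Hypothetical policy helper: reject once the count exceeds $threshold.
function isCompromised(string $password, int $threshold = 0): bool
{
    [$prefix, $suffix] = splitHash($password);
    return breachCount($suffix, fetchRange($prefix)) > $threshold;
}

foreach (['password', 'maple-Quartz-91-lantern'] as $candidate) {
    echo $candidate . ': ' . (isCompromised($candidate) ? 'reject' : 'accept') . "\n";
}
```

In a Laravel app, the built-in `Password::min(8)->uncompromised()` validation rule performs this kind of lookup for you.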

That’s it! Easy, right? Ha!

Ok, so a lot of that stuff Laravel can take care of for us. Even if you’re building your own authentication system, the Laravel scaffolding code is an excellent place to learn how to securely implement these features. So check it out.

  1. One of my aims for Practical Laravel Security is to keep it very different from LSID. We’ll continue to do our deep dives into specific topics here, look at recent attacks, security updates, and Laravel changes on LSID, while Practical Laravel Security will be a structured program of the common topics you need to learn. I want them to complement each other, so you can learn from both.

    I'll share brief updates on my progress in my weekly LSID emails, and you can subscribe to the mailing list on the website for more details. 🙂 I'm hoping to have the website updated this week too, with all of the main details you need.

  2. I must admit I find LinkedIn hard to use, so if it’s your thing, please send me some pointers!