AD01 Broken Authentication
| Field | Value |
|---|---|
| Context | Someone interacts with a cloud application |
| Problem | The cloud application has no authentication, or its authentication is broken (weak) |
| Solution | Apply access-token authentication; apply password-based authentication; apply certificate-based authentication; ensure no default passwords are in use; keep credentials secure and never place them in source code; apply a credential-rotation policy; apply a strong-password policy; apply weak-password checks; apply a delay after failed password attempts; block a host after repeated failed password attempts; apply multi-factor authentication; apply mutual authentication; apply social-identity authentication; apply Single Sign-On |
| References | Broken Authentication [OWASP10]; Insufficient Identity, Credential, Access and Key Management [CSA10]; Multi-Factor Authentication, Federation (Single Sign-On), Access Token, Mutual Authentication [Rath] |
| Type | ns:type_ThreatPattern |
| Victim | su:comp_CloudApplication |
| Aggressor | su:comp_CloudApplication; su:comp_ExternalService; su:comp_RemoteUser |
| Aggressor role | ns:role_Client |
| STRIDE | ns:STRIDE_Spoofing |
| Threat | ns:threat_txAbuseOfWeakAlgorithm; ns:threat_txPasswordAttacks; ns:threat_txUseOfDefaultCredentials |