
Identification, Authentication and Kenny Loggins and Logouts: What I’ve Learned On My Journey Into Application Security

  • Writer: Jen C
  • Oct 6
  • 3 min read


“Previously known as Broken Authentication, this category slid down from the second position and now includes Common Weakness Enumerations (CWEs) related to identification failures.” (OWASP)


Kenny Loggins is a famous singer and songwriter spanning multiple decades. If you’re not familiar with his work, just think of Footloose, Caddyshack, or Top Gun, just to name a few. I celebrate his entire collection.


Let’s briefly review the basics of identification and authentication. Identification is how we recognize a user. Authentication is how we verify the user’s identity. Basically, identification: “Who are you?” and authentication: “Are you really who you say you are?”


I was recently gifted an autographed Kenny Loggins guitar for my birthday from my husband. It’s a pretty sweet guitar! But how do I really know it was his guitar? What proof do I have? Well, I have an autograph (username) and a Beckett certificate of authenticity (credentials). Right? Proof enough?




We can identify a user with a name, email address, phone number, or username. But to authenticate, we have to require something that a person knows, has, or is. Something they know: a password or a security question (the weakest of the three, since answers like a mother's maiden name are often discoverable). Something they have: a token, smartcard, ID card, or cryptographic key. Something a person is: biometric data (fingerprints, retinal scans, facial recognition). (Okta) That's some high-tech stuff right there. Who knows, maybe his fingerprints are still on the guitar! Then there's authorization: what you're actually allowed to access once you're authenticated. Don't touch my guitar!


Identification alone is not enough to grant access to a system or service. In most cases, it's best to rely on multi-factor authentication (MFA), which combines two or more independent factors (say, a password plus a hardware token) so that a single stolen credential isn't enough, and hopefully holds off those bad actors! What we don't want are authentication and session management weaknesses.


You might think that I have not gone to school on you, baby like it or not I ain’t nobody’s fool…(Because I follow ‘Zero Trust’ doo da da da doo)


I think when Kenny Loggins was working on the songs for Top Gun, he wrote something about Zero Trust…”Never Trust, Always Verify.” Wasn’t that a soundtrack song? No, it was Danger Zone. Sounded close, didn’t it? (Aaaaand for the record, it was Stephen Paul Marsh in his doctoral thesis on computer security that coined the phrase ‘Zero Trust’). But seriously…How can we enhance our identification and authentication to align more closely with a zero trust model? Consider these questions as you work on improving your current implementation (and these are just a few):


  • Does it permit default, weak, or well-known passwords?

  • Does it use weak or ineffective credential recovery and forgot-password processes?

  • Does it use plain text, encrypted, or weakly-hashed password data stores?

  • Is MFA missing or ineffective?


What can happen? Bad stuff! Credential stuffing, for one. That’s when a bad actor takes a stolen or leaked database of credentials from, oh, say, a recent security breach and replays those username/password pairs against your login page, betting that people reuse the same password across sites. Another is the brute force attack: trying every possible combination to guess a password. It usually works on those short but sweet passwords, and it works best of all when the login page never slows the attacker down.
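Both attacks leave a recognizable shape in the authentication log, and both are blunted by the same server-side control. The following is an added example (not code from the original post): it classifies source IPs in a small constructed log as credential stuffing (one IP failing against many different accounts) or brute force (many failures against one account), and replays the same log through a per-account lockout. The log lines, the IP addresses and the thresholds are all made up for the illustration.

```python
from collections import defaultdict

# Constructed sample authentication log (not real traffic):
# unix timestamp, source IP, username, result.
SAMPLE_LOG = """\
1696600001 203.0.113.7 alice FAIL
1696600002 203.0.113.7 bob FAIL
1696600003 203.0.113.7 carol FAIL
1696600004 203.0.113.7 dave FAIL
1696600005 203.0.113.7 erin FAIL
1696600006 203.0.113.7 frank OK
1696600010 198.51.100.9 kenny FAIL
1696600011 198.51.100.9 kenny FAIL
1696600012 198.51.100.9 kenny FAIL
1696600013 198.51.100.9 kenny FAIL
1696600014 198.51.100.9 kenny FAIL
1696600015 198.51.100.9 kenny FAIL
1696600020 192.0.2.5 jen FAIL
1696600021 192.0.2.5 jen OK
"""


def parse_log(text):
    """Parse the constructed log format into sorted (ts, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((int(ts), ip, user, result == "OK"))
    return sorted(events)


def classify_sources(events, window=60, stuffing_users=5, brute_failures=5):
    """Label every source IP that produced failures.

    'stuffing'    : failures against >= stuffing_users distinct accounts within
                    `window` seconds (a leaked list tried across many users).
    'brute_force' : >= brute_failures failures against a single account in the
                    window (one user, many password guesses).
    'normal'      : anything else. Thresholds are illustrative assumptions.
    """
    failures_by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            failures_by_ip[ip].append((ts, user))
    labels = {}
    for ip, fails in failures_by_ip.items():
        labels[ip] = "normal"
        start = 0
        for end in range(len(fails)):
            # slide the window so it only covers the last `window` seconds
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= stuffing_users:
                labels[ip] = "stuffing"
                break
            if max(per_user.values()) >= brute_failures:
                labels[ip] = "brute_force"
                break
    return labels


def simulate_lockout(events, max_failures=5, lockout=900):
    """Replay the events through a per-account lockout: after max_failures
    consecutive failures the account is locked for `lockout` seconds and every
    attempt in that time is rejected before the password is even checked.
    A success resets the counter. Returns the (ts, user) attempts rejected."""
    consecutive = defaultdict(int)
    locked_until = {}
    rejected = []
    for ts, _ip, user, ok in events:
        if ts < locked_until.get(user, 0):
            rejected.append((ts, user))
            continue
        if ok:
            consecutive.pop(user, None)
            continue
        consecutive[user] += 1
        if consecutive[user] >= max_failures:
            locked_until[user] = ts + lockout
            consecutive.pop(user, None)
    return rejected


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(classify_sources(evts))
    print(simulate_lockout(evts))
```

Two practical notes. A per-account lockout on its own can be turned into a denial of service (an attacker locks a victim out on purpose), so production systems usually pair it with per-IP throttling or increasing delays rather than a hard lock. And the stuffing signature above only catches one IP; real stuffing campaigns spread attempts over many addresses, so the distinct-accounts count is better tracked per subnet or per device fingerprint as well.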


You’re playing so cool obeying every rule…password rule?


Passwords are considered the weakest form of authentication. They are easily guessable, and frankly some of us are lazy with our passwords, like “Loggins123”. Whoops. You might think “L0gg!ns123” is a big improvement, but it barely is: password-cracking tools apply exactly those letter-for-symbol swaps as rules, so a guess built from “loggins” plus a few digits is still just a guess. What makes a password strong is length and unpredictability, which in practice means a long passphrase or a random string from a password manager. A threat actor can also get password information by means of social engineering attacks (phishing, spoofed login pages, spam carrying malicious links). Now you all know that I am a Kenny Loggins fan and I have readily given you a potential password.


What are the strongest forms of authentication? Logging in with your credentials plus a secondary factor such as a one-time passcode (OTP) or a push notification. That’s just one example, and even it has caveats: a phishing page can relay an OTP to the real site in real time, and users bombarded with push prompts eventually tap “approve”, so phishing-resistant factors such as FIDO2/WebAuthn security keys and passkeys sit at the stronger end of the scale. There are many ways we can prevent identification and authentication failures. A simple Google search on the topic will yield many results.
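To make the OTP second factor concrete, here is an added example (not code from the original post) of a time-based one-time passcode as defined in RFC 6238 on top of the HOTP construction from RFC 4226, using only the Python standard library. It includes the two checks the server side must make and that get forgotten most often: accept one time step of clock skew either side, and never accept a time step that has already been consumed, so a code captured by a phishing page cannot be replayed after the user has used it. The shared secret below is the published RFC test vector, not a real key.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"); not a real key.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, now, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second step."""
    return hotp(secret, int(now) // step, digits)


class TotpVerifier:
    """Server-side verifier for one enrolled secret. `skew` is how many steps of
    clock drift are tolerated on each side; `last_step` records the highest
    step already used so the same code cannot be accepted twice."""

    def __init__(self, secret, step=30, digits=6, skew=1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_step = -1  # in a real service this is stored per user

    def verify(self, code, now):
        current = int(now) // self.step
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_step:
                continue  # already consumed: a replayed code is rejected here
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(RFC_SECRET)
    now = time.time()
    code = totp(RFC_SECRET, now)
    print("code:", code)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now))
```

The secret never travels after enrollment; only the six-digit code does, and only inside its 30-second step. That is also why TOTP is still phishable: a relay that forwards the code within the window wins, which is the gap that FIDO2/WebAuthn closes by binding the assertion to the site origin.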


So there you have it. My brief foray into Identification and Authentication and how to identify if your web application is weak and how you can prevent such failures. As for me, to quote the great Kenny Loggins, “I’m alright (I’m alright) Don’t nobody worry ‘bout me.” I’ll go change my passwords right away!

© 2021 by Jen Cracchiola. Powered by Wix