View this document as: a single page | multiple pages.

Threats and Security Considerations

This section is informative.

Authenticator Threats

An attacker who can gain control of an authenticator will often be able to masquerade as the authenticator’s owner. Threats to authenticators can be categorized based on attacks on the types of authentication factors that comprise the authenticator:

This document assumes that the subscriber is not colluding with an attacker who is attempting to falsely authenticate to the verifier. With this assumption in mind, the threats to the authenticators used for digital authentication are listed in Table 3, along with some examples.

Table 3 Authenticator Threats

Authenticator Threat/Attack Description Examples
Assertion Manufacture or Modification The attacker generates a false assertion Compromised CSP asserts identity of a claimant who has not properly authenticated
  The attacker modifies an existing assertion Compromised proxy that changes AAL of an authentication assertion
Theft A physical authenticator is stolen by an Attacker. A hardware cryptographic device is stolen.
    An OTP device is stolen.
    A look-up secret authenticator is stolen.
    A cell phone is stolen.
Duplication The subscriber’s authenticator has been copied with or without their knowledge. Passwords written on paper are disclosed.
    Passwords stored in an electronic file are copied.
    Software PKI authenticator (private key) copied.
    Look-up secret authenticator copied.
    Counterfeit biometric authenticator manufactured.
Eavesdropping The authenticator secret or authenticator output is revealed to the attacker as the subscriber is authenticating. Memorized secrets are obtained by watching keyboard entry.
    Memorized secrets or authenticator outputs are intercepted by keystroke logging software.
    A PIN is captured from a PIN pad device.
    A hashed password is obtained and used by an attacker for another authentication (pass-the-hash attack).
  An out-of-band secret is intercepted by the attacker by compromising the communication channel. An out-of-band secret is transmitted via unencrypted Wi-Fi and received by the attacker.
Offline Cracking The authenticator is exposed using analytical methods outside the authentication mechanism. A software PKI authenticator is subjected to dictionary attack to identify the correct password to use to decrypt the private key.
Side Channel Attack The authenticator secret is exposed using physical characteristics of the authenticator. A key is extracted by differential power analysis on a hardware cryptographic authenticator.
    A cryptographic authenticator secret is extracted by analysis of the response time of the authenticator over a number of attempts.
Phishing or Pharming The authenticator output is captured by fooling the subscriber into thinking the attacker is a verifier or RP. A password is revealed by subscriber to a website impersonating the verifier.
    A memorized secret is revealed by a bank subscriber in response to an email inquiry from a phisher pretending to represent the bank.
    A memorized secret is revealed by the subscriber at a bogus verifier website reached through DNS spoofing.
Social Engineering The attacker establishes a level of trust with a subscriber in order to convince the subscriber to reveal their authenticator secret or authenticator output. A memorized secret is revealed by the subscriber to an officemate asking for the password on behalf of the subscriber’s boss.
    A memorized secret is revealed by a subscriber in a telephone inquiry from an attacker masquerading as a system administrator.
    An out of band secret sent via SMS is received by an attacker who has convinced the mobile operator to redirect the victim’s mobile phone to the attacker.
Online Guessing The attacker connects to the verifier online and attempts to guess a valid authenticator output in the context of that verifier. Online dictionary attacks are used to guess memorized secrets.
    Online guessing is used to guess authenticator outputs for an OTP device registered to a legitimate claimant.
Endpoint Compromise Malicious code on the endpoint proxies remote access to a connected authenticator without the subscriber’s consent. A cryptographic authenticator connected to the endpoint is used to authenticate remote attackers.
  Malicious code on the endpoint causes authentication to other than the intended verifier. Authentication is performed on behalf of an attacker rather than the subscriber.
    A malicious app on the endpoint reads an out-of-band secret sent via SMS and the attacker uses the secret to authenticate.
  Malicious code on the endpoint compromises a multi-factor software cryptographic authenticator. Malicious code proxies authentication or exports authenticator keys from the endpoint.
Unauthorized Binding An attacker is able to cause an authenticator under their control to be bound to a subscriber account. An attacker intercepts an authenticator or provisioning key en route to the subscriber.

Threat Mitigation Strategies

Related mechanisms that assist in mitigating the threats identified above are summarized in Table 4.

Table 4 Mitigating Authenticator Threats

Authenticator Threat/Attack Threat Mitigation Mechanisms Normative References
Theft Use multi-factor authenticators that need to be activated through a memorized secret or biometric. 4.2.1, 4.3.1
  Use a combination of authenticators that includes a memorized secret or biometric. 4.2.1, 4.3.1
Duplication Use authenticators from which it is difficult to extract and duplicate long-term authentication secrets. 4.2.2, 4.3.2,
Eavesdropping Ensure the security of the endpoint, especially with respect to freedom from malware such as key loggers, prior to use. 4.2.2
  Avoid use of unauthenticated and unencrypted communication channels to send out-of-band authenticator secrets.
  Authenticate over authenticated protected channels (e.g., observe lock icon in browser window). 4.1.2, 4.2.2, 4.3.2
  Use authentication protocols that are resistant to replay attacks such as pass-the-hash. 5.2.8
  Use authentication endpoints that employ trusted input and trusted display capabilities.,
Offline Cracking Use an authenticator with a high entropy authenticator secret.,,,,
  Store centrally verified memorized secrets in a salted, hashed form, including a keyed hash., 5.2.7
Side Channel Attack Use authenticator algorithms that are designed to maintain constant power consumption and timing regardless of secret values. 4.3.2
Phishing or Pharming Use authenticators that provide phishing resistance. 5.2.5
Social Engineering Avoid use of authenticators that present a risk of social engineering of third parties such as customer service agents.,
Online Guessing Use authenticators that generate high entropy output.,,
  Use an authenticator that locks up after a number of repeated failed activation attempts. 5.2.2
Endpoint Compromise Use hardware authenticators that require physical action by the subscriber. 5.2.9
  Maintain software-based keys in restricted-access storage.,,
Unauthorized Binding Use AitM-resistant protocols for provisioning of authenticators and associated keys. 6.1

Several other strategies may be applied to mitigate the threats described in Table 3:

Authenticator Recovery

The weak point in many authentication mechanisms is the process followed when a subscriber loses control of one or more authenticators and needs to replace them. In many cases, the options remaining available to authenticate the subscriber are limited, and economic concerns (e.g., cost of maintaining call centers) motivate the use of inexpensive, and often less secure, backup authentication methods. To the extent that authenticator recovery is human-assisted, there is also the risk of social engineering attacks.

To maintain the integrity of the authentication factors, it is essential that it not be possible to leverage an authentication involving one factor to obtain an authenticator of a different factor. For example, a memorized secret must not be usable to obtain a new list of look-up secrets.

Session Attacks

The above discussion focuses on threats to the authentication event itself, but hijacking attacks on the session following an authentication event can have similar security impacts. The session management guidelines in Sec. 7 are essential to maintain session integrity against attacks, such as XSS. In addition, it is important to sanitize all information to be displayed [OWASP-XSS-prevention] to ensure that it does not contain executable content. These guidelines also recommend that session secrets be made inaccessible to mobile code in order to provide extra protection against exfiltration of session secrets.

Another post-authentication threat, cross-site request forgery (CSRF), takes advantage of users’ tendency to have multiple sessions active at the same time. It is important to embed and verify a session identifier into web requests to prevent the ability for a valid URL or request to be unintentionally or maliciously activated.