Authentication

Contribute

Authentication mechanisms are grouped within the three subcategories listed below. Note that individual credential and token types are not broken into their own categories and are instead included within one of these three categories.

User to Device: Mechanisms used by a user to authenticate with a mobile device, such as use of passwords, fingerprints, or voice recognition. This is most often local authentication to a device's lockscreen.

User or Device to Remote Service: Mechanisms used by a user, or a distinct non-person entity (NPE), to remotely authenticate to an external process, service, or device.

User or Device to Network: Mechanisms used by a user, mobile device, or peripheral to authenticate to a network (e.g., Wi-Fi, Cellular). This commonly includes proving possession of a cryptographic token.

Threat List

User to Device

• AUT-1: Unauthorized Information Disclosure via Lockscreen
• AUT-2: PIN/password Brute Force
• AUT-3: Inferring PIN/password from Recordings
• AUT-4: Inferring PIN/password from Screen Smudges
• AUT-5: Inferring PIN/password from Sensor Information
• AUT-6: Android Smartlock Device Spoofing
• AUT-7: Biometric Spoofing

User or Device to Remote Service

• AUT-0: Use of Stolen Credentials
• AUT-8: Man-in-the-middle Malicious Website Substitution
• AUT-9: Phishing Websites
• AUT-10: Capturing Credentials
• AUT-11: Stolen Credentials

User or Device to Network

• AUT-12: Insecure Credential Storage