# Authentication

**What is Authentication?**

Authentication is the process of verifying that a person, device, or system is truly who they claim to be.\
Its main goal is to confirm identity before granting access to resources or services.

***Example***

You are a student and try to enter the staff room to access the professors' resources.\
The system asks for a staff ID and password.\
You enter your student credentials instead.\
The system recognizes that you are not a staff member and denies access.

Authentication failed. ❌

#### Goal of Authentication

* Verifying identity before access is granted.
* Ensuring only authorized users can log in or access protected resources.


## Proving Identity: Authentication Factors

Identity is usually verified using one or more of the following authentication factors:

#### 1. Something You Know

This factor is based on information only the user should know.

Examples:

* Username and password
* PIN codes
* Security questions

#### 2. Something You Have

* **Examples:** A physical device, a mobile phone, a hardware token.
* **Mechanism:** You receive a notification or code on a physical object you possess to approve the login.

#### 3. Something You Are

* **Examples:** Biometrics (Fingerprint, Retina scan, Face ID).
* **Context:** Often used in high-security physical locations (e.g., data centers) or modern mobile apps.

### Multi-Factor Authentication (MFA/2FA)

For MFA (or 2FA) to be valid, it must utilize **at least two different types** of the factors listed above.

* **Invalid MFA:** Password + Security Question. (Both are "Something You Know").
* **Valid MFA:** Password ("Something You Know") + SMS Code to Phone ("Something You Have").

**Common Implementation:**

1. User enters Username/Password.
2. User receives a 6-digit code via SMS or Email.
3. User enters the code to finalize access.

### Attacking Credentials

There are several methods for attacking the credentials used for authentication.

**1. Brute Force vs. Password Spraying**

**2. Default Credentials**

### Attacking Authentication Logic

Beyond stealing credentials, you can attack the logic of how the application handles the authentication process.

#### 1. User Enumeration

The goal is to determine which usernames exist in the database. If you can build a list of valid users, you have 50% of the credentials needed and can then target those specific users with password spraying.

**Vectors for Enumeration:**

* **Login Page:**
  * *Invalid User:* "Username and password are incorrect."
  * *Valid User:* "Password is incorrect."
  * *Analysis:* Different error messages leak the existence of a user.
* **Registration Page:**
  * Attempting to register with an existing name returns: "This username already exists."
* **Password Reset Page:**
  * Entering a valid email triggers an "Email sent" notification, whereas an invalid email triggers "User not found."

#### 2. MFA Vulnerabilities

* **Lack of MFA:** Any modern web app should enforce or offer MFA. Its absence is a vulnerability.
* **Weak MFA:**
  * **Short Codes:** 4-digit codes are easily brute-forced. Secure apps use 6+ alphanumeric characters.
  * **Lack of Expiry:** Codes should expire after a short time window.
  * **Replay Attacks:** Codes should be "burn on use" (invalidated immediately after one successful use).
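The three weaknesses above (short codes, no expiry, replayable codes) are all properties of the server-side challenge store. The following is an added example, not code from the original page: a minimal in-memory OTP store that issues 6-digit codes from a CSPRNG, expires them after a fixed window, caps wrong guesses, and burns each code on first successful use. The class name, TTL and attempt limit are constructed values for illustration.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6          # a 4-digit code has only 10,000 values; 6 digits gives 1,000,000
CODE_TTL_SECONDS = 300   # the code is useless five minutes after it was issued
MAX_ATTEMPTS = 5         # discard the challenge after a few wrong guesses


class OtpStore:
    """In-memory MFA challenge store (constructed for illustration, not a library)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested deterministically
        self._challenges = {}      # username -> {"code", "expires", "attempts"}

    def issue(self, username):
        # secrets (CSPRNG), not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._challenges[username] = {
            "code": code,
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # delivered out of band (SMS/e-mail) in a real app, never in the HTTP response

    def verify(self, username, submitted):
        entry = self._challenges.get(username)
        if entry is None:
            return False                    # nothing outstanding: never issued, or already used
        if self._now() > entry["expires"]:
            del self._challenges[username]  # lack of expiry -> fix: stale codes are discarded
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._challenges[username]  # stops online guessing of the remaining code space
            return False
        # constant-time comparison; plain == would leak a prefix-match timing signal
        if not hmac.compare_digest(entry["code"], str(submitted)):
            return False
        del self._challenges[username]      # burn on use: submitting the same code again fails
        return True
```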


### Defensive Measures

* **CAPTCHA:** Properly configured CAPTCHAs prevent automated brute force and enumeration tools.
  * *Strategy:* Enforce CAPTCHA after 3 failed attempts to stop mass enumeration.
* **Generic Error Messages:** Applications should return consistent messages regardless of whether the user exists (e.g., "Invalid Login Credentials" for both cases).
* **MFA Complexity:** Enforce 6-digit (or alphanumeric) codes with short expiration times.
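To make the enumeration vectors and the first two defensive measures concrete, here is an added example (not code from the original page) that puts the leaky login handler from the User Enumeration section beside a hardened one: the hardened version returns the same "Invalid Login Credentials" text whether or not the user exists, does the same hashing work for unknown users so response time does not differ either, and demands a CAPTCHA from a client after 3 consecutive failures. The user table, salt, and `client` key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

GENERIC_ERROR = "Invalid Login Credentials"   # identical text for unknown user and wrong password
CAPTCHA_AFTER = 3                              # consecutive failures before a CAPTCHA is required


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: username -> (salt, hash). Not a real application's store.
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}
# Dummy record verified for unknown users so a miss costs the same work as a real lookup.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY = (_DUMMY_SALT, _hash(secrets.token_hex(16), _DUMMY_SALT))

failed_attempts = {}   # client key (e.g. source IP or session) -> consecutive failures


def login_leaky(username, password):
    """Vulnerable variant: the error text reveals whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return (False, "Username and password are incorrect.")
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return (False, "Password is incorrect.")
    return (True, "OK")


def login_hardened(username, password, client, captcha_passed=False):
    """Generic error text, equal work for unknown users, CAPTCHA gate after repeated failures."""
    if failed_attempts.get(client, 0) >= CAPTCHA_AFTER and not captcha_passed:
        return (False, "CAPTCHA required")   # per client, so it says nothing about the username
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), stored)  # always hash, even for a miss
    ok = match and username in USERS
    if not ok:
        failed_attempts[client] = failed_attempts.get(client, 0) + 1
        return (False, GENERIC_ERROR)
    failed_attempts.pop(client, None)        # a successful login resets the counter
    return (True, "OK")
```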
