OWASP API2:2019 — What Is Broken Authentication and Why It’s Important
One of the biggest API security risks is broken authentication, according to OWASP. So, what is broken authentication and why is it such a big problem?
Why Is Strong API Authentication So Critical?
Over the past two decades, more and more companies have built modern APIs. Often these APIs were developed during a shift from large, monolithic applications to apps built from a variety of microservices that needed to talk to each other. And voilà! New APIs were built to facilitate this dialog.
Possibly the most famous example of exposing APIs internally is Jeff Bezos’s 2002 “API Mandate.” Bezos made a rule for every team at Amazon that they must build an API for their service, so that when any other team needed to interface with their service, the only way to do so would be through the API. No workarounds. No back door hacks. No pinging a friend on another team in AIM (well, it was 2002 after all).
Eventually, these internal APIs were exposed to external partners and developers. External partners could integrate core Amazon functionality like Amazon Payments and Amazon warehousing and inventory management services by leveraging these APIs. In fact, this API-first strategy became the genesis of AWS, which has become the primary economic engine of Amazon as a company.
This path has become very common — APIs that were originally developed for internal purposes are found to have their own business value, and they can become their own products and services, which accelerates the entire company.
But, often in the rush to externalize existing APIs, authentication is not updated. This can lead to a lot of problems. If authentication is weak or nonexistent, a bad actor can easily impersonate a customer and take actions on their behalf, like placing fraudulent orders or exfiltrating financial data.
How to Enforce Strong Authentication
If your APIs are available without any authentication at all, make sure they do not disclose any personal data. Create separate APIs for customer or user data that require authentication.
Ensure passwords are strong and complex, and make sure that they are hashed, encrypted, and stored appropriately. Weak passwords can be broken in a matter of seconds. Password re-use is endemic, so assume that your users are re-using passwords, and that those passwords have been breached on another service.
Support other authentication mechanisms beyond passwords, like 2FA and passwordless options. These are increasingly accepted by end users, and are considered essential for developers. Many developers have company rules that prohibit them from using services that don’t support modern authentication.
Implement an access token (like a JWT), and validate those tokens. Also, make sure that tokens are short-lived so the caller must re-authenticate at a sensible interval. If a token lives forever, and the device is compromised, any bad actor can access your internal resources.
Rate limit authentication requests. Authentication requests happen much less often than other data requests — typically only at the beginning of a session. So, if a user is trying to authenticate 10 times in 30 seconds, there is a good chance they are trying to do something they shouldn’t.
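The token advice above, as an added example that is not part of the original article: a minimal HS256 JWT issuer and validator written against the Python standard library. The 15-minute lifetime and the test secret are constructed for illustration. The validator pins the algorithm, checks the signature before reading any claim, and enforces `exp` against the server clock, which is what makes a short lifetime actually limit the damage from a stolen token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example: a 15-minute lifetime. Because the token carries
# an "exp" claim, a stolen token stops working without any server-side state.
DEFAULT_TTL_SECONDS = 15 * 60


def b64url_encode(data: bytes) -> str:
    """JWT uses unpadded base64url (RFC 7515, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore padding before decoding; raises ValueError on bad input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, ttl_seconds: int = DEFAULT_TTL_SECONDS,
                now: Optional[float] = None) -> str:
    """Mint an HS256 JWT whose lifetime is bounded by ttl_seconds."""
    issued_at = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": issued_at, "exp": issued_at + ttl_seconds}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_token(secret: bytes, token: str, now: Optional[float] = None,
                   leeway_seconds: int = 0) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None.

    Order matters: the algorithm is pinned before anything in the header is
    trusted, the signature is checked before any claim is used, and expiry is
    judged against the server clock, never against anything inside the token.
    """
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(signature_b64)
    except (ValueError, TypeError):
        return None
    # The header is caller-controlled, so it must never select the verifier.
    # Pinning HS256 rejects "none" and any other algorithm substitution.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    current = time.time() if now is None else now
    if (not isinstance(exp, (int, float)) or isinstance(exp, bool)
            or current > exp + leeway_seconds):
        return None
    return payload


if __name__ == "__main__":
    secret = b"constructed-test-secret-do-not-reuse"
    token = issue_token(secret, "user-42")
    print(token)
    print(validate_token(secret, token))
```

The short lifetime is only useful if the validator refuses expired tokens on every request; a refresh flow (not shown) is where a longer-lived credential would live, and it should be revocable server-side.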
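An added example, not from the original article, of the rate limit described above: a sliding-window limiter that allows at most 10 authentication attempts per key in any 30-second span, the article's rule of thumb. The thresholds, the key format (source address joined with the account name) and the sample attempt stream are constructed for illustration; the timestamp parameter exists so the behaviour can be checked without a real clock.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed thresholds for this example, taken from the article's rule of
# thumb: more than 10 authentication attempts in 30 seconds is suspicious.
MAX_ATTEMPTS = 10
WINDOW_SECONDS = 30.0


class AuthRateLimiter:
    """Sliding-window limiter for authentication attempts, keyed per client.

    The caller chooses the key. Combining the source address with the account
    being targeted catches both one source hammering many accounts and many
    sources hammering one account, depending on which part of the key is used.
    """

    def __init__(self, max_attempts: int = MAX_ATTEMPTS,
                 window_seconds: float = WINDOW_SECONDS) -> None:
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self._attempts: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, key: str, now: float) -> Deque[float]:
        """Drop timestamps that have aged out of the window."""
        attempts = self._attempts[key]
        while attempts and now - attempts[0] >= self.window_seconds:
            attempts.popleft()
        return attempts

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        """Record an attempt and return False if the key is over its limit.

        Attempts are counted whether or not the credentials were correct, and
        denied attempts are not recorded, so the limiter never extends its own
        window.
        """
        current = time.monotonic() if now is None else now
        attempts = self._prune(key, current)
        if len(attempts) >= self.max_attempts:
            return False
        attempts.append(current)
        return True

    def retry_after(self, key: str, now: Optional[float] = None) -> float:
        """Seconds until the oldest attempt leaves the window (0 if not limited)."""
        current = time.monotonic() if now is None else now
        attempts = self._prune(key, current)
        if len(attempts) < self.max_attempts:
            return 0.0
        return attempts[0] + self.window_seconds - current


def replay(events: Iterable[Tuple[float, str]],
           limiter: Optional[AuthRateLimiter] = None) -> List[Tuple[float, str, bool]]:
    """Run a stream of (timestamp, key) attempts through a limiter and return the decisions."""
    limiter = limiter or AuthRateLimiter()
    return [(ts, key, limiter.allow(key, now=ts)) for ts, key in events]


if __name__ == "__main__":
    # Constructed attempt stream: one source tries the same account every second.
    burst = [(1000.0 + i, "203.0.113.7|alice") for i in range(12)]
    for ts, key, allowed in replay(burst):
        print(f"{ts:.0f} {key} {'allowed' if allowed else 'DENIED'}")
```

Returning `retry_after` lets the API answer with a `Retry-After` header instead of a bare rejection, and the denied decisions are the events worth alerting on.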
How to Monitor for Broken Authentication
The easiest first step is to ensure that no personally identifiable information (PII) is shared over unauthenticated APIs. By running a quick validation to ensure that common PII like names, emails, and mailing addresses are not in your unauthenticated API results, you avoid the most common error that development teams make.
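As an added example that is not part of the original article, the check described above can be automated with a small scanner that walks an unauthenticated API response and flags fields whose names or values look like PII. The key-name list, the regular expressions and the sample response are constructed for illustration; they are heuristics meant to catch the common case (names, emails, phone numbers, addresses) rather than a complete PII classifier.

```python
import re
from typing import Any, List, Tuple

# Constructed heuristics for this example: field names that commonly carry PII
# and value patterns for e-mail addresses and phone numbers.
PII_KEY_NAMES = {
    "name", "first_name", "last_name", "full_name",
    "email", "email_address", "phone", "phone_number", "mobile",
    "address", "street", "street_address", "postal_code", "zip",
    "ssn", "date_of_birth", "dob",
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Digits with common separators; the digit count is checked afterwards so that
# dates such as 2022-10-15 (8 digits) are not mistaken for phone numbers.
PHONE_RE = re.compile(r"(?<!\d)\+?\d[\d\s().-]{8,}\d(?!\d)")


def looks_like_phone(text: str) -> bool:
    return any(sum(ch.isdigit() for ch in m.group()) >= 10
               for m in PHONE_RE.finditer(text))


def find_pii(obj: Any, path: str = "$") -> List[Tuple[str, str]]:
    """Walk a decoded JSON response and return (json_path, reason) findings."""
    findings: List[Tuple[str, str]] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if str(key).lower() in PII_KEY_NAMES:
                findings.append((child, f"field name '{key}' suggests PII"))
            findings.extend(find_pii(value, child))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            findings.extend(find_pii(value, f"{path}[{index}]"))
    elif isinstance(obj, str):
        if EMAIL_RE.search(obj):
            findings.append((path, "value looks like an e-mail address"))
        elif looks_like_phone(obj):
            findings.append((path, "value looks like a phone number"))
    return findings


def response_is_clean(obj: Any) -> bool:
    """True when an unauthenticated response carries no PII findings."""
    return not find_pii(obj)


if __name__ == "__main__":
    # Constructed response from a hypothetical public product endpoint that
    # accidentally embeds reviewer contact details.
    sample = {
        "product": {"id": "sku-1001", "title": "Running shoe", "price": 89.99},
        "reviews": [
            {"rating": 5,
             "reviewer": {"name": "Jane Doe", "email": "jane.doe@example.com"},
             "contact": "+1 415 555 0100"},
        ],
        "generated_at": "2022-10-15T12:00:00Z",
    }
    for json_path, reason in find_pii(sample):
        print(f"{json_path}: {reason}")
```

Run as a test in the pipeline against the unauthenticated endpoints, this fails the build when a field such as `reviewer.email` shows up in a public response, which is the moment the leak is cheapest to fix.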
Once that check is in place, reviewing password requirements and shortening the time-to-live settings of your tokens are effective steps to limit your exposure.
Originally published at bycontxt.com on Oct 15, 2022.