Affirmed Identity Authenticator and Identity Service Privacy Policy

Gaps in Authentication

Gaps in authentication refer to weaknesses or vulnerabilities in how a system verifies the identity of a user or device. These gaps can allow unauthorized access, leading to security breaches. Common gaps include weaknesses in passwords, lack of multi-factor authentication, vulnerabilities in biometric systems, outdated authentication protocols, misuse of authenticators, and omission.

  • Weak Passwords are easily cracked or guessed and introduce high risk when not augmented by a second factor.
  • Single-Factor Authentication such as Passwordless Push, FIDO2, or Passkey relies on a human gesture without verification of the user's identity.
  • Biometric Authentication Gaps:
    • Spoofing and Impersonation: the sensor is fooled by AI-generated synthetic versions of biometric traits, such as fake fingerprints or high-quality facial images.
    • False Acceptance and Rejection Rates: the system can incorrectly grant access to unauthorized users (false acceptance) or deny access to legitimate users, frustrating them (false rejection).
    • Storage and Transmission Vulnerabilities: stored secrets, biometric data, and password or PIN code templates on cell phones need careful protection against unauthorized access or breaches, both at rest and in transit.
    • Excessive redirects in the authentication process, especially off-device redirects, create opportunities for session hijacking.
  • Incomplete or Misconfigured MFA risks circumvention by attackers, especially on privileged accounts, to gain escalated access.
  • Outdated and Insecure Authentication Protocols, like NTLM and Kerberos, are still used in some environments but were not designed with modern security standards in mind and introduce vulnerabilities that attackers can exploit.
  • Lacking Seamless Session Monitoring leaves a gap between one form of authentication and the next and risks hijacking of the session even when the authentication itself is 100% proper.
  • Autonomous Session Monitoring not only forces a gap between authentication and monitoring but does so without the benefit of continuous authentication, thereby opening the door to several attack vectors, any of which can lead to hijacking of the authenticated session.

Clarifications
  • Some FIDO2 and most Passkey implementations include a User Verification feature. When supported, the authenticator verifies the user's identity at the request of the relying party, and the authentication challenge response carries the result of that verification. This method doesn't meet NIST's MFA definition, but it is effective and might one day be recognized as MFA compliant.
  • The push to require MFA has led some authentication service providers to overhaul their existing single-factor solutions. The result is complex processes with multiple, sometimes as many as five (5), off-device redirects, causing user frustration and increased risk of attack. Perhaps these are temporary measures while the redesign is done? Perhaps not? Regardless, caution is advised if using any of these convoluted solutions.
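The User Verification clarification above describes a result that travels inside the authentication challenge response. The following Python example, added here and not part of the Affirmed Identity product or this page, shows how a relying party would read that result: it parses the WebAuthn authenticator data that accompanies an assertion (32-byte rpIdHash, one flags byte, 4-byte signature counter), checks the User Present (UP) and User Verified (UV) flag bits, and rejects an assertion whose authenticator only proved a gesture when the relying party's policy demanded identity verification. It goes slightly beyond the text by also checking the signature counter, the standard defence against a cloned authenticator. The RP ID "example.com", the sample counter values and the `build_authenticator_data` helper are constructed for the example; verifying the assertion signature itself is out of scope here.

```python
"""Relying-party checks on WebAuthn authenticator data (added example, not page code)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Tuple

# Bit positions of the WebAuthn authenticator data "flags" byte.
FLAG_UP = 1 << 0  # User Present: a human gesture (e.g. a touch) was detected
FLAG_UV = 1 << 2  # User Verified: the authenticator checked a PIN or biometric
FLAG_AT = 1 << 6  # Attested credential data follows (registration only)
FLAG_ED = 1 << 7  # Extension data follows

# Constructed sample relying party; a real RP uses its own origin's effective domain.
RP_ID = "example.com"
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    sign_count: int


def parse_authenticator_data(data: bytes) -> AuthenticatorData:
    """Split the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthenticatorData(
        rp_id_hash=rp_id_hash,
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        sign_count=sign_count,
    )


def evaluate_assertion(
    data: bytes,
    expected_rp_id_hash: bytes,
    last_sign_count: int,
    require_uv: bool,
) -> Tuple[bool, str]:
    """Apply the relying party's policy to the parsed flags and counter.

    require_uv=True is the setting that turns a gesture-only ("single-factor")
    passkey assertion into one the RP only accepts when the authenticator
    reports that it verified the user. Signature verification is assumed to be
    done separately over authenticatorData || SHA-256(clientDataJSON).
    """
    ad = parse_authenticator_data(data)
    if ad.rp_id_hash != expected_rp_id_hash:
        return False, "rpIdHash mismatch: assertion was made for a different RP"
    if not ad.user_present:
        return False, "user presence not asserted"
    if require_uv and not ad.user_verified:
        return False, "user verification required by policy but not performed"
    # A counter that fails to advance (when the authenticator implements one) is
    # the WebAuthn signal for a possibly cloned authenticator.
    if ad.sign_count != 0 and ad.sign_count <= last_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, "ok"


def build_authenticator_data(rp_id_hash: bytes, flags: int, sign_count: int) -> bytes:
    """Constructed helper that builds the 37-byte prefix an authenticator would emit."""
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    # Constructed assertions: one with UV set, one gesture-only.
    verified = build_authenticator_data(RP_ID_HASH, FLAG_UP | FLAG_UV, 10)
    gesture_only = build_authenticator_data(RP_ID_HASH, FLAG_UP, 10)
    print(evaluate_assertion(verified, RP_ID_HASH, 9, require_uv=True))
    print(evaluate_assertion(gesture_only, RP_ID_HASH, 9, require_uv=True))
    print(evaluate_assertion(gesture_only, RP_ID_HASH, 9, require_uv=False))
```

The key design choice is that `require_uv` is decided by the relying party, not by the authenticator: asking for `userVerification: "required"` in the request and then checking the UV bit in the response is what closes the gap between a gesture and an identity check.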

How it Works