2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities.
📘CompTIA CySA+ (CS0-003)
1. What Are Identification and Authentication Failures?
Identification = Claiming who you are
- Example: entering a username such as "admin"
Authentication = Proving who you are
- Example: entering a password, fingerprint, or code
👉 A failure happens when:
- The system does not properly verify identity
- Weak or broken authentication allows attackers to gain access
2. Why This Is Important for the Exam
This topic is part of security vulnerabilities and is closely related to:
- Unauthorized access
- Privilege escalation
- Data breaches
👉 In exam scenarios, you must:
- Recognize weak authentication systems
- Recommend proper controls to fix them
3. Common Types of Identification and Authentication Failures
3.1 Weak Passwords
Problem:
- Users choose simple passwords such as "123456", "password" or "admin"
Risk:
- Easily guessed using brute force or dictionary attacks
Control:
- Enforce strong password policies:
- Minimum length (e.g., 12+ characters); length does more for strength than forced character mixes
- Mix of uppercase, lowercase, numbers, symbols (still expected by many policies, though NIST SP 800-63B favours length and blocklists over composition rules)
- Block common, previously breached and username-based passwords
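The following is an added example, not code from the original study notes: a password-policy check of the kind a registration or password-change handler would run. It enforces the controls listed above (minimum length, a blocklist of common passwords, no username inside the password, a character-class rule that long passphrases are exempt from). The blocklist, the 12/20-character thresholds and the function names are assumptions for the example; a real deployment would load a large breached-password list.

```python
import re
from typing import List

MIN_LENGTH = 12
PASSPHRASE_LENGTH = 20   # assumed: passphrases at least this long skip the character-class rule

# Constructed blocklist for the example; a real deployment loads a large list of
# leaked passwords (e.g. the Have I Been Pwned offline set).
COMMON_PASSWORDS = {
    "123456", "password", "admin", "qwerty", "letmein",
    "welcome", "iloveyou", "abc123", "111111", "football",
}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")


def password_findings(password: str, username: str = "") -> List[str]:
    """Return every policy rule the password breaks; an empty list means it is acceptable."""
    findings: List[str] = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")

    # Strip trailing digits/symbols so "Password1!" still matches the "password" entry.
    stem = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        findings.append("appears on the common-password blocklist")

    # Very short usernames would match almost anything, so only check real ones.
    if len(username) >= 3 and username.lower() in lowered:
        findings.append("contains the username")

    classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes < 3 and len(password) < PASSPHRASE_LENGTH:
        findings.append("uses fewer than 3 character classes")

    return findings


def is_acceptable(password: str, username: str = "") -> bool:
    return not password_findings(password, username)


if __name__ == "__main__":
    for candidate, user in [("123456", "admin"), ("Password1!", "alice"),
                            ("correct horse battery staple", "bob")]:
        print(f"{candidate!r}: {password_findings(candidate, user) or 'OK'}")
```

Returning the full list of findings rather than a single boolean lets the UI tell the user exactly which rule failed, while the blocklist lookup on the stripped stem catches the "append a digit and a bang" variants that defeat a naive exact-match list.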
3.2 Default Credentials
Problem:
- Systems ship with default usernames/passwords such as admin/admin or root/password
Risk:
- Attackers already know these credentials
Control:
- Change default credentials immediately
- Disable unused default accounts
3.3 Lack of Multi-Factor Authentication (MFA)
Problem:
- Only password is used
Risk:
- If the password is stolen (phishing, a breached site, malware), the attacker gains full access
Control:
- Implement Multi-Factor Authentication (MFA), combining factors from at least two different categories
Types of factors:
- Something you know → Password, PIN
- Something you have → Hardware token, authenticator app, smart card
- Something you are → Biometrics
- Prefer phishing-resistant methods (FIDO2/WebAuthn security keys) over SMS codes, which can be intercepted or SIM-swapped
3.4 Poor Session Management
Problem:
- Sessions do not expire
- Tokens are reused or predictable
Risk:
- Session hijacking: an attacker who steals or predicts a valid session ID acts as that user
- Session fixation: a known ID planted on the victim before login becomes an authenticated session after it
Control:
- Set session timeout
- Use secure session tokens
- Regenerate session IDs after login
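The following is an added example, not code from the original study notes: a minimal server-side session store implementing the three controls above (idle and absolute timeouts, unpredictable IDs from the OS CSPRNG, regeneration of the ID at login so a fixated ID never becomes authenticated). The timeout values, class and function names are assumptions for the example; the injectable clock exists so the timeouts can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before a session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard lifetime regardless of activity


@dataclass
class Session:
    user: Optional[str]   # None until the visitor authenticates
    created: float
    last_seen: float


class SessionStore:
    """In-memory session table; an injectable clock makes timeouts testable."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: Optional[str] = None) -> str:
        # 256 bits from the OS CSPRNG: unpredictable, unlike counters, timestamps or hashed user IDs.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT or now - session.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]   # expired: treat exactly like an unknown ID
            return None
        session.last_seen = now
        return session

    def login(self, pre_login_sid: Optional[str], user: str) -> str:
        # Regenerate the ID on privilege change. A session ID an attacker planted on the victim
        # before login (session fixation) is discarded instead of becoming authenticated.
        if pre_login_sid is not None:
            self._sessions.pop(pre_login_sid, None)
        return self.create(user)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)   # server-side invalidation, not just cookie deletion


def session_cookie(sid: str) -> str:
    # Secure: HTTPS only; HttpOnly: unreadable to page scripts; SameSite: not sent on cross-site requests.
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age={IDLE_TIMEOUT}"


if __name__ == "__main__":
    store = SessionStore()
    planted = store.create()                     # ID an attacker could have handed to the victim
    authenticated = store.login(planted, "alice")
    print("planted ID still valid after login:", store.lookup(planted) is not None)
    print(session_cookie(authenticated))
```

Expiry is enforced on lookup rather than by a background sweeper, so an expired ID presented by a hijacker is rejected at the first request; the cookie helper shows the attributes that keep the ID off plain HTTP, away from injected scripts and out of cross-site requests.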
3.5 Credential Stuffing
Problem:
- Attackers take username/password pairs leaked from breaches of other sites and replay them, usually with automated tools, against your login page
Risk:
- Every user who reused a breached password on your system is taken over, with no password cracking needed
Control:
- Screen new passwords against known-breached password lists and block reuse
- Use MFA, which defeats a correct but stolen password
- Monitor login attempts for the signature of stuffing: many failures against many different accounts from the same sources
3.6 Brute Force Attacks
Problem:
- Attackers try many password combinations
Risk:
- Weak passwords get cracked
Control:
- Account lockout after failed attempts (temporary lockouts or progressive delays are preferred; a permanent lockout lets an attacker deny service to a victim by deliberately failing their login)
- Rate limiting per account and per source address
- CAPTCHA to slow automated tools
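The following is an added example, not code from the original study notes: a login throttle combining the two controls above that can be implemented in code, a per-account progressive delay (instead of a permanent lockout, so the denial-of-service caveat does not apply) and a per-source-IP rate limit that also catches credential stuffing across many accounts (section 3.5). The thresholds, delays and names are assumptions for the example; the caller supplies the outcome of the real credential check.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

# Assumed policy values; tune to the environment.
FREE_FAILURES = 3        # failures allowed before delays start
BASE_DELAY = 2           # seconds; doubles with each further failure
MAX_DELAY = 15 * 60      # cap, so a legitimate user is never locked out indefinitely
IP_WINDOW = 60           # seconds
IP_MAX_ATTEMPTS = 20     # attempts per source IP per window, across all accounts


class LoginThrottle:
    """Per-account progressive delay plus per-IP rate limit; clock is injectable for tests."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._failures: Dict[str, Tuple[int, float]] = {}          # user -> (count, not_before)
        self._ip_attempts: Dict[str, Deque[float]] = defaultdict(deque)

    def attempt(self, username: str, src_ip: str, password_correct: bool) -> Tuple[bool, str]:
        """Return (processed, reason). password_correct is what the credential check would say.
        The reason is for logs; the client should only ever see a generic failure message."""
        now = self._clock()

        # Per-IP limit: catches stuffing and spraying that spread failures over many accounts.
        window = self._ip_attempts[src_ip]
        while window and now - window[0] > IP_WINDOW:
            window.popleft()
        if len(window) >= IP_MAX_ATTEMPTS:
            return False, "ip rate limit"
        window.append(now)

        # Per-account delay: slows a brute force without permanently locking the victim out.
        count, not_before = self._failures.get(username, (0, 0.0))
        if now < not_before:
            return False, f"retry in {int(not_before - now)}s"

        if password_correct:
            self._failures.pop(username, None)   # success resets the counter
            return True, "ok"

        count += 1
        excess = count - FREE_FAILURES
        delay = 0 if excess <= 0 else min(BASE_DELAY * 2 ** (excess - 1), MAX_DELAY)
        self._failures[username] = (count, now + delay)
        return True, "invalid credentials"


if __name__ == "__main__":
    throttle = LoginThrottle()
    for _ in range(6):
        print(throttle.attempt("alice", "203.0.113.5", password_correct=False))
```

The delay doubles per failure beyond the free allowance and is capped, so a guessing tool drops to a handful of tries per hour while a user who mistyped three times waits seconds, not days; the per-IP window counts attempts regardless of which account they target.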
3.7 Improper Access Controls
Problem:
- Authentication succeeds but authorization is not checked, so any logged-in user can reach resources or functions intended for others
Risk:
- Unauthorized access
Control:
- Use Role-Based Access Control (RBAC)
- Apply least privilege principle
3.8 Insecure Credential Storage
Problem:
- Passwords stored in plain text
Risk:
- If database is compromised, all passwords exposed
Control:
- Store passwords using:
- Hashing (one-way), never reversible encryption
- A unique random salt per password, so identical passwords do not produce identical hashes
- A slow, adaptive algorithm designed for passwords (e.g., bcrypt, scrypt, Argon2, PBKDF2), not a fast general-purpose hash such as MD5 or SHA-1
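The following is an added example, not code from the original study notes: the plain-text storage described above beside the salted, slow-hash version, with constant-time verification and a transparent upgrade path when the work factor is raised. It uses scrypt from the Python standard library because bcrypt and Argon2 need third-party packages; the work-factor values, record format and names are assumptions for the example, and the user records are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict

# Current work factor (assumed values): n=2**14 with r=8 costs about 16 MiB of RAM per hash.
# Raise these over time and rehash stored values on the user's next successful login.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def hash_password(password: str) -> str:
    salt = os.urandom(SALT_BYTES)   # per-user random salt: equal passwords give different hashes
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    # Self-describing record so the parameters can be raised later without a flag day.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False   # malformed record: never accept, never crash the login path
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


def needs_rehash(stored: str) -> bool:
    parts = stored.split("$")
    try:
        return parts[0] != "scrypt" or tuple(int(x) for x in parts[1:4]) != (SCRYPT_N, SCRYPT_R, SCRYPT_P)
    except ValueError:
        return True


# The insecure pattern from the text beside the corrected one (constructed sample users).
PLAINTEXT_USERS = {"alice": "hunter2"}                        # a database dump exposes every password
USERS: Dict[str, str] = {"alice": hash_password("hunter2")}   # a dump yields only salted scrypt outputs
DUMMY_HASH = hash_password("timing-equalizer")                # used so unknown users cost the same time


def login(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        verify_password(password, DUMMY_HASH)   # no username enumeration by response time
        return False
    ok = verify_password(password, stored)
    if ok and needs_rehash(stored):
        USERS[username] = hash_password(password)   # transparently upgrade old records
    return ok


if __name__ == "__main__":
    print(USERS["alice"])
    print("login ok:", login("alice", "hunter2"), "| wrong:", login("alice", "Hunter2"))
```

Two things the paragraph alone does not show: the record carries its own parameters, so old hashes keep verifying after the cost is raised and are rewritten on the next good login, and the comparison is constant-time so the hash value cannot be recovered byte by byte from response timing.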
3.9 Broken Authentication Logic
Problem:
- Flaws in login system:
- Steps in the flow can be skipped (e.g., requesting the post-MFA page directly)
- Tokens are accepted without checking their signature, expiry or intended audience
Risk:
- Attackers bypass login
Control:
- Proper authentication flow validation
- Secure coding practices
- Regular testing
3.10 Lack of Account Monitoring
Problem:
- Suspicious login attempts not detected
Risk:
- Attacks go unnoticed
Control:
- Enable logging and monitoring:
- Failed login attempts
- Unusual login locations, times or devices (including logins from two distant locations too close together to be genuine)
- Use SIEM tools
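The following is an added example, not code from the original study notes: the detection logic a SIEM rule would apply to authentication logs, run over a constructed sample log. It raises the three alerts the section calls for: a burst of failures against one account (brute force), failures against many accounts from one source (the credential-stuffing pattern from section 3.5), and a successful login from a country never seen before for that user. The log format, thresholds and rule names are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Detection thresholds (assumed values; tune to the environment's baseline).
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)      # one account, many failures
SPRAY_USERS, SPRAY_WINDOW = 10, timedelta(minutes=10)      # one source, many accounts

# Constructed sample log in an assumed key=value format (not from a real system).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z user=alice src=198.51.100.7 geo=US result=SUCCESS
2024-05-01T08:30:00Z user=bob src=203.0.113.5 geo=US result=FAIL
2024-05-01T08:30:20Z user=bob src=203.0.113.5 geo=US result=FAIL
2024-05-01T08:30:40Z user=bob src=203.0.113.5 geo=US result=FAIL
2024-05-01T08:31:00Z user=bob src=203.0.113.5 geo=US result=FAIL
2024-05-01T08:31:20Z user=bob src=203.0.113.5 geo=US result=FAIL
2024-05-01T09:15:00Z user=alice src=198.51.100.7 geo=US result=SUCCESS
2024-05-01T10:00:00Z user=user01 src=203.0.113.9 geo=NL result=FAIL
2024-05-01T10:00:10Z user=user02 src=203.0.113.9 geo=NL result=FAIL
2024-05-01T10:00:20Z user=user03 src=203.0.113.9 geo=NL result=FAIL
2024-05-01T10:00:30Z user=user04 src=203.0.113.9 geo=NL result=FAIL
2024-05-01T10:00:40Z user=user05 src=203.0.113.9 geo=NL result=FAIL
2024-05-01T10:00:50Z user=user06 src=203.0.113.9 geo=NL result=FAIL
2024-05-01T10:01:00Z user=user07 src=203.0.113.9 geo=NL result=FAIL
2024-05-01T10:01:10Z user=user08 src=203.0.113.9 geo=NL result=FAIL
2024-05-01T10:01:20Z user=user09 src=203.0.113.9 geo=NL result=FAIL
2024-05-01T10:01:30Z user=user10 src=203.0.113.9 geo=NL result=FAIL
2024-05-01T11:00:00Z user=alice src=192.0.2.44 geo=RU result=SUCCESS
2024-05-01T12:00:00Z user=carol src=198.51.100.9 geo=US result=FAIL
2024-05-01T12:00:30Z user=carol src=198.51.100.9 geo=US result=FAIL
2024-05-01T12:01:00Z user=carol src=198.51.100.9 geo=US result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>\S+)$")

Alert = Tuple[str, str, str]   # (rule, subject, detail)


def parse(log_text: str) -> List[Dict]:
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines that do not have the expected shape
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events: Iterable[Dict]) -> List[Alert]:
    alerts: List[Alert] = []
    fails_by_user: Dict[str, List[datetime]] = defaultdict(list)
    fails_by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    seen_geo: Dict[str, Set[str]] = defaultdict(set)
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user, src, geo = e["ts"], e["user"], e["src"], e["geo"]
        if e["result"] == "FAIL":
            # Sliding window of failures per account; fire once when the threshold is crossed.
            recent = [t for t in fails_by_user[user] if ts - t <= FAIL_WINDOW] + [ts]
            fails_by_user[user] = recent
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(("brute_force", user, f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW} from {src}"))
            # Sliding window of (time, account) per source; distinct accounts is the stuffing signal.
            recent_src = [(t, u) for t, u in fails_by_src[src] if ts - t <= SPRAY_WINDOW] + [(ts, user)]
            fails_by_src[src] = recent_src
            if len({u for _, u in recent_src}) == SPRAY_USERS:
                alerts.append(("one_source_many_accounts", src, f"failures against {SPRAY_USERS} accounts within {SPRAY_WINDOW}"))
        elif e["result"] == "SUCCESS":
            # A country never seen for this user is worth an analyst's look; the first login seeds the baseline.
            if seen_geo[user] and geo not in seen_geo[user]:
                alerts.append(("unusual_location", user, f"login from {geo} ({src}); previously {sorted(seen_geo[user])}"))
            seen_geo[user].add(geo)
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(parse(SAMPLE_LOG)):
        print(f"{rule:26} {subject:14} {detail}")
```

Carol's two typos followed by a success produce nothing, which is the point of thresholds and windows: the rules key on volume per account, spread per source, and change in baseline per user rather than on any single failed login.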
4. Key Security Controls to Mitigate These Failures
4.1 Strong Authentication Mechanisms
- Use MFA everywhere possible
- Use secure authentication protocols (e.g., Kerberos, SAML or OpenID Connect for SSO); retire legacy schemes that send or weakly hash credentials, such as LM/NTLMv1 or HTTP Basic authentication over plain HTTP
4.2 Password Policies
- Enforce complexity and length
- Prevent reuse of old passwords
- Force a reset when compromise is suspected; routine periodic expiry is no longer recommended (NIST SP 800-63B) because it pushes users toward predictable variations
4.3 Account Lockout Policies
- Lock account after multiple failed attempts
- Temporary lockouts reduce brute force attacks
4.4 Secure Credential Storage
- Hash and salt passwords
- Never store plain-text passwords
4.5 Identity and Access Management (IAM)
- Centralized authentication system
- Control user roles and permissions
4.6 Monitoring and Logging
- Track login activity
- Detect anomalies
4.7 Session Security
- Use HTTPS only
- Set cookie attributes: Secure, HttpOnly and SameSite
- Timeout inactive sessions and regenerate the session ID at login
4.8 Regular Security Audits
- Test authentication systems
- Identify weaknesses early
5. Signs of Identification and Authentication Failures (Exam Clues)
Watch for phrases like:
- “Users can log in without a password”
- “Default credentials still enabled”
- “No MFA configured”
- “Multiple failed login attempts”
- “Password stored in plain text”
- “Users accessing unauthorized resources”
👉 These indicate authentication weaknesses.
6. Best Practices (Exam Summary)
- Always use MFA
- Enforce strong passwords
- Disable default accounts
- Use least privilege
- Monitor login activity
- Secure session handling
- Store credentials securely
7. Quick Exam Revision Table
| Issue | Risk | Control |
|---|---|---|
| Weak passwords | Easy to guess | Strong password policy |
| Default credentials | Known to attackers | Change defaults |
| No MFA | Account takeover | Enable MFA |
| Brute force | Password cracking | Lockout policies |
| Credential reuse | Account takeover with stolen passwords | Unique passwords + MFA |
| Plain-text passwords | Data breach | Hash + salt |
| Poor session control | Session hijacking | Timeout + secure tokens |
| Improper access control | Users reach unauthorized resources | RBAC + least privilege |
| No login monitoring | Attacks go unnoticed | Logging + SIEM alerts |
Final Exam Tip
👉 If the question involves:
- Login issues
- Unauthorized access
- Weak password systems
➡️ The answer is usually:
- Implement MFA
- Strengthen authentication controls
- Secure credential handling
