
IAM Antipatterns

(Compiled from AWS, Azure, Google and other community sources)

The following are antipatterns to avoid:

OWASP Top Authentication Failures

  1. Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
  2. Permits brute force or other automated attacks.
  3. Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".
  4. Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers," which cannot be made safe.
  5. Uses plain text, encrypted, or weakly hashed password data stores (see A02:2021-Cryptographic Failures).
  6. Has missing or ineffective multi-factor authentication.
  7. Exposes session identifier in the URL.
  8. Reuses the session identifier after successful login.
  9. Does not correctly invalidate Session IDs. User sessions or authentication tokens (mainly single sign-on (SSO) tokens) aren't properly invalidated during logout or a period of inactivity.

Authentication Antipatterns

Avoid:

  • Allowing weak passwords, or passwords that are too easily guessed, for user authentication.
  • Storing user passwords in clear text on the cloud server.
  • Not using encryption for transmitted authentication data.
  • Not using two-factor authentication for cloud services.
  • Relying entirely on cloud-based authentication solutions, rather than supplementing with on-premise authentication solutions.
  • Using a single authentication mechanism for all cloud services, without considering the different levels of security and authentication requirements of each service.
  • Not properly monitoring access logs and audit trails for suspicious activity.
  • Not enforcing strong password policies, such as password complexity and expiration.
  • Not using federated identity and access management solutions to manage user identities across multiple cloud services.
  • Not properly configuring user roles and permissions for the cloud services, leading to security vulnerabilities.
  • Not using single sign-on (SSO) solutions to simplify user authentication.
  • Not using a central identity provider to manage user accounts across multiple cloud services.
  • Not implementing multi-factor authentication (MFA) solutions to improve security.
  • Not using biometric authentication solutions as an additional layer of protection.
  • Relying on common username/password combinations for authentication.
  • Not using automated tools to detect suspicious activity in the cloud.
  • Not using secure authentication protocols such as OAuth or OpenID Connect.
  • Not using third-party authentication services to verify user identities.
  • Not using account lockout policies to prevent brute-force attacks.
  • Not using role-based authentication to control access to cloud services.
  • Not using identity protection services to detect and prevent identity theft.
  • Not regularly updating authentication protocols and software to protect against security vulnerabilities.
  • Not regularly training users on proper authentication procedures.
  • Not using physical tokens or smart cards for two-factor authentication.
  • Overly complex authentication and authorization schemes: It's important to keep authentication and authorization as simple as possible, while still providing adequate security. Overly complex schemes can lead to confusion, inefficiency, and potential security vulnerabilities.
  • Over-reliance on third-party identity providers: While using third-party identity providers can simplify authentication, over-reliance on a single provider can lead to vendor lock-in and a lack of control over your own authentication infrastructure.
  • Insufficient security measures: Proper security measures, such as strong encryption and multi-factor authentication, are critical for protecting user data and ensuring secure access to cloud services. Failing to implement these measures can result in data breaches and other security incidents.
  • Inadequate user provisioning and de-provisioning: Properly managing user access to cloud services is critical for maintaining security and compliance. Failing to de-provision users who no longer need access or to provision users with the appropriate permissions can lead to security issues.
  • Failure to implement auditing and monitoring: Auditing and monitoring are critical for detecting and responding to security incidents. Failing to implement these measures can leave your organization vulnerable to attacks and can make it difficult to identify and mitigate security issues.
  • Over-reliance on traditional network-based security controls: Cloud SSO and authentication services require a different approach to security than traditional network-based security controls. Failing to adapt to this new paradigm can lead to security vulnerabilities and other issues.
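As an added illustration (not from any of the sources compiled above), the following minimal login service shows the corrected behaviour for several of the listed antipatterns at once: salted slow hashing instead of plain text or weak hashes (OWASP item 5), rejection of well-known passwords (item 3), an account lockout policy against brute force (item 2 and the lockout bullet above), issuing a fresh session identifier on login instead of reusing a pre-authentication one (item 8), and server-side invalidation on logout and after inactivity (item 9). The in-memory stores, thresholds and usernames are constructed for the example.

```python
import hashlib, hmac, os, secrets, time
from typing import Optional

# Constructed in-memory stores; a real service would persist these in a database.
USERS = {}     # username -> {"salt", "hash", "failures", "locked_until"}
SESSIONS = {}  # session id -> {"user", "last_seen"}
ITERATIONS, MAX_FAILURES, LOCKOUT_SECONDS, IDLE_SECONDS = 600_000, 3, 300, 900
DUMMY_SALT = os.urandom(16)  # used so unknown usernames cost the same time as known ones

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow KDF rather than plain text or a fast unsalted hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(username: str, password: str) -> None:
    # Reject short or well-known passwords before storing anything.
    if len(password) < 12 or password.lower() in {"password1", "admin", "admin/admin"}:
        raise ValueError("weak or well-known password")
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt),
                       "failures": 0, "locked_until": 0.0}

def login(username: str, password: str, presented_sid: Optional[str] = None,
          now: Optional[float] = None) -> Optional[str]:
    now = time.time() if now is None else now
    user = USERS.get(username)
    candidate = _hash(password, user["salt"] if user else DUMMY_SALT)
    if user is None or now < user["locked_until"]:
        return None  # unknown account or still inside the lockout window
    if not hmac.compare_digest(user["hash"], candidate):
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["locked_until"] = now + LOCKOUT_SECONDS  # lockout policy
        return None
    user["failures"] = 0
    # Never carry a session id that existed before authentication into the
    # authenticated session: drop it and mint a fresh, random one.
    SESSIONS.pop(presented_sid, None)
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "last_seen": now}
    return sid

def logout(sid: str) -> None:
    SESSIONS.pop(sid, None)  # invalidate server-side, not just in the client

def current_user(sid: str, now: Optional[float] = None) -> Optional[str]:
    now = time.time() if now is None else now
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if now - session["last_seen"] > IDLE_SECONDS:
        SESSIONS.pop(sid, None)  # expire idle sessions
        return None
    session["last_seen"] = now
    return session["user"]
```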