Authentication Vulnerabilities - Password Based
Authentication Vulnerabilities - Multi Factor
Authentication Vulnerabilities - Other Mechanisms
OAuth Authentication Vulnerabilities
Authentication - Authenticate - Auth-N : who someone is
Authorization - Authorize - Auth-Z : who is allowed to do what
Three main types of authentication factor:
- Something you know, such as a password or the answer to a security question
- Something you have, i.e. a physical object such as a mobile phone or security token
- Something you are or do. For example, your biometrics or patterns of behavior.
OAuth - an authorization framework that gives an application limited access to a user's account on another application.
The user's login credentials are never exposed to the requesting application
Users can fine-tune which data to share instead of handing over everything
OAuth 2.0 was written from scratch rather than developed directly from OAuth 1.0; the two are very different.

OAuth Flows or Grant Types:
The exact sequence of steps involved in the OAuth process
There are many grant types, with varying levels of complexity and security considerations
OAuth grant types | Web Security Academy
Imagine you're at a club and you want to check your coat. Instead of giving you a direct pass to your coat, the coat check gives you a ticket. You show this ticket later to claim your coat. OAuth works a bit like this but for online apps wanting to access your info.
- OAuth Grant Type: This is like choosing between getting a ticket stub or a wristband at the coat check. It's the method apps use to ask for and get permission to grab your stuff (data).
- Authorization Code Grant Type: This is the ticket stub method. It’s a bit roundabout but safer. The app asks for a code, then trades this code for a pass (token) to get your data.
- Implicit Grant Type: This is the wristband method. It's quicker but riskier. The app gets a direct pass (token) without swapping a code first.
- Scopes: Imagine if your coat check ticket could also let you grab a drink. Scopes are like permissions on the ticket telling what the app can and can’t grab from your stuff (like reading your email but not sending one).
How It Works:
- Asking for Permission: The app tells the service what it wants to do (like checking your coat) and what it wants access to (like just the coat or the coat and a drink).
- Your OK Needed: You get asked if the app can access your stuff. If you say yes, the service gives the app a way to access it (like a ticket or wristband).
- App Gets the Goods: With your permission, the app uses its pass (token) to get the data it asked for.
- Using the Data: The app uses this data to do what it promised, like logging you in with your social media account without needing a new password.
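As an added illustration (not from the Web Security Academy page or these notes), a small Python model of the authorization code grant described above: the "ticket stub" code is bound to one client and redirect_uri, can be redeemed only once over the back channel, and the resulting token only unlocks what its scopes allow. The client id, secret, URLs and user are constructed for the example.

```python
import secrets
# Constructed, in-memory model of an OAuth authorization server (not a real library).
class AuthServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}         # authorization code -> grant details (single use)
        self.tokens = {}        # access token -> {"user": ..., "scope": set()}
    def authorize(self, client_id, redirect_uri, scope, user, state):
        # "Ticket stub": after consent, hand out a code bound to this client, not the token.
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": set(scope.split()), "user": user}
        return {"code": code, "state": state}  # state is echoed back unchanged
    def token(self, client_id, secret, code, redirect_uri):
        # Back-channel exchange: the client authenticates, then trades the code for a token.
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)  # pop: a code can only be redeemed once
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            raise PermissionError("code invalid, reused, or issued to another client")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"user": grant["user"], "scope": grant["scope"]}
        return tok
    def resource(self, tok, needed):
        # Resource server: the token only unlocks what its scopes allow.
        t = self.tokens.get(tok)
        if t is None or needed not in t["scope"]:
            raise PermissionError("insufficient scope")
        return t["user"]
def demo():
    # Run the flow once and record whether two misuse attempts were refused.
    cb = "https://app.example/cb"  # constructed client registration
    srv = AuthServer({"app": {"secret": "s3cret", "redirect_uri": cb}})
    r = srv.authorize("app", cb, "email:read", "alice", state="xyz")
    tok = srv.token("app", "s3cret", r["code"], cb)
    out = {"state": r["state"], "user": srv.resource(tok, "email:read")}
    for name, call in {"reuse": lambda: srv.token("app", "s3cret", r["code"], cb),
                       "scope": lambda: srv.resource(tok, "email:send")}.items():
        try:
            call()
            out[name] = "allowed"
        except PermissionError:
            out[name] = "refused"
    return out
```

Calling `demo()` returns the echoed state, the user the token resolves to, and "refused" for both the replayed code and the out-of-scope request.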