Posts

Showing posts from November, 2017

When authentication is not really an authentication

When authentication is not really an authentication- just identity. We'll talk about a design flaw.
Identity is just identification of entities such as a person, object etc- who they are. But when it comes to prove that who they are, the entities must supply some sort of credentials, such as passwords, certificates etc to prove their identity claim.
Let's consider a hypothetical app which is thick client and 2-tier (which is never a good idea), but let's think about it. It has got following design:

1.The UI is protected by a login screen which requires AD (Windows) authentication of logged in user. The login screen is a separate exe.
2. Once the user is authenticated, a separate UI exe is launched with the logged in user's privilege.
3. The same login screen also provides details of the DB to be connected by this app once the authentication is successful.

What risks we see here apart from the traditional 2-tier risks such as decompiling, business logic at client side,…