Authentication
| Attack | Mechanism | Mitigation |
| :--- | :--- | :--- |
| | Fake login page steals credentials | WebAuthn, password managers (they won't auto-fill on the wrong domain), user training |
| Credential Stuffing | Automated login using breached username/password pairs | Block known-breached passwords, rate-limit, require MFA |
| Man-in-the-Middle (MITM) | Attacker intercepts or proxies traffic | TLS everywhere, certificate pinning, mutual TLS |
| Session Hijacking | Steals session cookie after login | Short session lifetimes, rotate session IDs, bind session to IP/device fingerprint |
| Pass-the-Hash (Windows) | Attacker uses NTLM hash without cracking | Disable NTLM, use Kerberos with armour, Credential Guard |
| Biometric Spoofing | Fake fingerprint, photo of face | Liveness detection (blink, movement, heat), multi-modal fusion |
| MFA Fatigue | User approves a push they didn't trigger | Require number matching or transaction-specific confirmation |
No server-side session storage. The server issues a signed token (e.g., JWT) containing the user's identity and claims. The client stores it (localStorage or cookie) and sends it with each request. The server verifies the signature. Advantages: scalability, cross-domain support. Risks: token theft, no built-in revocation (a stolen token stays valid until it expires; short expiration plus refresh tokens limit the window).
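The issue/verify flow described above, as an added example that is not part of the original page: a minimal HS256-style token (JWT layout) with expiry checking, constant-time signature comparison, rejection of attacker-chosen algorithms, and an optional deny-list that stands in for the revocation the scheme otherwise lacks. The secret and timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret-do-not-reuse"  # placeholder; use a long random key in practice


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(subject: str, ttl: int, now: int, secret: bytes = SECRET) -> str:
    """Issue header.payload.signature with an absolute expiry (exp = now + ttl)."""
    header = _encode_json({"alg": "HS256", "typ": "JWT"})
    payload = _encode_json({"sub": subject, "iat": now, "exp": now + ttl})
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int, secret: bytes = SECRET, revoked=None):
    """Return the claims if signature, algorithm and expiry all check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # The server decides the algorithm; never trust the token's own "alg".
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time compare so signature checks do not leak timing information.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 or JSON
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    # Stateless tokens cannot be recalled; a server-side deny-list is the usual workaround.
    if revoked and token in revoked:
        return None
    return claims
```

Without the deny-list, a token copied from a victim's browser verifies exactly like the legitimate one until `exp` passes, which is why short lifetimes matter.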
A Review on Secure Authentication Mechanisms for Mobile Security
After login, the server issues a signed session ID (cookie). The browser sends it with each request. Stateless on the client, but the server must store session state. Vulnerable to session hijacking if cookies are not HttpOnly, Secure, and SameSite.
But technology alone cannot solve the human factor. The most sophisticated MFA is useless if a user approves a push for a login they didn't request, or if a support desk resets a password over the phone without verification. Authentication is a sociotechnical system. Build for resilience, test against real attacks, and always assume that the gatekeeper will be tested.
