/6.2.2 |
Contents
6.2 Root Cause & Mitigation
6.2.1 Strict Identifier Verification
The root cause of all of the attacks identified in the preceding sections is failure to verify ownership of the claimed identifier.
This applies directly to the service itself (as illustrated by the Classic-Federated Merge, Unexpired Session, Trojan Identifier, and Unexpired Email Change Attacks), as well as to the IdP (see Non-verifying IdP Attack).
Although many services do perform this type of verification, they often do so asynchronously, allowing the user to use certain features of the account before the identifier has been verified. Although this might improve usability (reduces user friction during sign up), it leaves the user vulnerable to pre-hijacking attacks.
On the other hand, all of the above attacks could be mitigated if the service or IdP sent a verification email to the user-provided email address and required the verification to be successfully completed before allowing any further actions associated with the account. A similar approach could be used to verify ownership of other types of identifiers, such as using text messages or automated voice calls to confirm ownership of phone numbers.
If the service relies on the IdP to perform verification, it should require a strong guarantee from the IdP that this verification has been performed.
Alternatively, the service could perform its own additional verification, but this adds further friction and negatively effect usability.