Authentication Attacks and Countermeasures

This section introduces the authentication attacks considered within this Guidance and briefly discusses other countermeasures.

Authentication attacks

Table 2 below lists generic attacks against authentication keys and the authentication exchange. Attacks against the initial enrolment process, the management of authentication keys, and so on are not considered in this Guidance. The attacks in Table 2 are not limited to attacks on the authentication key itself, because some authentication keys can also be used to protect the communication channel.

It is important to note that Table 2 is not intended to be complete, but it does cover the major attacks that the authentication keys considered here can counter. Readers may prefer to skim the listed attacks now and refer back to Table 2 as required. The listed attacks are not mutually exclusive; for example, shoulder-surfing attacks are a type of social engineering attack.

Table 2 – Authentication attacks

Attack Description

Customer fraud attacks

Where the customer deliberately compromises their own authentication key or computing environment so that they can later repudiate (deny having performed) authentication events.

Eavesdropper attacks

Where an attacker obtains information from an authentication exchange and recovers data, such as authentication key values, which then may be used to authenticate.
Insider attacks

Where verifiers or system managers deliberately compromise the authentication system or steal authentication keys or related data.

Key logger attacks

Malicious code or hardware devices that capture a customer's keystrokes with the intention of obtaining any password or other manually entered authentication key data typed in by the customer. Screen logger attacks are variants that capture display content (for example screenshots or the screen region around the pointer) along with keystrokes, in order to circumvent screen-based protections such as on-screen keyboards.

Malicious code attacks

Attacks that are generally aimed at the customer’s computing environment. They vary in their sophistication from simple key loggers to advanced Trojan programs that can gain control of the customer’s computer. Malicious code attacks may also be aimed at verifier systems.

Man-in-the-middle attacks

Where an attacker inserts themselves between the customer and the verifier during an authentication exchange, posing as the customer to the verifier and as the verifier to the customer, and so authenticates to the verifier as the customer.

Password discovery attacks

This covers a variety of attacks, such as brute force, common-password and dictionary attacks, which aim to determine a password. The attacker may try to guess a specific customer's password, try a few commonly used passwords (such as "Pa$$word") against every customer (password spraying), or, if they can recover the password file, match a pre-computed list of candidate passwords against it offline, in an attempt to discover a legitimate password.

Phishing attacks

Social engineering attacks that use forged web pages, emails, or other electronic communications to convince the customer to reveal their password or other sensitive information to the attacker.

Replay attacks 

Where the attacker records the data of a successful authentication and replays this information to attempt to falsely authenticate to the verifier.

Session hijacking attacks

Where the attacker takes over (hijacks) an established session after the customer has successfully authenticated, for example by stealing the session identifier, and so acts as the customer without ever needing the authentication key.

Shoulder-surfing attacks

Social engineering attacks specific to password systems where the attacker covertly observes the password when the customer enters it.

Social engineering attacks

Attacks that are aimed at obtaining authentication keys or data by fooling the customer, for example into using an insecure authentication protocol or into loading malicious code onto their computer. Attacks may also be aimed at the verification process, for example by trying to trick help desk staff into accepting a false story.

Verifier impersonation attacks

Where the attacker impersonates the verifier to the customer to obtain authentication keys or data, which then may be used to authenticate falsely to the verifier.
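
The offline form of the password discovery attack in Table 2, matching a prepared list of candidate passwords against a recovered password file, can be shown concretely. This is an added example, not code from the Guidance: the sample accounts, passwords, word list, storage formats and PBKDF2 iteration count are all constructed assumptions. The salted, slow-hash variant goes slightly beyond the table entry to show how the verifier's storage choice changes the attacker's work for exactly the same word list.

```python
import hashlib
import os

# Constructed sample data (not from the Guidance): the passwords a verifier
# stored for four customers, and the short common-password list an attacker
# carries. Two customers share a weak password on purpose.
USERS = {
    "alice": "Pa$$word",
    "bob": "correct horse battery staple",
    "carol": "Pa$$word",
    "dave": "summer2016",
}
COMMON_PASSWORDS = ["123456", "Pa$$word", "letmein", "qwerty", "summer2016"]
PBKDF2_ROUNDS = 50_000  # illustrative iteration count, an assumption


def unsalted_hash(password):
    """Weak storage: one plain SHA-256, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Better storage: per-user random salt and a deliberately slow derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def build_unsalted_file(users):
    """Password file as a weak verifier would store it: user -> hash."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_file(users):
    """Password file with a fresh salt per user: user -> (salt, hash)."""
    pwfile = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        pwfile[user] = (salt, salted_hash(pw, salt))
    return pwfile


def dictionary_attack_unsalted(pwfile, wordlist):
    """Attacker has recovered an unsalted file: hash each candidate once, then
    look every stored hash up in that table. Work is len(wordlist) hashes no
    matter how many customers there are, and users who share a password fall
    together. Returns (cracked user -> password, number of hash evaluations)."""
    table = {unsalted_hash(pw): pw for pw in wordlist}
    work = len(wordlist)
    cracked = {user: table[h] for user, h in pwfile.items() if h in table}
    return cracked, work


def dictionary_attack_salted(pwfile, wordlist):
    """Attacker has recovered a salted file: the salt differs per user, so no
    shared table is possible and every candidate is re-derived for every user,
    each derivation being deliberately slow. Same return shape as above."""
    cracked, work = {}, 0
    for user, (salt, stored) in pwfile.items():
        for pw in wordlist:
            work += 1
            if salted_hash(pw, salt) == stored:
                cracked[user] = pw
                break
    return cracked, work


if __name__ == "__main__":
    print(dictionary_attack_unsalted(build_unsalted_file(USERS), COMMON_PASSWORDS))
    print(dictionary_attack_salted(build_salted_file(USERS), COMMON_PASSWORDS))
```

With the constructed data both attacks recover alice, carol and dave and miss bob, but the unsalted file costs the attacker five hash evaluations in total, whereas the salted file costs fourteen slow derivations, one per candidate per user, and that cost grows linearly with the number of customers.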


It is possible to implement a range of countermeasures to the authentication attacks described above. While the choice of authentication key is important, the use of an authentication key alone is not sufficient. Other measures, both technical and non-technical, need to be in place:

  • Some relate to managing the authentication key – including policies and procedures for distribution, lifecycle and storage protection, etc.
  • Others are completely separate from authentication key considerations – such as anomaly detection, customer education, enrolment procedures, etc.

Such countermeasures are important, but are not discussed in detail in this Guidance.

Government agencies are required to comply with Security in the Government Sector. Annex A of that manual refers to the minimum standards for Internet security. Further standards and references include [4, 8-14]. Agencies should also refer to the NZ e-GIF authentication standards [2] for further requirements. General issues relating to the selection of multi-factor authentication keys are covered later in this Guidance.

How countermeasures relate to the authentication key depends on the type of key used. For example, the cryptographic keys held by software and hardware tokens can be used to support additional protections, such as protecting the communication channel or binding the authentication exchange to it, whereas a password offers no such support: it is simply a secret that is disclosed to whoever receives it.
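
The replay and man-in-the-middle attacks from Table 2, and the point above that a token's cryptographic key can support protections a password cannot, can be seen in a small simulation of the authentication exchange with both sides' messages. This is an added example and not code from the Guidance: the challenge-response protocol (an HMAC-SHA256 tag over a verifier nonce), the user name, the shared key and the channel identifiers are assumptions made for illustration; the channel-binding idea follows the TLS channel-binding approach of mixing a per-connection identifier into the customer's response.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the Guidance): one customer and the secret
# shared between that customer's token and the verifier.
USER = "alice"
KEY = b"shared-secret-for-alice-token"


class Verifier:
    """Verifier that can check either a static password or a challenge-response."""

    def __init__(self, keys):
        self.keys = keys            # user -> shared secret
        self.outstanding = {}       # user -> nonce issued and not yet consumed

    # Password-style check: the same secret crosses the wire on every login,
    # so an eavesdropper who captures it once can authenticate with it later.
    def check_password(self, user, password):
        return hmac.compare_digest(self.keys.get(user, b""), password)

    # Challenge-response: a fresh random nonce per attempt, consumed on use.
    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user, nonce, channel_id, tag):
        expected_nonce = self.outstanding.pop(user, None)
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False   # unknown, stale or already-used challenge: a replay
        expected_tag = respond(self.keys[user], nonce, channel_id)
        return hmac.compare_digest(expected_tag, tag)


def respond(key, nonce, channel_id):
    """Customer token: MAC the challenge together with the identifier of the
    channel the customer is actually talking over (b"" when unbound)."""
    return hmac.new(key, nonce + channel_id, hashlib.sha256).digest()


def replay_static_password():
    """Eavesdropper captures the password and replays it: both logins succeed."""
    v = Verifier({USER: KEY})
    first = v.check_password(USER, KEY)
    captured = KEY                      # what the eavesdropper saw on the wire
    replayed = v.check_password(USER, captured)
    return first, replayed


def replay_challenge_response():
    """Eavesdropper captures (nonce, tag) from a good login and replays it.
    The nonce was consumed by the genuine login and the next challenge differs,
    so the replay fails even though the tag was computed with the right key."""
    v = Verifier({USER: KEY})
    nonce = v.challenge(USER)
    tag = respond(KEY, nonce, b"")
    first = v.verify(USER, nonce, b"", tag)
    v.challenge(USER)                   # attacker starts a new login attempt
    replayed = v.verify(USER, nonce, b"", tag)
    return first, replayed


def mitm_relay(bind_channel):
    """Attacker relays a live exchange: to the verifier it poses as the customer,
    to the customer it poses as the verifier. There are two distinct channels,
    customer<->attacker and attacker<->verifier. Without channel binding the
    relay succeeds (challenge-response alone does not stop it); with binding,
    the customer's tag covers a channel identifier the verifier never sees."""
    cust_channel = b"tls-unique:customer<->attacker" if bind_channel else b""
    att_channel = b"tls-unique:attacker<->verifier" if bind_channel else b""
    v = Verifier({USER: KEY})
    nonce = v.challenge(USER)                      # attacker, as alice, obtains a nonce
    tag = respond(KEY, nonce, cust_channel)        # attacker forwards it; alice answers
    return v.verify(USER, nonce, att_channel, tag) # attacker forwards the answer


if __name__ == "__main__":
    print("static password, replayed:", replay_static_password())
    print("challenge-response, replayed:", replay_challenge_response())
    print("MITM relay, unbound:", mitm_relay(False), "bound:", mitm_relay(True))
```

The three scenarios separate the attacks cleanly: a password is defeated by simple replay, a nonce-based challenge-response defeats replay but not a real-time relay, and only when the token's key is also used to bind the response to the channel does the relay fail. Note that the protection exists precisely because the token holds a key it can compute with; a password has nothing to bind.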

Page last updated: 13/09/2016