Pre-Authentication vs Post-Authentication Attacks

submitted by
Style Pass
2024-10-19 00:30:04

The more we interact with systems that affect the real world using online accounts, the more important it is to secure those accounts. There are two kinds of attacks, as outlined in this article. Pre-authentication attacks attempt to take over or gain access to users’ accounts, via phishing or credential stuffing, among other attacks. Post-authentication attacks exploit weaknesses in applications after the user has logged in.

Customer identity and access management software often focuses on preventing pre-authentication attacks. Efforts to do so include password hashing to prevent credential stuffing, multi-factor authentication (MFA) to add layers of security to online access, and integrating solutions like CAPTCHA to slow down bot attacks. All of these make it more difficult for nefarious users to gain access to user accounts.

Cross-site request forgery (CSRF) attacks, an example of the post-authentication kind, trick a user into submitting a request provided by an attacker. The request is made as the user, with the user's session tokens sent along with it. This opens up a channel of attack, such as changing the email address on the account.
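The email-change case above, as an added example that is not from the original article: a handler that trusts the session cookie alone, beside one that also checks the `Origin` header and a per-session CSRF token. The origin value, the in-memory session store and the request dictionaries are constructed for illustration.

```python
import hmac
import secrets

ALLOWED_ORIGIN = "https://app.example"  # assumed origin of the real site
SESSIONS = {}  # constructed store: session id -> {"email", "csrf"}

def login(user_email):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"email": user_email, "csrf": secrets.token_urlsafe(32)}
    return sid

def change_email_cookie_only(request):
    """Weak: the session cookie alone authorizes the change."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    session["email"] = request["form"]["email"]
    return 200

def change_email_checked(request):
    """Hardened: also require a same-origin request and the session's CSRF token."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    if request["headers"].get("Origin") != ALLOWED_ORIGIN:
        return 403
    sent = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
        return 403
    session["email"] = request["form"]["email"]
    return 200

def build_request(sid, origin, new_email, csrf_token=None):
    """Constructed request; absent SameSite limits the cookie rides along from any page."""
    form = {"email": new_email}
    if csrf_token is not None:
        form["csrf_token"] = csrf_token
    return {"cookies": {"sid": sid}, "headers": {"Origin": origin}, "form": form}

def demo():
    sid = login("user@app.example")
    # Cross-site request: valid session cookie, foreign Origin, no CSRF token.
    forged = build_request(sid, "https://other.example", "x@other.example")
    weak = (change_email_cookie_only(forged), SESSIONS[sid]["email"])
    SESSIONS[sid]["email"] = "user@app.example"  # reset before the second check
    strict = (change_email_checked(forged), SESSIONS[sid]["email"])
    own = build_request(sid, ALLOWED_ORIGIN, "new@app.example", SESSIONS[sid]["csrf"])
    legit = (change_email_checked(own), SESSIONS[sid]["email"])
    return weak, strict, legit
```

The token is tied to the session and compared in constant time, so a request that carries only the cookie is rejected while the site's own form, which embeds the token, still works.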
