Authenticated Attackers

  • 30 March 2023
  • 1 reply


Salt Security's API security report 2023 validates an aspect of #threatmodeling that I find myself needing to repeat:

Authentication does not prevent attack!

Of the 4842 API attacks analyzed for the report, only 22% were unauthenticated. 

The vast majority (78%) of attacks were authenticated!

If what's behind an authentication is worth the expense/effort, attackers are happy to purchase/sign up. 


  • Freemium and advert-paid sites (Facebook, etc.) and sites that dole out email addresses (Live, Yahoo, Gmail) allow everyone (attackers, of course)
  • Large enterprises always have some compromised machines. Ergo, the attacker rides along with the authenticated user. Any enterprise user might also allow attack
  • A billion cracked passwords are readily available

#threatmodeling must account for authenticated, likely authorized attackers

(In another post I’d be happy to explain what authentication does provide. It’s also in a couple of my books, if that helps?)

1 reply


Interesting number here, 78%, but least privilege should lift off the major impact, shouldn't it? When privileged access needs at minimum an MFA authentication implementation, based on security-by-design principles, that should help. I am open to suggestions and feedback / advice.