Stealth mode authentication (zero information leakage and DoS prevention)

With stealth mode, we denote a security feature of 2-factor authentication schemes providing the following extra security:

  • No information about users or authentication tokens is leaked to adversaries (no user enumeration).
  • An adversary cannot obtain information about the correct password (not even for trying a few frequently used passwords).
  • This only applies if the simulation of the second factor cannot be distinguished from the real second factor.

Stealth mode is applicable for 2-factor authentication schemes performed in 2 steps:

  1. Usually username/password authentication.
  2. Authentication token such as SMS, OTP, grid card etc. An authentication method may be selected based on user data (see also Selection of authentication method (mixing multiple token-types)).

Potential information leakage without stealth mode

Consider the following typical 2-factor authentication scheme:

Username and password

  • Without the special security measures the following information can be gained from the above authentication process:
  • "Username + password correct": because the system shows an input field for a token, the attacker knows that the provided password is correct and the user exists
  • "User unknown": If the system responds differently for existing and non-existing users, an attacker may learn which users exist.
  • "User locked": If the system tells unauthenticated users that an account has been locked, an attacker may learn usernames and that denial-of-service is possible.
  • "Username/password wrong": Depending on the reaction of the system, an attacker may learn that a user exists and that a tried password was wrong.

Configure Stealth Mode in the Main Authenticator plugin

The Stealth Mode is part of the Main Authenticator plugin and configured in the plugin. Please refer to the plugin property documentation for further information.