aaronpk / oauth-first-party-apps

https://datatracker.ietf.org/doc/html/draft-parecki-oauth-first-party-apps

Credential stuffing #82

Open yaronf opened 3 months ago

yaronf commented 3 months ago

Sec. 9.3: this section is worded a bit strangely, in particular the phrase "if additional measures are not taken to ensure the authenticity of the application." Since we're discussing authentication attempts, the mitigating controls are those used as a standard, such as throttling and monitoring. I'm not sure the measures that ensure the application itself is authentic significantly affect the risk.

aaronpk commented 1 week ago

Credential stuffing attacks usually require automation to be successful, so the theory is that authentic apps can't be automated, which is why that phrase is there.
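The standard controls the first comment refers to, throttling and monitoring of authentication attempts, as an added example that is not part of this thread, the draft, or the repository. It keeps sliding-window failure counters per account and per source address, and flags a source that cycles through many distinct usernames with no successes, which is the automation pattern credential stuffing depends on. The thresholds, the class and function names, and the sample events are all assumptions made for illustration.

```python
"""
Throttling and monitoring of authentication attempts against credential
stuffing. Added example; not code from the draft or the repository.
All thresholds, names and sample events below are assumptions.
"""
from collections import defaultdict, deque


class AuthThrottle:
    """Sliding-window failure counters keyed by account and by source."""

    def __init__(self, window_s=60, max_fail_per_account=5,
                 max_fail_per_source=30, max_distinct_users_per_source=10):
        self.window_s = window_s
        self.max_fail_per_account = max_fail_per_account
        self.max_fail_per_source = max_fail_per_source
        self.max_distinct_users_per_source = max_distinct_users_per_source
        # account -> deque of (timestamp, username) failures, oldest first
        self._fail_by_account = defaultdict(deque)
        # source  -> deque of (timestamp, username) failures, oldest first
        self._fail_by_source = defaultdict(deque)

    def _expire(self, dq, now):
        # Drop failures that have aged out of the window.
        while dq and dq[0][0] <= now - self.window_s:
            dq.popleft()

    def check(self, now, source, username):
        """Return 'allow', or the reason the attempt is refused.

        Called before the password is verified, so a refused attempt never
        reaches the credential check and is not counted as a failure.
        """
        acct = self._fail_by_account[username]
        src = self._fail_by_source[source]
        self._expire(acct, now)
        self._expire(src, now)
        if len(acct) >= self.max_fail_per_account:
            return "throttle_account"      # brute force on one account
        if len(src) >= self.max_fail_per_source:
            return "throttle_source"       # noisy source, any pattern
        distinct_users = {user for _, user in src}
        if len(distinct_users) >= self.max_distinct_users_per_source:
            # One source failing against many different accounts is the
            # stuffing signature: leaked pairs tried once each, at speed.
            return "stuffing_suspect"
        return "allow"

    def record(self, now, source, username, password_ok):
        """Record the outcome of an attempt that check() allowed."""
        if password_ok:
            # A genuine login clears the account's recent failure history.
            self._fail_by_account[username].clear()
            return
        self._fail_by_account[username].append((now, username))
        self._fail_by_source[source].append((now, username))


def run_stream(events, throttle=None):
    """Feed (ts, source, username, password_ok) events through a throttle.

    Returns one decision string per event, in order.
    """
    throttle = throttle or AuthThrottle()
    decisions = []
    for ts, source, username, password_ok in events:
        decision = throttle.check(ts, source, username)
        decisions.append(decision)
        if decision == "allow":
            throttle.record(ts, source, username, password_ok)
    return decisions


# Constructed sample events (not real logs). A stuffing run: one source,
# twelve different usernames, one attempt each, all wrong.
STUFFING_EVENTS = [(i, "203.0.113.7", f"user{i:02d}", False) for i in range(12)]

# A single user who mistypes a password five times, tries again inside the
# window (refused), then returns after the window with the right password.
USER_EVENTS = [
    (100, "198.51.100.4", "alice", False),
    (101, "198.51.100.4", "alice", False),
    (102, "198.51.100.4", "alice", False),
    (103, "198.51.100.4", "alice", False),
    (104, "198.51.100.4", "alice", False),
    (105, "198.51.100.4", "alice", True),   # refused: 5 failures in window
    (170, "198.51.100.4", "alice", True),   # window expired: allowed, succeeds
]

if __name__ == "__main__":
    print("stuffing:", run_stream(STUFFING_EVENTS))
    print("user:    ", run_stream(USER_EVENTS))
```

The per-source distinct-username signal is what distinguishes stuffing from ordinary brute force: each account sees only one failure, so a per-account lockout alone never fires, while the source's spread across accounts does. A distributed campaign that rotates source addresses defeats the per-source counter, which is why monitoring in production usually aggregates on additional keys (ASN, device fingerprint, password hash prefix) rather than the address alone.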