STRIDE Walkthrough — Customer Authentication System
Table of contents
Open Table of contents
Overview
This walkthrough demonstrates every step of the threat modelling workflow using a realistic example: a customer authentication service for an e-commerce platform.
By the end you will have a complete threat model with scored threats, documented mitigations, residual risk scores, and formal security requirements — ready to export as a PDF or JSON.
System: Customer Authentication Service
Scope: User registration, login, password reset, and session management
Data classification: Confidential (credentials, session tokens, PII)
Regulations in scope: UK GDPR, PCI-DSS (card-holder data adjacent)
Step 1 — Application Info
Fill in the Application Info step to establish the identity and context of the model.
| Field | Value |
|---|---|
| Application name | Customer Auth Service |
| Version | 2.1 |
| Owner | Platform Security Team |
| Participants | Backend Lead, Security Architect, Privacy Officer |
| Reviewers | Head of Engineering, CISO |
| Description | Handles user registration, login, password reset, and session management for the e-commerce platform. Processes credentials and personal data for all customers. |
Step 2 — Scope & Decomposition
Trust Levels
Define who and what can interact with the system, and how much they are trusted.
| # | Name | Description |
|---|---|---|
| 1 | Unauthenticated User | Any internet user who has not yet logged in |
| 2 | Authenticated Customer | A user who has successfully logged in |
| 3 | Internal Service | Backend microservices within the private network |
| 4 | Administrator | Privileged internal staff with system access |
| 5 | Third-Party Service | External providers (email, CAPTCHA) |
Threat Agents
| Agent | Motivation | Capability |
|---|---|---|
| Opportunistic attacker | Credential theft, account takeover | Low |
| Organised criminal | Bulk credential harvesting, fraud | High |
| Malicious insider | Unauthorised data access | Medium |
External Dependencies
| Dependency | Security Assumption |
|---|---|
| SendGrid (email) | API key stored in secrets manager; not in source code |
| Redis (sessions) | Accessible only from private VPC; auth enabled |
| PostgreSQL | Accessed via parameterised ORM; principle of least privilege applied |
| reCAPTCHA v3 | Used to distinguish bots from humans on login/register |
Business Context
Business criticality: Critical — authentication is a prerequisite for all customer activity
Data classification: Confidential — stores password hashes, session tokens, email addresses
Step 3 — System & Data Flow Diagram
Components
| Component | Type | Trust Level |
|---|---|---|
| Web Browser | External Entity | Unauthenticated User (1) or Authenticated Customer (2) |
| Auth API | Web Application | Internal Service (3) |
| PostgreSQL | Data Store | Internal Service (3) |
| Redis Session Store | Data Store | Internal Service (3) |
| SendGrid | Service | Third-Party Service (5) |
| reCAPTCHA | Service | Third-Party Service (5) |
Data Flows
| Flow | From | To | Data | Encrypted | Authenticated | Crosses Boundary |
|---|---|---|---|---|---|---|
| Login request | Web Browser | Auth API | Email + password | Yes (HTTPS) | No | Yes |
| Session token | Auth API | Web Browser | HttpOnly cookie | Yes (HTTPS) | Yes | Yes |
| Credential lookup | Auth API | PostgreSQL | Email, bcrypt hash | Yes (TLS) | Yes | No |
| Session read/write | Auth API | Redis | Session ID + data | Yes (TLS) | Yes | No |
| Password reset email | Auth API | SendGrid | Reset token + email | Yes (TLS/API) | Yes (API key) | Yes |
| CAPTCHA verification | Auth API | reCAPTCHA | Browser token | Yes (HTTPS) | Yes (secret key) | Yes |
Trust boundary crossings to flag: Login request and session token both cross the public internet boundary. Password reset email crosses into a third-party service we do not control.
Step 4 — Threat Identification
Apply STRIDE to each component and trust boundary crossing. Below are the key threats identified.
Spoofing
S1 — Credential Stuffing
Target: Auth API — Login endpoint
Using automated tools and leaked credential databases, an attacker submits thousands of known username/password pairs. Even a 0.5% hit rate against 1M accounts yields 5,000 takeovers.
S2 — Session Hijacking
Target: Session token (Browser → Auth API data flow)
An attacker obtains a valid session cookie via XSS or network interception and replays it to impersonate the victim without knowing their password.
S3 — Password Reset Token Abuse
Target: Auth API — Password reset endpoint
Reset tokens sent by email are short-lived but predictable if generated with a weak PRNG. An attacker who can also read the victim’s email (compromised inbox) completes an account takeover silently.
Tampering
T1 — SQL Injection
Target: PostgreSQL via Auth API
If user-supplied input reaches database queries without parameterisation, an attacker can modify or delete user records, bypass authentication, or extract the full user table.
T2 — Redis Session Poisoning
Target: Redis Session Store
If Redis is reachable without authentication (a common misconfiguration), an attacker with network access can write arbitrary session data — effectively issuing themselves a valid admin session.
Repudiation
R1 — Missing Authentication Audit Trail
Target: PostgreSQL — Audit log table
Without immutable logging of login successes, failures, and password changes, it is impossible to establish a timeline after a breach. Attackers can deny activity; victims cannot be notified.
Information Disclosure
I1 — Username Enumeration
Target: Auth API — Login and reset endpoints
Different error responses for valid vs invalid email addresses allow attackers to silently build a list of registered users, which is then used for targeted phishing or credential stuffing.
I2 — Password Hash Exposure
Target: PostgreSQL
A SQL injection or misconfigured database backup exposes password hashes. If hashes use MD5 or unsalted SHA-1, an attacker can crack them offline using rainbow tables or GPU brute-force within hours.
I3 — Verbose Error Messages
Target: Auth API
Unhandled exceptions return stack traces, framework versions, or raw database errors to the client — disclosing the technology stack and potentially exposing internal file paths.
Denial of Service
D1 — Targeted Account Lockout
Target: Auth API — Login endpoint
An attacker deliberately triggers failed login attempts against a known account to lock it out, denying service to the legitimate user without needing to know their password.
D2 — Login Endpoint Flood
Target: Auth API
A volumetric attack exhausts available CPU and connection pool resources on the login endpoint, making the system unavailable to all users.
Elevation of Privilege
E1 — Mass Assignment on Profile Update
Target: Auth API — User update endpoint
If the profile update endpoint accepts arbitrary JSON fields, a crafted request including "role": "admin" or "is_verified": true can elevate privileges without authorisation.
Step 5 — Risk Assessment
Score each threat on a 5×5 Likelihood × Impact matrix.
| ID | Threat | Likelihood | Impact | Score | Level |
|---|---|---|---|---|---|
| S1 | Credential Stuffing | 5 | 4 | 20 | Critical |
| T1 | SQL Injection | 3 | 5 | 15 | High |
| E1 | Mass Assignment | 3 | 4 | 12 | High |
| D2 | Login Flood | 4 | 3 | 12 | High |
| S2 | Session Hijacking | 3 | 4 | 12 | High |
| I2 | Hash Exposure | 2 | 5 | 10 | Medium |
| I1 | Username Enumeration | 4 | 2 | 8 | Medium |
| D1 | Account Lockout Abuse | 4 | 2 | 8 | Medium |
| T2 | Redis Session Poisoning | 2 | 4 | 8 | Medium |
| S3 | Reset Token Abuse | 2 | 4 | 8 | Medium |
| R1 | Missing Audit Trail | 3 | 2 | 6 | Medium |
| I3 | Verbose Errors | 4 | 1 | 4 | Low |
Step 6 — Countermeasures
Document controls for each threat. The residual risk score is re-assessed after mitigations are applied.
S1 — Credential Stuffing (Critical → residual: Low)
| Control | Type | Status | Owner |
|---|---|---|---|
| Rate limiting: max 5 attempts per IP per minute with exponential backoff | Preventive | Planned | Backend Engineering |
| CAPTCHA after 3 failed attempts | Preventive | Planned | Backend Engineering |
| Breach password checking on login (HaveIBeenPwned API) | Detective | Planned | Backend Engineering |
| Login velocity alert: >10 failures on one account in 24h | Detective | Planned | Security Operations |
| Enforce MFA for all accounts | Preventive | In Progress | Backend Engineering |
Residual likelihood: 1 Residual impact: 3 Residual score: 3 — Low
T1 — SQL Injection (High → residual: Info)
| Control | Type | Status | Owner |
|---|---|---|---|
| Parameterised queries via ORM throughout — no raw SQL | Preventive | Implemented | Backend Engineering |
| SAST in CI pipeline (Semgrep rules for injection) | Detective | Implemented | Platform Engineering |
| DB user has SELECT + INSERT only — no DROP/ALTER/TRUNCATE | Preventive | Implemented | Platform Engineering |
| Penetration test of all endpoints prior to launch | Detective | Planned | Security Team |
Residual likelihood: 1 Residual impact: 1 Residual score: 1 — Info
E1 — Mass Assignment (High → residual: Low)
| Control | Type | Status | Owner |
|---|---|---|---|
| Explicit allowlist of updatable fields in the user update endpoint | Preventive | Planned | Backend Engineering |
| Role changes handled via dedicated admin endpoint with separate auth | Preventive | Planned | Backend Engineering |
| Integration tests asserting that role cannot be set via the public API | Detective | Planned | QA Engineering |
Residual likelihood: 1 Residual impact: 2 Residual score: 2 — Low
S2 — Session Hijacking (High → residual: Low)
| Control | Type | Status | Owner |
|---|---|---|---|
| HttpOnly, Secure, SameSite=Strict on all session cookies | Preventive | Implemented | Backend Engineering |
| 24-hour idle timeout, 7-day absolute session limit | Preventive | Implemented | Backend Engineering |
| Re-authentication required for sensitive actions (password change, payment) | Preventive | Planned | Backend Engineering |
| CSP headers to reduce XSS attack surface | Preventive | Implemented | Platform Engineering |
Residual likelihood: 2 Residual impact: 2 Residual score: 4 — Low
I2 — Password Hash Exposure (Medium → residual: Low)
| Control | Type | Status | Owner |
|---|---|---|---|
| bcrypt with work factor ≥12 for all password storage | Preventive | Implemented | Backend Engineering |
| Database backups encrypted at rest (AES-256) | Preventive | Implemented | Platform Engineering |
| DB access logs monitored for bulk SELECT on users table | Detective | Planned | Security Operations |
Residual likelihood: 1 Residual impact: 2 Residual score: 2 — Low
Step 7 — Security Requirements
Formal requirements derived from the threats above. These can be linked to tickets in your backlog and used as acceptance criteria.
| # | Requirement | Priority | Linked Threats | Status |
|---|---|---|---|---|
| SR-1 | Login endpoint MUST enforce rate limiting of ≤5 attempts per IP per minute with exponential backoff | MUST | S1, D2 | Planned |
| SR-2 | All password storage MUST use bcrypt with work factor ≥12 or Argon2id | MUST | I2 | Implemented |
| SR-3 | All database queries MUST use parameterised statements; raw string concatenation in queries is prohibited | MUST | T1 | Implemented |
| SR-4 | Session cookies MUST have HttpOnly, Secure, and SameSite=Strict attributes | MUST | S2 | Implemented |
| SR-5 | The user profile update endpoint MUST validate against an explicit allowlist of permitted fields | MUST | E1 | Planned |
| SR-6 | All authentication events (login success, login failure, password change, logout) MUST be logged to an immutable audit store | MUST | R1 | Planned |
| SR-7 | Login and password reset endpoints MUST return identical error messages for valid and invalid email addresses | SHOULD | I1 | Planned |
| SR-8 | API error responses MUST NOT include stack traces, framework internals, or database error details | MUST | I3 | Planned |
| SR-9 | Redis MUST require authentication and MUST NOT be accessible from outside the private VPC | MUST | T2 | Implemented |
| SR-10 | MFA SHOULD be available for all accounts and MUST be enforced for administrator accounts | MUST | S1, S3 | In Progress |
Step 8 — Report
After completing all steps, the Report step gives you:
- A full threat register with all 12 threats, scores, and statuses
- Mitigation progress summary (3 Implemented, 2 In Progress, 7 Planned)
- Residual risk comparison table showing risk reduction per threat
- Security requirements list ready to paste into your backlog
Use Download PDF to generate an audit-ready report, or Export JSON to save the model and share it with your team.
Key Takeaways
Credential stuffing is the single highest risk for any consumer authentication system. It is trivially easy to execute (tools are freely available) and has a high impact rate. Rate limiting, CAPTCHA, and MFA together reduce this from Critical to Low.
Mass assignment is a silent privilege escalation vector. It rarely shows up in automated scans but is catastrophic if exploited. A simple allowlist on the update endpoint eliminates it entirely.
Residual risk after mitigations tells the real story. This model starts with one Critical and four High threats. After applying the planned controls, every threat drops to Medium or below — giving the team a clear picture of what to build before launch.
Export this model as JSON and share it with your security team for review, or use the PDF export for inclusion in a pre-launch security sign-off document.