See 4.3.11 for a description of this threat.

OPC UA protects user credentials sent over the network by encryption as described in 5.2.5.

When an AuthorizationService is used for identity verification, securing the user identity is out of scope for OPC UA. It is essential that the CSMS take AuthorizationServices into account. OPC UA depends upon the site CSMS to protect against other attacks that obtain user credentials, such as password guessing or social engineering.

The risk from a compromised AuthorizationService can be minimized by further restricting Server access, for example to specific applications (Clients) or to specific times.
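The following is an added illustration of the layered restriction described above; it is not code from the OPC UA specification or from any OPC UA stack. It assumes a Server that, after the identity token has been validated (possibly by an external AuthorizationService), consults a local policy table keyed by user name and checks the calling Client's ApplicationUri and the time of the request. The policy values, user names and ApplicationUris are constructed for the example. The deny-by-default design means that a token issued by a compromised AuthorizationService for a valid user is still useless from an unlisted Client or outside the permitted window, and every refusal is recorded so that such misuse is visible in the audit trail.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessPolicy:
    """Local, Server-side restrictions applied in addition to identity verification."""
    # ApplicationUris (taken from the Client certificate / ApplicationDescription)
    # from which this user may open a Session.
    allowed_application_uris: frozenset
    # Daily window [window_start, window_end) in Server local time.
    window_start: time
    window_end: time
    # Permitted days of the week (0 = Monday ... 6 = Sunday).
    allowed_weekdays: frozenset = frozenset(range(7))


# Constructed sample policy table (hypothetical users and ApplicationUris).
POLICIES = {
    "operator": AccessPolicy(
        allowed_application_uris=frozenset({"urn:example:hmi:station1"}),
        window_start=time(6, 0),
        window_end=time(22, 0),
        allowed_weekdays=frozenset(range(5)),  # Monday to Friday only
    ),
}

# In-memory audit trail of refused Session requests (a real Server would write
# these to its audit log / AuditEvents so the CSMS can detect misuse).
AUDIT_DENIALS = []


def session_allowed(user, application_uri, when, policies=POLICIES):
    """Decide whether a Session may be activated for 'user' from the Client
    identified by 'application_uri' at time 'when'.

    Returns (allowed, reason). The identity token is assumed to have already
    been verified; this check only applies the additional local restrictions.
    Deny by default: no policy, wrong Client application, wrong weekday or a
    request outside the time window is refused."""
    policy = policies.get(user)
    if policy is None:
        return _deny(user, application_uri, when, "no access policy for user")
    if application_uri not in policy.allowed_application_uris:
        return _deny(user, application_uri, when,
                     "client application not permitted for this user")
    if when.weekday() not in policy.allowed_weekdays:
        return _deny(user, application_uri, when,
                     "access not permitted on this weekday")
    if not (policy.window_start <= when.time() < policy.window_end):
        return _deny(user, application_uri, when,
                     "access outside permitted time window")
    return True, "ok"


def _deny(user, application_uri, when, reason):
    """Record the refusal for later review and return the negative decision."""
    AUDIT_DENIALS.append({
        "user": user,
        "application_uri": application_uri,
        "time": when.isoformat(),
        "reason": reason,
    })
    return False, reason


if __name__ == "__main__":
    # Monday 2024-01-08 09:00 from the permitted HMI: allowed.
    print(session_allowed("operator", "urn:example:hmi:station1",
                          datetime(2024, 1, 8, 9, 0)))
    # Same user and time, but from an unlisted engineering laptop: refused.
    print(session_allowed("operator", "urn:example:engineering:laptop",
                          datetime(2024, 1, 8, 9, 0)))
    # Same user from the HMI, but on Sunday 2024-01-07: refused.
    print(session_allowed("operator", "urn:example:hmi:station1",
                          datetime(2024, 1, 7, 9, 0)))
    for event in AUDIT_DENIALS:
        print("denied:", event)
```

The policy deliberately keys on the Client's ApplicationUri rather than on the user alone, since a stolen or forged user token does not change which application certificate the Client presents; binding the two, together with a time window, is what limits the blast radius of a compromised AuthorizationService.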