Tricking a user into revealing authentication credentials through a phishing attack that presents a real-looking web page to solicit the user's access credentials. This could be created through
DNS manipulation
Cross site scripting
Inappropriate insertion of content in legitimate site
Containment of legitimate site in illegitimate frame
See also PII version of threat: T108-PhishPII.
Social engineering, talking users into revealing access credentials.
See also PII version of threat: T109-SocEngPII.
Network eavesdropping to record credentials.
Keyboard logger or other malware to record credentials.
Credential theft, e.g. copy private key, using malware.
Physical credential theft.
Dictionary attack on password
Brute force attacks of simply trying out all credentials.
Cookie replay attack. Use of a previously recorded cookie in a context where authentication did not happen. Also arises if an expired session cookie is allowed as a factor in authentication, resulting in a stronger factor not being demanded.
Luring users to do stupid things like
Visit web sites that phish or contain malware
Install malware and trojans
Voluntarily give out credentials or PII
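For the cookie replay threat listed above, the following added example (not part of the original threat list) shows a server-side check in which an expired, forged or out-of-context session cookie counts for no authentication factor, so the stronger factor is still demanded. The cookie layout, the function names, the key and the "context" value (some identifier of the channel the authentication happened on) are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # constructed value; load from a secret store in practice


def issue_cookie(user, factors, context, ttl, now=None):
    """Sign user, satisfied factors, client context and expiry into one cookie."""
    now = time.time() if now is None else now
    body = json.dumps({"user": user, "factors": sorted(factors),
                       "ctx": context, "exp": now + ttl}, sort_keys=True)
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_cookie(cookie, context, now=None):
    """Return the claims, or None if forged, expired or used in another context."""
    now = time.time() if now is None else now
    body, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # tampered with, or not issued by this server
    claims = json.loads(body)  # parsed only after the MAC has been verified
    if now >= claims["exp"]:
        return None  # expired: must not count as a factor
    if not hmac.compare_digest(claims["ctx"].encode(), context.encode()):
        return None  # recorded cookie presented outside its original context
    return claims


def factors_still_required(cookie, context, required, now=None):
    """Factors the user must still present before access is granted."""
    claims = verify_cookie(cookie, context, now) if cookie else None
    satisfied = set(claims["factors"]) if claims else set()
    return set(required) - satisfied
```
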