4

ECB is considered to be insecure when used for confidentiality because identical plaintext results in identical ciphertext. But what if we use ECB for authentication?

Assume A wants to transmit an authenticated message X to B. A and B have a shared key. What if A encrypts the plaintext X using AES-ECB and outputs Y as the ciphertext and appends it next to the plaintext X as a MAC? Would that be secure?

Confidentiality is not of importance here. We only need to authenticate the data.

BlaX

2 Answers

10

It is not secure, because an attacker can "mix and match" the output blocks from different authentication tags on different input messages, or repeat output blocks for repeated input blocks.

For example, if the attacker knows the tag $F_k(m)$ for a one-block message $m$, then it can forge the correct tag $F_k(m) \mid F_k(m)$ for the two-block message $m \mid m$.

Another attack: suppose the attacker learns the tag $F_k(m_1) \mid F_k(m_2)$ for the message $m=m_1 \mid m_2$, and the tag $F_k(n_1) \mid F_k(n_2)$ for the message $n=n_1 \mid n_2$. Then it can forge the correct tag $F_k(m_1) \mid F_k(n_2)$ for the message $m_1 \mid n_2$. More generally, it can forge a correct tag for any message that is made by arbitrarily concatenating blocks from $m$ and $n$.

Chris Peikert
9

The other answer is correct in general. However, if your messages are all exactly one block long (or all one block after padding), ECB is a secure MAC.

A PRP looks like a PRF up to half its bit length, i.e. up to $2^{64}$ blocks for AES. A secure PRF is a secure MAC of the same size. Thus, AES ECB used on 128-bit messages is a secure MAC as long as you use a key for (significantly) fewer than $2^{64}$ messages.

otus
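The two forgeries from the first answer and the one-block restriction from the second, as an added example that is not part of either answer. To stay standard-library only, `F` is a stand-in for $F_k$ (HMAC-SHA256 truncated to 16 bytes, not AES); the forgeries rely only on the tag being computed block by block, and all function names, the key and the messages are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes

def F(key: bytes, block: bytes) -> bytes:
    # Assumption: stand-in for AES_k(block). Any deterministic keyed
    # per-block function shows the same structural weakness.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def ecb_tag(key: bytes, msg: bytes) -> bytes:
    """Scheme from the question: tag = F_k(x_1) | F_k(x_2) | ..."""
    if not msg or len(msg) % BLOCK:
        raise ValueError("message must be a non-empty multiple of 16 bytes")
    return b"".join(F(key, msg[i:i + BLOCK]) for i in range(0, len(msg), BLOCK))

def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(ecb_tag(key, msg), tag)

def verify_one_block(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Second answer's setting: only exactly-one-block messages are valid."""
    return len(msg) == BLOCK and len(tag) == BLOCK and verify(key, msg, tag)

def forge_repeat(m: bytes, tag_m: bytes):
    """From (m, F_k(m)) build a valid pair for m | m without the key."""
    return m + m, tag_m + tag_m

def forge_splice(m: bytes, tag_m: bytes, n: bytes, tag_n: bytes):
    """From tags on m = m1|m2 and n = n1|n2 build a valid pair for m1 | n2."""
    return m[:BLOCK] + n[BLOCK:], tag_m[:BLOCK] + tag_n[BLOCK:]

def demo() -> dict:
    key = b"constructed-demo-key"  # shared by A and B, unknown to the forger
    m1, m2 = b"M1".ljust(BLOCK, b"."), b"M2".ljust(BLOCK, b".")
    n1, n2 = b"N1".ljust(BLOCK, b"."), b"N2".ljust(BLOCK, b".")
    m, n = m1 + m2, n1 + n2
    rep_msg, rep_tag = forge_repeat(m1, ecb_tag(key, m1))
    spl_msg, spl_tag = forge_splice(m, ecb_tag(key, m), n, ecb_tag(key, n))
    return {
        "repeat_accepted": verify(key, rep_msg, rep_tag),
        "splice_accepted": verify(key, spl_msg, spl_tag),
        "splice_is_new_message": spl_msg == m1 + n2 and spl_msg not in (m, n),
        "one_block_rejects_repeat": not verify_one_block(key, rep_msg, rep_tag),
        "one_block_accepts_honest": verify_one_block(key, m1, ecb_tag(key, m1)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
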