Glen Thomas

Software / Platform Engineer

3 minute read Security

Welcome back to this deep dive into the OWASP Top 10. Today we’re looking at something fundamental: authentication.

Your app can have perfect logic, great encryption, and secure infrastructure — but if anyone can impersonate a legitimate user, none of it matters.

This OWASP category focuses on weaknesses in how users are identified, authenticated, and managed. It’s all about the front door — and how attackers break in when it’s not properly locked.

Full series:

  1. A01: Broken Access Control
  2. A02: Cryptographic Failures
  3. A03: Injection Attacks
  4. A04: Insecure Design
  5. A05: Security Misconfiguration
  6. A06: Vulnerable and Outdated Components
  7. A07: Identification and Authentication Failures (you are here)
  8. A08: Software and Data Integrity Failures
  9. A09: Security Logging and Monitoring Failures
  10. A10: Server-Side Request Forgery (SSRF)

What Is an Identification and Authentication Failure?

This category includes:

  • Broken or missing authentication logic
  • Predictable or weak credentials
  • Brute-force vulnerabilities
  • Poor session handling
  • Misuse of authentication protocols

The goal of authentication is simple: prove someone is who they claim to be. When that fails, attackers can:

  • Log in as another user
  • Elevate privileges (e.g., from user to admin)
  • Hijack sessions or tokens
  • Bypass login flows entirely

Common Vulnerabilities

  1. Weak Password Policies

Short, simple passwords (e.g., password123) still work — because many systems still allow them.

  1. No Rate Limiting on Login

An attacker can try thousands of credentials using a brute-force or credential stuffing attack.

  1. Session Fixation or Hijacking

If session IDs are predictable or reused across logins, attackers can hijack valid sessions.

  1. Improper MFA Implementation

Implementing 2FA but only applying it to some users or actions. Or worse, allowing fallback to SMS with no lockout.

  1. Exposed Authentication Endpoints

APIs that return verbose error messages (“Invalid password” vs. “User not found”) can leak valid usernames.

How Attackers Exploit This

Credential Stuffing

Attackers use usernames and passwords leaked from other sites to log in to yours — because people reuse passwords all the time.

Business Logic Failures

Some flows allow password resets or email changes without reauthentication. Others might let users stay logged in after a password change.

JWT Abuse

Improperly signed or weakly protected JSON Web Tokens (JWTs) can be manipulated, especially if the algorithm is set to none or uses a public key for verification.

How Engineers Can Defend Against This

Authentication is high-risk. Treat it accordingly. Here’s how:

  1. Enforce Strong Passwords
    • Minimum length (e.g. 12+)
    • Check against known breached passwords (use services like HaveIBeenPwned)
    • Consider passphrases over complex symbols
  2. Enable MFA Everywhere
    • Don’t make it optional for sensitive roles
    • Prefer app-based MFA (TOTP) over SMS
    • Secure the recovery flows (MFA backup codes, secure reset processes)
  3. Use Rate Limiting and Lockout
    • Throttle failed logins
    • Lock accounts temporarily after X failed attempts
    • Use CAPTCHAs for public-facing forms
  4. Secure Sessions
    • Regenerate session IDs after login
    • Expire sessions on logout and after inactivity
    • Store session tokens securely with HttpOnly, Secure, and SameSite flags
  5. Don’t Build Your Own Auth
    • Use hardened identity providers (e.g., Auth0, Okta, Firebase Auth)
    • If you must implement your own, follow OWASP’s Authentication Cheat Sheet

auth checklist

Real-World Case: Broken Auth, Broken Business

An ecommerce platform implemented a password reset flow that allowed users to reset a password without verifying the reset token’s expiration.

An attacker found a way to reuse old reset links from inboxes of compromised email accounts — gaining full control of customer profiles and payment methods.

It wasn’t a code bug — just an incomplete authentication flow.

Final Thoughts

Authentication isn’t just a login screen. It’s an entire lifecycle:

  • Registration
  • Login
  • Session management
  • Logout
  • Password reset
  • MFA and recovery

Each part is a chance to get security right — or dangerously wrong.

Next up: A08: Software and Data Integrity Failures → We’ll look at how unsigned updates, insecure pipelines, and tampered packages can undermine everything your users trust.

Leave a comment

You may also enjoy