Index · Interview talking points

1 min read
20 min read
Rapid overview

Interview talking points

  • Authentication is a security-critical primitive — use vetted libraries and identity providers, never roll your own; this is the single highest-leverage A07 decision.
  • The core password rule: slow, salted, memory-hard hashing (Argon2id / bcrypt / scrypt), never fast general-purpose hashes (MD5/SHA-256) — and tune the cost factor over time.
  • Defend the login endpoint as a whole: rate limiting + breached-password checks + MFA + generic errors, not any single control.
  • Phishing-resistant MFA (WebAuthn/passkeys) > TOTP > SMS — and SMS is a fallback, not a primary factor.
  • Session security is about the whole lifecycle: high-entropy IDs, Secure/HttpOnly/SameSite cookies, rotation on login (fixation defense), idle + absolute timeouts, and real server-side logout.
  • For JWTs, name the classic pitfalls unprompted: alg:none, algorithm confusion, weak secret, missing/long exp, localStorage XSS exposure, and no clean revocation — and the short-access-token + revocable-refresh-token mitigation.
  • Prevent account enumeration everywhere it leaks (login, registration, reset) with uniform responses and uniform timing.
  • For federated login, say "OIDC, Authorization Code flow with PKCE, validate state/nonce/iss/aud/signature" — and know OAuth (authz) vs OIDC (authn).
  • Tie it back: A07 (authentication) sits next to A01 Broken Access Control (authorization) and A02 Cryptographic Failures (how the hashing/tokens are actually protected).

See also