Index · Interview talking points
1 min readRapid overview
Interview talking points
- Authentication is a security-critical primitive — use vetted libraries and identity providers, never roll your own; this is the single highest-leverage A07 decision.
- The core password rule: slow, salted, memory-hard hashing (Argon2id / bcrypt / scrypt), never fast general-purpose hashes (MD5/SHA-256) — and tune the cost factor over time.
- Defend the login endpoint as a whole: rate limiting + breached-password checks + MFA + generic errors, not any single control.
- Phishing-resistant MFA (WebAuthn/passkeys) > TOTP > SMS — and SMS is a fallback, not a primary factor.
- Session security is about the whole lifecycle: high-entropy IDs,
Secure/HttpOnly/SameSitecookies, rotation on login (fixation defense), idle + absolute timeouts, and real server-side logout. - For JWTs, name the classic pitfalls unprompted:
alg:none, algorithm confusion, weak secret, missing/longexp, localStorage XSS exposure, and no clean revocation — and the short-access-token + revocable-refresh-token mitigation. - Prevent account enumeration everywhere it leaks (login, registration, reset) with uniform responses and uniform timing.
- For federated login, say "OIDC, Authorization Code flow with PKCE, validate
state/nonce/iss/aud/signature" — and know OAuth (authz) vs OIDC (authn). - Tie it back: A07 (authentication) sits next to A01 Broken Access Control (authorization) and A02 Cryptographic Failures (how the hashing/tokens are actually protected).