Index · TL;DR

1 min read
20 min read
Rapid overview

TL;DR

Identification and Authentication Failures (OWASP Top 10 A07:2021, previously "Broken Authentication") cover every way an application fails to reliably confirm who a user is and to keep that confirmation safe for the life of a session. The headline risks are weak or fast password hashing, no defense against credential stuffing and brute force, missing or weak multi-factor authentication, and sloppy session management — predictable or non-rotated session IDs, insecure cookies, no timeouts, and broken logout. Get it right by storing passwords with a deliberately slow, salted, memory-hard hash (Argon2id, bcrypt, or scrypt — never MD5/SHA-256), checking credentials against known-breached lists, rate-limiting and locking accounts, offering phishing-resistant MFA (WebAuthn/passkeys over TOTP over SMS), issuing high-entropy session IDs in Secure; HttpOnly; SameSite cookies that rotate on privilege change, and delegating federated login to battle-tested OAuth 2.0 / OIDC (authorization code + PKCE) instead of rolling your own. The unifying principle: authentication is a security-critical primitive — use vetted libraries, fail safely, and never leak whether an account exists.

See also