What Is Broken Authentication and How to Prevent Your Company From It
Broken authentication is one of the most common and most damaging classes of web vulnerability. Here is how it happens and how to stop it.

Broken authentication is one of the most common entries on the OWASP Top 10 for a reason. It accounts for a disproportionate share of real-world breaches because it is easy to get wrong and the consequences are immediate: an attacker becomes a legitimate user, with all the access that role implies.
This post walks through what broken authentication actually means, the patterns that produce it, and the controls that prevent it.
What broken authentication is
Broken authentication is a category of flaws that let an attacker impersonate a legitimate user. The flaws can live anywhere in the authentication flow: registration, login, session management, password reset, MFA, or account recovery. The common thread is that the attacker ends up holding a valid session or credential they should not have.
The patterns that produce it
1. Weak password requirements
No minimum length, no breach check, no rate limiting. The result is accounts that fall to dictionary or stuffing attacks in seconds.
2. Predictable session tokens
Tokens that are short, sequential, or based on guessable user data. An attacker can iterate the token space and stumble into valid sessions.
3. Session tokens in the URL
Tokens passed as query parameters end up in server logs, in browser history, and in HTTP Referer headers that leak to third-party scripts.
4. Missing or weak MFA
Password-only authentication is vulnerable to credential stuffing, phishing, and breach leakage. Weak MFA (knowledge questions, SMS only) is vulnerable to the next tier of attacks.
5. Broken password reset
Reset tokens that are predictable, do not expire, or are sent over insecure channels. Reset flows that ask only for information available from any data broker. Reset emails that link to the wrong domain.
6. Sessions that survive password change
The user changes their password because they suspect compromise; the attacker's existing session keeps working.
7. Account recovery as the soft underbelly
Heavy investment in login security, paired with a reset flow that asks for a birthday and a mother's maiden name.
8. Verbose error messages
"User not found" versus "wrong password" tells an attacker which usernames are valid. Account enumeration is the start of every credential-stuffing campaign.
The controls that prevent it
Strong passwords, the modern way
- Minimum length, no maximum length cap.
- No mandatory complexity rules that produce predictable patterns.
- Breached-password detection at registration, login, and rotation.
- No forced periodic rotation absent a reason.
Strong session management
- Tokens that are long, random, and generated with a cryptographically secure RNG.
- Tokens in HttpOnly, Secure, SameSite cookies. Never in URLs.
- Tokens bound to the device or session context that minted them.
- Idle and absolute session timeouts. All sessions terminated on password change.
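A minimal server-side session store that implements these four bullets, added here as an example rather than code from the original post. The timeout values, the SHA-256 hashing of the stored token and the per-user password-generation counter are choices of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60          # seconds without activity before a session dies (example value)
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on session lifetime, activity or not (example value)


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float
    password_generation: int    # which password the session was minted under


class SessionStore:
    """Server-side store keyed by SHA-256(token), so a leaked store yields no usable tokens."""

    def __init__(self):
        self._sessions = {}         # token hash -> Session
        self._pw_generation = {}    # user_id -> current password generation

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id, now):
        # 256 bits from the OS CSPRNG: not short, not sequential, not derived from user data
        token = secrets.token_urlsafe(32)
        gen = self._pw_generation.setdefault(user_id, 0)
        self._sessions[self._key(token)] = Session(user_id, now, now, gen)
        return token

    def validate(self, token, now):
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        expired = (now - s.last_seen > IDLE_TIMEOUT
                   or now - s.created_at > ABSOLUTE_TIMEOUT
                   or s.password_generation != self._pw_generation.get(s.user_id, 0))
        if expired:
            del self._sessions[key]   # drop dead sessions so they cannot be replayed later
            return None
        s.last_seen = now             # sliding idle window; created_at never moves
        return s.user_id

    def password_changed(self, user_id):
        # Bumping the generation invalidates every session minted under the old password
        self._pw_generation[user_id] = self._pw_generation.get(user_id, 0) + 1


def cookie_header(token, max_age=ABSOLUTE_TIMEOUT):
    # The token travels only in a cookie the browser will not expose to scripts or send cross-site
    return (f"Set-Cookie: sid={token}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")
```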
MFA done well
- Available on every account, mandatory on privileged ones.
- Phishing-resistant factors (passkeys, hardware keys) for high-value roles.
- Step-up authentication for sensitive actions, not just for login.
Hardened account recovery
- Time-limited, single-use reset tokens.
- Reset emails sent to verified addresses only.
- MFA challenge required on reset for accounts that have it enabled.
- Notification to the user on every reset attempt, regardless of outcome.
Defensive responses
- Generic error messages that do not leak account existence.
- Rate limiting per account and per IP.
- Soft lockouts that require MFA to recover, not hard lockouts that enable denial-of-service.
- Risk-based authentication that adapts to context.
Monitoring and response
- Alerts on bulk failed logins, impossible travel, new-device sign-ins, and security-setting changes.
- Audit trail of every authentication event.
- A runbook for credential compromise and session revocation.
The cultural piece
Broken authentication often slips in because authentication is built once and rarely revisited. Build periodic review into the security calendar. Run penetration tests against the full authentication flow, not just the login form. Treat every reset, recovery, and MFA-enrolment flow as a potential entry point, because attackers do.
The bottom line
Authentication is the most-attacked surface of any consumer or enterprise application. The controls that prevent broken authentication are well-established, well-documented, and well-supported by modern frameworks and identity providers. The companies that get breached on this category are almost always the ones that built it once, years ago, and never came back. Do not be one of them.