Background
Bad login systems are why so many account takeovers happen. The classic mistakes: no rate limiting on failed logins, predictable password resets, sessions that never expire, MFA missing.
Questions to ask yourself
- Does our customer portal allow weak passwords?
- Does it lock accounts after repeated failed attempts?
- Do password reset emails expire quickly?
- Do we offer or require MFA?
- How long do sessions stay alive?
For owners — questions to ask your developer
Questions to ask your developer
Authentication is a solved problem — if you use solved tools.
- 01“Are we using a recognised authentication provider (Auth0, Microsoft Entra ID, AWS Cognito, Okta, Clerk) — or did we build the login system from scratch?” Self-built auth is a red flag.
- 02“Is MFA required for any customer account that handles money or personal data? If not, can we make it the default for new accounts?”
- 03“Walk me through our password rules — length, complexity, lockout, reset token expiry. How are passwords hashed?”