Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

OWASP A07: Identification and authentication failures

Is your login system actually secure?

Based on the OWASP Top 10 — 2021 edition. Check owasp.org/Top10 for the current edition.

Background

Bad login systems are why so many account takeovers happen. The classic mistakes: no rate limiting on failed logins, predictable password resets, sessions that never expire, MFA missing.

Questions to ask yourself

  • Does our customer portal allow weak passwords?
  • Does it lock accounts after repeated failed attempts?
  • Do password reset emails expire quickly?
  • Do we offer or require MFA?
  • How long do sessions stay alive?

For owners — questions to ask your developer

Questions to ask your developer

Authentication is a solved problem — if you use solved tools.

  • 01“Are we using a recognised authentication provider (Auth0, Microsoft Entra ID, AWS Cognito, Okta, Clerk) — or did we build the login system from scratch?” Self-built auth is a red flag.
  • 02“Is MFA required for any customer account that handles money or personal data? If not, can we make it the default for new accounts?”
  • 03“Walk me through our password rules — length, complexity, lockout, reset token expiry. How are passwords hashed?”