Auth Failures
OWASP Top 10
Course 1 · Chapter 7 · A07: Identification & Authentication Failures
This is a homecoming for anyone who did the Authentication & Session Security course — A07 is that entire course's subject, compressed into one Top 10 slot. So this chapter's job is the map: what the category spans, why it ranks where it does, and where each piece links back to the depth you already have.
A07: Identification & Authentication Failures
This category covers failures in confirming a user's identity and managing their session securely — everything from weak passwords to broken session handling to flawed account recovery. Note the deliberate naming: it was previously "Broken Authentication," renamed in 2021 to also emphasize identification (establishing who someone claims to be) alongside authentication (proving it). It dropped from #2 to #7 — not because it's less serious, but because frameworks and managed identity providers now handle a lot of it correctly out of the box.
What the Category Spans (and Where It's Covered)
| Failure | Example | Auth-course deep-dive |
|---|---|---|
| Weak password storage | plaintext / fast-hash passwords | Auth Ch. 2 |
| Credential brute force / stuffing | no rate limit; reused breached passwords work | Auth Ch. 3 |
| Weak / no MFA | password-only on high-value accounts | Auth Ch. 6 |
| Session management flaws | predictable IDs, no rotation, fixation | Auth Ch. 4–5 |
| Exposed / mishandled tokens | session/JWT in URLs, no invalidation | Auth Ch. 5, 7 |
| Weak account recovery | security questions; guessable reset tokens | Auth Ch. 9 |
| Default / weak credentials | admin/admin (also A05) | Auth Ch. 3 |
In other words: A07 ≈ the whole Auth course. Rather than re-teach it, this chapter pulls out the through-line that ties all those failures together.
The Unifying Idea: Protect One Secret Across Its Life
The Highest-Leverage Defences
If A07 is the Auth course condensed, here are the controls that matter most — in rough order of impact:
- Multi-factor authentication — the single highest-leverage control; a guessed or stuffed password alone is no longer enough (Auth Ch. 6).
- Strong password storage — slow, salted hashes (Argon2id/bcrypt), never fast hashes or "encryption" (Auth Ch. 2; also A02).
- Defend the login — rate limiting (IP + account), breach-password checks, generic responses + uniform timing (no enumeration) (Auth Ch. 3).
- Secure sessions — high-entropy IDs, regenerate at login (anti-fixation), idle + absolute timeouts, server-side logout,
HttpOnly/Secure/SameSitecookies (Auth Ch. 4–5). - Secure recovery — single-use, expiring, hashed reset tokens; re-authenticate sensitive changes; no security questions (Auth Ch. 9).
- Don't roll your own — use vetted auth libraries / managed identity providers (which is largely why A07's rank fell).
Identification vs Authentication — the Rename's Point
The 2021 addition of "Identification" highlights a subtle layer: identification is the claim ("I'm user philip"), authentication is the proof (the password/passkey checks out). Failures can occur at the identification layer too — e.g. allowing account enumeration (confirming which identities exist), weak identity proofing during registration, or letting one identity be confused with another. Getting identity right is the precondition for getting authentication right.
Hands-On Exercises
A07 spans many failures. For each, name the stage of the credential/session lifecycle it breaks and the primary defence: (a) plaintext passwords; (b) no login rate limit; (c) the same session ID after login; (d) password reset via security questions. Then state the one unifying idea behind all of them.
📄 View solutionExplain why "authentication is only as strong as its weakest path," using the recovery flow as the example. Then show how A07 interlocks with A01, A02, A03, and A05 — give one concrete way each of those categories can undermine authentication.
📄 View solutionExplain why A07 dropped from #2 to #7 and what the "Identification" rename adds. Then prioritize the top defences (MFA, password storage, login defence, sessions, recovery, don't-roll-your-own) and justify why MFA tops the list.
📄 View solutionChapter 7 Quick Reference
- A07 Identification & Authentication Failures — failures confirming identity & managing sessions; ≈ the whole Auth course; renamed from "Broken Authentication," dropped #2 → #7 (frameworks/IdPs help)
- Spans: weak password storage · brute force/stuffing · weak/no MFA · session flaws (predictable IDs, fixation) · exposed tokens · weak recovery · default creds
- Unifying idea: protect one secret (credential → session) across its life — store (hash) · prove (session) · don't let it be guessed/stolen/hijacked/bypassed
- Top defences: MFA (highest leverage) · slow salted hashing · login rate-limit + no enumeration · secure sessions (regenerate at login, cookie flags, timeouts) · secure recovery · don't roll your own
- Weakest-path rule: recovery is the #1 takeover vector — strong login + weak reset = weak; XSS steals sessions ("fix XSS first")
- Interlocks with A01 (authz), A02 (crypto/hashing), A03 (XSS session theft), A05 (default creds)
- Deep-dive: the entire Authentication & Session Security course
- Next chapter: A08 Software & Data Integrity Failures — deserialization, unsigned updates, CI/CD integrity