Auth Failures

OWASP Top 10

Course 1 · Chapter 7 · A07: Identification & Authentication Failures

This is a homecoming for anyone who did the Authentication & Session Security course — A07 is that entire course's subject, compressed into one Top 10 slot. So this chapter's job is the map: what the category spans, why it ranks where it does, and where each piece links back to the depth you already have.

A07: Identification & Authentication Failures

This category covers failures in confirming a user's identity and managing their session securely — everything from weak passwords to broken session handling to flawed account recovery. Note the deliberate naming: it was previously "Broken Authentication," renamed in 2021 to also emphasize identification (establishing who someone claims to be) alongside authentication (proving it). It dropped from #2 to #7 — not because it's less serious, but because frameworks and managed identity providers now handle a lot of it correctly out of the box.

What the Category Spans (and Where It's Covered)

FailureExampleAuth-course deep-dive
Weak password storageplaintext / fast-hash passwordsAuth Ch. 2
Credential brute force / stuffingno rate limit; reused breached passwords workAuth Ch. 3
Weak / no MFApassword-only on high-value accountsAuth Ch. 6
Session management flawspredictable IDs, no rotation, fixationAuth Ch. 4–5
Exposed / mishandled tokenssession/JWT in URLs, no invalidationAuth Ch. 5, 7
Weak account recoverysecurity questions; guessable reset tokensAuth Ch. 9
Default / weak credentialsadmin/admin (also A05)Auth Ch. 3

In other words: A07 ≈ the whole Auth course. Rather than re-teach it, this chapter pulls out the through-line that ties all those failures together.

The Unifying Idea: Protect One Secret Across Its Life

A07 is "protect the credential, then the session that stands in for it"
The Auth course's organizing principle is the map for this whole category: authentication establishes an identity (a credential), then a session stands in for that credential across many requests — and the entire category is about protecting that one secret through its whole life. Store it so a breach can't reverse it (hashing), prove it without resending it (sessions/tokens), stop it being guessed (rate limits, MFA), stolen (HttpOnly, HTTPS), fixated/hijacked (regenerate at login, high-entropy IDs), or bypassed via recovery (secure reset tokens). Every A07 failure is a gap in one of those stages.

The Highest-Leverage Defences

If A07 is the Auth course condensed, here are the controls that matter most — in rough order of impact:

  1. Multi-factor authentication — the single highest-leverage control; a guessed or stuffed password alone is no longer enough (Auth Ch. 6).
  2. Strong password storage — slow, salted hashes (Argon2id/bcrypt), never fast hashes or "encryption" (Auth Ch. 2; also A02).
  3. Defend the login — rate limiting (IP + account), breach-password checks, generic responses + uniform timing (no enumeration) (Auth Ch. 3).
  4. Secure sessions — high-entropy IDs, regenerate at login (anti-fixation), idle + absolute timeouts, server-side logout, HttpOnly/Secure/SameSite cookies (Auth Ch. 4–5).
  5. Secure recovery — single-use, expiring, hashed reset tokens; re-authenticate sensitive changes; no security questions (Auth Ch. 9).
  6. Don't roll your own — use vetted auth libraries / managed identity providers (which is largely why A07's rank fell).
Authentication is only as strong as its weakest path — including recovery
The recurring Auth-course lesson, stated at Top 10 level: an attacker attacks the weakest way in, not the strongest. Passkeys and MFA on the front door mean nothing if account recovery falls back to an SMS code or a security question (the #1 takeover vector). Likewise, perfect password hashing doesn't help if the session ID can be guessed, and strong sessions don't help if XSS can steal them (which is why "fix XSS first" recurs). A07 is a system property: every stage — storage, login, session, MFA, recovery — must hold, because account security is set by the weakest link across all of them, and it interlocks with A01 (authorization), A02 (crypto), A03 (XSS stealing sessions), and A05 (default creds).

Identification vs Authentication — the Rename's Point

The 2021 addition of "Identification" highlights a subtle layer: identification is the claim ("I'm user philip"), authentication is the proof (the password/passkey checks out). Failures can occur at the identification layer too — e.g. allowing account enumeration (confirming which identities exist), weak identity proofing during registration, or letting one identity be confused with another. Getting identity right is the precondition for getting authentication right.

Hands-On Exercises

Exercise 1

A07 spans many failures. For each, name the stage of the credential/session lifecycle it breaks and the primary defence: (a) plaintext passwords; (b) no login rate limit; (c) the same session ID after login; (d) password reset via security questions. Then state the one unifying idea behind all of them.

📄 View solution
Exercise 2

Explain why "authentication is only as strong as its weakest path," using the recovery flow as the example. Then show how A07 interlocks with A01, A02, A03, and A05 — give one concrete way each of those categories can undermine authentication.

📄 View solution
Exercise 3

Explain why A07 dropped from #2 to #7 and what the "Identification" rename adds. Then prioritize the top defences (MFA, password storage, login defence, sessions, recovery, don't-roll-your-own) and justify why MFA tops the list.

📄 View solution

Chapter 7 Quick Reference

  • A07 Identification & Authentication Failures — failures confirming identity & managing sessions; ≈ the whole Auth course; renamed from "Broken Authentication," dropped #2 → #7 (frameworks/IdPs help)
  • Spans: weak password storage · brute force/stuffing · weak/no MFA · session flaws (predictable IDs, fixation) · exposed tokens · weak recovery · default creds
  • Unifying idea: protect one secret (credential → session) across its life — store (hash) · prove (session) · don't let it be guessed/stolen/hijacked/bypassed
  • Top defences: MFA (highest leverage) · slow salted hashing · login rate-limit + no enumeration · secure sessions (regenerate at login, cookie flags, timeouts) · secure recovery · don't roll your own
  • Weakest-path rule: recovery is the #1 takeover vector — strong login + weak reset = weak; XSS steals sessions ("fix XSS first")
  • Interlocks with A01 (authz), A02 (crypto/hashing), A03 (XSS session theft), A05 (default creds)
  • Deep-dive: the entire Authentication & Session Security course
  • Next chapter: A08 Software & Data Integrity Failures — deserialization, unsigned updates, CI/CD integrity