Broken authentication refers to weaknesses in how an application handles login, session establishment, password reset, account recovery, multifactor authentication, or related identity checks. The issue is not a single exploit pattern but a broad category of failures that let attackers impersonate users or utilise functionality that they should not have access to.

Some examples of broken authentication include a weak password policy, missing rate limiting, flawed password reset flows, predictable one-time tokens, broken MFA enforcement, insecure session handling, and login logic that leaks whether an account exists. In modern applications, the problem may also involve misconfigured identity providers, such as insecure OAuth flows, or trust placed in client-side authentication state.
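To illustrate two of the items listed above, login logic that leaks whether an account exists and missing rate limiting, here is an added example written for this page (not the page's own or any client's code). The user store, credentials and the simple per-account lockout counter are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo user store: username -> (salt, PBKDF2 hash). Not a real system.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential hashed at the same cost, so the "no such user" path does the
# same work as the "wrong password" path and response time reveals nothing.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

MAX_ATTEMPTS = 5                 # constructed lockout threshold per account
_failures: dict[str, int] = {}   # in-memory counter for the demo only

def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Flawed: message and amount of work done reveal whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return False, "unknown user"        # distinct message => username enumeration
    salt, stored = record
    if _hash(password, salt) != stored:     # '!=' on digests is also not constant-time
        return False, "wrong password"
    return True, "ok"

def is_locked(username: str) -> bool:
    return _failures.get(username, 0) >= MAX_ATTEMPTS

def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Hardened: same message and same hashing cost whether or not the account exists,
    and failed attempts are counted so online guessing is throttled."""
    generic = "invalid username or password"
    if is_locked(username):
        return False, generic               # same message even when throttled
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if ok:
        _failures.pop(username, None)
        return True, "ok"
    _failures[username] = _failures.get(username, 0) + 1
    return False, generic
```

In a real deployment the counter would live in shared storage and be keyed by account and source address, with delays or step-up MFA rather than a hard lockout, but the two properties shown (uniform responses and bounded attempts) are what the review looks for.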

Authentication flaws are especially dangerous because they sit at the entrance to the application, and if the identity layer is insecure then other controls are often irrelevant.

This is a core review area in web application penetration testing and API penetration testing, where we look for weaknesses in the entire authentication and session management process, including any supporting infrastructure such as identity providers, single sign-on, and password reset mechanisms.