Authentication is supposed to be boring.
If it's noticeable, something is probably wrong.
Broken Authentication sits at API2:2023 in the OWASP API Security Top 10, and unlike some vulnerabilities, it doesn't rely on clever tricks or deep exploits. Most of the time, it comes from reasonable shortcuts taken under pressure.
Shortcuts that age badly.
What "Broken Authentication" Actually Means
At a high level, broken authentication happens when an API:
- doesn't reliably verify who the caller is
- fails to protect authentication credentials
- mishandles tokens, sessions, or reset flows
But that description is too abstract to be useful.
In practice, broken authentication shows up when identity stops being treated as a first-class security boundary.
Where Things Usually Go Wrong
1. Weak or Long-Lived Tokens
Tokens are meant to expire. That's the entire point.
Yet many APIs issue tokens that:
- live for days or weeks
- aren't rotated
- remain valid after password changes
If a token leaks once, it becomes a permanent key.
From an attacker's perspective, that's not authentication — that's ownership.
2. Tokens Treated Like IDs, Not Secrets
A token is not a user ID with extra characters.
It's a secret.
Common mistakes:
- sending tokens in URLs
- logging them in plain text
- storing them insecurely on the client
- reusing them across environments
Once tokens lose secrecy, authentication becomes a formality.
3. Password and Reset Flows That Leak Information
Password reset endpoints are often the softest part of the system.
Subtle differences like:
- "user not found" vs "email sent"
- response timing differences
- predictable reset tokens
These details feel harmless — but together they allow account enumeration and takeover.
Authentication doesn't fail loudly. It leaks quietly.
4. Missing or Inconsistent Rate Limiting
Authentication endpoints are attack magnets.
Login, reset, OTP, token refresh — all of them must assume abuse.
Without proper rate limiting:
- brute force becomes feasible
- credential stuffing becomes cheap
- automated attacks go unnoticed
If an endpoint controls identity, it must assume hostile traffic.
5. Rolling Your Own Auth Logic
This is the one everyone underestimates.
Custom authentication logic usually starts simple:
"We'll just add a few checks."
Over time, edge cases pile up:
- multiple login methods
- token refresh paths
- backward compatibility
- legacy behavior
Eventually, no one fully understands the system — including the people maintaining it.
That's when authentication breaks.
Why Broken Authentication Is So Common
Broken authentication isn't caused by ignorance.
It's caused by:
- time pressure
- business deadlines
- feature-first thinking
- assuming "we'll fix it later"
The problem is that auth mistakes compound. The longer they exist, the harder they are to unwind.
How Attackers Think About It
Attackers don't start by breaking crypto.
They start by asking simple questions:
- How long do tokens live?
- Can I reuse this token?
- Does logout actually invalidate anything?
- Can I automate this endpoint?
If answers aren't explicit, attackers find them experimentally.
How Builders Should Think About Fixing It
Instead of asking "Is our auth working?", better questions are:
- What happens if this token leaks?
- Can this token outlive its purpose?
- Is identity verified the same way everywhere?
- Are auth endpoints designed for abuse?
Good authentication systems are:
- boring
- predictable
- explicit
- hostile by default
Anything else is fragile.
Key Takeaway
Broken authentication isn't usually one big mistake.
It's ten small ones that no one revisits.
APIs don't get compromised because authentication is missing — they get compromised because authentication is trusted too much.
This is Day 2of documenting the OWASP API Security Top 10 (2023) — one vulnerability at a time, from a builder and application security perspective.
Next up: PI3:2023 Broken Object Property Level Authorization: