July 17, 2026
Authentication Security Testing Checklist for Security Researchers
Authentication is one of the most important components of any web application. A single weakness in the authentication flow can lead to…
By Chilukavarshith
2 min read
Authentication is one of the most important components of any web application. A single weakness in the authentication flow can lead to account takeover, unauthorized access, or sensitive data exposure.
When assessing a web application, security researchers should look beyond simple functionality and focus on how securely each authentication feature is implemented. This checklist can be used during penetration tests, bug bounty assessments, and general security reviews.
Register
Input Validation
✓ Try entering special characters (' " < >) in all fields.
✓ Check if the application accepts very long inputs.
✓ Test for SQL Injection and XSS payloads.
✓ Verify that invalid data is rejected properly.✓ Try entering special characters (' " < >) in all fields.
✓ Check if the application accepts very long inputs.
✓ Test for SQL Injection and XSS payloads.
✓ Verify that invalid data is rejected properly.Account Security
✓ Try registering with an existing email.
✓ Test weak passwords such as 12345678.
✓ Check password complexity requirements.
✓ Verify whether email verification is required.✓ Try registering with an existing email.
✓ Test weak passwords such as 12345678.
✓ Check password complexity requirements.
✓ Verify whether email verification is required.Data Protection
✓ Check if the site uses HTTPS.
✓ Ensure passwords are masked.
✓ Verify passwords are not sent in URLs.
✓ Check responses for sensitive information leakage.✓ Check if the site uses HTTPS.
✓ Ensure passwords are masked.
✓ Verify passwords are not sent in URLs.
✓ Check responses for sensitive information leakage.Abuse Prevention
✓ Attempt multiple registrations quickly.
✓ Check for CAPTCHA or rate limiting.
✓ Test if automated account creation is possible.✓ Attempt multiple registrations quickly.
✓ Check for CAPTCHA or rate limiting.
✓ Test if automated account creation is possible.Email Verification
✓ Verify if the verification link expires.
✓ Try using the same verification link twice.
✓ Check if the account works before verification.
✓ Ensure verification tokens are unique.✓ Verify if the verification link expires.
✓ Try using the same verification link twice.
✓ Check if the account works before verification.
✓ Ensure verification tokens are unique.Login
Authentication
✓ Login with valid credentials.
✓ Login with invalid credentials.
✓ Check if error messages reveal usernames/emails.
✓ Test login using both username and email if supported.✓ Login with valid credentials.
✓ Login with invalid credentials.
✓ Check if error messages reveal usernames/emails.
✓ Test login using both username and email if supported.Password Security
✓ Verify password masking.
✓ Check if passwords appear in requests or URLs.
✓ Review browser storage behavior if applicable.✓ Verify password masking.
✓ Check if passwords appear in requests or URLs.
✓ Review browser storage behavior if applicable.Brute Force Protection
✓ Attempt multiple failed logins.
✓ Check for account lockout.
✓ Verify rate limiting.
✓ Look for CAPTCHA after repeated failures.✓ Attempt multiple failed logins.
✓ Check for account lockout.
✓ Verify rate limiting.
✓ Look for CAPTCHA after repeated failures.Session Management
✓ Check cookies after login.
✓ Verify Secure and HttpOnly flags.
✓ Logout and verify session invalidation.
✓ Test session timeout behavior.✓ Check cookies after login.
✓ Verify Secure and HttpOnly flags.
✓ Logout and verify session invalidation.
✓ Test session timeout behavior.MFA
✓ Enable MFA if available.
✓ Try bypassing the MFA step.
✓ Verify backup codes cannot be reused.✓ Enable MFA if available.
✓ Try bypassing the MFA step.
✓ Verify backup codes cannot be reused.Forgot Password
User Enumeration
✓ Request reset for an existing account.
✓ Request reset for a non-existing account.
✓ Compare responses for differences.✓ Request reset for an existing account.
✓ Request reset for a non-existing account.
✓ Compare responses for differences.Reset Token Security
✓ Inspect reset token length.
✓ Check token expiration.
✓ Try using the same token twice.
✓ Request multiple tokens and test old ones.✓ Inspect reset token length.
✓ Check token expiration.
✓ Try using the same token twice.
✓ Request multiple tokens and test old ones.Delivery Security
✓ Verify reset email reaches the correct account.
✓ Check if reset links use HTTPS.
✓ Review email for sensitive information.✓ Verify reset email reaches the correct account.
✓ Check if reset links use HTTPS.
✓ Review email for sensitive information.Abuse Prevention
✓ Send multiple reset requests.
✓ Check for rate limiting.
✓ Verify email flooding protection.✓ Send multiple reset requests.
✓ Check for rate limiting.
✓ Verify email flooding protection.Update Password
Authentication Verification
✓ Check if the current password is required.
✓ Verify MFA requirement if enabled.
✓ Try changing the password without re-authentication.✓ Check if the current password is required.
✓ Verify MFA requirement if enabled.
✓ Try changing the password without re-authentication.Password Policy
✓ Test weak passwords.
✓ Test previously used passwords.
✓ Verify complexity requirements.✓ Test weak passwords.
✓ Test previously used passwords.
✓ Verify complexity requirements.Session Security
✓ Change the password and check other sessions.
✓ Verify forced logout after password change.
✓ Check if a notification email is sent.✓ Change the password and check other sessions.
✓ Verify forced logout after password change.
✓ Check if a notification email is sent.Input Validation
✓ Test parameter tampering.
✓ Modify requests using Burp Suite.
✓ Verify only authorized password changes occur.✓ Test parameter tampering.
✓ Modify requests using Burp Suite.
✓ Verify only authorized password changes occur.Update Email
Identity Verification
✓ Check if password confirmation is required.
✓ Verify MFA requirement.
✓ Test email change without re-authentication.✓ Check if password confirmation is required.
✓ Verify MFA requirement.
✓ Test email change without re-authentication.Email Ownership Verification
✓ Change to a new email.
✓ Verify a confirmation email is sent.
✓ Check if the change occurs before verification.✓ Change to a new email.
✓ Verify a confirmation email is sent.
✓ Check if the change occurs before verification.Security Controls
✓ Try changing another user's email via request manipulation.
✓ Test duplicate email addresses.
✓ Verify proper authorization checks.✓ Try changing another user's email via request manipulation.
✓ Test duplicate email addresses.
✓ Verify proper authorization checks.Abuse Prevention
✓ Attempt multiple email changes.
✓ Check for rate limiting.
✓ Verify security notifications are sent.✓ Attempt multiple email changes.
✓ Check for rate limiting.
✓ Verify security notifications are sent.Session Security
✓ Check session behavior after email change.
✓ Verify security alerts are generated.
✓ Test access using old account information.✓ Check session behavior after email change.
✓ Verify security alerts are generated.
✓ Test access using old account information.