What Is Broken Authentication? Causes, Impact & Prevention

What Is Broken Authentication?

Broken authentication is a vulnerability class that lets attackers compromise user identities by exploiting weaknesses in how applications verify who you are and maintain that verified state. When login mechanisms, session management, or credential recovery processes contain flaws, attackers can impersonate legitimate users, escalate privileges, and access systems without authorization.

This vulnerability has appeared in every OWASP list since the project's early editions. OWASP has renamed and refined the category over time, reflecting broader coverage of authentication-related weaknesses rather than any loss of importance.

The scope of broken authentication extends well beyond simple password guessing. It encompasses credential stuffing, session fixation, MFA bypass, token forgery, hard-coded credentials, and missing authentication on critical functions. The root CWE for the entire category is CWE-287, with a broad set of related CWEs mapped into the category in newer OWASP classifications.

According to the DBIR report, credential abuse remains a leading initial access method in breaches. If you understand how broken authentication works, you can stop it more effectively.

How Does Broken Authentication Work?

Broken authentication exploits flaws across two distinct failure domains: authentication, which covers how applications verify who you are, and session management, which covers how they maintain that verified identity for the duration of your visit. Each domain presents different attack surfaces, but both lead to the same outcome: unauthorized access.

Authentication Failures

When an application fails to properly verify user identity, attackers gain entry through the front door. A credential stuffing attack submits stolen username and password pairs against your login endpoint. If your application lacks rate limiting or account lockout, the attacker can test credentials at scale until valid pairs are found.

The attack flow is straightforward. The attacker obtains credential dumps from previous breaches. They feed those pairs into automated tools targeting your login page. The application accepts each attempt without throttling, lockout, or CAPTCHA. When a valid pair matches, the attacker gains full account access.

Brute force follows a similar pattern but generates password combinations rather than replaying known credentials. Password spraying takes the inverse approach: testing a common password against many accounts at the same time to avoid per-account lockout thresholds.

Session Management Failures

Even after you authenticate correctly, flaws in session handling can hand that authenticated state to an attacker. In a session fixation attack (CWE-384), the attacker sets a known session ID before you log in. If your application does not regenerate the session ID after successful authentication, the attacker uses the pre-set ID to access your authenticated session.

Session token exposure creates another path. When session IDs appear in URLs, they get logged in server access logs, browser history, and HTTP referrer headers. An attacker who obtains the URL obtains the session. Insufficient session expiration (CWE-613) compounds the problem: if you close a browser tab without logging out, someone using the same browser later may find your session still active.

MFA Bypass

Multi-factor authentication adds a second verification layer, but attackers have developed reliable bypass techniques. MFA fatigue, sometimes called prompt bombing, floods a user's device with push notifications until they approve one to stop the interruptions. The Uber breach is often cited as an example of how stolen credentials, repeated MFA prompts, and social engineering can be chained together to gain access to internal systems.

These mechanisms work because broken authentication is rarely a single flaw. It is a chain of weaknesses, from weak credentials to missing rate limits to poor session handling, that attackers exploit in sequence.

Types of Broken Authentication

Broken authentication is not a single vulnerability but a category that spans six distinct failure types. Each targets a different layer of the authentication stack and requires different controls to stop.

Understanding which type is present in a given application determines which controls apply and which forensic evidence to look for. Credential stuffing calls for rate limiting and MFA; missing authentication on an admin API requires a fundamentally different response.

Causes of Broken Authentication

Broken authentication does not arise from a single design mistake. It emerges from compounding weaknesses across four categories that OWASP guidance identifies as interconnected with other Top 10 risks including broken access controls, cryptographic failures, and outdated libraries.

Credential Policy Failures

Permitting weak, default, or well-known passwords remains the most fundamental cause. When your application accepts common default passwords without enforcement, you hand attackers an easy entry point (CWE-521). NIST 63B-4 requires verifiers to check new passwords against lists of known-compromised passwords, yet many applications still skip this step.

Password reuse amplifies the problem. The DBIR report highlights that password reuse across services remains common, which makes stolen credentials far more useful to attackers.

Authentication Flow Design Failures

Missing MFA (CWE-308) leaves accounts protected by a single factor that can be stolen, guessed, or phished. Weak credential recovery mechanisms that rely on knowledge-based answers create a parallel authentication path that is trivially guessable. The absence of rate limiting on login attempts (CWE-307) allows attackers to test large numbers of combinations without consequence.

Hard-coded credentials in source code or configuration files (CWE-798) represent a complete design failure. This weakness appears in recent CWE Top 25 rankings and has been confirmed by CISA alert in active exploitation of industrial control systems.

Session Lifecycle Management Failures

Three session lifecycle failures create direct exploitation paths:

• Not regenerating session IDs after login enables session fixation attacks
• Allowing sessions to persist without idle or absolute timeouts extends the window for session hijacking
• Embedding session tokens in URLs rather than secure cookies leaks credentials through every system that logs or caches the URL

Each of these failures independently increases risk; combined, they give attackers multiple options for maintaining unauthorized access.

Cryptographic and Transport Failures

Storing passwords in plaintext, using reversible encryption, or applying weak hashing algorithms means that any database breach exposes credentials directly. Transport failures like improper certificate validation (CWE-295) allow attackers to intercept authentication traffic. These causes often overlap with OWASP A02:2021 Cryptographic Failures, demonstrating how broken authentication intersects with other vulnerability categories.

These four categories rarely appear in isolation. A weak credential policy makes credential stuffing possible; a missing rate limit makes it practical; poor session management extends the attacker's window once they are in. Understanding which causes are present in your system determines both the severity of the risk and where remediation should start.

Impact and Risk of Broken Authentication

The consequences of broken authentication extend from individual account compromise to organization-wide breaches with regulatory, financial, and operational fallout.

Breach Prevalence

Authentication failures are among the most exploited initial access paths. The DBIR report confirms that credential abuse remains a top breach driver. Within basic web application attacks, stolen credentials are especially prominent in financial services.

Financial Consequences

The IBM report found that the global average cost of a data breach reached $4.88 million in 2024, a 10% increase from the prior year. Financial services organizations averaged $6.08 million per breach, 22% above the global figure. Beyond direct expenses, 70% of breached organizations reported significant or moderate operational disruption.

Cascading Business Effects

Broken authentication rarely stays contained. A compromised credential becomes a pivot point for lateral movement, privilege escalation, data exfiltration, and ransomware deployment. The Verizon DBIR found a correlation between ransomware victimization and the presence of victim domains in credential dumps, directly linking authentication weakness to ransomware risk.

Broken authentication is not an abstract application security concern. It is a primary mechanism through which breaches begin.

How Attackers Exploit Broken Authentication

Attackers choose their approach based on the specific authentication weakness they discover. Here are the primary exploitation techniques, mapped to the CWEs they target.

MFA Fatigue and Social Engineering

When MFA blocks a credential stuffing attempt, attackers escalate to social engineering. MFA fatigue sends repeated push notifications to the legitimate user until they approve one. The CISA advisory documented a related technique: after brute-forcing a weak password on a dormant account, the attackers enrolled a new MFA device because Duo's default configuration allowed re-enrollment for inactive accounts, gaining network access.

SAML Token Forgery

In the SolarWinds/SUNBURST campaign, attackers extracted private encryption keys from Active Directory Federation Services containers, then forged SAML assertions that appeared valid to any relying party. Per CISA advisory, this Golden SAML technique bypassed authentication entirely without possessing legitimate credentials, granting access to cloud environments across multiple U.S. federal agencies.

Session Hijacking via Token Disclosure

CVE-2023-4966, known as Citrix Bleed, allowed attackers to extract valid session tokens from remote access appliances. With a stolen session token, the attacker impersonates an already-authenticated user, bypassing both the password and MFA layers entirely. CISA confirmed active zero-day exploitation before a patch was available [cite-19].

Authentication Bypass via Alternate Path

Some vulnerabilities eliminate authentication requirements altogether. One network appliance flaw allowed unauthenticated super-admin access via a Node.js websocket and received a critical severity rating [cite-20]. Another management interface flaw enabled unauthenticated admin privilege escalation through the web management interface. The management interface issue represents CWE-306: the complete absence of authentication on a critical function, while the websocket issue maps to CWE-288: authentication bypass using an alternate path or channel.

Capture-Replay Attacks

Attackers intercept authentication tokens or credentials in transit and replay them to gain access (CWE-294). Without sender-constrained tokens as specified in RFC 9700, OAuth implementations remain vulnerable to this technique.

Each of these techniques produces different forensic signatures, which determines how you find and respond to them.

Who Is Affected by Broken Authentication?

Broken authentication affects every organization that relies on user identity for access control. However, specific sectors and system types carry elevated risk.

Web Applications and APIs

Any application that manages its own authentication is directly exposed. OWASP explicitly addresses API-specific broken authentication in the OWASP API Security project, noting that authentication endpoints require brute force protections stricter than regular API rate limiting.

Cloud and SaaS Platforms

The Snowflake/UNC5537 campaign demonstrated that cloud platforms with single-factor authentication are high-value targets, with many organizations breached because affected accounts lacked MFA. Cloud platforms that delegate authentication to identity providers inherit the IdP's weaknesses.

Financial Services

Financial institutions face disproportionate risk. The Verizon finance snapshot found that stolen credentials dominate basic web application breaches in financial services. The PayPal credential stuffing incident resulted in a regulatory settlement and mandatory MFA for U.S. customer accounts.

Critical Infrastructure and Network Appliances

VPN gateways, firewalls, and network management interfaces are prime targets. CVE-2019-11510, CVE-2024-55591, and CVE-2024-53704 all represent authentication bypass vulnerabilities in perimeter devices that CISA added to its Known Exploited Vulnerabilities catalog.

Healthcare and Government

Organizations handling sensitive personal data face both breach risk and regulatory consequences, with CISA documenting that weak authentication consistently ranks among its top findings per CISA's authentication assessment for Federal High Value Asset systems.

The following breaches show how these risks materialize across industries.

Real-World Examples of Broken Authentication

These breaches illustrate how broken authentication manifests across different industries, attack techniques, and scales of impact.

23andMe: Credential Stuffing to mass data exposure

Attackers used credential stuffing to access a small subset of 23andMe user accounts where passwords matched those from previous breaches. Through the DNA Relatives feature, that foothold expanded to a much broader set of exposed profile data. Per 23andMe SEC filings, the company incurred incident-related expenses. MFA was not mandatory at the time of the breach.

Snowflake/UNC5537: Infostealer Credentials used later

The threat actor UNC5537 used credential theft via infostealer malware to breach organizations through Snowflake cloud data warehouse accounts. Per Mandiant's investigation, none of the affected accounts had MFA enabled. Victims included Ticketmaster, Santander Bank, and Advance Auto Parts.

SolarWinds/SUNBURST: SAML token forgery

Russian state actors compromised the SolarWinds build process and used the resulting access to steal ADFS private encryption keys. Per CISA report, they forged trusted SAML authentication tokens to access cloud environments across multiple U.S. government agencies without possessing any legitimate credentials.

PayPal: Credential Stuffing with regulatory consequences

Attackers used credential stuffing to access customer accounts, exposing highly sensitive customer data. The New York DFS imposed a regulatory settlement and required mandatory MFA for U.S. customer accounts.

GoDaddy: Multi-year Credential Compromise

A compromised administrative password gave attackers access to GoDaddy's Managed WordPress environment, per GoDaddy breach reporting. The breach affected a large set of current and inactive Managed WordPress customers, with stolen WordPress admin credentials, FTP accounts, and email addresses. Attackers also installed malware and obtained source code.

Yahoo: Cookie Forgery at massive scale

The Yahoo breach ultimately affected all 3 billion user accounts, per New York Times coverage. Attackers used forged authentication cookies to access accounts without passwords. A later breach involved spear-phishing for administrative credentials, with cookie-forging linked to a state-sponsored actor.

These incidents form part of a broader historical pattern that traces back two decades.

Broken Authentication: A Timeline

The history of broken authentication tracks the evolution of web security itself, from early session management flaws to today's identity-layer attacks.

Broken authentication has grown from a web application flaw into a full-stack identity security problem spanning applications, infrastructure, and cloud environments.

How to Detect Broken Authentication

Finding broken authentication requires a layered approach that covers application design flaws, runtime credential abuse, and post-authentication behavioral anomalies.

Log and Session Analysis

The OWASP Authentication Cheat Sheet specifies that you must log and review all authentication failures, password failures, and account lockouts. Look for patterns that indicate credential stuffing: high volumes of failed logins across different accounts from the same IP range, or failed logins against a single account from diverse geographic locations.

The OWASP Session Management Cheat Sheet identifies session events that should trigger reauthentication challenges: logins from new or suspicious IP addresses, attempted password changes, and completed account recovery flows. Distinguish between permissive session management, which accepts any user-set session ID and is vulnerable, and strict session management, which only accepts server-generated IDs.

Dynamic application security testing (DAST)

The OWASP Testing Guide defines authentication-specific test procedures in the WSTG-ATHN series. These cover testing for default credentials, weak lockout mechanisms, authentication schema bypass, vulnerable password reset flows, weak security questions, and MFA implementation flaws. Tools like DAST scanners and password-testing utilities execute these tests against running applications.

Static Analysis for Hard-Coded Credentials

Static application security testing (SAST) tools scan source code before deployment to find hard-coded passwords (CWE-798), weak cryptographic implementations, and insecure session logic. This catches credential management flaws that DAST cannot reach because they exist in code paths not exposed through the application's external interface.

Identity threat identification and response (ITDR)

Attackers using valid stolen credentials evade both network and endpoint security because their traffic appears legitimate and involves no malware. ITDR systems monitor the identity layer specifically, comparing authentication events against behavioral baselines. Flagged deviations include logins from unusual geographic locations, lateral movement across unrelated datasets, and unusual privilege escalation requests. XDR architecture extends this by correlating authentication anomalies with subsequent network-layer lateral movement, revealing the full attack chain that siloed tools miss.

How to Prevent Broken Authentication

Prevention maps directly to the root causes. Each control below addresses specific broken authentication sub-types with references to governing standards.

Deploy Phishing-Resistant MFA

CISA guidance identifies FIDO2/WebAuthn and PIV/CAC smart cards as the gold standard for phishing-resistant MFA. Push-based MFA is vulnerable to fatigue attacks and real-time phishing that solicits one-time codes. NIST SP 800-63B requires approved MFA at stronger assurance levels.

Enforce Modern Credential Policies

Align with NIST 63B-4 requirements: check new passwords against known-compromised password lists, allow all character types including Unicode and whitespace, enforce minimum length, and do not require periodic rotation. The OWASP Authentication Cheat Sheet recommends including a password strength meter and rotating credentials only when a leak is confirmed.

For storage, the password storage cheat sheet recommends Argon2id as the primary hashing algorithm, with scrypt, bcrypt, and PBKDF2 as acceptable alternatives. Include proper salting, peppering, and work factor configuration with upgrade paths for legacy hashes.

Implement Rate Limiting and Account Lockout

Apply brute force protections on authentication endpoints that are stricter than standard API rate limiting. The OWASP API Security 2023 project specifies implementing account lockout, CAPTCHA, and progressive delays. The OWASP Testing Guide also describes typical lockout thresholds used in practice.

Once a user authenticates successfully, the session itself becomes the new attack surface. Securing how that session is issued, stored, and expired is a separate and equally important control.

Secure Session Management

Use server-generated session IDs with high entropy from a cryptographically secure random number generator. Regenerate session IDs after every successful login. Set idle and absolute timeouts. Never embed session tokens in URLs. The OWASP Session Management Cheat Sheet recommends using built-in session management frameworks, J2EE, ASP.NET, PHP, rather than custom implementations.

Harden Account Enumeration and Recovery

Use identical response messages for all authentication outcomes so attackers cannot distinguish between valid and invalid usernames. The forgot password cheat sheet specifies that security questions must not serve as the sole recovery mechanism and that credential recovery endpoints require the same brute force protections as login endpoints.

Eliminate Default Credentials

OWASP A07 states directly: "Do not ship or deploy with any default credentials, particularly for admin users." Include default credential checks as part of your deployment checklist.

For applications using OAuth and OIDC, strong credentials and session hygiene are not sufficient on their own. Token-level controls prevent the replay and forgery attacks that operate above the credential layer.

Enforce Token Security for OAuth/OIDC

RFC 9700 requires sender-constrained access tokens, refresh token rotation for public clients, and Mutual TLS per RFC 8705 to prevent token replay attacks.

Implementing these controls requires the right tooling across multiple security layers.

Tools for Detection and Prevention

Stopping broken authentication requires coverage across multiple tool categories because no single category addresses the full attack surface.

No single tool covers the full attack surface on its own. Effective coverage combines pre-deployment testing, runtime behavioral monitoring, and identity-layer correlation across all sources. The following describes how SentinelOne addresses that stack end to end.

How can SentinelOne help?

When attackers steal credentials, they move fast. SentinelOne helps you spot and stop identity-based attacks across your whole environment in real-time. Here’s how our solutions work together and help.

Singularity™ AI SIEM: Get Broad Visibility into Threats

Start with Singularity™ AI SIEM. It ingests authentication telemetry from endpoints, networks, cloud services, and identity providers, then correlates everything in one place. Its behavioral analytics catch impossible travel patterns (same token in New York and Tokyo minutes apart), concurrent session anomalies, and privilege escalation through token manipulation. In the 2024 MITRE ATT&CK Evaluations, the Singularity platform detected 100% of attack steps with zero delays and 88% fewer alerts than the median—so your team isn’t drowning in noise.

Singularity™  Identity: Find Weak Spots Before Your Attackers

Singularity™ Identity gives you continuous identity threat detection and response (ITDR). It scans for weak, exposed, or compromised credentials across on-premises Active Directory and cloud identity providers like Entra ID, Okta, Ping, Duo, and SecureAuth. You’ll see unusual spikes in failed logins, logins from odd locations, and Kerberosting attempts against service accounts. It also includes identity security posture management (ISPM), so you get ongoing posture assessments of your identity security—not just one-off audits.

Purple AI: Ask Natural Language Questions, Get Answers Fast

When an alert fires, Purple AI speeds up investigation. Just ask a plain-English question like “show me all systems this compromised account accessed in the past 72 hours.” You get back correlated results with MITRE ATT&CK tactic context. According to an IDC Business Value study, security teams using Purple AI identify threats 63% faster and remediate 55% faster.

Use Singularity™  Data Lake and Storyline™ 

All event data lands in the Singularity™ Data Lake, normalized into the Open Cybersecurity Schema Framework (OCSF). Queries run up to 100x faster than legacy SIEMs. Storyline technology then reconstructs the entire attack chain—tying the initial credential theft to every lateral move, privilege escalation, and data access—so you see the whole timeline without manual correlation.
Request a SentinelOne demo to see Singularity AI SIEM and Singularity Identity in action.

Related Vulnerabilities

Broken authentication intersects with and enables several other vulnerability classes:

• Broken Access Control (OWASP A01:2021): Authentication verifies who you are; access control verifies what you can do. A broken authentication flaw that grants attacker access to any valid account inherits that account's permissions, making access control irrelevant.
• Cryptographic Failures (OWASP A02:2021): Weak password hashing, plaintext credential storage, and improper certificate validation are cryptographic failures that directly enable authentication compromise.
• Security Misconfiguration (OWASP A05:2021): Default credentials, permissive MFA re-enrollment settings, and overly long session timeouts are configuration failures that create authentication weaknesses.
• Server-Side Request Forgery (SSRF): SSRF can be combined with authentication bypass to access internal services that trust requests from the compromised server.
• Injection Vulnerabilities: SQL injection against authentication queries can bypass login logic entirely by manipulating the query that validates credentials.
• Credential Theft (MITRE ATT&CK T1078 Valid Accounts): The use of valid accounts obtained through any theft mechanism maps directly to the post-exploitation phase of broken authentication.

Addressing broken authentication does not just reduce identity risk in isolation. Stronger credential policies, enforced MFA, and hardened session controls reduce the shared attack surface that broken access control, cryptographic failures, and misconfiguration all depend on.

Related CVEs

Conclusion

Broken authentication remains one of the most exploited initial access paths in enterprise breaches. If your authentication controls fail, attackers can turn weak passwords, fragile sessions, MFA bypass, or missing checks into full account compromise. 

You reduce that risk with phishing-resistant MFA, modern credential policies, secure session management, and identity-layer visibility that shows how stolen credentials are being used.