What Is Broken Authentication?
Broken authentication is a vulnerability class that lets attackers compromise user identities by exploiting weaknesses in how applications verify who you are and maintain that verified state. When login mechanisms, session management, or credential recovery processes contain flaws, attackers can impersonate legitimate users, escalate privileges, and access systems without authorization.
This vulnerability has appeared in every OWASP list since the project's early editions. OWASP has renamed and refined the category over time, reflecting broader coverage of authentication-related weaknesses rather than any loss of importance.
The scope of broken authentication extends well beyond simple password guessing. It encompasses credential stuffing, session fixation, MFA bypass, token forgery, hard-coded credentials, and missing authentication on critical functions. The root CWE for the entire category is CWE-287, with a broad set of related CWEs mapped into the category in newer OWASP classifications.
According to the DBIR report, credential abuse remains a leading initial access method in breaches. If you understand how broken authentication works, you can stop it more effectively.
.jpg)
How Does Broken Authentication Work?
Broken authentication exploits flaws across two distinct failure domains: authentication, which covers how applications verify who you are, and session management, which covers how they maintain that verified identity for the duration of your visit. Each domain presents different attack surfaces, but both lead to the same outcome: unauthorized access.
Authentication Failures
When an application fails to properly verify user identity, attackers gain entry through the front door. A credential stuffing attack submits stolen username and password pairs against your login endpoint. If your application lacks rate limiting or account lockout, the attacker can test credentials at scale until valid pairs are found.
The attack flow is straightforward. The attacker obtains credential dumps from previous breaches. They feed those pairs into automated tools targeting your login page. The application accepts each attempt without throttling, lockout, or CAPTCHA. When a valid pair matches, the attacker gains full account access.
Brute force follows a similar pattern but generates password combinations rather than replaying known credentials. Password spraying takes the inverse approach: testing a common password against many accounts at the same time to avoid per-account lockout thresholds.
Session Management Failures
Even after you authenticate correctly, flaws in session handling can hand that authenticated state to an attacker. In a session fixation attack (CWE-384), the attacker sets a known session ID before you log in. If your application does not regenerate the session ID after successful authentication, the attacker uses the pre-set ID to access your authenticated session.
Session token exposure creates another path. When session IDs appear in URLs, they get logged in server access logs, browser history, and HTTP referrer headers. An attacker who obtains the URL obtains the session. Insufficient session expiration (CWE-613) compounds the problem: if you close a browser tab without logging out, someone using the same browser later may find your session still active.
MFA Bypass
Multi-factor authentication adds a second verification layer, but attackers have developed reliable bypass techniques. MFA fatigue, sometimes called prompt bombing, floods a user's device with push notifications until they approve one to stop the interruptions. The Uber breach is often cited as an example of how stolen credentials, repeated MFA prompts, and social engineering can be chained together to gain access to internal systems.
These mechanisms work because broken authentication is rarely a single flaw. It is a chain of weaknesses, from weak credentials to missing rate limits to poor session handling, that attackers exploit in sequence.
Types of Broken Authentication
Broken authentication is not a single vulnerability but a category that spans six distinct failure types. Each targets a different layer of the authentication stack and requires different controls to stop.
| Type | What fails | Common attack methods | Core CWEs |
| Credential-based attacks | Password policy, rate limiting | Credential stuffing, brute force, password spraying | CWE-307, CWE-521 |
| Session management flaws | Session ID lifecycle and storage | Session fixation, session hijacking, cookie theft | CWE-384, CWE-613 |
| MFA bypass | Second-factor implementation | MFA fatigue, TOTP relay, SIM swapping | CWE-308 |
| Token forgery | Cryptographic key protection | SAML assertion forgery, JWT manipulation, OAuth token theft | CWE-347, CWE-345 |
| Hard-coded credentials | Credential management in code | Static credential extraction from source or config files | CWE-798 |
| Missing authentication | Authentication enforcement on critical functions | Direct object access, API endpoint bypass, alternate path access | CWE-306, CWE-288 |
Understanding which type is present in a given application determines which controls apply and which forensic evidence to look for. Credential stuffing calls for rate limiting and MFA; missing authentication on an admin API requires a fundamentally different response.
Causes of Broken Authentication
Broken authentication does not arise from a single design mistake. It emerges from compounding weaknesses across four categories that OWASP guidance identifies as interconnected with other Top 10 risks including broken access controls, cryptographic failures, and outdated libraries.
Credential Policy Failures
Permitting weak, default, or well-known passwords remains the most fundamental cause. When your application accepts common default passwords without enforcement, you hand attackers an easy entry point (CWE-521). NIST 63B-4 requires verifiers to check new passwords against lists of known-compromised passwords, yet many applications still skip this step.
Password reuse amplifies the problem. The DBIR report highlights that password reuse across services remains common, which makes stolen credentials far more useful to attackers.
Authentication Flow Design Failures
Missing MFA (CWE-308) leaves accounts protected by a single factor that can be stolen, guessed, or phished. Weak credential recovery mechanisms that rely on knowledge-based answers create a parallel authentication path that is trivially guessable. The absence of rate limiting on login attempts (CWE-307) allows attackers to test large numbers of combinations without consequence.
Hard-coded credentials in source code or configuration files (CWE-798) represent a complete design failure. This weakness appears in recent CWE Top 25 rankings and has been confirmed by CISA alert in active exploitation of industrial control systems.
Session Lifecycle Management Failures
Three session lifecycle failures create direct exploitation paths:
- Not regenerating session IDs after login enables session fixation attacks
- Allowing sessions to persist without idle or absolute timeouts extends the window for session hijacking
- Embedding session tokens in URLs rather than secure cookies leaks credentials through every system that logs or caches the URL
Each of these failures independently increases risk; combined, they give attackers multiple options for maintaining unauthorized access.
Cryptographic and Transport Failures
Storing passwords in plaintext, using reversible encryption, or applying weak hashing algorithms means that any database breach exposes credentials directly. Transport failures like improper certificate validation (CWE-295) allow attackers to intercept authentication traffic. These causes often overlap with OWASP A02:2021 Cryptographic Failures, demonstrating how broken authentication intersects with other vulnerability categories.
These four categories rarely appear in isolation. A weak credential policy makes credential stuffing possible; a missing rate limit makes it practical; poor session management extends the attacker's window once they are in. Understanding which causes are present in your system determines both the severity of the risk and where remediation should start.
Impact and Risk of Broken Authentication
The consequences of broken authentication extend from individual account compromise to organization-wide breaches with regulatory, financial, and operational fallout.
Breach Prevalence
Authentication failures are among the most exploited initial access paths. The DBIR report confirms that credential abuse remains a top breach driver. Within basic web application attacks, stolen credentials are especially prominent in financial services.
Financial Consequences
The IBM report found that the global average cost of a data breach reached $4.88 million in 2024, a 10% increase from the prior year. Financial services organizations averaged $6.08 million per breach, 22% above the global figure. Beyond direct expenses, 70% of breached organizations reported significant or moderate operational disruption.
Cascading Business Effects
Broken authentication rarely stays contained. A compromised credential becomes a pivot point for lateral movement, privilege escalation, data exfiltration, and ransomware deployment. The Verizon DBIR found a correlation between ransomware victimization and the presence of victim domains in credential dumps, directly linking authentication weakness to ransomware risk.
Broken authentication is not an abstract application security concern. It is a primary mechanism through which breaches begin.
How Attackers Exploit Broken Authentication
Attackers choose their approach based on the specific authentication weakness they discover. Here are the primary exploitation techniques, mapped to the CWEs they target.
MFA Fatigue and Social Engineering
When MFA blocks a credential stuffing attempt, attackers escalate to social engineering. MFA fatigue sends repeated push notifications to the legitimate user until they approve one. The CISA advisory documented a related technique: after brute-forcing a weak password on a dormant account, the attackers enrolled a new MFA device because Duo's default configuration allowed re-enrollment for inactive accounts, gaining network access.
SAML Token Forgery
In the SolarWinds/SUNBURST campaign, attackers extracted private encryption keys from Active Directory Federation Services containers, then forged SAML assertions that appeared valid to any relying party. Per CISA advisory, this Golden SAML technique bypassed authentication entirely without possessing legitimate credentials, granting access to cloud environments across multiple U.S. federal agencies.
Session Hijacking via Token Disclosure
CVE-2023-4966, known as Citrix Bleed, allowed attackers to extract valid session tokens from remote access appliances. With a stolen session token, the attacker impersonates an already-authenticated user, bypassing both the password and MFA layers entirely. CISA confirmed active zero-day exploitation before a patch was available [cite-19].
Authentication Bypass via Alternate Path
Some vulnerabilities eliminate authentication requirements altogether. One network appliance flaw allowed unauthenticated super-admin access via a Node.js websocket and received a critical severity rating [cite-20]. Another management interface flaw enabled unauthenticated admin privilege escalation through the web management interface. The management interface issue represents CWE-306: the complete absence of authentication on a critical function, while the websocket issue maps to CWE-288: authentication bypass using an alternate path or channel.
Capture-Replay Attacks
Attackers intercept authentication tokens or credentials in transit and replay them to gain access (CWE-294). Without sender-constrained tokens as specified in RFC 9700, OAuth implementations remain vulnerable to this technique.
Each of these techniques produces different forensic signatures, which determines how you find and respond to them.
Who Is Affected by Broken Authentication?
Broken authentication affects every organization that relies on user identity for access control. However, specific sectors and system types carry elevated risk.
Web Applications and APIs
Any application that manages its own authentication is directly exposed. OWASP explicitly addresses API-specific broken authentication in the OWASP API Security project, noting that authentication endpoints require brute force protections stricter than regular API rate limiting.
Cloud and SaaS Platforms
The Snowflake/UNC5537 campaign demonstrated that cloud platforms with single-factor authentication are high-value targets, with many organizations breached because affected accounts lacked MFA. Cloud platforms that delegate authentication to identity providers inherit the IdP's weaknesses.
Financial Services
Financial institutions face disproportionate risk. The Verizon finance snapshot found that stolen credentials dominate basic web application breaches in financial services. The PayPal credential stuffing incident resulted in a regulatory settlement and mandatory MFA for U.S. customer accounts.
Critical Infrastructure and Network Appliances
VPN gateways, firewalls, and network management interfaces are prime targets. CVE-2019-11510, CVE-2024-55591, and CVE-2024-53704 all represent authentication bypass vulnerabilities in perimeter devices that CISA added to its Known Exploited Vulnerabilities catalog.
Healthcare and Government
Organizations handling sensitive personal data face both breach risk and regulatory consequences, with CISA documenting that weak authentication consistently ranks among its top findings per CISA's authentication assessment for Federal High Value Asset systems.
The following breaches show how these risks materialize across industries.
Real-World Examples of Broken Authentication
These breaches illustrate how broken authentication manifests across different industries, attack techniques, and scales of impact.
23andMe: Credential Stuffing to mass data exposure
Attackers used credential stuffing to access a small subset of 23andMe user accounts where passwords matched those from previous breaches. Through the DNA Relatives feature, that foothold expanded to a much broader set of exposed profile data. Per 23andMe SEC filings, the company incurred incident-related expenses. MFA was not mandatory at the time of the breach.
Snowflake/UNC5537: Infostealer Credentials used later
The threat actor UNC5537 used credential theft via infostealer malware to breach organizations through Snowflake cloud data warehouse accounts. Per Mandiant's investigation, none of the affected accounts had MFA enabled. Victims included Ticketmaster, Santander Bank, and Advance Auto Parts.
SolarWinds/SUNBURST: SAML token forgery
Russian state actors compromised the SolarWinds build process and used the resulting access to steal ADFS private encryption keys. Per CISA report, they forged trusted SAML authentication tokens to access cloud environments across multiple U.S. government agencies without possessing any legitimate credentials.
PayPal: Credential Stuffing with regulatory consequences
Attackers used credential stuffing to access customer accounts, exposing highly sensitive customer data. The New York DFS imposed a regulatory settlement and required mandatory MFA for U.S. customer accounts.
GoDaddy: Multi-year Credential Compromise
A compromised administrative password gave attackers access to GoDaddy's Managed WordPress environment, per GoDaddy breach reporting. The breach affected a large set of current and inactive Managed WordPress customers, with stolen WordPress admin credentials, FTP accounts, and email addresses. Attackers also installed malware and obtained source code.
Yahoo: Cookie Forgery at massive scale
The Yahoo breach ultimately affected all 3 billion user accounts, per New York Times coverage. Attackers used forged authentication cookies to access accounts without passwords. A later breach involved spear-phishing for administrative credentials, with cookie-forging linked to a state-sponsored actor.
These incidents form part of a broader historical pattern that traces back two decades.
Broken Authentication: A Timeline
The history of broken authentication tracks the evolution of web security itself, from early session management flaws to today's identity-layer attacks.
| Year | Milestone |
| 2004 | First OWASP Top 10 published; "Broken Authentication and Session Management" named at A3. |
| 2012 | LinkedIn breach exposes a massive credential set via unsalted SHA-1 hashing. |
| 2013 | Yahoo breach affects all user accounts; malicious code bypasses account controls. OWASP ranks broken authentication at A2. |
| 2017 | OWASP Top 10 keeps broken authentication at A2 and highlights the availability of huge credential collections for stuffing. |
| 2019 | CVE-2019-11510, Pulse Connect Secure, is added to CISA KEV. |
| 2020 | SolarWinds/SUNBURST: SAML token forgery compromises U.S. federal agencies. |
| 2021 | CISA documents Russian state actors bypassing Duo MFA via dormant account re-enrollment. OWASP reclassifies the category as A07. |
| 2022 | Uber breached via MFA fatigue. PayPal credential stuffing leads to a regulatory settlement. |
| 2023 | 23andMe credential stuffing exposes millions of profiles. Citrix Bleed enables session hijacking. |
| 2024 | Snowflake/UNC5537 campaign breaches many organizations lacking MFA. |
| 2025 | OWASP Top 10:2025 expands the category further. CVE-2024-55591 receives critical attention, and Verizon DBIR confirms credential abuse as a leading initial access path. |
Broken authentication has grown from a web application flaw into a full-stack identity security problem spanning applications, infrastructure, and cloud environments.
How to Detect Broken Authentication
Finding broken authentication requires a layered approach that covers application design flaws, runtime credential abuse, and post-authentication behavioral anomalies.
Log and Session Analysis
The OWASP Authentication Cheat Sheet specifies that you must log and review all authentication failures, password failures, and account lockouts. Look for patterns that indicate credential stuffing: high volumes of failed logins across different accounts from the same IP range, or failed logins against a single account from diverse geographic locations.
The OWASP Session Management Cheat Sheet identifies session events that should trigger reauthentication challenges: logins from new or suspicious IP addresses, attempted password changes, and completed account recovery flows. Distinguish between permissive session management, which accepts any user-set session ID and is vulnerable, and strict session management, which only accepts server-generated IDs.
Dynamic application security testing (DAST)
The OWASP Testing Guide defines authentication-specific test procedures in the WSTG-ATHN series. These cover testing for default credentials, weak lockout mechanisms, authentication schema bypass, vulnerable password reset flows, weak security questions, and MFA implementation flaws. Tools like DAST scanners and password-testing utilities execute these tests against running applications.
Static Analysis for Hard-Coded Credentials
Static application security testing (SAST) tools scan source code before deployment to find hard-coded passwords (CWE-798), weak cryptographic implementations, and insecure session logic. This catches credential management flaws that DAST cannot reach because they exist in code paths not exposed through the application's external interface.
Identity threat identification and response (ITDR)
Attackers using valid stolen credentials evade both network and endpoint security because their traffic appears legitimate and involves no malware. ITDR systems monitor the identity layer specifically, comparing authentication events against behavioral baselines. Flagged deviations include logins from unusual geographic locations, lateral movement across unrelated datasets, and unusual privilege escalation requests. XDR architecture extends this by correlating authentication anomalies with subsequent network-layer lateral movement, revealing the full attack chain that siloed tools miss.
How to Prevent Broken Authentication
Prevention maps directly to the root causes. Each control below addresses specific broken authentication sub-types with references to governing standards.
Deploy Phishing-Resistant MFA
CISA guidance identifies FIDO2/WebAuthn and PIV/CAC smart cards as the gold standard for phishing-resistant MFA. Push-based MFA is vulnerable to fatigue attacks and real-time phishing that solicits one-time codes. NIST SP 800-63B requires approved MFA at stronger assurance levels.
Enforce Modern Credential Policies
Align with NIST 63B-4 requirements: check new passwords against known-compromised password lists, allow all character types including Unicode and whitespace, enforce minimum length, and do not require periodic rotation. The OWASP Authentication Cheat Sheet recommends including a password strength meter and rotating credentials only when a leak is confirmed.
For storage, the password storage cheat sheet recommends Argon2id as the primary hashing algorithm, with scrypt, bcrypt, and PBKDF2 as acceptable alternatives. Include proper salting, peppering, and work factor configuration with upgrade paths for legacy hashes.
Implement Rate Limiting and Account Lockout
Apply brute force protections on authentication endpoints that are stricter than standard API rate limiting. The OWASP API Security 2023 project specifies implementing account lockout, CAPTCHA, and progressive delays. The OWASP Testing Guide also describes typical lockout thresholds used in practice.
Once a user authenticates successfully, the session itself becomes the new attack surface. Securing how that session is issued, stored, and expired is a separate and equally important control.
Secure Session Management
Use server-generated session IDs with high entropy from a cryptographically secure random number generator. Regenerate session IDs after every successful login. Set idle and absolute timeouts. Never embed session tokens in URLs. The OWASP Session Management Cheat Sheet recommends using built-in session management frameworks, J2EE, ASP.NET, PHP, rather than custom implementations.
Harden Account Enumeration and Recovery
Use identical response messages for all authentication outcomes so attackers cannot distinguish between valid and invalid usernames. The forgot password cheat sheet specifies that security questions must not serve as the sole recovery mechanism and that credential recovery endpoints require the same brute force protections as login endpoints.
Eliminate Default Credentials
OWASP A07 states directly: "Do not ship or deploy with any default credentials, particularly for admin users." Include default credential checks as part of your deployment checklist.
For applications using OAuth and OIDC, strong credentials and session hygiene are not sufficient on their own. Token-level controls prevent the replay and forgery attacks that operate above the credential layer.
Enforce Token Security for OAuth/OIDC
RFC 9700 requires sender-constrained access tokens, refresh token rotation for public clients, and Mutual TLS per RFC 8705 to prevent token replay attacks.
Implementing these controls requires the right tooling across multiple security layers.
Tools for Detection and Prevention
Stopping broken authentication requires coverage across multiple tool categories because no single category addresses the full attack surface.
| Tool Category | Primary Function | Authentication Attacks Addressed |
| DAST tools | Runtime authentication flow testing | Bypass, weak lockout, session token exposure, default credentials |
| SAST tools | Source code analysis pre-deployment | Hard-coded credentials, weak crypto, insecure session logic |
| ITDR | Identity layer behavioral monitoring | Credential stuffing, post-compromise lateral movement, privilege escalation |
| XDR with identity correlation | Cross-layer telemetry, endpoint, network, cloud, identity | Post-authentication lateral movement, impossible travel, full attack chain reconstruction |
| Behavioral AI / UEBA | Statistical anomaly on authentication event streams | Credential abuse, anomalous service account activity |
No single tool covers the full attack surface on its own. Effective coverage combines pre-deployment testing, runtime behavioral monitoring, and identity-layer correlation across all sources. The following describes how SentinelOne addresses that stack end to end.
How can SentinelOne help?
When attackers steal credentials, they move fast. SentinelOne helps you spot and stop identity-based attacks across your whole environment in real-time. Here’s how our solutions work together and help.
Singularity™ AI SIEM: Get Broad Visibility into Threats
Start with Singularity™ AI SIEM. It ingests authentication telemetry from endpoints, networks, cloud services, and identity providers, then correlates everything in one place. Its behavioral analytics catch impossible travel patterns (same token in New York and Tokyo minutes apart), concurrent session anomalies, and privilege escalation through token manipulation. In the 2024 MITRE ATT&CK Evaluations, the Singularity platform detected 100% of attack steps with zero delays and 88% fewer alerts than the median—so your team isn’t drowning in noise.
Singularity™ Identity: Find Weak Spots Before Your Attackers
Singularity™ Identity gives you continuous identity threat detection and response (ITDR). It scans for weak, exposed, or compromised credentials across on-premises Active Directory and cloud identity providers like Entra ID, Okta, Ping, Duo, and SecureAuth. You’ll see unusual spikes in failed logins, logins from odd locations, and Kerberosting attempts against service accounts. It also includes identity security posture management (ISPM), so you get ongoing posture assessments of your identity security—not just one-off audits.
Purple AI: Ask Natural Language Questions, Get Answers Fast
When an alert fires, Purple AI speeds up investigation. Just ask a plain-English question like “show me all systems this compromised account accessed in the past 72 hours.” You get back correlated results with MITRE ATT&CK tactic context. According to an IDC Business Value study, security teams using Purple AI identify threats 63% faster and remediate 55% faster.
Use Singularity™ Data Lake and Storyline™
All event data lands in the Singularity™ Data Lake, normalized into the Open Cybersecurity Schema Framework (OCSF). Queries run up to 100x faster than legacy SIEMs. Storyline technology then reconstructs the entire attack chain—tying the initial credential theft to every lateral move, privilege escalation, and data access—so you see the whole timeline without manual correlation.
Request a SentinelOne demo to see Singularity AI SIEM and Singularity Identity in action.
Reduce Identity Risk Across Your Organization
Detect and respond to attacks in real-time with holistic solutions for Active Directory and Entra ID.
Get a DemoRelated Vulnerabilities
Broken authentication intersects with and enables several other vulnerability classes:
- Broken Access Control (OWASP A01:2021): Authentication verifies who you are; access control verifies what you can do. A broken authentication flaw that grants attacker access to any valid account inherits that account's permissions, making access control irrelevant.
- Cryptographic Failures (OWASP A02:2021): Weak password hashing, plaintext credential storage, and improper certificate validation are cryptographic failures that directly enable authentication compromise.
- Security Misconfiguration (OWASP A05:2021): Default credentials, permissive MFA re-enrollment settings, and overly long session timeouts are configuration failures that create authentication weaknesses.
- Server-Side Request Forgery (SSRF): SSRF can be combined with authentication bypass to access internal services that trust requests from the compromised server.
- Injection Vulnerabilities: SQL injection against authentication queries can bypass login logic entirely by manipulating the query that validates credentials.
- Credential Theft (MITRE ATT&CK T1078 Valid Accounts): The use of valid accounts obtained through any theft mechanism maps directly to the post-exploitation phase of broken authentication.
Addressing broken authentication does not just reduce identity risk in isolation. Stronger credential policies, enforced MFA, and hardened session controls reduce the shared attack surface that broken access control, cryptographic failures, and misconfiguration all depend on.
Related CVEs
| CVE ID | Description | Severity | Affected Product | Year |
| API authentication bypass in mobile device management platform allows unauthenticated access to restricted functionality | HIGH | Ivanti Endpoint Manager Mobile | 2025 | |
| Missing authentication on code execution endpoint allows unauthenticated remote code injection | CRITICAL | Langflow AI workflow platform | 2025 | |
| Missing authentication on management web interface allows unauthenticated administrative access | HIGH | Palo Alto PAN-OS | 2025 | |
| Improper authentication in SSLVPN component allows attackers to hijack active VPN sessions | HIGH | SonicWall SonicOS | 2024 | |
| Admin console authentication bypass allows unauthenticated remote attackers to gain full administrative access | CRITICAL | Ivanti Cloud Services Appliance | 2024 | |
| Authentication bypass via alternate path enables complete unauthenticated takeover of remote support platform | CRITICAL | ConnectWise ScreenConnect | 2024 | |
| Session token disclosure from memory allows attackers to hijack authenticated sessions and bypass MFA (Citrix Bleed) | CRITICAL | Citrix NetScaler ADC and Gateway | 2023 | |
| Authentication bypass on critical API endpoints leads to unauthenticated remote code execution on CI/CD server | CRITICAL | JetBrains TeamCity | 2023 | |
| API authentication bypass allows unauthenticated access to restricted endpoints and sensitive data | CRITICAL | Ivanti Endpoint Manager Mobile | 2023 | |
| SAML authentication bypass via outdated Apache xmlsec library allows unauthenticated remote code execution | CRITICAL | Zoho ManageEngine (20+ products) | 2022 | |
| Authentication bypass via alternate path or channel allows unauthenticated attackers to perform privileged operations | CRITICAL | Fortinet FortiOS / FortiProxy / FortiSwitchManager | 2022 | |
| Missing authentication on iControl REST API allows unauthenticated attackers to execute arbitrary system commands | CRITICAL | F5 BIG-IP | 2022 | |
| Missing authentication on OpenSSO Agent component enables unauthenticated complete system takeover via HTTP | CRITICAL | Oracle Access Manager (Fusion Middleware) | 2021 | |
| SSRF vulnerability enables pre-authentication bypass and unauthenticated remote code execution (ProxyLogon) | CRITICAL | Microsoft Exchange Server | 2021 | |
| Authentication bypass via Windows File Share Browser and Collaboration features enables unauthenticated RCE | CRITICAL | Ivanti Connect Secure (Pulse Connect Secure) | 2021 | |
| Undisclosed hardcoded account with unchangeable password grants unauthenticated full admin access via SSH and web UI | CRITICAL | Zyxel USG / ATP / VPN firmware | 2020 | |
| Missing authentication on Experimental API allows unauthenticated remote access and arbitrary code execution | CRITICAL | Apache Airflow | 2020 | |
| Improper username case handling allows attackers to bypass two-factor authentication on SSL VPN without FortiToken | CRITICAL | Fortinet FortiOS SSL VPN | 2020 | |
| Authentication bypass on wsdReadForm endpoint allows retrieval and decryption of all user credentials via hardcoded XOR key | MEDIUM | eWON Firmware 12.2–13.0 | 2019 | |
| SQL injection in login endpoint bypasses authentication entirely, granting unauthenticated dashboard access | CRITICAL | E Learning Script 1.0 | 2019 | |
| SQL injection via POST parameter enables authentication bypass and unauthorized database access | HIGH | Simplejobscript | 2019 |
Conclusion
Broken authentication remains one of the most exploited initial access paths in enterprise breaches. If your authentication controls fail, attackers can turn weak passwords, fragile sessions, MFA bypass, or missing checks into full account compromise.
You reduce that risk with phishing-resistant MFA, modern credential policies, secure session management, and identity-layer visibility that shows how stolen credentials are being used.
FAQs
Broken authentication is an identity trust failure. It happens when an application cannot reliably verify who a user is or cannot safely maintain that identity after login.
In practice, that includes weak credential checks, fragile recovery flows, and session handling flaws that let attackers act as legitimate users.
Yes. OWASP has included this category since the Top 10 began in 2004. The naming changes matter: the shift from "Broken Authentication" to "Identification and Authentication Failures" and then "Authentication Failures" shows that the risk now spans passwords, MFA, session state, federation, and alternate access paths.
Usually yes. The trust boundary often sits on an internet-facing login, API, VPN gateway, SaaS account, or management interface.
Attackers may reuse valid credentials, abuse exposed authentication paths, or hijack sessions, which can make the activity look like normal access rather than a traditional exploit.
The highest-risk systems are those that make identity decisions for other systems: web apps, APIs, cloud consoles, SSO-connected services, and perimeter appliances.
A simple rule applies: the more broadly an account can pivot after login, the more damaging an authentication failure becomes.
They usually combine testing with reuse. Testing reveals weak lockout, recovery, MFA, or session behavior. Reuse applies stolen credentials, tokens, or known CVEs that already work.
That makes discovery relatively inexpensive because attackers often do not need a novel exploit to get in.
Early signs are usually patterns, not single alerts. Common indicators include distributed login failures, impossible travel, unusual recovery activity, repeated MFA prompts, and new session behavior after a successful login.
The key signal is a sequence that crosses authentication, session, and privilege events.
It is severe because it breaks the control that gates every other control. When authentication fails, an attacker may inherit normal user access, privileged access, or federated trust into downstream systems.
That larger blast radius is why credential abuse and authentication bypass flaws are tied to high-impact breaches.
Yes. Authentication failure is often the entry point, not the end state. Once inside, attackers can move laterally, escalate privileges, access cloud resources, or persist through trusted identity channels.
A single compromised account can quickly become an organization-wide access problem.
Only partly. Automated testing is useful for finding weak lockout, recovery flaws, missing controls, and hard-coded credentials. It is less effective when attackers use valid credentials or stolen tokens, because those actions can appear legitimate.
That is why identity monitoring and cross-layer correlation matter.
The most exposed industries are those where authenticated access leads directly to regulated data, money movement, administrative control, or critical operations. Financial services, government, healthcare, cloud-heavy businesses, and infrastructure operators all fit that pattern.
The shared risk factor is the value and reach of what a trusted account can unlock.
