Weak authentication is the gateway into the system. Credential stuffing, session fixation, missing MFA — identity attacks account for the majority of security incidents.
Common Mistakes
- Allowing weak passwords
- Missing brute force protection
- Session ID in URL
- Unlimited session validity
- Missing MFA
Secure Session

```python
import os

# app is the Flask application object created elsewhere (app = Flask(__name__))
app.config.update(
    SECRET_KEY=os.environ['SECRET_KEY'],      # never hard-code the signing key
    SESSION_COOKIE_HTTPONLY=True,             # not readable from JavaScript
    SESSION_COOKIE_SECURE=True,               # only sent over HTTPS
    SESSION_COOKIE_SAMESITE='Lax',            # not sent on cross-site POSTs
    PERMANENT_SESSION_LIFETIME=1800,          # session expires after 30 minutes
)
```
Rate Limiting

```javascript
const rateLimit = require('express-rate-limit');

// At most 5 login attempts per client within a 15-minute window
const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5,
  message: { error: 'Too many attempts.' },
});

// The limiter runs before the login handler, so it also covers failed attempts
app.post('/api/login', loginLimiter, loginHandler);
```
TOTP MFA

```python
import pyotp

secret = pyotp.random_base32()          # per-user secret, stored server-side
totp = pyotp.TOTP(secret)
# otpauth:// URI to render as a QR code for the user's authenticator app
uri = totp.provisioning_uri(name="[email protected]", issuer_name="MyApp")

# code is the 6-digit value submitted by the user; valid_window=1 also accepts
# the codes of the previous and next 30-second step to absorb clock drift
totp.verify(code, valid_window=1)
```

OWASP Top 10: Identification and Authentication Failures
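Two things the snippets above leave implicit are worth seeing together: a code accepted with valid_window=1 must not be accepted a second time inside that window, and MFA checks need the same failure budget as the login route. The following is an added example, not code from the original page; it implements RFC 6238 TOTP with the standard library instead of pyotp, and the replay check (last_counter), the lockout constants and the MfaState record are assumptions of this example.

```python
import hmac, hashlib, struct, time
from dataclasses import dataclass, field
from typing import Optional

STEP = 30           # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
WINDOW = 1          # same tolerance as totp.verify(code, valid_window=1) above
MAX_FAILURES = 5    # same budget as the Express limiter above
LOCK_SECONDS = 15 * 60

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

@dataclass
class MfaState:
    """Per-user state (assumed shape): secret, highest accepted step, recent failures."""
    secret: bytes
    last_counter: int = -1                          # highest time step already used
    failures: list = field(default_factory=list)    # timestamps of failed attempts

def verify_totp(state: MfaState, code: str, now: Optional[float] = None) -> bool:
    """Accept a code once: within +/-WINDOW steps, never a counter already used,
    and refuse outright while the account is over its failure budget."""
    now = time.time() if now is None else now
    # Forget failures older than the lock window, then check the budget
    state.failures = [t for t in state.failures if now - t < LOCK_SECONDS]
    if len(state.failures) >= MAX_FAILURES:
        return False                    # locked out: do not even evaluate the code
    current = int(now // STEP)
    for counter in range(current - WINDOW, current + WINDOW + 1):
        if counter <= state.last_counter:
            continue                    # this step was already consumed: replay
        if hmac.compare_digest(hotp(state.secret, counter), code):
            state.last_counter = counter  # burn the step so the code cannot be reused
            return True
    state.failures.append(now)
    return False

if __name__ == "__main__":
    # RFC 4226 test secret; at t=59 the current step is 1, whose code is 287082
    s = MfaState(b"12345678901234567890")
    print(verify_totp(s, "287082", now=59), verify_totp(s, "287082", now=59))
```

Running the block prints `True False`: the same code is accepted once and rejected on replay, even though it is still inside the valid window.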
Key Takeaway
Strong passwords + rate limiting + MFA + secure sessions. Use proven libraries, don’t implement your own crypto.