OWASP TOP 10 / A07:2021
Identification and Authentication Failures
Weaknesses in confirming user identity — weak passwords, broken session management, and missing MFA.
Previously “Broken Authentication,” this covers credential stuffing, brute force, weak or default passwords, exposed session IDs, and missing multi-factor authentication.
Authentication is the front door — once it’s bypassed, everything behind it is exposed.
How to prevent it
Enforce MFA, screen against breached passwords, use secure session management, and rate-limit authentication attempts.
Mapped weaknesses (CWE)
CWE-287 Improper Authentication
CWE-384 Session Fixation
CWE-297 Improper Validation of Certificate with Host Mismatch
CWE-522 Insufficiently Protected Credentials
CWE-620 Unverified Password Change
CWE-798 Use of Hard-coded Credentials
CWE-306 Missing Authentication for Critical Function
Part of the OWASP Top 10 reference. See also the CWE weaknesses and Web Security hub.