Broken authentication happens when the mechanisms that verify a user's identity — login flows, session tokens, password reset links, multi-factor prompts — can be bypassed, forged, or brute-forced. It's not one bug; it's a category covering weak credential storage, predictable session IDs, missing MFA enforcement, and tokens that don't expire or verify correctly. OWASP folded it into A07:2021 – Identification and Authentication Failures in the current Top 10, but the underlying flaws are the same ones that have shown up in breaches for two decades.
The stakes are concrete. Verizon's 2023 Data Breach Investigations Report found stolen credentials were a factor in 44.7% of basic web application attacks. In October 2023, 23andMe confirmed attackers used credential stuffing — reusing passwords leaked from unrelated breaches — against roughly 14,000 accounts, and because the platform's "DNA Relatives" feature exposed connected profiles, the blast radius reached 6.9 million users. Broken authentication doesn't need a zero-day; it just needs a gap between how you verify identity and how attackers automate guessing it.
What Is Broken Authentication?
Broken authentication is any flaw that lets an attacker assume another user's identity without knowing their real credentials. This spans credential-related weaknesses (weak password policies, no rate limiting on login attempts, credentials stored in plaintext or with reversible encryption) and session-related weaknesses (predictable session tokens, session IDs exposed in URLs, sessions that never expire after logout). OWASP's 2021 Top 10 merged "Broken Authentication" (A2 in the 2017 list) with "Sensitive Data Exposure" concepts into A07:2021 – Identification and Authentication Failures, reflecting that authentication bugs and the data protections around them are usually exploited together. A single missing check — like an API endpoint that issues a session token without validating a second factor — is enough to qualify.
How Do Attackers Actually Exploit It?
Attackers exploit broken authentication primarily through three automatable techniques: credential stuffing, brute forcing, and session hijacking. Credential stuffing tools like OpenBullet or SentryMBA replay billions of previously breached username/password pairs against login endpoints, relying on password reuse rates that industry surveys have consistently placed above 60%. Brute forcing targets endpoints with no lockout policy or CAPTCHA, often at rates of thousands of attempts per minute against unthrottled APIs. Session hijacking exploits tokens that are predictable, transmitted over HTTP instead of HTTPS, or that persist after a user logs out — the PayPal credential-stuffing incident disclosed in January 2023 affected roughly 35,000 accounts through exactly this pattern, with no evidence PayPal's own systems were breached; the credentials came from other leaks.
What Do Real-World Broken Authentication CVEs Look Like?
Real-world broken authentication CVEs typically involve an authentication check that can be skipped entirely rather than a weak password. CVE-2022-40684, disclosed by Fortinet in October 2022, allowed an attacker to send a specially crafted HTTP/HTTPS request to FortiOS, FortiProxy, and FortiSwitchManager admin interfaces and obtain full administrative access without any credentials — CISA added it to the Known Exploited Vulnerabilities catalog within days because it was already being weaponized. CVE-2020-1472 ("Zerologon") let attackers reset the Netlogon computer account password to an empty string, bypassing authentication to the Active Directory domain controller entirely and enabling full domain takeover — Microsoft patched it in August 2020, but it was still one of the most exploited vulnerabilities in ransomware intrusions through 2021 because patching lagged in production environments. Both are textbook broken authentication: not a stolen password, but a logic flaw that removes the need for one.
Why Do JWTs Show Up So Often in These Bugs?
JSON Web Tokens show up so often because a JWT's validity depends entirely on the verifying server checking the signature correctly, and that check has been implemented wrong repeatedly across libraries and frameworks. The classic case is the "alg: none" attack, where a token's header is modified to declare no signing algorithm and poorly written verification code accepts it as valid, effectively letting an attacker forge any identity. CVE-2022-23529, affecting the widely used jsonwebtoken npm package before version 9.0.0, allowed remote code execution and token forgery in configurations where an attacker could influence the secret or public key resolution — the package sees tens of millions of weekly downloads, so a single verification flaw in a dependency propagates into thousands of downstream applications' login flows. This is why broken authentication is increasingly a supply chain problem, not just an application-code problem.
How Is Broken Authentication Different From Broken Access Control?
Broken authentication and broken access control are different failure points in the same trust chain: authentication answers "who are you," while access control answers "what are you allowed to do now that I know who you are." A CVE-2023-22515-class bug — Atlassian's October 2023 Confluence flaw that let an unauthenticated attacker create a rogue administrator account — actually straddles both, since it bypasses the authentication step and hands the attacker access-control privileges in one move. In practice, teams often catch access-control gaps (like an API that fails to check object ownership) faster than authentication gaps, because access-control bugs surface in normal QA testing while authentication bugs — especially token-forgery or session-fixation bugs — usually only surface under adversarial testing or after an incident.
How Can You Detect and Prevent Broken Authentication Before It's Exploited?
You can prevent broken authentication by combining mandatory MFA, credential-stuffing-resistant rate limiting, and dependency-level scanning of the libraries that implement your login and token logic. Concretely: enforce MFA for all accounts with elevated privileges (the 23andMe breach exploited accounts where MFA was available but not required), implement progressive delays or CAPTCHA after 5-10 failed login attempts per account, rotate and invalidate session tokens on logout and privilege change, and run credential exposure checks against known breach corpora like Have I Been Pwned's Pwned Passwords API. Because so many authentication CVEs — the JWT library flaw, the Fortinet bypass — live in third-party code rather than code your team wrote, static code review alone won't catch them; you need visibility into which authentication-handling dependencies are in your build and whether the vulnerable code path is actually reachable from your application.
How Safeguard Helps
Safeguard identifies broken authentication risk at the point where it actually matters: whether a vulnerable authentication library in your dependency tree is reachable from code your application executes, not just present in a manifest. Our reachability analysis traces call paths into libraries like jsonwebtoken, passport, and OAuth clients to confirm exploitability before it generates a ticket, cutting the noise that makes teams ignore CVE alerts on their auth stack. Griffin AI correlates those findings against known exploitation patterns — including CISA KEV entries like CVE-2022-40684 — to prioritize what a human should look at first. Safeguard generates and ingests SBOMs so you have an accurate, continuously updated inventory of every authentication-related component across your services, and for confirmed, reachable issues, it opens auto-fix pull requests that bump the vulnerable dependency to a patched version without waiting for a sprint planning cycle.