Authentication
Authentication is the process of verifying who a user claims to be — typically through passwords, tokens, certificates, biometrics, or hardware authenticators. It is distinct from authorization, which determines what an authenticated user is allowed to do, and the two failure modes are different: a correctly authenticated user can still be a victim of broken access control, and a perfectly authorized request can still come from a forged identity.
Modern authentication relies on layered standards: OAuth 2.0 for delegated access, OpenID Connect for federated identity, SAML for enterprise SSO, JWT for stateless session tokens, and FIDO2/WebAuthn for phishing-resistant passkeys. Each of these has well-documented attack surface — OAuth redirect_uri bypasses, SAML XML signature wrapping, MFA fatigue and AiTM phishing, session fixation, and credential stuffing remain among the most common root causes in real-world breaches.
The shift toward passkeys represents the biggest practical improvement in years: public-key credentials bound to a specific origin eliminate phishing, credential stuffing, and password reuse in one stroke. But the long tail of legacy authentication — password reset flows, OAuth implementations, SAML assertion handling, and MFA bypass paths — continues to produce critical findings across bug bounty programs.
This page collects research, writeups, tools, and standards covering authentication attacks and defenses: OAuth and SAML vulnerabilities, MFA bypass techniques, passkey rollouts, session management, and the OWASP cheat sheets that codify what good authentication looks like.
From OWASP Authentication Cheat Sheet
| Date Added | Link |
|---|---|
| 2026-04-10 | Semrush OAuth redirect_uri bypass via IDN homograph — HackerOne #861940 |
| 2026-04-10 | Slack OAuth2 redirect_uri bypass — HackerOne #2575 |
| 2026-04-10 | Cisco Talos: State-of-the-art phishing — MFA bypass |
| 2026-04-10 | Bugcrowd: How attackers bypass multi-factor authentication (Part 1) |
| 2026-04-10 | webauthn.me: WebAuthn and Passkeys guide |
| 2026-04-10 | FIDO Alliance: Passkeys overview |
| 2026-04-10 | Hackmanit: XML Signature Validation Bypass in SimpleSAMLphp and xmlseclibs |
| 2026-04-10 | epi052: How to Hunt Bugs in SAML — A Methodology (Part II) |
| 2026-04-10 | IBM: What is XML Signature Wrapping? |
| 2026-04-10 | USENIX: On Breaking SAML — Be Whoever You Want to Be |
| 2026-04-10 | Astrix Security: How attackers exploit OAuth — a deep dive (Part 2) |
| 2026-04-10 | The Hacker Recipes: OAuth 2.0 |
| 2026-04-10 | Security Innovation: Pentester's Guide to Evaluating OAuth 2.0 |
| 2026-04-10 | 0xn3va: OAuth 2.0 Vulnerabilities cheat sheet |
| 2026-04-10 | Cobalt: OAuth Vulnerabilities Part 2 |
| 2026-04-10 | Vaadata: Understanding OAuth 2.0 and its common vulnerabilities |
| 2026-04-10 | Doyensec: Common OAuth Vulnerabilities |
| 2026-04-10 | OWASP WSTG: Testing for Session Fixation |
| 2026-04-10 | OWASP: Session Fixation Protection |
| 2026-04-10 | OWASP: Session fixation attack |
| 2026-04-10 | OWASP Top 10 A07: Identification and Authentication Failures |
| 2026-04-10 | OWASP Session Management Cheat Sheet |
| 2026-04-10 | OWASP Authentication Cheat Sheet |
| 2026-04-10 | The Fragile Lock: Novel Bypasses for SAML Authentication \| PortSwigger Research |
| 2026-04-10 | PortSwigger: OAuth 2.0 authentication vulnerabilities |
Frequently Asked Questions
- What is the difference between authentication and authorization?
- Authentication (authn) verifies who a user is — typically through passwords, tokens, certificates, or biometrics. Authorization (authz) determines what an authenticated user is allowed to do. The two are often conflated but rely on different mechanisms and fail in different ways. A correctly authenticated user can still be a victim of broken authorization, and vice versa.
- What are the most common authentication vulnerabilities?
- Common authentication flaws include credential stuffing, weak password policies, missing or bypassable multi-factor authentication, predictable session tokens, password reset poisoning, OAuth redirect_uri manipulation, SAML signature wrapping, and JWT algorithm confusion. Many real-world breaches start with authentication weaknesses rather than novel exploitation.
- Are passkeys actually more secure than passwords?
- Yes — passkeys use public-key cryptography bound to a specific origin, which eliminates phishing, credential stuffing, and password reuse attacks. The private key never leaves the user's device. Passkeys are based on the WebAuthn and FIDO2 standards and are now supported by major browsers, operating systems, and identity providers.