Authentication and Session Management

Authentication verifies the identity of a user, while session management maintains that verified identity across multiple requests. Weaknesses in either area can allow attackers to impersonate legitimate users, access unauthorised data, or take over accounts entirely.

---

Authentication Fundamentals

Authentication answers the question: "Who are you?"

There are three factors of authentication:

Factor	Type	Examples
Something you know	Knowledge	Password, PIN, security question
Something you have	Possession	Mobile phone (SMS/TOTP), hardware token, smart card
Something you are	Inherence	Fingerprint, face recognition, iris scan

Multi-factor authentication (MFA) requires two or more factors from different categories. Using a password and a security question is not MFA because both are knowledge factors.

---

Password Security

Common Password Vulnerabilities

Vulnerability	Description
Weak passwords	Short, common, or easily guessable passwords
Credential stuffing	Attackers use breached username/password pairs from other sites
Brute force	Systematic guessing of passwords
Password spraying	Trying common passwords across many accounts
Phishing	Tricking users into entering credentials on a fake site

Password Storage

Never store passwords in plaintext. Always hash them with a purpose-built password hashing algorithm:

Algorithm	Recommended	Notes
Argon2id	Yes (preferred)	Winner of the Password Hashing Competition; resistant to GPU and side-channel attacks
bcrypt	Yes	Widely supported; use a work factor of 10+
scrypt	Yes	Memory-hard; good alternative to Argon2
PBKDF2	Acceptable	Use with HMAC-SHA-256 and at least 600,000 iterations
SHA-256 / MD5	No	Too fast — vulnerable to brute force; never use for passwords

// Example: hashing a password with bcrypt in Node.js
import bcrypt from 'bcrypt';

const saltRounds = 12;
const hashedPassword = await bcrypt.hash(plainPassword, saltRounds);

// Verifying a password
const isValid = await bcrypt.compare(inputPassword, storedHash);

Password Policies

Policy	Recommended Setting
Minimum length	8 characters (12+ preferred)
Maximum length	At least 64 characters (do not limit unnecessarily)
Complexity rules	Do not require special characters — encourage passphrases instead
Breach check	Check against known breached passwords (Have I Been Pwned API)
Rate limiting	Lock account or increase delays after repeated failures

---

Multi-Factor Authentication (MFA)

MFA significantly reduces the risk of account compromise:

Method	Security Level	User Experience
SMS codes	Low (vulnerable to SIM swapping)	Familiar but insecure
TOTP apps (Google Authenticator, Authy)	Medium	Good balance of security and usability
Push notifications	Medium	Convenient but susceptible to prompt bombing
Hardware tokens (YubiKey, FIDO2)	High	Most secure; requires physical device
Passkeys (WebAuthn/FIDO2)	High	Phishing-resistant; becoming the standard

Best practice: Support TOTP at minimum and encourage hardware tokens or passkeys for high-value accounts.

---

Session Management

After authentication, the server creates a session to track the user's identity across requests. Session management vulnerabilities are a primary target for attackers.

Session Tokens

A session token is a unique identifier assigned to an authenticated user:

Set-Cookie: sessionId=a3f8b2c1d4e5f6a7b8c9d0e1f2a3b4c5; HttpOnly; Secure; SameSite=Strict; Path=/

Session Token Requirements

Requirement	Rationale
Sufficient length	At least 128 bits of entropy to prevent brute force
Cryptographically random	Use a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator)
Unpredictable	No sequential or time-based patterns
Transmitted securely	Only over HTTPS (Secure flag)
Not accessible to JavaScript	HttpOnly flag prevents XSS-based theft
Scoped	SameSite and Path attributes limit where the cookie is sent

Session Attacks