By NHI Mgmt Group Editorial TeamPublished 2026-04-21Domain: Best PracticesSource: WorkOS

TL;DR: Authentication failures usually come from custom protocols, weak password handling, and recoveries that reopen account takeover paths, while stolen credentials still appear in roughly 80% of web application attacks and breaches average just under $5 million, according to Verizon and IBM. The practical case is clear: modern auth needs mature protocols, phishing-resistant factors, short-lived tokens, and strict reset controls before audit or incident pressure makes the gap visible.

At a glance

What this is: This is an opinionated checklist for secure user authentication, with the central finding that most real-world auth failures come from avoidable implementation choices rather than cryptographic weakness.

Why it matters: It matters because IAM teams have to align human authentication, session controls, and recovery flows with the same governance discipline used for NHI and autonomous access paths.

By the numbers:

👉 Read WorkOS's checklist for secure user authentication decisions

Context

Secure user authentication is the control plane for deciding who can prove they are entitled to access, and the article argues that most teams still fail in the ordinary places: protocol choice, password handling, MFA design, and recovery flows. For IAM programmes, the gap is rarely a lack of available standards. It is the tendency to ship fragile defaults and treat them as finished.

For human identity programmes, those weak defaults become governance debt. The same organisation that would not tolerate a standing service-account secret or an unreviewed privileged token often leaves users exposed to reset abuse, session theft, and weak factor chaining. That makes authentication a lifecycle issue as much as a login issue, which is why the NHI Lifecycle Management Guide is useful even when the subject is human access.

Key questions

Q: How should security teams harden user authentication without building custom auth code?

A: Use mature protocols and libraries instead of custom token formats, parsers, or session logic. For browser and mobile clients, prefer OAuth 2.1 with PKCE plus OpenID Connect for identity, use SAML only where enterprise interoperability requires it, and rely on vetted libraries for signature verification, issuer checks, audience checks, and key rotation.

Q: What breaks when password reset flows are too permissive?

A: A weak reset flow can bypass passwords, MFA, and device checks entirely, turning account recovery into permanent takeover. If reset tokens are reusable, long-lived, or stored in plaintext, a single compromise can hijack the account. Strong reset design uses single-use tokens, short lifetimes, hashed storage, and session invalidation after success.

Q: How do organisations know whether their MFA strategy is actually reducing risk?

A: Look beyond factor count and measure phishing resistance, step-up coverage, and recovery abuse. Passkeys and hardware keys are stronger than SMS or basic push because they bind authentication to origin, while number matching and adaptive challenges reduce fatigue attacks. If recovery paths remain weak, MFA may still be bypassed.

Q: Should teams prioritise session rotation or password policy first?

A: Session rotation should usually come first because stolen sessions and refresh tokens create immediate abuse paths even when passwords are strong. Password policy matters, but a user with a good password can still be compromised through token replay, reset abuse, or session theft. The best order is secure sessions, then stronger password handling.

Technical breakdown

Protocol choice: OAuth 2.1, OIDC, SAML, and WebAuthn

The article’s core technical point is that most authentication problems are self-inflicted by custom implementations. OAuth 2.1 with PKCE is the browser and mobile baseline for delegated access, while OpenID Connect adds identity assertions and SAML remains the enterprise interoperability layer. WebAuthn and FIDO2 shift the model further by binding credentials to the origin and removing shared secrets from the server side. The practical security benefit is less about novelty and more about reducing the number of places where teams can mis-handle signatures, redirects, or token validation.

Practical implication: standardise on vetted libraries and protocol-native flows instead of building custom token logic.

Password hashing and password policy in modern authentication

If passwords still exist, the article’s guidance is to slow attackers down and stop reinforcing weak user behaviour. Argon2id is preferred because it is memory-hard, bcrypt remains acceptable where needed, and both require safe comparison functions and bounded input lengths. The policy side matters just as much: long passphrases outperform complexity rules, periodic forced rotation usually weakens behaviour, and breached-password checks catch inputs that are compromised on day one. In other words, secure password storage is not a single control. It is a combination of hashing, validation, and policy design.

Practical implication: tune password policy for length, breach screening, and safe hashing instead of composition rules and forced rotation.

Session lifecycles, refresh token rotation, and reset flows

Most auth systems fail after the login event, not during it. Short-lived access tokens reduce exposure, refresh token rotation limits replay, and reuse detection turns one stolen token into an indicator of compromise for the whole token family. The same logic applies to reset and account-recovery flows: reset tokens must be single-use, short-lived, and stored hashed, while recovery changes should require re-authentication and invalidate existing sessions. This is where authentication becomes governance. The control objective is to prevent a low-friction user action from becoming permanent account takeover.

Practical implication: treat refresh reuse, password resets, and recovery changes as high-signal security events with mandatory revocation steps.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Human authentication is still an identity governance problem, not just a UX problem. The article shows that the biggest failures come from weak defaults, not from broken cryptography. That matters because authentication controls sit inside broader identity governance, where session handling, factor choice, and recovery design all determine whether access can be trusted after the first login. Practitioners should treat authentication as a lifecycle control point, not a front-door feature.

Reset and recovery flows remain the easiest path to durable account takeover. Password reset, recovery email change, and session invalidation are the same control family from a governance standpoint because each can override stronger controls already in place. The article is clear that a vulnerable recovery path bypasses passwords, MFA, and device signals alike. Practitioners should therefore review recovery as the highest-risk branch in human IAM.

Phishing-resistant authentication is now the baseline for human access governance. Passkeys and hardware security keys matter because they remove shared secrets and bind authentication to the origin, which directly reduces replay risk. That does not make MFA optional. It means the factor hierarchy has to reflect attacker behaviour, not legacy policy comfort. Practitioners should align human access policy to phishing resistance, not just second-factor presence.

Session controls are the human equivalent of NHI token governance. Short-lived access tokens, refresh rotation, and reuse detection mirror the same lifecycle logic that applies to service credentials. The distinction is that human sessions create a larger recovery and notification surface, while the governance requirement remains identical: bound access, revocation on reuse, and explicit invalidation after sensitive events. Practitioners should manage human sessions with the same discipline used for NHI credential families.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
  • The governance lesson extends into lifecycle discipline, which is why NHI Lifecycle Management Guide is the next step for teams mapping human session controls to credential lifecycle control.

What this signals

Session governance is converging across human and non-human identities. The same lifecycle logic that governs secret rotation and token revocation in NHI programmes is increasingly relevant to human authentication, especially where refresh tokens and recovery flows create durable access paths. Teams that already treat credential reuse as a lifecycle event in machine identity should apply the same discipline to human sessions and recovery changes.

Password policy is no longer the centre of gravity. The industry has spent years moving away from complexity rules and forced rotation, but many programmes still measure success by password composition rather than recovery safety, phishing resistance, and replay containment. The control set has shifted, and the governance model needs to follow it, not preserve legacy compliance habits.

The authentication stack now needs to align with the broader identity control plane, including least privilege, step-up authentication, and reset-based revocation. For practitioners, that means examining where a login outcome can still be overridden by a later lifecycle event, because that is where account takeover usually persists.

For practitioners

  • Replace custom auth logic with vetted protocol libraries Use OAuth 2.1 with PKCE, OpenID Connect, SAML only where enterprise demand requires it, and WebAuthn for passwordless flows. Validate signatures, issuer, audience, and key rotation through maintained libraries rather than hand-rolled token parsing.
  • Rebuild password policy around length and breach screening Drop composition rules and periodic forced rotation. Require long passphrases, allow full character sets, cap input length safely, and check passwords against breached-password corpora before acceptance.
  • Treat recovery flows as critical takeover surfaces Require re-authentication for recovery email or phone changes, issue single-use reset tokens, store reset tokens hashed, and invalidate all active sessions after a successful reset or recovery change.
  • Implement refresh token reuse detection Rotate refresh tokens on every redemption, revoke the full token family on reuse, and alert on replay patterns that indicate theft or cloning of a session token.
  • Use phishing-resistant factors by default Make passkeys or hardware security keys the primary factor for sensitive accounts, keep SMS as a last resort, and require step-up authentication for changes to recovery data or authentication settings.

Key takeaways

  • Most authentication failures come from design and policy mistakes, not from weak cryptography.
  • Session replay and recovery abuse create a bigger takeover risk than a strong password can offset.
  • The practical fix is lifecycle-grade governance for login, token, and reset controls, not more friction at the sign-in screen.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST SP 800-63AAL2Phishing-resistant factors and recovery controls map to digital identity assurance.
NIST CSF 2.0PR.AA-1Auth policy, factors, and lifecycle logging align to identity and access management.
OWASP Non-Human Identity Top 10NHI-03Token reuse, secret handling, and lifecycle controls overlap with NHI governance patterns.

Adopt phishing-resistant authenticators and re-authentication for sensitive recovery changes.

Key terms

  • Phishing-resistant authentication: Authentication that binds the credential to a trusted origin or device so a fake login page cannot replay it. In practice, passkeys and hardware security keys reduce credential theft and proxy phishing because the secret is never exposed as a reusable shared secret.
  • Refresh token rotation: A session pattern where every use of a refresh token issues a new one and invalidates the old token immediately. This limits replay risk and makes token reuse a strong signal that a session has been copied or stolen.
  • Account recovery flow: The recovery path used to regain access after a password loss, device change, or session lockout. It is part of authentication governance, not just support, because a weak recovery branch can bypass stronger controls and convert a temporary issue into durable account takeover.
  • Session invalidation: The forced termination of active authenticated sessions after a security-relevant event such as password reset, recovery change, or token reuse. It prevents an attacker from retaining access through an old session even after the primary credentials have been changed.

Deepen your knowledge

Secure user authentication, passkeys, and recovery flow design are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is aligning human login controls with broader identity lifecycle governance, it is worth exploring.

This post draws on content published by WorkOS: Best practices for secure user authentication. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org