Secure user authentication: are your tokens and resets hardened?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Authentication failures usually come from custom protocols, weak password handling, and recoveries that reopen account takeover paths, while stolen credentials still appear in roughly 80% of web application attacks and breaches average just under $5 million, according to Verizon and IBM. The practical case is clear: modern auth needs mature protocols, phishing-resistant factors, short-lived tokens, and strict reset controls before audit or incident pressure makes the gap visible.

NHIMG editorial — based on content published by WorkOS: Best practices for secure user authentication

By the numbers:

Questions worth separating out

Q: How should security teams harden user authentication without building custom auth code?

A: Use mature protocols and libraries instead of custom token formats, parsers, or session logic.

Q: What breaks when password reset flows are too permissive?

A: A weak reset flow can bypass passwords, MFA, and device checks entirely, turning account recovery into permanent takeover.

Q: How do organisations know whether their MFA strategy is actually reducing risk?

A: Look beyond factor count and measure phishing resistance, step-up coverage, and recovery abuse.

Practitioner guidance

  • Replace custom auth logic with vetted protocol libraries: use OAuth 2.1 with PKCE, OpenID Connect, SAML only where enterprise demand requires it, and WebAuthn for passwordless flows.
  • Rebuild password policy around length and breach screening: drop composition rules and periodic forced rotation.
  • Treat recovery flows as critical takeover surfaces: require re-authentication for recovery email or phone changes, issue single-use reset tokens, store reset tokens hashed, and invalidate all active sessions after a successful reset or recovery change.

What's in the full article

WorkOS's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance for choosing between OAuth 2.1, OIDC, SAML, and WebAuthn in production.
  • Implementation details for refresh token rotation and reuse detection in browser sessions.
  • Password hashing parameters and code examples for Argon2id and bcrypt.
  • Practical authentication logging fields and event coverage for detecting account takeover patterns.

👉 Read WorkOS's checklist for secure user authentication decisions →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Human authentication is still an identity governance problem, not just a UX problem. The article shows that the biggest failures come from weak defaults, not from broken cryptography. That matters because authentication controls sit inside broader identity governance, where session handling, factor choice, and recovery design all determine whether access can be trusted after the first login. Practitioners should treat authentication as a lifecycle control point, not a front-door feature.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: Should teams prioritise session rotation or password policy first?

A: Session rotation should usually come first because stolen sessions and refresh tokens create immediate abuse paths even when passwords are strong. Password policy matters, but a user with a good password can still be compromised through token replay, reset abuse, or session theft. The best order is secure sessions, then stronger password handling.

👉 Read our full editorial: Secure user authentication hinges on protocols, tokens, and resets



   
ReplyQuote
Share: