OWASP authentication checklist
A checklist based on the OWASP Authentication Cheat Sheet. Use this when designing or reviewing login, registration, password, and MFA flows.
- 36 items
- 7 sections
- Reusable template
---
template: true
about: A checklist based on the OWASP Authentication Cheat Sheet. Use this when designing or reviewing login, registration, password, and MFA flows.
---
# OWASP authentication checklist
## Identifiers and registration
- [ ] User IDs are case-insensitive, unique, and non-guessable in URLs
- [ ] Email addresses are verified via a one-time link before activation
- [ ] Registration is rate-limited per IP and per email
- [ ] Registration responses do not reveal whether an email is already in use
- [ ] CAPTCHAs or proof-of-work are used to deter automated signups
## Password storage
- [ ] Passwords are hashed with Argon2id (preferred), bcrypt, or scrypt
- [ ] A unique salt is generated per password
- [ ] Hash work factor is tuned to current hardware and reviewed yearly
- [ ] Plaintext or reversibly-encrypted passwords are never stored
- [ ] Legacy hashes are upgraded on next successful login
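The items above as working code. This is an added example, not code from the OWASP cheat sheet or from Checksy: it uses `hashlib.scrypt` from the Python standard library (Argon2id needs a third-party package), stores a self-describing record so the work factor can be raised later, and rehashes a legacy unsalted SHA-256 record on the user's next successful login. The scrypt parameters and the `sha256$...` legacy format are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import os

# Demo work factor (assumption): 128*r*N = 16 MiB of memory. OWASP's current
# scrypt guidance is higher (N=2^17, r=8, p=1); tune to your hardware, review yearly.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_b64$hash_b64."""
    salt = os.urandom(16)  # fresh salt per password, never shared
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def make_legacy_record(password: str) -> str:
    """Unsalted SHA-256 record as an old system might have stored it (demo seed only)."""
    return "sha256$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_password(password: str, record: str) -> bool:
    scheme, *rest = record.split("$")
    if scheme == "scrypt":
        n, r, p, salt_b64, digest_b64 = rest
        expected = base64.b64decode(digest_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=base64.b64decode(salt_b64),
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
        return hmac.compare_digest(actual, expected)
    if scheme == "sha256":  # legacy scheme, tolerated only until the next login upgrades it
        (digest_hex,) = rest
        actual = hashlib.sha256(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(actual, digest_hex)
    return False


def needs_rehash(record: str) -> bool:
    """True for a legacy scheme or a work factor below the current target."""
    scheme, *rest = record.split("$")
    if scheme != "scrypt":
        return True
    n, r, p = (int(x) for x in rest[:3])
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


def login(user: dict, password: str) -> bool:
    """Verify against the stored record; on success, upgrade it if it is out of date.
    The plaintext is only available at this moment, which is why the upgrade lives here."""
    if not verify_password(password, user["password_record"]):
        return False
    if needs_rehash(user["password_record"]):
        user["password_record"] = hash_password(password)
    return True
```

Parsing the parameters back out of the record is what makes "reviewed yearly" cheap: raising `SCRYPT_N` changes nothing for existing users until they next log in, at which point `needs_rehash` picks them up one at a time.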
## Password policy
- [ ] Minimum length is at least 12 characters
- [ ] No maximum length below 64 characters
- [ ] All printable Unicode characters are allowed
- [ ] No mandatory composition rules (no "must contain symbol")
- [ ] Passwords are checked against a breached-password list at set time
- [ ] No periodic forced password rotation without cause
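The policy section as a validator. This is an added example, not code from the OWASP cheat sheet or from Checksy. Length is measured in code points after NFKC normalisation so that non-Latin and combining characters are not penalised; only control characters are rejected; there are deliberately no composition rules; and the breach check compares a SHA-1 digest against a small constructed set that stands in for a breached-password corpus such as Pwned Passwords (a real deployment would query the k-anonymity range API instead). The 128-character cap is an assumption that satisfies "no maximum below 64" while still bounding hashing cost.

```python
import hashlib
import unicodedata

MIN_LENGTH = 12
MAX_LENGTH = 128  # assumption: well above the 64-character floor, still bounds hashing cost

# Constructed stand-in for a breached-password list, keyed by upper-case SHA-1
# hex as the Pwned Passwords dataset is. Not real breach data.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password123456", "correcthorsebatterystaple", "qwertyuiop1234")
}


def is_breached(password: str) -> bool:
    """Look the candidate up by SHA-1, the key the breach corpus uses."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    # Normalise first so the same visible string always hashes the same way later.
    normalized = unicodedata.normalize("NFKC", password)
    if len(normalized) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if len(normalized) > MAX_LENGTH:
        problems.append(f"must be at most {MAX_LENGTH} characters")
    # Every printable Unicode character is allowed, spaces and emoji included;
    # only control characters (Cc) and lone surrogates (Cs) are refused.
    if any(unicodedata.category(c) in ("Cc", "Cs") for c in normalized):
        problems.append("control characters are not allowed")
    # The breach check is the only content rule: no "must contain a symbol/digit/uppercase".
    if not problems and is_breached(normalized):
        problems.append("appears in a known data breach; choose a different one")
    return problems
```

Note that a long, memorable passphrase made of dictionary words passes the composition-free policy but is still refused when it sits in the breach list, which is exactly the trade the cheat sheet recommends.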
## Login flow
- [ ] Login is rate-limited per account and per IP
- [ ] Generic error message is used for both unknown user and bad password
- [ ] Failed login attempts are logged with timestamp and source
- [ ] Successful login is logged and shown to the user (last login time)
- [ ] Session is regenerated immediately after authentication
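The login-flow items combined into one service. This is an added example, not code from the OWASP cheat sheet or from Checksy. It returns the same generic error for an unknown user and a wrong password and does the same hashing work in both cases (a dummy record stands in for the missing user), throttles per account and per source IP over a sliding window, writes an audit entry for every outcome, replaces the pre-authentication session ID on success, and returns the previous login time so the UI can show it. The PBKDF2 stand-in for password storage, the window and threshold values, and the injected clock are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict

GENERIC_ERROR = "Invalid username or password"
MAX_FAILURES, WINDOW_SECONDS = 5, 300  # assumption: 5 failures per 5 minutes, per key


def make_record(password: str) -> tuple:
    """Stand-in password store for the demo; use Argon2id, bcrypt or scrypt in production."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def verify(password: str, record: tuple) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)
    return hmac.compare_digest(candidate, digest)


class LoginService:
    def __init__(self, users: dict, clock=time.time):
        self.users = users            # username -> {"record": (salt, hash), "last_login": ...}
        self.clock = clock            # injectable so tests can move time forward
        self.failures = defaultdict(list)  # ("acct", name) / ("ip", addr) -> failure timestamps
        self.audit = []               # structured log entries, one per attempt
        self.sessions = {}            # session id -> username (None before authentication)
        # Unknown users are verified against this record so they cost the same time.
        self._dummy = make_record(secrets.token_hex(16))

    def _throttled(self, key) -> bool:
        now = self.clock()
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        self.failures[key] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, username: str, password: str, ip: str, old_session=None) -> dict:
        username = username.strip().lower()   # case-insensitive identifier
        now = self.clock()
        if self._throttled(("acct", username)) or self._throttled(("ip", ip)):
            self.audit.append({"ts": now, "event": "throttled", "user": username, "ip": ip})
            return {"ok": False, "error": GENERIC_ERROR}
        user = self.users.get(username)
        record = user["record"] if user else self._dummy
        ok = verify(password, record) and user is not None   # hash work happens either way
        if not ok:
            for key in (("acct", username), ("ip", ip)):
                self.failures[key].append(now)
            self.audit.append({"ts": now, "event": "login_failed", "user": username, "ip": ip})
            return {"ok": False, "error": GENERIC_ERROR}   # same message for both failure kinds
        # Success: retire the pre-auth session id and mint a fresh one (fixation defence).
        self.sessions.pop(old_session, None)
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = username
        previous = user.get("last_login")
        user["last_login"] = {"ts": now, "ip": ip}
        self.failures.pop(("acct", username), None)
        self.audit.append({"ts": now, "event": "login_ok", "user": username, "ip": ip})
        return {"ok": True, "session": session_id, "last_login": previous}
```

A throttled attempt returns the generic error rather than a distinct "locked" message, so the lockout itself does not confirm that the account exists; the audit log, not the response, is where that distinction is recorded.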
## Multi-factor authentication
- [ ] MFA is offered to every user
- [ ] TOTP, FIDO2/WebAuthn, or push are supported (avoid SMS where possible)
- [ ] MFA enrollment requires re-authentication
- [ ] Recovery codes are generated and shown only once
- [ ] Disabling MFA requires step-up authentication and notifies the user
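TOTP and recovery codes from the MFA section, written out. This is an added example, not code from the OWASP cheat sheet or from Checksy. It implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1 (checkable against the RFC test vectors), verifies with one step of clock skew in either direction while refusing to accept any step at or before the last one that authenticated (so a captured code cannot be replayed within its 30-second window), and generates recovery codes that are returned once while only their hashes are kept. The one-step skew window, the eight 40-bit recovery codes and SHA-256 for storing them are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # assumption: accept one step of clock skew either way


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Checks codes with limited skew and remembers the last accepted step to block replay."""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.last_used_counter = -1

    def verify(self, code: str) -> bool:
        now_counter = int(self.clock() // STEP)
        for delta in range(-WINDOW, WINDOW + 1):
            counter = now_counter + delta
            if counter <= self.last_used_counter:
                continue   # that step (or an earlier one) already authenticated once
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used_counter = counter
                return True
        return False


def new_enrollment() -> tuple:
    """Return (base32 secret for the authenticator app, recovery codes to show once,
    hashes to store). Neither the secret nor the codes should be shown again."""
    secret = secrets.token_bytes(20)                       # 160-bit shared secret
    codes = [secrets.token_hex(5) for _ in range(8)]       # assumption: 8 codes of 40 bits
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return base64.b32encode(secret).decode(), codes, stored


def use_recovery_code(stored_hashes: set, code: str) -> bool:
    """Consume a recovery code: valid exactly once, then removed from the set."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.remove(digest)
        return True
    return False
```

Tracking `last_used_counter` per user is cheap and is what turns "the code is only good for 30 seconds" into "the code is only good once"; without it, a phished or shoulder-surfed code remains usable for the rest of its step.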
## Account recovery
- [ ] Password reset uses a single-use, time-limited, high-entropy token
- [ ] Reset link is sent only to a verified email or registered second factor
- [ ] Reset response is identical for known and unknown emails
- [ ] Active sessions are invalidated after a successful password reset
- [ ] Security questions are not used as a recovery factor
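One token mechanism serving both the registration section (verified e-mail via a one-time link, a response that does not reveal whether the address is taken) and the recovery section (single-use, time-limited, high-entropy reset token sent only to a verified address, identical response for known and unknown e-mails, all sessions dropped after a reset). This is an added example, not code from the OWASP cheat sheet or from Checksy. Tokens carry 256 bits of entropy and only their SHA-256 hash is stored, so a read of the token table cannot be turned into a working link. The 15-minute lifetime, the in-memory "outbox" standing in for mail delivery, and the PBKDF2 stand-in for password storage are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 15 * 60   # assumption: links expire after 15 minutes


def hash_password(password: str) -> tuple:
    """Stand-in password record for the demo; use Argon2id, bcrypt or scrypt in production."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class OneTimeTokens:
    """Issues links that are single-use, time-limited and bound to one purpose."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}   # sha256(token) -> {"purpose", "user", "expires"}

    def issue(self, purpose: str, user_key: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = {"purpose": purpose, "user": user_key,
                              "expires": self.clock() + TOKEN_TTL}
        return token

    def redeem(self, purpose: str, token: str):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)   # pop: any presentation burns the token
        if entry is None or entry["purpose"] != purpose or self.clock() > entry["expires"]:
            return None
        return entry["user"]


class AccountService:
    GENERIC = "If that address is registered, we've sent you an email."

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens = OneTimeTokens(clock)
        self.users = {}    # email -> {"id", "verified", "password_record", "sessions"}
        self.outbox = []   # (to, subject, token) constructed stand-in for mail delivery

    def register(self, email: str, password: str) -> str:
        email = email.strip().lower()
        if email in self.users:
            # Same response as for a new address; the existing owner is told by mail instead.
            self.outbox.append((email, "Someone tried to register with your address", None))
            return self.GENERIC
        self.users[email] = {"id": secrets.token_urlsafe(16),   # non-guessable public id
                             "verified": False, "password_record": hash_password(password),
                             "sessions": set()}
        self.outbox.append((email, "Verify your address", self.tokens.issue("verify", email)))
        return self.GENERIC

    def verify_email(self, token: str) -> bool:
        email = self.tokens.redeem("verify", token)
        if email is None:
            return False
        self.users[email]["verified"] = True
        return True

    def request_reset(self, email: str) -> str:
        email = email.strip().lower()
        user = self.users.get(email)
        if user and user["verified"]:   # unverified or unknown addresses get no mail
            self.outbox.append((email, "Reset your password", self.tokens.issue("reset", email)))
        return self.GENERIC              # response is identical either way

    def complete_reset(self, token: str, new_password: str) -> bool:
        email = self.tokens.redeem("reset", token)
        if email is None:
            return False
        user = self.users[email]
        user["password_record"] = hash_password(new_password)
        user["sessions"].clear()         # whoever held a session is logged out everywhere
        return True
```

Binding the token to a purpose matters as much as the expiry: a verification link that still happened to be in an inbox must not be accepted as a reset link, and `redeem` refuses it even though both are issued by the same store.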
## Brute force and credential stuffing
- [ ] Account lockout or progressive delay is applied after repeated failures
- [ ] IP-level and ASN-level throttling is in place
- [ ] Logins from new devices or locations trigger a notification
- [ ] Credential-stuffing detection (impossible travel, known bad lists) is monitored
- [ ] CAPTCHAs are escalated to suspicious traffic, not all users
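Detection logic for the last section, run over a constructed authentication log. This is an added example, not code from the OWASP cheat sheet or from Checksy. It flags a source IP whose failures spread across many distinct accounts in a short window (the credential-stuffing signature, as opposed to one user mistyping), lists any accounts that then logged in successfully from that IP as candidates for notification and forced reset, flags impossible travel between two successful logins for the same user, and computes a progressive delay schedule that replaces a hard lockout. The log format, the thresholds (3 accounts in 10 minutes, 900 km/h) and the delay curve are assumptions; the log lines are made up and use documentation IP ranges.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): timestamp, event, then key=value fields.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z login_ok     user=alice ip=203.0.113.7  lat=48.86 lon=2.35
2024-05-01T10:05:00Z login_failed user=bob   ip=198.51.100.9 lat=40.71 lon=-74.01
2024-05-01T10:05:01Z login_failed user=carol ip=198.51.100.9 lat=40.71 lon=-74.01
2024-05-01T10:05:02Z login_failed user=dave  ip=198.51.100.9 lat=40.71 lon=-74.01
2024-05-01T10:05:03Z login_failed user=erin  ip=198.51.100.9 lat=40.71 lon=-74.01
2024-05-01T10:05:04Z login_ok     user=frank ip=198.51.100.9 lat=40.71 lon=-74.01
2024-05-01T10:30:00Z login_failed user=alice ip=203.0.113.7  lat=48.86 lon=2.35
2024-05-01T10:31:00Z login_failed user=alice ip=203.0.113.7  lat=48.86 lon=2.35
2024-05-01T11:00:00Z login_ok     user=alice ip=192.0.2.44   lat=35.68 lon=139.69
"""


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "event": event, "user": fields["user"], "ip": fields["ip"],
                       "lat": float(fields["lat"]), "lon": float(fields["lon"])})
    return events


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_stuffing(events: list, min_accounts: int = 3, window_minutes: int = 10) -> dict:
    """IPs whose failures hit many distinct accounts within the window, plus the accounts
    that subsequently logged in from that IP (likely valid credentials from the same list)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["event"] == "login_failed"]
        for i, start in enumerate(fails):
            window = [f for f in fails[i:]
                      if (f["ts"] - start["ts"]).total_seconds() <= window_minutes * 60]
            users = {f["user"] for f in window}
            if len(users) >= min_accounts:   # many accounts, one source: stuffing, not a typo
                successes = sorted({e["user"] for e in evs
                                    if e["event"] == "login_ok" and e["ts"] >= start["ts"]})
                findings[ip] = {"targeted": sorted(users), "successes": successes}
                break
    return findings


def detect_impossible_travel(events: list, max_kmh: float = 900.0) -> list:
    """Consecutive successful logins for one user that would require implausible speed."""
    last, alerts = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "login_ok":
            continue
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            if km > 50 and (hours == 0 or km / hours > max_kmh):
                alerts.append({"user": e["user"], "from_ip": prev["ip"], "to_ip": e["ip"],
                               "km": round(km), "hours": round(hours, 2)})
        last[e["user"]] = e
    return alerts


def progressive_delay(failures: int) -> int:
    """Seconds to wait before the next attempt: free for the first two misses,
    then doubling from 1 s, capped at 5 minutes (no permanent lockout an attacker can abuse)."""
    return 0 if failures < 3 else min(2 ** (failures - 3), 300)
```

The `successes` list is the actionable part of a stuffing finding: an account that authenticated from an IP in the middle of a spray is far more likely to have a reused password than to be a coincidence, and it is where the "new device" notification and a forced reset should land first.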