WECODE
Authentication & Identity
2023-10-26

MFA & Account Recovery Review

Review MFA and account recovery flows to prevent bypasses, recovery attacks, and identity takeover in production systems.

SCENARIO

Act as a senior Security Engineer and Identity Architect reviewing the design and implementation of multi-factor authentication (MFA) and account recovery flows. Your task is to ensure these flows strengthen security rather than becoming the easiest path to account takeover.

CORE PRINCIPLE:

Most account takeovers do not break login. They bypass it through recovery, support flows, or weak MFA implementations.

CONTEXT:

The system uses MFA, backup codes, password reset, account recovery, or support-assisted identity recovery to restore access. These flows operate under stress and are prime targets for attackers.

PRIMARY OBJECTIVE:

Ensure MFA and recovery flows verify identity correctly, resist social engineering and automation, and do not allow attackers to bypass primary authentication controls.

MFA FLOW ANALYSIS:

  1. Identify all MFA methods supported (TOTP, SMS, email, push, WebAuthn)
  2. Trace MFA challenge issuance, verification, and failure handling
  3. Identify when MFA is enforced, skipped, or downgraded

RECOVERY & RESET PATHS:

  • Trace password reset, email recovery, and account unlock flows
  • Identify identity proofing requirements before recovery
  • Analyze recovery token generation, expiry, and reuse protection

BYPASS & DOWNGRADE RISKS:

  • Identify fallback paths that skip MFA
  • Analyze device trust, remember-me, and step-down behavior
  • Detect support or admin flows that override identity verification

ATTACK & ABUSE SCENARIOS:

  • SIM swap and SMS interception
  • Phishing of OTP and push fatigue attacks
  • Recovery token replay or brute force
  • Account enumeration via reset endpoints
  • Social engineering via support channels

RATE LIMITING & ANTI-AUTOMATION:

  • Verify throttling on OTP, reset, and recovery endpoints
  • Identify missing lockouts or CAPTCHA protections
  • Analyze detection of repeated failed recovery attempts

WHAT NOT TO DO:

  • Do NOT allow account recovery with weaker verification than login
  • Do NOT allow unlimited OTP or reset attempts
  • Do NOT reuse recovery tokens or allow long-lived reset links
  • Do NOT let support bypass identity verification informally

OUTPUT EXPECTATIONS:

  • Full MFA and recovery flow diagrams
  • Identified bypass paths and downgrade risks
  • Ranked vulnerabilities by likelihood and impact
  • Concrete recommendations for stronger verification and controls

VALIDATION & MONITORING:

  • Suggest tests for MFA enforcement and recovery correctness
  • Recommend logging for recovery attempts and MFA failures
  • Identify alerts for suspicious recovery and downgrade behavior

FINAL CHECK:

  • If an attacker cannot guess the password, can they still recover the account?
  • Is recovery harder than login, or accidentally easier?

INPUT:

MFA methods supported: [TOTP, SMS, email, push, WebAuthn] Recovery flows: [Password reset, email recovery, support] Policies: [Lockout rules, retries, device trust] Threat model: [Public, regulated, high-value accounts]

More Authentication & Identity Prompts

Authentication & Identity
Hot

Authentication & Identity Master Prompt

Design, review, and secure authentication systems to protect identities, prevent account compromise, and ensure correct behavior.

Act as a senior Security Engineer and Identity Architect with extensive experience designing authentication systems for large-scale production environments. Your task is to analyze, design, or review an authentication system to ensure correctness, security, usability, and long-term maintainability.

CORE PRINCIPLE: Authentication systems are part of the security perimeter. A single mistake can lead to account takeover, data breaches, and systemic compromise.

CONTEXT: The system includes login, signup, session or token handling, third-party identity providers, and user identity management. The goal is to ensure identities are authenticated correctly and safely.

PRIMARY OBJECTIVE: Design or review an authentication system that correctly verifies identity, resists common attack vectors, and behaves predictably across environments.

AUTHENTICATION FLOW ANALYSIS:

  1. Identify all authentication entry points (login, signup, refresh, callback, recovery)
  2. Trace the full authentication lifecycle from credential input to identity establishment
  3. Identify where identity is created, verified, persisted, and invalidated

CREDENTIAL & SECRET HANDLING:

  • Evaluate password handling, hashing, salting, and storage
  • Identify hardcoded secrets, API keys, or leaked credentials
  • Assess secret rotation and revocation mechanisms

TOKEN & SESSION STRATEGY:

  • Determine session vs token usage and rationale
  • Analyze token lifetimes, refresh behavior, and rotation policies
  • Review session invalidation, logout behavior, and multi-device handling

THREAT & ATTACK SURFACE REVIEW:

  • Identify risks such as brute force, credential stuffing, replay, fixation, and bypass
  • Evaluate CSRF, XSS, open redirect, and callback manipulation risks
  • Assess protection against enumeration and timing attacks

THIRD-PARTY & FEDERATED IDENTITY:

  • Review OAuth / SSO flow correctness
  • Validate scopes, callbacks, and identity mapping
  • Assess trust boundaries with external providers

FAILURE MODE & EDGE CASE ANALYSIS:

  • Token expiry, clock skew, network failures
  • Partial logins, interrupted flows, inconsistent state
  • Recovery flows and fallback behavior

WHAT NOT TO DO:

  • Do NOT mix authentication and authorization responsibilities
  • Do NOT trust client-side validation for identity decisions
  • Do NOT store or log sensitive credentials in plaintext
  • Do NOT assume happy-path behavior covers security correctness

OUTPUT EXPECTATIONS:

  • A clear description of the authentication architecture
  • Identified risks, weaknesses, and incorrect assumptions
  • Recommended improvements for security, correctness, and usability
  • Guidance on token, session, and identity handling

VALIDATION & SAFETY CHECK:

  • Describe how authentication correctness is verified
  • Identify logging and monitoring needed for auth failures and attacks
  • Suggest tests and audits required for long-term safety

FINAL CHECK:

  • If an attacker targets this system, where is the weakest point?
  • If authentication fails silently, how quickly will it be detected?

INPUT: Authentication flow or code: [Insert Code] System context: [Web, mobile, API, SaaS, enterprise] Identity providers (if any): [OAuth, SSO, custom] Threat model assumptions: [Public, internal, regulated]

Authentication & Identity
Hot

Authentication Threat Model & Attack Surface Review

Identify **attack vectors**, security weaknesses, and trust boundary failures in authentication systems before they lead to compromise.

Act as a senior Security Engineer and Identity Architect performing a threat model and attack surface review of an authentication system. Your task is to identify how this system could be attacked, bypassed, or abused, and recommend concrete defenses.

CORE PRINCIPLE: Authentication is the primary attack surface of most systems. If identity is compromised, every downstream control becomes irrelevant.

CONTEXT: The system exposes login, signup, token refresh, session handling, recovery flows, and third-party authentication endpoints. The goal is to identify realistic attack paths before attackers do.

PRIMARY OBJECTIVE: Systematically enumerate attack vectors, identify weak trust boundaries, and propose defenses that eliminate or reduce the likelihood of identity compromise.

ATTACK SURFACE ENUMERATION:

  1. List all externally reachable authentication endpoints
  2. Identify all credential entry points and token issuance paths
  3. Map trust boundaries between client, API, identity provider, and storage

THREAT MODELING PHASE:

  • Identify attacker goals (account takeover, session hijack, privilege escalation)
  • Identify attacker capabilities (unauthenticated, authenticated, insider, automated)
  • Enumerate assets at risk (credentials, tokens, sessions, personal data)

COMMON ATTACK VECTORS TO ANALYZE:

  • Brute force and credential stuffing
  • Account enumeration and timing attacks
  • Session fixation and session hijacking
  • Token replay and token leakage
  • CSRF and XSS in authentication flows
  • Open redirects and OAuth callback manipulation
  • Privilege escalation via identity confusion

TOKEN & SESSION ABUSE SCENARIOS:

  • Stolen refresh token reuse
  • Long-lived token exposure
  • Missing rotation or revocation
  • Multi-device session inconsistencies

THIRD-PARTY & FEDERATED RISKS:

  • OAuth misconfiguration and scope abuse
  • Incorrect identity mapping
  • Trust boundary violations with external providers

DEFENSE & CONTROL REVIEW:

  • Rate limiting, lockouts, and bot protection
  • MFA and step-up authentication
  • CSRF tokens and origin validation
  • Secure cookie flags and transport security
  • Logging, alerting, and anomaly detection

WHAT NOT TO DO:

  • Do NOT assume TLS alone protects authentication
  • Do NOT trust client-side enforcement for identity decisions
  • Do NOT ignore low-frequency or "theoretical" attacks
  • Do NOT deploy auth flows without monitoring and alerting

OUTPUT EXPECTATIONS:

  • List of realistic attack scenarios with step-by-step paths
  • Ranked vulnerabilities by severity and likelihood
  • Trust boundary diagram and weak points
  • Concrete defensive controls and mitigations

VALIDATION & VERIFICATION:

  • Suggest security tests and penetration scenarios
  • Identify logs and metrics required to detect attacks
  • Recommend periodic audits and review cadence

FINAL CHECK:

  • If an attacker targets this system tomorrow, what is their easiest path in?
  • Which single flaw would cause the largest identity breach?

INPUT: Authentication endpoints or flows: [Insert description or code] Token / session design: [JWT, cookies, refresh, rotation] Identity providers (if any): [OAuth, SSO] Deployment context: [Public, internal, regulated]

Authentication & Identity
Hot

Token & Session Lifecycle Analysis

Analyze token and session lifecycles to detect expiry bugs, leakage risks, rotation failures, and invalidation issues.

Act as a senior Security Engineer and Identity Architect responsible for reviewing the full lifecycle of tokens and sessions in a production authentication system. Your task is to ensure tokens and sessions are issued, refreshed, rotated, and invalidated correctly without enabling account takeover.

CORE PRINCIPLE: Most authentication failures are lifecycle failures. Tokens that live too long, refresh incorrectly, or fail to invalidate are the primary cause of compromise.

CONTEXT: The system uses sessions, JWTs, refresh tokens, or a combination of these to represent authenticated identities across web, mobile, and API clients.

PRIMARY OBJECTIVE: Verify that identity tokens and sessions are issued safely, expire predictably, rotate securely, and are revoked correctly across all devices.

LIFECYCLE MAPPING:

  1. Trace how authentication tokens or sessions are created
  2. Identify where they are stored (cookies, memory, local storage, headers)
  3. Trace refresh, renewal, and rotation flows
  4. Identify all invalidation and logout paths

EXPIRY & ROTATION ANALYSIS:

  • Evaluate access token lifetime and refresh token lifetime
  • Verify rotation on refresh and reuse detection
  • Identify long-lived tokens or permanent sessions
  • Analyze clock skew and time synchronization risks

INVALIDATION & LOGOUT BEHAVIOR:

  • Verify logout invalidates tokens and sessions server-side
  • Analyze multi-device and multi-session consistency
  • Identify orphaned, leaked, or non-revocable tokens

STORAGE & TRANSPORT SAFETY:

  • Review cookie flags (HttpOnly, Secure, SameSite)
  • Analyze local storage and in-memory risks
  • Verify TLS usage and header exposure

ABUSE & FAILURE SCENARIOS:

  • Refresh token replay
  • Token theft and reuse
  • Session fixation
  • Partial invalidation and ghost sessions
  • Environment-specific expiry behavior

WHAT NOT TO DO:

  • Do NOT use long-lived access tokens without rotation
  • Do NOT rely on client-side logout for invalidation
  • Do NOT store sensitive tokens in insecure storage
  • Do NOT assume expiry alone prevents abuse

OUTPUT EXPECTATIONS:

  • Full lifecycle diagram of tokens and sessions
  • Identified weaknesses in expiry, rotation, or invalidation
  • Ranked risks by likelihood and impact
  • Concrete recommendations for safer lifetimes and rotation

VALIDATION & MONITORING:

  • Suggest tests for expiry, rotation, and invalidation
  • Recommend logs and alerts for suspicious token behavior
  • Identify metrics for session anomalies and reuse

FINAL CHECK:

  • If a token leaks today, how long can an attacker use it?
  • Can all active sessions for a user be invalidated instantly?

INPUT: Token and session design: [JWT, cookies, refresh, sessions] Lifetimes and rotation rules: [Describe] Storage method: [Cookies, headers, local storage] Deployment context: [Web, mobile, API, multi-region]