Password Reset
// Definition
The flow that lets a user regain access when their credentials are lost or compromised. Typically involves verifying identity through a registered email or phone (a reset link or OTP), then allowing the user to set a new password. Security test cases include: token expiry (links should expire quickly), token single-use enforcement (used tokens must be invalidated), account enumeration (the response should not reveal whether an email is registered), brute-force protection on OTP entry, and ensuring reset tokens cannot be reused across accounts.
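One way to implement the test cases listed above (token expiry, single use, binding to one account, and an enumeration-safe response), written as an added example rather than code from the original page; the in-memory store, the 15-minute TTL and the PBKDF2 work factor are assumptions:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

RESET_TOKEN_TTL = 15 * 60  # seconds; assumed policy, not taken from the page


def _digest(token):
    # Only the hash of a token is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """In-memory stand-in for the account and token tables (constructed example)."""

    def __init__(self, registered_emails):
        self._users = dict(registered_emails)  # email -> user_id
        self._records = {}    # token digest -> ResetRecord
        self._passwords = {}  # user_id -> (salt, pbkdf2 hash)
        self.outbox = []      # (email, token) pairs that would be e-mailed

    def request_reset(self, email, now):
        user_id = self._users.get(email)
        if user_id is not None:
            token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
            self._records[_digest(token)] = ResetRecord(user_id, now + RESET_TOKEN_TTL)
            self.outbox.append((email, token))
        # Identical message whether or not the address is registered: no enumeration.
        return "If an account exists for that address, a reset link has been sent."

    def complete_reset(self, user_id, token, new_password, now):
        rec = self._records.get(_digest(token))
        if rec is None or rec.used or now > rec.expires_at:
            return False  # unknown, already consumed, or expired
        if not hmac.compare_digest(rec.user_id, user_id):
            return False  # token was issued for a different account (ASCII ids assumed)
        # Consume this token and every other outstanding token for the same user.
        for other in self._records.values():
            if other.user_id == user_id:
                other.used = True
        salt = secrets.token_bytes(16)
        pwd_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000)
        self._passwords[user_id] = (salt, pwd_hash)
        return True
```

The caller supplies `now` (normally `time.time()`) so the expiry path can be exercised deterministically in tests.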
// Related terms
Authentication
The process of verifying who a caller is. Common schemes: API key, Bearer token, OAuth 2.0, mutual TLS. Distinct from authorisation, which decides what they're allowed to do.
Token
A portable credential — typically a signed string — that a server issues and a client presents on subsequent requests to prove identity or authorisation. Tokens are stateless alternatives to server-side sessions; the server can verify them without a database lookup. Common forms: opaque bearer tokens (random strings referenced in a database), JWTs (self-contained with claims and a signature), and OAuth access tokens (short-lived grants scoped to specific resources). Key testing considerations: token expiry, revocation, scope enforcement, and transmission security (HTTPS-only, no logging).
Session
A server-side or client-side record that persists a user's authenticated state across requests. Sessions are created on login, referenced by a session ID sent in a cookie or header, and invalidated on logout or expiry. Testing considerations include: session fixation (attacker sets the victim's session ID before login), failure to rotate the ID after privilege escalation, excessively long session lifetimes that extend exposure after credential compromise, and whether logout actually invalidates the server-side session.
Email Verification
The process of confirming that a user controls the email address they registered with, typically by sending a one-time link or code that must be clicked or entered before account features are unlocked. Security test cases include: link expiry (unclicked links should expire quickly), single-use enforcement (links must be invalidated after first use), account enumeration through timing differences, and whether unverified accounts can access protected resources. Re-verification flows when a user changes their email address are also in scope.
Multi-Factor Authentication (MFA)
An authentication mechanism that requires at least two independent verification factors: something you know (password), something you have (TOTP app, hardware key), or something you are (biometric). MFA dramatically reduces the risk of credential-stuffing and phishing attacks. QA considerations include: testing fallback flows when a second factor is unavailable, recovery code handling, bypass scenarios via account recovery that skips MFA, and verifying MFA is checked on every protected action — not just at initial login.