API Security
Broken Authentication & Token Theft
All the ways the "who are you" half of auth quietly breaks in production: credential stuffing, missing rate limits, broken password resets, session fixation, MFA that's implemented but never enforced, JWT footguns, and stolen tokens that replay until they expire.