Skill

authentication-design

Design secure authentication systems with strong password policies, MFA, secure password reset, and session management.

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin security-secure-development

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.5k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.5k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.7k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Domain Context

Authentication (prove identity): Passwords, biometrics, certificates, hardware tokens, OAuth

Authorization (grant privileges): Roles, permissions, ACLs; implemented after authentication succeeds

Session Management (maintain authenticated state): Tokens, cookies, JWTs; must be protected against hijacking and fixation

Multi-Factor Authentication (MFA): Second factor (TOTP, FIDO2, SMS) significantly increases security

Instructions

Password Policy:

Minimum 12 characters (NIST recommends 12+, not 8+)
No complexity requirements (NIST 2017 guidance: avoid enforcing special characters, uppercase; users create weak passwords to meet requirements)
No password expiration (unless compliance requires; drives users to weak, predictable changes)
Must be checked against compromised-password databases (e.g., Have I Been Pwned API)

Password Storage:

Use modern password hashing: Argon2id (preferred), bcrypt, or PBKDF2
Never MD5, SHA1, or SHA256 (too fast; can be brute-forced)
Use high cost/iteration parameters (Argon2: time=2, memory=19 MiB; bcrypt: cost=12; PBKDF2: 100k+ iterations)
Use unique salt per password (standard in bcrypt, Argon2)

Multi-Factor Authentication (MFA):

Require MFA for all user accounts (ideally)
Support multiple MFA methods: TOTP (Google Authenticator, Authy), FIDO2 (hardware tokens), SMS (fallback, less secure)
Provide backup codes if primary MFA device is lost
Never use email as a second factor (email account compromise = game over)

Secure Password Reset:

Email verification required; no password hints that reveal information
Reset links: short-lived (30 min), single-use, cryptographically random
Require re-authentication before password reset (security question is weak; require knowledge of current password or MFA)
Log all password resets; alert user

Session Management:

Use frameworks' built-in session handling (not custom cookies)
HTTPOnly: Prevent JavaScript access (reduces XSS impact)
Secure: HTTPS-only transmission
SameSite: Strict or Lax to prevent CSRF
Short expiry (1-24 hours depending on sensitivity)
Invalidate on logout
Regenerate session ID after login (prevent session fixation)

Credential Transmission:

Always HTTPS; no HTTP for authentication
Use POST for credential submission; never GET (credentials in URL history)
CSP header to prevent credential interception via malicious scripts

Anti-Patterns

Storing passwords in plaintext or with weak hashing (MD5, SHA1); always use Argon2, bcrypt, or PBKDF2

Password expiration policies that drive weak passwords; modern guidance: strong password + breach detection, not periodic expiration

Trusting client-side password strength indicators; validate server-side, but don't enforce complexity

SMS-only 2FA; SMS is vulnerable to SIM swap; prefer TOTP or FIDO2

Allowing password reset via security questions; these can be guessed or socially engineered; require email or MFA

Session tokens with predictable patterns; use cryptographically random, high-entropy tokens

Domain Context

Authentication (prove identity): Passwords, biometrics, certificates, hardware tokens, OAuth

Authorization (grant privileges): Roles, permissions, ACLs; implemented after authentication succeeds

Session Management (maintain authenticated state): Tokens, cookies, JWTs; must be protected against hijacking and fixation

Multi-Factor Authentication (MFA): Second factor (TOTP, FIDO2, SMS) significantly increases security

Instructions

Password Policy:

Minimum 12 characters (NIST recommends 12+, not 8+)
No complexity requirements (NIST 2017 guidance: avoid enforcing special characters, uppercase; users create weak passwords to meet requirements)
No password expiration (unless compliance requires; drives users to weak, predictable changes)
Must be checked against compromised-password databases (e.g., Have I Been Pwned API)

Password Storage:

Use modern password hashing: Argon2id (preferred), bcrypt, or PBKDF2
Never MD5, SHA1, or SHA256 (too fast; can be brute-forced)
Use high cost/iteration parameters (Argon2: time=2, memory=19 MiB; bcrypt: cost=12; PBKDF2: 100k+ iterations)
Use unique salt per password (standard in bcrypt, Argon2)

Multi-Factor Authentication (MFA):

Require MFA for all user accounts (ideally)
Support multiple MFA methods: TOTP (Google Authenticator, Authy), FIDO2 (hardware tokens), SMS (fallback, less secure)
Provide backup codes if primary MFA device is lost
Never use email as a second factor (email account compromise = game over)

Secure Password Reset:

Email verification required; no password hints that reveal information
Reset links: short-lived (30 min), single-use, cryptographically random
Require re-authentication before password reset (security question is weak; require knowledge of current password or MFA)
Log all password resets; alert user

Session Management:

Use frameworks' built-in session handling (not custom cookies)
HTTPOnly: Prevent JavaScript access (reduces XSS impact)
Secure: HTTPS-only transmission
SameSite: Strict or Lax to prevent CSRF
Short expiry (1-24 hours depending on sensitivity)
Invalidate on logout
Regenerate session ID after login (prevent session fixation)

Credential Transmission:

Always HTTPS; no HTTP for authentication
Use POST for credential submission; never GET (credentials in URL history)
CSP header to prevent credential interception via malicious scripts

Anti-Patterns

Storing passwords in plaintext or with weak hashing (MD5, SHA1); always use Argon2, bcrypt, or PBKDF2

Password expiration policies that drive weak passwords; modern guidance: strong password + breach detection, not periodic expiration

Trusting client-side password strength indicators; validate server-side, but don't enforce complexity

SMS-only 2FA; SMS is vulnerable to SIM swap; prefer TOTP or FIDO2

Allowing password reset via security questions; these can be guessed or socially engineered; require email or MFA

Session tokens with predictable patterns; use cryptographically random, high-entropy tokens

authentication-design

authentication-design

Authentication Design

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

Authentication Design

Context

Domain Context

Instructions

Anti-Patterns

Further Reading