
Authentication Testing Checklist

Security & Permissions

A practical, QA-focused checklist for testing login, password reset, MFA and session handling — what to verify, the safe checks, and the evidence to collect.

5 sections, 19 items, 1–2 hours
Audience: Manual QA engineers, SDETs, QA leads

When to use this checklist

  • Before shipping a new or changed login, registration or password-reset flow
  • After changes to session handling, token storage or MFA
  • As part of a security regression before a release
  • When adding security checks to acceptance criteria for an auth feature

Authentication is one of the highest-risk surfaces in any product. This checklist keeps the testing QA-focused and safe: you verify that the controls the team designed actually work, using controlled test accounts and approved environments. It covers login, password reset, MFA, session handling, rate limiting and error-message consistency, plus the evidence to capture when something is wrong.

Login

Confirm valid logins work and invalid ones fail safely.

Password reset

Reset flows must be single-use, time-limited and must not reveal account existence.

MFA

Confirm multi-factor checks are enforced and recovery paths are protected.

Sessions & logout

Sessions must expire and fully invalidate on logout.

Error messages & evidence

Errors must be consistent and not leak detail; evidence must be safe to share.

Common Bugs

Password reset link reusable after the password has changed

The reset token is not invalidated after use, so the link works again — effectively a backdoor. Tokens must be marked used immediately after the change.
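The following is an added example, not code from the checklist or any product it describes: an in-memory reset-token store that shows the three properties the Password reset section asks for (single-use, time-limited, no account-existence leak) and the order of operations that closes the bug above. Class and function names, the 15-minute lifetime and the generic message are assumptions chosen for illustration. In a QA run the equivalent check is to replay the consumed reset request in Postman and confirm it is rejected.

```python
import hashlib
import secrets
import time

# Added example (not the checklist's own code): an in-memory reset-token store.
# Names and the 15-minute lifetime are assumptions for illustration.

RESET_TTL_SECONDS = 15 * 60
# One message for every request, so the response cannot confirm an account exists.
GENERIC_MESSAGE = "If that email is registered, a reset link has been sent."


class ResetTokenStore:
    def __init__(self, known_emails, clock=time.time):
        self.known_emails = set(known_emails)
        self.clock = clock            # injectable so tests can move time forward
        self._tokens = {}             # sha256(token) -> {"email", "expires", "used"}

    @staticmethod
    def _key(token):
        # Only a hash is stored: a leaked table must not yield working reset links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Return (message, token). The message is identical whether or not the
        email is known; the token is None for unknown emails."""
        if email not in self.known_emails:
            return GENERIC_MESSAGE, None
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = {
            "email": email,
            "expires": self.clock() + RESET_TTL_SECONDS,
            "used": False,
        }
        return GENERIC_MESSAGE, token

    def consume(self, token):
        """Return the email if the token is live, else None. The token is burned
        before the caller changes the password, so a replay fails even if the
        change itself raises."""
        record = self._tokens.get(self._key(token))
        if record is None or record["used"] or self.clock() > record["expires"]:
            return None
        record["used"] = True
        return record["email"]

    def invalidate_all_for(self, email):
        """Call after a successful password change: every other outstanding
        link for the account must stop working too."""
        for record in self._tokens.values():
            if record["email"] == email:
                record["used"] = True


def reset_password(store, token, new_password, change_password):
    """Glue showing the order of operations: consume, change, then retire siblings.
    change_password stands in for the application's own password-change routine."""
    email = store.consume(token)
    if email is None:
        return False
    change_password(email, new_password)
    store.invalidate_all_for(email)
    return True
```

The store marks the token used before the password is changed, not after; if the two steps ran in the other order, a request that failed halfway would leave a live token behind.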

Session still valid after logout

Logout only clears the client cookie but the server-side session lives on. A captured token keeps working. Invalidate sessions server-side on logout.
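As an added example (not the checklist's own code), a server-side session store in which logout deletes the server record, so a cookie value captured earlier stops working even though the client never cleared it. It also shows idle and absolute expiry and id rotation after login; the two lifetimes and all names are assumptions. The QA check this supports is the Sessions & logout item: replay a pre-logout request with the old cookie and expect a rejection.

```python
import secrets
import time

# Added example (not the checklist's own code): server-side session store.
# The two lifetimes are constructed policy values.

IDLE_TIMEOUT_SECONDS = 30 * 60            # no request for 30 minutes ends the session
ABSOLUTE_TIMEOUT_SECONDS = 12 * 60 * 60   # no session outlives 12 hours, however active


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions = {}   # session id -> {"user", "created", "last_seen"}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness, never a counter
        now = self.clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def user_for(self, sid):
        """Return the owning user if the session is live, otherwise None.
        Stale sessions are deleted on first sight rather than left to linger."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        now = self.clock()
        if (now - record["last_seen"] > IDLE_TIMEOUT_SECONDS
                or now - record["created"] > ABSOLUTE_TIMEOUT_SECONDS):
            del self._sessions[sid]
            return None
        record["last_seen"] = now
        return record["user"]

    def logout(self, sid):
        """The fix for the bug above: remove the record on the server, not just
        the cookie in the browser. Returns True if something was actually removed."""
        return self._sessions.pop(sid, None) is not None

    def logout_everywhere(self, user):
        """After a password change or a reported compromise, end every session
        of the user. Returns how many were ended."""
        stale = [sid for sid, r in self._sessions.items() if r["user"] == user]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def rotate(self, sid):
        """Issue a fresh id for the same user (call right after login so an id
        set before authentication is never kept); the old id stops working."""
        record = self._sessions.pop(sid, None)
        if record is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = record
        return new_sid
```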

Account enumeration via different login or reset messages

Different responses for 'unknown email' vs 'wrong password' let an attacker build a list of registered emails. Keep messages identical.

No rate limit on login or OTP

Unlimited attempts allow brute-force or OTP guessing. Apply rate limiting or lockout after a documented threshold.
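The example below is added here and is not the checklist's own code; it serves the two bugs above (account enumeration and missing rate limit) together. Unknown email and wrong password return the same status and body and do the same hashing work, and failures are counted per submitted email with a lockout after a documented threshold, so the lockout response itself does not tell registered emails apart. Names, the threshold and the lockout period are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not the checklist's own code): login with identical failure
# responses and per-email lockout. Thresholds are constructed policy values.

LOGIN_FAILED = (401, "Invalid email or password.")
LOCKED_OUT = (429, "Too many attempts. Try again later.")
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._users = {}      # email -> (salt, hash)
        self._failures = {}   # email -> (count, locked_until)
        # A dummy credential so the unknown-email path costs one hash as well,
        # leaving nothing for a response-time comparison to distinguish.
        dummy_salt = secrets.token_bytes(16)
        self._dummy = (dummy_salt, _hash_password(secrets.token_hex(16), dummy_salt))

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self._users[email] = (salt, _hash_password(password, salt))

    def login(self, email, password):
        """Return (status, body). Only a success reveals anything about the account."""
        now = self.clock()
        count, locked_until = self._failures.get(email, (0, 0.0))
        if now < locked_until:
            return LOCKED_OUT
        if locked_until:               # a previous lock has expired: fresh window
            count = 0
        salt, stored = self._users.get(email, self._dummy)
        matches = hmac.compare_digest(_hash_password(password, salt), stored)
        if matches and email in self._users:
            self._failures.pop(email, None)
            return 200, "OK"
        # Failures are counted for unknown emails too, so reaching the lockout
        # behaves the same for registered and unregistered addresses.
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[email] = (count, locked_until)
        return LOGIN_FAILED
```

For the QA check, compare the full response (status, body and headers other than dates and request ids) for the two failure cases; a difference in any of them is the enumeration bug.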

Recommended Tools

Postman

Replay login, reset and token requests to check single-use tokens, expiry and rate limiting at the API layer.

Browser DevTools

Inspect session cookie flags (Secure, HttpOnly, SameSite) and the network panel during the auth flow.
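As an added example (not the checklist's own code), a small audit of a Set-Cookie header value as copied from the DevTools network panel. It checks the three flags named above, the Max-Age of a session cookie, and the browser rules for the __Host- name prefix; the 12-hour persistence threshold and the minimum id length are assumptions.

```python
# Added example (not the checklist's own code): audit a Set-Cookie header value.
# MAX_SESSION_AGE_SECONDS and the id-length floor are constructed thresholds.

MAX_SESSION_AGE_SECONDS = 12 * 60 * 60


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val_or_True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header):
    """Return a list of findings; an empty list means the cookie passes every check."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by scripts on the page")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing SameSite: browser default applies, set Lax or Strict explicitly")
    elif samesite.lower() == "none":
        findings.append("SameSite=None: cookie is sent on cross-site requests")
    if "max-age" in attrs:
        try:
            if int(attrs["max-age"]) > MAX_SESSION_AGE_SECONDS:
                findings.append("Max-Age exceeds %d seconds: session cookie persists too long"
                                % MAX_SESSION_AGE_SECONDS)
        except ValueError:
            findings.append("Max-Age is not an integer")
    if name.startswith("__Host-"):
        # Browsers only accept a __Host- cookie that is Secure, has Path=/ and no Domain.
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    if len(value) < 16:
        findings.append("session id looks short: fewer than 16 characters")
    return findings
```

Paste the header value from the response that sets the session cookie after a successful login; the findings list is the evidence to attach to the ticket.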

JWT Decoder

Inspect non-production token claims and expiry safely.
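The block below is an added example, not the checklist's own code: it does what a JWT decoder does (split the token and base64url-decode the header and payload without checking the signature) and then audits the claims a tester looks at, namely the algorithm, exp and the lifetime implied by iat. The sample token is built in the block with a throwaway key so it runs offline; the 24-hour lifetime limit is an assumption.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example (not the checklist's own code): decode and audit JWT claims.
# MAX_LIFETIME_SECONDS is a constructed threshold.

MAX_LIFETIME_SECONDS = 24 * 60 * 60


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(payload, key, header=None):
    """Build a compact JWS; used only to construct test input for this example."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    if header.get("alg") == "none":          # an unsigned token has an empty signature
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_unverified(token):
    """Return (header, payload) WITHOUT checking the signature. This is for
    reading claims in a test environment, never for accepting a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def audit_token(token, now=None):
    """Return findings about the token's header and time claims."""
    now = time.time() if now is None else now
    header, payload = decode_unverified(token)
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg=none: token carries no signature")
    if "exp" not in payload:
        findings.append("no exp claim: token never expires")
    else:
        if payload["exp"] <= now:
            findings.append("token is expired")
        issued = payload.get("iat", now)   # without iat, measure from now
        if payload["exp"] - issued > MAX_LIFETIME_SECONDS:
            findings.append("lifetime exceeds %d seconds" % MAX_LIFETIME_SECONDS)
    return findings
```

Because the signature is never checked here, the output says what the token claims, not whether the server would accept it; the acceptance checks (expired token rejected, tampered token rejected) are separate API replays.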