- Credential stuffing resistance (rate limiting, CAPTCHA)
- Password policy enforcement
- Session fixation after login
- JWT implementation flaws (`alg: none`, weak secrets)
- Multi-factor authentication bypass