## Secure Authentication Mechanisms

- Take Care with User Credentials
	Never send login data over unencrypted connections
	Redirect HTTP requests to HTTPS
	Audit website to make sure no username or emails are disclosed through HTTP responses

- Don't Count on Users for Security
	Implement an effective password policy
	Provide real-time feedback on user's password strength

- Prevent Username Enumeration
	Use identical/generic error messages on all authentication pages
	Return the same HTTP status code with each login request
	Make response times indistinguishable

- Implement Robust Brute-Force Protection
	Implement strict, IP-based user rate limiting
	Require a user to complete a CAPTCHA test with every login attempt after a limit is reached

- Check Verification Logic
	Audit all verification and validation logic to eliminate flaws

- Implement Proper MFA
	Use a device or app that generates the code directly (not SMS or email)
	Make sure MFA logic is sound