Your login form works on the first try. A password manager autofills, the token comes back, the user lands in the dashboard. What the model didn't build is everything that happens when the login form is called a million times, or when the token is never rotated, or when the password reset link never expires.
Broken Authentication is the whole family of bugs where proving who you are goes wrong: brute-forceable login, guessable tokens, forever-valid JWTs, password reset links that never expire, sessions that don't terminate. Any one of them lets an attacker become a user they are not.
What your AI actually built
You asked for auth. You got a /login route that checks a password, signs a JWT, and sends it back. It works. That's the part that gets tested.
What it didn't build: rate limiting on login. Lockout after failed attempts. Short-lived tokens. Rotation on password change. A refresh flow that actually invalidates old tokens. A reset link that expires in fifteen minutes instead of forever.
On top of that, half the generated JWT middleware accepts tokens with `alg: none`, or signs with a hardcoded secret that ends up in the client bundle. The login passes testing because nobody tested the parts that matter.
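As an added example (not code from the original page), here is a JWT check that closes two of the gaps named above: it pins the algorithm so a token with `alg: none` is refused, and it rejects tokens that carry no bounded lifetime. `MAX_TTL_SECONDS`, `DEMO_SECRET` and the function names are assumptions for illustration; a real key is loaded from server-side configuration and never shipped in the client bundle.

```javascript
const crypto = require('node:crypto');

// Assumed policy for this example: access tokens live at most 15 minutes.
const MAX_TTL_SECONDS = 15 * 60;
// Constructed demo key. A real key comes from server-side secret storage.
const DEMO_SECRET = crypto.randomBytes(32);

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Constructed helper that mints sample tokens so the verifier can be exercised.
function signToken(payload, secret, header = { alg: 'HS256', typ: 'JWT' }) {
  const body = `${b64url(header)}.${b64url(payload)}`;
  return `${body}.${hmac(body, secret).toString('base64url')}`;
}

// Hardened verification: returns { ok: true, payload } or { ok: false, reason }.
function verifyToken(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm on the server; the token header never gets to choose it.
  if (header?.alg !== 'HS256') return { ok: false, reason: 'alg-not-allowed' };
  const expected = hmac(`${parts[0]}.${parts[1]}`, secret);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Require a bounded lifetime: no exp/iat, or an overlong window, is rejected.
  if (!Number.isInteger(payload?.exp) || !Number.isInteger(payload?.iat)) {
    return { ok: false, reason: 'missing-exp-or-iat' };
  }
  if (payload.exp - payload.iat > MAX_TTL_SECONDS) return { ok: false, reason: 'ttl-too-long' };
  if (payload.exp <= now) return { ok: false, reason: 'expired' };
  return { ok: true, payload };
}
```

Signature and lifetime checks do not cover rotation on password change or refresh-token invalidation; those need server-side state that this sketch leaves out.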
How it gets exploited
The attacker finds the login endpoint from a mobile app or SPA bundle — /api/auth/login, JSON in, JWT out.