Auth is the one thing the model always writes. Sign up, sign in, reset password — it never forgets the form. What it forgets is the hundred quiet rules underneath that decide whether the form is a door or a wall. The door works. That is not the same thing as the door being locked.
Identification and authentication failures cover every way a login flow can be technically correct but practically broken. Missing rate limits, weak password rules, predictable reset tokens, session IDs that never expire, MFA that is optional and easy to skip. The form works. The guarantees behind the form do not.
What your AI actually built
You asked for login with email and password. The model built the route, the form, the session cookie, and the redirect. Every happy-path test passes. You tried it yourself and it let you in.
What it didn't build was rate limiting on the login endpoint, so an attacker can try a hundred thousand passwords a minute. No lockout, no captcha, no delay. The form works exactly the same on attempt one and attempt one million.
The JWT it hands out is signed, but the secret is 'secret' in a .env.example that got committed. The password reset token is a random number from Math.random, which is not a cryptographic generator. None of these are typos — they are all defaults the model copied from a tutorial that skipped security for readability.
How it gets exploited
An attacker sees your login page. They have a list of 10 million known breached email/password pairs from a public dump.