Password-only authentication

Traditional username and password login flow

Participants: user, browser, server, attacker

Step 1: navigate to login
  User visits the website login page.
  ⚠️ Pain point: content injected into the page (for example a tampered or XSS-modified form) can alter what the user sees and where credentials go.
  🎣 Attack vector: a phishing site can mimic this page; nothing in the flow lets the user or browser tell the real page from a copy.

Step 2: enter credentials
  User types username and password.
  ⚠️ Pain point: the password is visible to shoulder surfing.
  ⌨️ Attack vector: a keylogger on the user's machine captures the credentials as typed.

Step 3: submit request
  Browser POSTs the credentials to the server.
  ⚠️ Pain point: the request can be intercepted on the network.
  🕵 Attack vector: a man-in-the-middle can read or replay the credentials if the connection is not HTTPS.

Step 4: validate credentials
  Server looks up the username and compares the submitted password against the stored hash.
  ⚠️ Pain point: a database breach exposes every stored credential; unsalted or fast hashes are crackable offline.
  💾 Attack vector: SQL injection in the lookup query (e.g. a crafted username) can bypass the password check or dump the table.

Step 5: access granted
  User is logged into the account and receives a session cookie.
  Total time: ~5-10 seconds
  🍪 Attack vector: the session cookie can be stolen via XSS if it is not marked HttpOnly, hijacking the session without the password.

Summary
  5+ pain points
  8+ attack vectors
  0 additional protection layers beyond the password itself
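The following is an added example, not code from the original page or from any product it describes. It implements steps 4 and 5 of the flow above twice in plain Python with an in-memory sqlite3 table constructed for the demonstration: a vulnerable validator (string-built SQL over an unsalted MD5 hash, so a crafted username bypasses the password and a breached table cracks offline) beside a hardened one (parameterized lookup, salted PBKDF2, constant-time comparison), plus the Set-Cookie flags that blunt the step-5 cookie theft. The user name, password, PBKDF2 cost and cookie names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

# Demonstration value; production deployments use a far higher PBKDF2 cost or a
# memory-hard KDF such as Argon2. This number is an assumption, not from the page.
PBKDF2_ITERATIONS = 100_000


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user store standing in for the page's 'server'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, weak_hash TEXT, "
        "salt BLOB, strong_hash TEXT)"
    )
    return conn


def weak_hash(password: str) -> str:
    # Unsalted MD5: a breached table of these is crackable by lookup (step 4).
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes) -> str:
    # Salted, iterated KDF: every stored row costs its own brute-force effort.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    ).hex()


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        (username, weak_hash(password), salt, strong_hash(password, salt)),
    )
    conn.commit()


def validate_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Step 4 as an injectable string-built query over an unsalted hash.

    A username such as  alice' OR 1=1 --  comments out the hash clause, so any
    password is accepted. Deliberately vulnerable; do not copy."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND weak_hash = '%s'"
        % (username, weak_hash(password))
    )
    return conn.execute(query).fetchone() is not None


def validate_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup, salted KDF, constant-time comparison."""
    row = conn.execute(
        "SELECT salt, strong_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn a KDF anyway so an unknown user is not revealed by response time.
        strong_hash(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(strong_hash(password, salt), stored)


def new_session_token() -> str:
    return secrets.token_urlsafe(32)


def session_cookie(token: str, secure: bool = True) -> str:
    """Step 5 Set-Cookie value. HttpOnly keeps the token out of document.cookie
    (XSS theft), Secure keeps it off plaintext HTTP (MITM), SameSite limits CSRF."""
    flags = ["HttpOnly", "SameSite=Lax"]
    if secure:
        flags.append("Secure")
    return "session=%s; %s" % (token, "; ".join(flags))


def demo() -> dict:
    """Run both validators against a constructed user and an injection attempt."""
    conn = make_db()
    register(conn, "alice", "correct horse battery staple")
    injected_user = "alice' OR 1=1 --"
    return {
        "vuln_correct": validate_vulnerable(conn, "alice", "correct horse battery staple"),
        "vuln_wrong": validate_vulnerable(conn, "alice", "wrong"),
        "vuln_injected": validate_vulnerable(conn, injected_user, "wrong"),
        "hard_correct": validate_hardened(conn, "alice", "correct horse battery staple"),
        "hard_wrong": validate_hardened(conn, "alice", "wrong"),
        "hard_injected": validate_hardened(conn, injected_user, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-14s %s" % (name, "LOGIN" if ok else "denied"))
    print(session_cookie(new_session_token()))
```

Running the module shows the vulnerable validator granting login for the injected username with a wrong password, while the hardened one denies it; the printed cookie line is what the server should send at step 5 so that a later XSS cannot simply read the token. Note that none of this addresses steps 1 to 3 (phishing, keylogging, interception): server-side hygiene narrows the step-4 and step-5 vectors but leaves the flow password-only.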