Authentication is about confirming the identity of a client. For example, when you log in to an account, you use a username and password to authenticate yourself.
Examples of where authentication might fail include:
Systems that allow brute force attacks (e.g. guessing passwords from common-password list).
Systems that allow weak passwords such as "password1".
Systems with poorly-implemented credential-recovery systems (e.g. using knowledge-based security questions to recover password).
Systems which do not hash passwords, or do not hash passwords with a secure algorithm (such as Bcrypt).
Systems which do not use (or do not properly use) multi-factor authentication.
Systems which put session identifiers in the URL.
Systems which reuse session identifiers after a successful login.
Systems which don't properly invalidate session tokens during logout or a period of inactivity.
Implement multi-factor authentication where possible
Prevent users using weak passwords (e.g. short passwords or those present in databases of common passwords)
Limit information provided in failed login attempts (e.g. "your username or password is incorrect") to prevent malicious users accumulating information
Rate-limit login attempts (with increasing delay) to prevent brute forcing
Log failed login attempts and alert administrators when attempted hacks are suspected
Use a secure server-side session manager
(as a user) Use strong and unique passwords for each application you register for. A password-manager is recommended.
Complete the Password Strength challenge on Juice Shop