The Auth Mistakes LLMs Repeat Every Time
You paste a prompt.
“Build me authentication with email/password, OAuth, sessions, password reset.”
It generates 500 lines of code in 10 seconds.
Looks solid.
It’s not.
LLMs are great at scaffolding. They are terrible at edge cases. Auth is edge cases.
Here are the auth mistakes LLMs repeat every time - and why you shouldn’t ship them.
1. Rolling Their Own Password Logic
Classic output:
- Hash password with bcrypt
- Store hash in users table
- Compare on login
- Done
Looks fine. But it skips:
- Password complexity rules
- Breach detection (pwned passwords)
- Rate limiting
- Account lockout
- Re-auth flows
- Step-up verification
- Password rotation
- Audit logs
And sometimes:
- No salt
- Wrong cost factor
- Using plain SHA256
LLMs optimize for “working demo”, not “secure production system”.
Auth isn’t hashing. It’s policy + lifecycle + abuse protection.
2. Stateless JWTs Everywhere
LLMs love JWTs.
They generate:
- Access token
- Long-lived refresh token
- Store in localStorage
- Validate with secret
- Done
Problems:
- No token revocation
- No device-level logout
- No session invalidation
- No rotation strategy
- No replay protection
- XSS exposure via localStorage
They rarely:
- Implement rotating refresh tokens
- Store refresh tokens server-side
- Track token families
- Bind sessions to devices
JWTs are not a session system.
They’re a serialization format.
3. No Email Verification Edge Cases
LLM flow:
- Create user
- Send verification email
- Mark verified on click
Missing:
- Expiry
- One-time use
- Replay protection
- Email change verification
- Multiple pending tokens
- Idempotent handling
- Throttling resend
And worst:
- Auto-login before verification
- Privileged access without verification
Edge case: user signs up with typo email. That account becomes unclaimable.
LLMs don’t model real user behavior.
4. Password Reset That’s Easy to Exploit
Generated flow:
- POST /forgot
- Generate token
- Store token
- Email link
- Reset password
Common mistakes:
- Token stored in plaintext
- No expiry
- No hashing of reset token
- No invalidation after use
- No IP throttling
- Account enumeration via response timing
And often:
- Same response body, but different response time
- Reset token valid forever
- Reset does not invalidate sessions
That’s how accounts get hijacked.
5. No Rate Limiting
Most generated auth systems:
- Unlimited login attempts
- Unlimited password reset attempts
- Unlimited email verification requests
No:
- IP throttling
- User-based throttling
- Progressive backoff
- CAPTCHA fallback
- Abuse detection
LLMs assume polite users.
Attackers are not polite.
6. OAuth Done Superficially
Prompt: “Add Google OAuth.”
You get:
- Redirect
- Callback
- Exchange code
- Create user
Missing:
- State validation
- PKCE
- Email collision handling
- Account linking logic
- Provider mismatch logic
- Multi-provider merging
- Domain restrictions
- Re-auth flows
Edge case:
User signs up with email/password.
Later logs in with Google using same email.
Now you have two accounts or silent takeover.
LLMs rarely handle identity linking properly.
7. No Multi-Tenancy Isolation
If you’re building SaaS, this matters.
LLMs generate:
- users table
- organizations table
- membership table
But forget:
- Enforcing org scoping everywhere
- Preventing cross-tenant access
- Unique constraints per tenant
- Session-to-org binding
- Tenant-specific roles
- Role escalation prevention
Auth bugs in multi-tenant systems are data breaches.
LLMs don’t simulate malicious cross-tenant queries.
8. Insecure Session Storage
Common output:
- Store session in memory
- Or localStorage
- Or signed cookie
- Or plain cookie without proper flags
Missing flags:
- HttpOnly
- Secure
- SameSite
- Proper expiration
- Rotation on privilege escalation
Also missing:
- Session invalidation on password change
- Device tracking
- Concurrent session limits
They give you sessions.
Not session management.
9. No Audit Trail
Real auth systems log:
- Login attempts
- Failed attempts
- Password changes
- Email changes
- MFA enrollment
- OAuth linking
- Session revocation
LLM-generated systems rarely log anything.
When something goes wrong:
You have zero forensic trail.
10. MFA as an Afterthought
Prompt: “Add 2FA.”
You get:
- TOTP secret
- QR code
- Verify code
Missing:
- Recovery codes
- Step-up auth
- Backup methods
- Rate limiting TOTP attempts
- MFA enforcement policy
- Device remembering
- Admin-enforced MFA
- Per-tenant MFA settings
And sometimes:
- TOTP secret stored in plaintext.
MFA is policy + recovery + UX.
Not just a QR code.
11. No Payment-Auth Coupling
If you sell subscriptions:
LLMs treat auth and billing as separate systems.
Reality:
- Plan affects feature access
- Cancelled subscription affects session
- Downgrade affects role
- Trial expiration affects permissions
- Team billing affects org-level access
Generated auth rarely models:
- Entitlements
- Role-based + plan-based gates
- Real-time permission changes
Access control is dynamic.
LLMs generate static guards.
12. No Real Access Control Model
LLMs typically generate:
- isAdmin boolean
- role column
- if (user.role === “admin”)
Missing:
- Role hierarchy
- Permission-based model
- Org roles vs global roles
- Delegated admin
- Feature flags per plan
- Per-resource ACL
Authorization is harder than authentication. LLMs treat them the same.
They are not.
13. No Threat Modeling
LLMs don’t ask:
- What happens if token is stolen?
- What happens if user changes email?
- What happens if two resets requested?
- What happens under brute force?
- What happens during race conditions?
- What happens during partial OAuth failure?
They generate happy-path systems.
Attackers operate on unhappy paths.
14. No Compliance Awareness
If you deal with:
- GDPR
- SOC 2
- HIPAA
- ISO 27001
You need:
- Data retention policies
- Right to deletion
- Audit logs
- Security controls
- Access review mechanisms
LLMs don’t model compliance requirements.
They generate code.
Not systems.
15. No Operational Thinking
Auth is not just code.
It’s:
- Email deliverability
- OAuth app configuration
- Secret rotation
- Key rotation
- Incident response
- Abuse monitoring
- Uptime
- Scaling
- Session storage scaling
- Cross-region replication
LLMs don’t think operationally.
They think syntactically.
Why This Happens
LLMs are trained on:
- Tutorials
- Boilerplates
- StackOverflow snippets
- Simplified guides
Most tutorials:
- Skip rate limiting
- Skip abuse handling
- Skip compliance
- Skip multi-tenant isolation
- Skip edge cases
So the model repeats the same shallow patterns.
It’s not malicious.
It’s statistical.
The Real Cost of DIY + LLM Auth
You save:
- 2–3 days upfront
You pay:
- Weeks debugging edge cases
- Security audit fixes
- Production incidents
- Customer trust loss
- Compliance retrofits
Or worse:
- A breach
And the dangerous part:
It looks correct.
What You Actually Need
If you’re building:
- SaaS
- Marketplace
- B2B tool
- Internal admin panel
- Multi-tenant app
You need:
- Hosted login
- OAuth providers
- Session management
- Refresh rotation
- Email verification lifecycle
- Password reset lifecycle
- MFA
- Multi-tenant isolation
- Role + permission system
- Audit logs
- Webhooks
- Payment-aware access control
- Secure defaults
Not 500 lines of generated auth code.
Use Hosted Auth Instead
You don’t win by writing auth.
You win by shipping product.
With hosted auth you get:
- Secure session handling
- Proper OAuth implementation
- Verified email flows
- Rotating tokens
- Revocation
- MFA lifecycle
- Org + role model
- Payment coupling
- Multi-tenancy
- Audit trails
Without maintaining it yourself.
That’s what Simple Login is built for.
Hosted auth for builders.
Drop-in login, OAuth, sessions, multi-tenancy, payments.
You integrate once.
You stop thinking about edge cases.
You ship.
→ Ship faster with hosted auth
Key Takeaways
- LLM-generated auth handles happy paths, not attack paths
- JWT ≠ session management
- Multi-tenant auth bugs are data breaches
- Authorization complexity is underestimated every time
- Hosted auth eliminates years of edge-case maintenance