Authentication — Engineering Experiments
Authentication is where most identity compromises actually succeed.
This page documents hands-on authentication experiments performed in isolated lab tenants to observe how MFA, sessions, tokens, and authentication methods behave under real-world conditions.
All content here reflects observed behavior, not assumptions.
What This Page Covers
This page serves as a central experiment index for authentication testing on F11.ca.
You will find:
- A live index of authentication experiments
- Tested scenarios covering MFA, passwordless, and session behavior
- Clear outcomes and security impact
- Links to detailed experiment records
This is not an authentication overview or best-practice guide.
Authentication Experiment Index
Each experiment ID links to a detailed record including configuration, logs, and observed behavior.
| ID | Category | Description | Result | Risk |
|---|---|---|---|---|
| AUTH-EXP-001 | Baseline | Password-only authentication in a default tenant | Account compromise possible | 🔴 High |
| AUTH-EXP-002 | MFA | MFA satisfied but session reused | MFA bypass via session | 🔴 High |
| AUTH-EXP-003 | Sessions | Password reset does not invalidate active sessions | Session persists | 🔴 High |
| AUTH-EXP-004 | MFA Methods | Push notification abuse (MFA fatigue) | Unauthorized access granted | 🔴 High |
| AUTH-EXP-005 | Passwordless | Passwordless sign-in without device trust | Reduced assurance | 🟠 Medium |
| AUTH-EXP-006 | Tokens | Refresh token reuse after credential change | Continued access | 🔴 High |
Experiment Categories
Experiments are grouped to surface authentication failure patterns:
- Baseline — Default authentication behavior
- MFA — Enforcement, abuse, and user interaction
- MFA Methods — Push, SMS, OTP, and phishing-resistant methods
- Sessions — Token and browser session persistence
- Tokens — Access and refresh token behavior
- Passwordless — FIDO2 and passwordless sign-in behavior

Experiment Methodology
Every authentication experiment on F11.ca uses the same step-by-step approach:
- Start by identifying the authentication method or control you want to test
- Set up the tenant and adjust user authentication settings as needed
- Run both regular sign-in and abuse scenarios
- Watch how tokens are issued, how sessions behave, and review the logs
- Compare what you expected to happen with what actually happened
- Write down the security impact and key takeaways
Following these steps makes sure experiments can be repeated, tracked, and explained if needed.


Patterns Observed Across Authentication Experiments
Several patterns show up again and again in different authentication experiments:
- When MFA succeeds, it does not end any active sessions.
- Many people do not fully understand how session persistence works.
- Push-based MFA can be risky because it depends on how users respond.
- People often make wrong assumptions about how long tokens last.
- Using passwordless methods does not always mean strong security by default.
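The two patterns that recur most often above (sessions and refresh tokens outliving a credential change, as in AUTH-EXP-003 and AUTH-EXP-006, and push-based MFA fatigue, as in AUTH-EXP-004) are the ones a tenant owner most needs to spot in logs. The following is an added example, not code from F11.ca or from any experiment record: two defender-side checks run over a constructed, simplified sign-in log. The pipe-separated format, the field names and the event names (`signin`, `token_refresh`, `password_reset`, `mfa_push`) are assumptions made for illustration and do not correspond to any vendor's log schema.

```python
"""
Added example (not part of the F11.ca page): defender-side checks over a
constructed sign-in log. Log format, field names and event names are
assumptions for illustration, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line.
# Assumed format: timestamp|user|event|session_id|mfa_result
SAMPLE_LOG = """\
2024-05-01T08:00:00Z|alice|signin|S1|success
2024-05-01T08:05:00Z|alice|token_refresh|S1|-
2024-05-01T09:00:00Z|alice|password_reset|-|-
2024-05-01T09:30:00Z|alice|token_refresh|S1|-
2024-05-01T09:45:00Z|alice|signin|S2|success
2024-05-01T10:00:00Z|alice|token_refresh|S2|-
2024-05-01T22:00:00Z|bob|mfa_push|-|denied
2024-05-01T22:00:20Z|bob|mfa_push|-|denied
2024-05-01T22:00:40Z|bob|mfa_push|-|denied
2024-05-01T22:01:00Z|bob|mfa_push|-|denied
2024-05-01T22:01:30Z|bob|mfa_push|-|approved
2024-05-01T22:01:31Z|bob|signin|S3|success
2024-05-01T11:00:00Z|carol|mfa_push|-|approved
2024-05-01T11:00:05Z|carol|signin|S4|success
"""


def parse_log(text):
    """Parse the assumed pipe-separated format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, session, mfa = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "session": session, "mfa": mfa,
        })
    return events


def sessions_surviving_credential_change(events):
    """AUTH-EXP-003/006 check: sessions (or the refresh tokens behind them)
    first seen BEFORE a password_reset and still used AFTER it.
    Returns {user: [session_id, ...]}."""
    resets = {}            # user -> time of most recent password_reset
    first_seen = {}        # (user, session) -> first event time
    findings = defaultdict(set)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "password_reset":
            resets[e["user"]] = e["ts"]
            continue
        if e["session"] == "-":
            continue
        key = (e["user"], e["session"])
        first_seen.setdefault(key, e["ts"])
        reset_at = resets.get(e["user"])
        # Issued before the reset, used after it: the reset did not revoke it.
        if reset_at and first_seen[key] < reset_at < e["ts"]:
            findings[e["user"]].add(e["session"])
    return {u: sorted(s) for u, s in findings.items()}


def push_fatigue_bursts(events, window=timedelta(minutes=5), threshold=3):
    """AUTH-EXP-004 check: a user receiving >= threshold push prompts inside
    `window`. Also reports whether the burst ended in an approval after
    denials, the outcome the experiment describes.
    Returns {user: {"prompts": n, "denied": n, "approved_after_denials": bool}}."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            pushes[e["user"]].append(e)
    findings = {}
    for user, evs in pushes.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            if len(burst) >= threshold:
                denied = sum(1 for e in burst if e["mfa"] == "denied")
                findings[user] = {
                    "prompts": len(burst),
                    "denied": denied,
                    "approved_after_denials": denied > 0 and burst[-1]["mfa"] == "approved",
                }
                break  # report the first qualifying burst per user
    return findings


def run_checks(text=SAMPLE_LOG):
    """Run both checks over a log and return their findings together."""
    events = parse_log(text)
    return {
        "sessions_after_reset": sessions_surviving_credential_change(events),
        "push_fatigue": push_fatigue_bursts(events),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

On the constructed log, the first check flags alice's session S1 (refreshed at 09:30 after the 09:00 reset) and not S2, which was issued after the reset; the second flags bob's five prompts in ninety seconds ending in an approval, and ignores carol's single approved prompt. Both checks are deliberately tenant-agnostic: the same logic applies whatever the real event names are once `parse_log` is replaced with a parser for the actual export.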
Scope & Notes
- All experiments take place in separate lab tenants.
- Results depend on how each tenant is set up and what licenses are used.
- This page records what was observed, not what is recommended.
- Official documentation is cited when relevant.

Authentication failures are rarely technical.
They are behavioral — amplified by assumptions.
F11 — Full-Scale Engineering Mode