security-authentication
Security Authentication
Overview
Use this skill to design and review authentication flows that resist account takeover while preserving acceptable user friction.
Scope Boundaries
- Authentication factors, login flows, or account-recovery behavior are being introduced or changed.
- Session management (cookie/token TTL, refresh policy, revocation) needs to be defined.
- Risk-based controls (MFA, step-up auth, suspicious login handling) are required.
Templates And Assets
- Authentication assurance matrix:
assets/auth-assurance-matrix-template.md
Inputs To Gather
- Identity sources and trust level requirements (internal users, external users, federated identities).
- Threat assumptions (credential stuffing, phishing, token theft, session hijacking).
- Regulatory and product constraints (MFA mandates, session timeout policy, UX limits).
- Operational constraints (IdP availability, incident response expectations, observability baseline).
Deliverables
- Authentication flow map for primary login, re-auth, and recovery paths.
- Credential and token/session policy (issuance, storage, rotation, revocation, expiry).
- Control matrix for anti-abuse protections and detection signals.
- Residual risk list with owners and verification checkpoints.
Workflow
- Define assurance targets by action sensitivity using
assets/auth-assurance-matrix-template.md. - Select factor strategy (password, passkey, OTP, federated SSO) using attacker capability and usability constraints.
- Design session/token lifecycle with explicit expiry, refresh, revocation, and device binding rules.
- Add anti-automation and abuse controls for login and recovery endpoints.
- Specify fallback and lockout policy that avoids permanent user denial while blocking attacker persistence.
- Define telemetry for login success/failure, suspicious patterns, and step-up triggers.
- Validate flows with negative scenarios: replay, stolen token use, brute-force, and recovery abuse.
Quality Standard
- Every sensitive action has a declared required assurance level.
- Session/token invalidation behavior is explicit and testable.
- Recovery flow is at least as strong as primary authentication assurance.
- Audit signals are actionable for incident triage.
Failure Conditions
- Stop when account recovery can bypass primary assurance guarantees.
- Stop when token/session revocation behavior is undefined.
- Escalate when control strength cannot meet required risk level.
More from kentoshimizu/sw-agent-skills
graph-algorithms
Graph algorithm workflow for modeling entities/relations and selecting traversal, path, ordering, or flow strategies. Use when correctness or performance depends on graph representation and algorithm choice; do not use for schema-only modeling or deployment topology planning.
14bash-style-guide
Style, review, and refactoring standards for Bash shell scripting. Trigger when `.sh` files, files with `#!/usr/bin/env bash` or `#!/bin/bash`, or CI workflow blocks with `shell: bash` are created, modified, or reviewed and Bash-specific quality controls (quoting safety, error handling, portability, readability) must be enforced. Do not use for generic POSIX `sh`, PowerShell, or language-specific application style rules. In multi-language pull requests, run together with other applicable `*-style-guide` skills.
11architecture-clean-architecture
Clean Architecture workflow for enforcing dependency direction, stable domain boundaries, and use-case-centered application design. Use when teams must separate business rules from frameworks and delivery mechanisms; do not use for isolated module cleanup without boundary implications.
11powershell-style-guide
Style, review, and refactoring standards for PowerShell scripting. Trigger when `.ps1`, `.psm1`, `.psd1` files, or CI workflow blocks with `shell: pwsh` or `shell: powershell` are created, modified, or reviewed and PowerShell-specific quality controls (error handling, parameter validation, readability, operational safety) must be enforced. Do not use for Bash, generic POSIX `sh`, or language-specific application style rules. In multi-language pull requests, run together with other applicable `*-style-guide` skills.
10github-codeowners-management
Govern CODEOWNERS rules so review routing reflects real ownership and risk boundaries on GitHub. Use when repository ownership mapping or mandatory reviewer rules must be defined, updated, or audited; do not use for non-GitHub runtime architecture or data-layer design.
9redis-caching-patterns
Redis caching workflow for latency improvement with explicit key strategy, TTL/invalidation policy, and correctness bounds. Use when Redis-backed caching decisions are required for application performance; do not use for repository-wide architecture governance or release management policy.
9