security-authentication

📁 kentoshimizu/sw-agent-skills 📅 1 day ago

总安装量

周安装量

#76033

全站排名

安装命令

npx skills add https://github.com/kentoshimizu/sw-agent-skills --skill security-authentication

Agent 安装分布

amp 1

cline 1

opencode 1

cursor 1

continue 1

kimi-cli 1

Use this skill to design and review authentication flows that resist account takeover while preserving acceptable user friction.

Authentication factors, login flows, or account-recovery behavior are being introduced or changed.
Session management (cookie/token TTL, refresh policy, revocation) needs to be defined.
Risk-based controls (MFA, step-up auth, suspicious login handling) are required.

Identity sources and trust level requirements (internal users, external users, federated identities).
Threat assumptions (credential stuffing, phishing, token theft, session hijacking).
Regulatory and product constraints (MFA mandates, session timeout policy, UX limits).
Operational constraints (IdP availability, incident response expectations, observability baseline).

Authentication flow map for primary login, re-auth, and recovery paths.
Credential and token/session policy (issuance, storage, rotation, revocation, expiry).
Control matrix for anti-abuse protections and detection signals.
Residual risk list with owners and verification checkpoints.

Define assurance targets by action sensitivity using assets/auth-assurance-matrix-template.md.
Select factor strategy (password, passkey, OTP, federated SSO) using attacker capability and usability constraints.
Design session/token lifecycle with explicit expiry, refresh, revocation, and device binding rules.
Add anti-automation and abuse controls for login and recovery endpoints.
Specify fallback and lockout policy that avoids permanent user denial while blocking attacker persistence.
Define telemetry for login success/failure, suspicious patterns, and step-up triggers.
Validate flows with negative scenarios: replay, stolen token use, brute-force, and recovery abuse.