Foundations
The building blocks every login decision rests on — read these first before diving into patterns.
Still the default authenticator for most products — and the one most likely to be misconfigured.
A second factor is only as good as its fallback — design the whole chain, not just the happy path.
Phishing-resistant and passwordless by design — but adoption depends entirely on how they're introduced.
The login screen gets all the attention; the session that follows is where trust is actually lived.
The path back into an account is the path most likely to be attacked — and most often designed last.
Knowing a device belongs to a returning user is different from knowing who that user legally is.
Someone acting on another person's behalf is a normal case, not an edge case — design it as one.