// Practical guide
How to review login and authentication in AI-built SaaS
Authentication vs authorization: do not confuse them
Authentication answers "who are you"; authorization answers "what can you do". AI-built SaaS often gets login right and authorization wrong — the person gets in but reaches data or actions they should not. Review both, separately.
What to check in login
Login is the door; it must withstand automated attempts and leak no information.
- Rate limiting and lockout after repeated attempts.
- Error messages that do not reveal whether the e-mail exists.
- Sessions that expire, invalidate on logout, and run in a secure cookie.
- MFA available at least for admin accounts.
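An added illustration of the first three items on the login list, not code from the original guide or from the RET Promptbook: a small in-memory login service that counts failed attempts per e-mail and locks the account for a window, returns the same error text whether the e-mail is unknown or the password is wrong (and hashes the password either way so timing does not differ), and issues random session ids that expire and are dropped on logout. Store names, limits (5 attempts, 15-minute lockout, 1-hour session) and the PBKDF2 parameters are assumptions chosen for the example; the MFA step is left out.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example; a real service tunes them per risk.
MAX_ATTEMPTS = 5            # failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60   # how long the lockout window lasts
SESSION_TTL = 60 * 60       # session lifetime in seconds
GENERIC_ERROR = "Invalid e-mail or password"  # identical text for both failure modes
DUMMY_SALT = b"\x00" * 16   # used when the e-mail is unknown, so the hash still runs


@dataclass
class User:
    email: str
    salt: bytes
    password_hash: bytes
    is_admin: bool = False


@dataclass
class Session:
    user_email: str
    expires_at: float


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(email: str, password: str, is_admin: bool = False) -> User:
    salt = secrets.token_bytes(16)
    return User(email, salt, hash_password(password, salt), is_admin)


class AuthService:
    def __init__(self, users: dict[str, User]):
        self.users = users
        self.failed: dict[str, list[float]] = {}   # e-mail -> timestamps of failures
        self.sessions: dict[str, Session] = {}     # session id -> session

    def _locked(self, email: str, now: float) -> bool:
        # Keep only failures inside the lockout window, then compare with the limit.
        recent = [t for t in self.failed.get(email, []) if now - t < LOCKOUT_SECONDS]
        self.failed[email] = recent
        return len(recent) >= MAX_ATTEMPTS

    def login(self, email: str, password: str, now: float | None = None):
        """Return (session_id, error). The error never reveals whether the e-mail exists."""
        now = time.time() if now is None else now
        if self._locked(email, now):
            return None, "Too many attempts, try again later"
        user = self.users.get(email)
        # Hash even for unknown e-mails so response time does not leak account existence.
        salt = user.salt if user else DUMMY_SALT
        expected = user.password_hash if user else hash_password("", DUMMY_SALT)
        candidate = hash_password(password, salt)
        if user is None or not hmac.compare_digest(candidate, expected):
            self.failed.setdefault(email, []).append(now)
            return None, GENERIC_ERROR
        self.failed.pop(email, None)
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        self.sessions[sid] = Session(user_email=email, expires_at=now + SESSION_TTL)
        return sid, None

    def current_user(self, sid: str, now: float | None = None) -> str | None:
        now = time.time() if now is None else now
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now >= s.expires_at:        # expired: drop it and treat as logged out
            del self.sessions[sid]
            return None
        return s.user_email

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)   # server-side invalidation, not just cookie deletion

    def session_cookie(self, sid: str) -> str:
        # The attributes a reviewer expects on the session cookie.
        return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age={SESSION_TTL}"


def build_demo_service() -> AuthService:
    # Constructed sample accounts for running the example offline.
    users = {
        "alice@example.com": make_user("alice@example.com", "correct horse battery"),
        "bob@example.com": make_user("bob@example.com", "bob-password", is_admin=True),
    }
    return AuthService(users)
```

When reviewing generated code, compare the failure branches against this shape: a different message, status code or response time for "user not found" versus "wrong password" is the leak the checklist warns about, and a logout that only clears the cookie without touching the server-side store leaves the session alive.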
Password reset and invites
Recovery and invite flows are the favorite path to account takeover. The token must be unique, short-lived, single-use, and invalidated after use. An invite must not grant access to the wrong tenant.
- Single-use reset token with a short expiry.
- Changing the password invalidates old sessions.
- Invite bound to the correct e-mail and tenant.
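An added example for the reset and invite items above (not part of the original guide or of the RET Promptbook): reset tokens and invites are random, stored only as a hash, expire after a short window, and are marked used on first redemption; completing a reset replaces the password and drops every existing session for that user; an invite carries the e-mail and tenant it was issued for and is refused when a different account tries to redeem it. The in-memory stores, the 15-minute reset and 48-hour invite lifetimes, and the `_pw` hashing helper are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass

RESET_TTL = 15 * 60       # assumed: reset links live 15 minutes
INVITE_TTL = 48 * 3600    # assumed: invites live 48 hours


@dataclass
class ResetToken:
    email: str
    expires_at: float
    used: bool = False


@dataclass
class Invite:
    email: str          # the address the invite was sent to
    tenant_id: str      # the tenant it grants membership in, fixed at issue time
    expires_at: float
    used: bool = False


def _h(raw_token: str) -> bytes:
    # Only the hash is stored; a database leak must not expose usable tokens.
    return hashlib.sha256(raw_token.encode()).digest()


def _pw(password: str) -> bytes:
    # Salted PBKDF2 for the demo store (salt prefixed so it can be verified later).
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class RecoveryService:
    def __init__(self):
        self.password_hashes: dict[str, bytes] = {}      # e-mail -> salted hash
        self.sessions: dict[str, str] = {}               # session id -> e-mail
        self.memberships: dict[str, set[str]] = {}       # tenant id -> e-mails
        self.reset_tokens: dict[bytes, ResetToken] = {}  # token hash -> record
        self.invites: dict[bytes, Invite] = {}           # token hash -> record

    def request_reset(self, email: str, now: float) -> str | None:
        """Return the raw token to put in the e-mail link, or None for unknown accounts.
        The HTTP response to the requester must look the same in both cases."""
        if email not in self.password_hashes:
            return None
        raw = secrets.token_urlsafe(32)
        self.reset_tokens[_h(raw)] = ResetToken(email, now + RESET_TTL)
        return raw

    def complete_reset(self, raw: str, new_password: str, now: float) -> bool:
        rec = self.reset_tokens.get(_h(raw))
        if rec is None or rec.used or now >= rec.expires_at:
            return False                      # unknown, already used, or expired
        rec.used = True                       # single use: a second click fails
        self.password_hashes[rec.email] = _pw(new_password)
        # A password change invalidates every existing session of that user.
        self.sessions = {sid: e for sid, e in self.sessions.items() if e != rec.email}
        return True

    def create_invite(self, email: str, tenant_id: str, now: float) -> str:
        raw = secrets.token_urlsafe(32)
        self.invites[_h(raw)] = Invite(email.lower(), tenant_id, now + INVITE_TTL)
        return raw

    def accept_invite(self, raw: str, account_email: str, now: float) -> str | None:
        """Return the tenant joined, or None. The redeeming account must match the invitee."""
        inv = self.invites.get(_h(raw))
        if inv is None or inv.used or now >= inv.expires_at:
            return None
        if inv.email != account_email.lower():
            return None                       # issued to someone else: do not grant access
        inv.used = True
        self.memberships.setdefault(inv.tenant_id, set()).add(inv.email)
        return inv.tenant_id
```

The two properties that generated code most often misses are visible in `complete_reset`: the `used` flag is set before the password is written, so a replayed link fails, and the session purge is done on the server, so a session stolen before the reset does not survive it. Note that `accept_invite` takes the tenant from the stored invite, never from the request.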
How to review without guessing
Instead of reading line by line in the dark, use prompts that force the AI to walk each path — login, session, reset, invite, permission — and flag where a check lives in the front-end instead of the server. The RET Promptbook organizes exactly that playbook.
Frequently asked questions
Is MFA mandatory for small SaaS?
For admin accounts, treat it as essential: it is the most valuable target. For regular users, offer it as an option. A compromised admin is too expensive to depend on a password alone.
Does the login error message really matter?
It does. "E-mail not found" versus "wrong password" hands an attacker a list of valid e-mails for brute force and phishing. Use a generic message.
Does a correct login guarantee security?
No. Many incidents happen after login, in authorization: an authenticated person reaches another customer’s data or an admin action. Review authorization separately from login.