secure-auth

# Secure authentication ## Step 0: Research the current security landscape (do this first) > Security knowledge ages on a 6-12 month half-life. The recipes below were last verified on 2026-05-08; they may be stale by the time you read this. Before applying any pattern in this skill, fan out research scoped to the authentication primitive being implemented (passwords, sessions, JWT, OAuth, MFA, passkeys) so the recipes are interpreted against current authoritative sources, not against this file's snapshot. ### Default-on, with a documented skip Run the 4-angle research below by default. Skip ONLY when ALL of these hold: - (a) You ran this same skill on this same primitive within the last 4 hours of the current session, - (b) That prior research surfaced no urgent advisories for the authentication primitive being implemented (passwords, sessions, JWT, OAuth, MFA, passkeys), - (c) You log a one-line `Research skipped because <reason>` note in your response. "I think I know" / "moving fast" / "user wants this done quickly" / "already familiar" are NOT valid skip reasons. The whole point of this preamble is that future-you should not trust this skill body's defaults until current state is checked. ### Fan out 4 subagents in parallel Each subagent returns at most 300 words of bullets with citations. Dispatch all 4 in a single message so they run concurrently. **Angle 1 — Authoritative standards.** Have NIST / OWASP / IETF (RFCs and Internet-Drafts) / W3C / CISA published a...