Stop Testing "Login Pages": Security-Aware Auth Testing From Real Scenarios

Viola Lykova’s talk argues that most teams are testing login pages the wrong way: by focusing on fields, buttons, and happy paths instead of the authentication journeys where users actually fail. Drawing on her experience as a software engineer working on reliability, observability, and authentication-related systems, she makes the case that login testing should be driven by real user pain points such as rate limiting, MFA failures, redirect loops, session expiry, and password reset dead ends. Her core message is that a small number of high-signal tests, chosen around the failures users genuinely encounter, are far more valuable than a large suite of green but low-value UI checks.

She then turns that principle into a practical strategy for testing authentication flows end to end. Rather than retesting third-party providers, Viola recommends testing what your team controls, mapping the critical journeys between unauthenticated, authenticated, expired, and revalidated states, and selecting one high-impact scenario per journey when time is limited. Through examples from Cypress-based tests, she shows how to validate generic error handling, rate limiting, and session expiry while keeping CI stable and avoiding flaky overcoverage. The talk is ultimately a call to treat authentication as a connected system, prioritise risk and user impact, and build leaner, smarter tests that catch the failures that matter most.

Comments

Steve
I just learned about a Companies House website security blunder. It's been present for about 5 months and allows anyone who has a Companies House account to view and modify the data of any other account. No tools or skills required - just a browser that has a Back button. https://www.youtube.com/watch?v=WWnnmr9NN9M Maybe this bug was not detected during testing precisely because it is such a trivial attack that a tester might not bother doing it. Such is the joy of being a tester!
