You are responsible for the login flow of a web application that handles customer profiles and sensitive account settings. The current implementation uses password-based sign-in with ad hoc session handling, and your team has seen suspicious login attempts and a few user reports of account takeover. You need to replace the current approach without breaking existing users or creating a new path for session theft.
How would you implement user authentication for this application? Walk through the design you would choose, the security controls you would add, and how you would verify the system resists common attacks like credential stuffing, replay, and session hijacking.
