Audit the full authentication flow: signup, login, logout, password reset, email verification, and OAuth. Check for: missing email confirmation gates, insecure redirect handling after login, session fixation, lack of brute force protection, and tokens not being invalidated on logout.