User authentication code vulnerable to tampering
Code running on the user's machine, even if compiled and protected by operating system policies, can be tampered with to generate false authentication responses. Client-server systems that use a single password to access the database, for instance, are authenticating the user on the user's machine. An attacker can therefore manipulate the code using a debugger or another local tool.
The user authentication functions shall be implemented, at least in part, by code on a server or on a machine out of the reach of the user.
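The following is an added example, not code from the original page, of the recommendation above: the credential check and the session state live on the server, and every data request is re-validated there, so a modified client that merely claims to be authenticated is refused. The names AuthServer, login and read_records are hypothetical, and the credentials are constructed sample values.

```python
import hashlib, hmac, os, secrets

class AuthServer:
    """Hypothetical server-side service, on a machine the user cannot reach."""

    def __init__(self):
        self._users = {}     # username -> (salt, password hash)
        self._sessions = {}  # server-issued token -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        """The decision is taken here; the client only receives the outcome."""
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        candidate = self._hash(password, salt)
        if not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def read_records(self, request):
        """Re-check server-side session state; client-sent flags are ignored."""
        user = self._sessions.get(request.get("token", ""))
        if user is None:
            raise PermissionError("no valid server-issued session")
        return f"records for {user}"

def demo():
    server = AuthServer()
    server.register("alice", "sample-pass")  # constructed sample credentials
    token = server.login("alice", "sample-pass")
    ok = server.read_records({"token": token})
    try:
        # A client whose local check was altered can only send its own claim.
        server.read_records({"authenticated": True, "user": "alice"})
        tampered = "accepted"
    except PermissionError:
        tampered = "rejected"
    return ok, tampered, server.login("alice", "wrong")

if __name__ == "__main__":
    print(demo())
```

In this design the client never holds a database password or a verification routine worth altering; it holds only a token that the server can check and revoke.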