Which OWASP Top 10 category covers weaknesses in authentication mechanisms that allow attackers to compromise passwords, keys, or session tokens?