I have trouble believing the actual coders are stupid enough to not realise the many, many faults of client-based authentication.
I have to imagine it's a directive from on high in an attempt to reduce their server load (and yes, that doesn't mesh well with the silly details they are checking server side).
The only other option is that everyone on the team needs to have their IT degree taken away from them for gross incompetence.