Better yet, basic unit tests that verify passed and failed authentication of test accounts. They should run before and after each code deploy (among other unit tests).
It's very disconcerting that they don't seem to be doing this.
Unit tests are a good thing, but could miss problems that crop up only in production; for instance, if they delegated authentication to another server, or if something got deployed out-of-process.
I don't like to be pedantic but code that tests multiple components and how they interact together aren't really "unit tests" anymore since they are testing more than one unit - it's pretty reasonable to assume that an authentication system is comprised of many modules / classes / etc.
It's very disconcerting that they don't seem to be doing this.