Image: A cesspit with an open iron gate.
You jump into the cesspit holding your nose as you swim towards the gate. As you reach the gate you notice that the numbers on the gate lock are loose and rusted. As you remove the numbers holes appear which makes it possible for you to peek into the locking mechanism and change it's geers and springs. You turn the huge dial while you rearange the gears until you hear a click. The gate opens and you enter into the lower part of the castle dungeon.
In general, all authentication routines should be on the server-side using robust, tested and protected routines.
NB: Unlike other cards, "Authentication - King" relates to an attacker being able to change the executing code. This may be due to inadequate source code control, deployment controls, server protection, compromise of delegated authentication, modification of client-side code, or in this case, old and rusted locks.
You may mistakingly assume that you do not need to maintain old and tested code since it has been throughly tested, but old libraries can contain known software vulnerabilities allowing for modification and/or tampering. You may think that this type of libraries are properly hidden, inaccessible, or in this case, protected by a stinking cesspit, but a good hacker always find his way around these type of barriers.