Just imagine 2 different scenarios in a ASP.NET MVC app using ASP.NET Identity. In both cases you have an application that requires the user to be logged in.
Scenario 1: Blacklisting
Your authentication-default is “allow anonymous”, which is the default of the ASP.NET MVC 5 template. You create a new Action Method on a controller and forget to add the [authorize] attribute.
Resulting Issue: You have a potential security hole in your application that may remain undetected and possibly exploited.
Scenario 2: Whitelisting
Your global authentication-default is “requires authentication”. You create a new action method on a controller that should be accessible without authentication and forget to add the [AllowAnonymous] attribute.
Resulting issue: You try your application, can’t enter that new page and fix it. In the worst case you didn’t do your homework and a customer/user finds the bug and complains to you.
Which issue would you rather have to deal with?
I personally prefer the whitelisting approach and err on the side of caution.