Authentication
Authentication is the process of verifying identity: confirming that users are who they claim to be. It answers the question "Who are you?"; authorisation then answers "What can you do?"
Authentication Factors
| Factor | Description | Examples |
|---|---|---|
| Knowledge | Something you know | Password, PIN, security questions |
| Possession | Something you have | Phone, hardware key, smart card |
| Inherence | Something you are | Fingerprint, face, voice |
Multi-Factor Authentication (MFA) combines two or more factors for stronger security.
Common Authentication Methods
Session-Based (Stateful)
Traditional approach for web applications:
1. User submits credentials
2. Server creates session, stores in database/memory
3. Server sends session ID as cookie
4. Browser sends cookie with each request
5. Server validates session ID
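The five steps above, worked through as an added example that is not part of the original page. It uses an in-memory dictionary as the session store (step 2), mints the session ID from `secrets` so it cannot be guessed, emits the cookie with the HttpOnly, Secure and SameSite attributes named under Best Practices, and enforces an idle timeout; the 30-minute TTL and the cookie name `session` are constructed values for the example, not a recommendation from the page.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_TTL_SECONDS = 30 * 60  # idle timeout; constructed value for this example


@dataclass
class Session:
    user_id: str
    expires_at: float


# Step 2: server-side session store. A dict stands in for the database/cache here.
SESSIONS: Dict[str, Session] = {}


def create_session(user_id: str, now: Optional[float] = None) -> str:
    """Steps 2-3: after credentials check out, mint an unguessable ID and store it."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
    SESSIONS[session_id] = Session(user_id=user_id, expires_at=now + SESSION_TTL_SECONDS)
    return session_id


def set_cookie_header(session_id: str) -> str:
    """Step 3: the Set-Cookie value the server returns.

    HttpOnly keeps scripts from reading it, Secure restricts it to HTTPS,
    SameSite=Strict stops the browser attaching it to cross-site requests.
    """
    return (
        f"session={session_id}; HttpOnly; Secure; SameSite=Strict; "
        f"Path=/; Max-Age={SESSION_TTL_SECONDS}"
    )


def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Step 4: split a Cookie request header into name=value pairs."""
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def validate_session(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Step 5: resolve the cookie to a user ID, or None if unknown or expired."""
    now = time.time() if now is None else now
    session_id = parse_cookie_header(cookie_header).get("session")
    if not session_id:
        return None
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    if session.expires_at <= now:
        SESSIONS.pop(session_id, None)  # evict expired sessions so they cannot be replayed
        return None
    return session.user_id


def logout(session_id: str) -> None:
    """Invalidate server-side; deleting the browser cookie alone leaves the session live."""
    SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    sid = create_session("alice")
    print(set_cookie_header(sid))
    print(validate_session(f"session={sid}"))  # alice
    logout(sid)
    print(validate_session(f"session={sid}"))  # None
```

The server-side lookup is what makes this approach stateful: revoking access is a single `pop` on the store, which is the main operational advantage sessions keep over self-contained tokens.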
Token-Based (Stateless)
Modern approach, especially for APIs:
1. User submits credentials
2. Server validates and returns JWT
3. Client stores token (memory, localStorage)
4. Client sends token in the `Authorization` header (typically `Authorization: Bearer <token>`)
5. Server validates token signature
JWT Structure
A JWT is three base64url-encoded parts separated by dots: `header.payload.signature`. An example payload (the claims the server signs):

```json
{
  "sub": "user123",
  "name": "Alice",
  "role": "admin",
  "exp": 1735000000
}
```
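Steps 2 and 5 of the token flow, with the payload above, as an added example that is not part of the original page. It signs and verifies an HS256 JWT using only the standard library (real services would use a maintained JWT library, per the Best Practices below). The verifier pins the algorithm rather than trusting the token's `alg` field, compares the signature in constant time, and rejects tokens whose `exp` has passed; the secret is a constructed value.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


def b64url_encode(raw: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: Dict[str, Any], secret: bytes) -> str:
    """Step 2: build header.payload and append the HMAC-SHA256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}
    signing_input = (
        b64url_encode(json.dumps(header, **compact).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, **compact).encode("utf-8"))
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Dict[str, Any]:
    """Step 5: return the claims only if signature and expiry check out, else raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts

    # Pin the algorithm: a token that says alg=none (or RS256) must not change how we verify.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")

    # Only decode the payload after the signature is confirmed.
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


if __name__ == "__main__":
    SECRET = b"constructed-example-secret"  # never hard-code a real signing key
    token = sign_jwt({"sub": "user123", "name": "Alice", "role": "admin", "exp": 1735000000}, SECRET)
    print(token)
    print(verify_jwt(token, SECRET, now=1734999000))
```

Because the payload is only base64url-encoded, anyone holding the token can read the claims; the signature prevents modification, not disclosure, which is why sensitive data does not belong in a JWT.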
OAuth 2.0 and OpenID Connect
| Protocol | Purpose |
|---|---|
| OAuth 2.0 | Authorisation (delegated access) |
| OpenID Connect | Authentication (identity layer on OAuth) |
Common providers: Google, Microsoft, Apple, Auth0, Cognito
What We Like
- Managed services: Cognito, Auth0, Firebase Auth handle complexity
- Passwordless: WebAuthn, magic links reduce attack surface
- SSO: Single Sign-On improves UX and security
What We Don't Like
- Password-only: Still the most common, most vulnerable method
- Session management: Easy to get wrong
- Token storage: Secure storage in browsers is tricky
Best Practices
- Use established libraries: Never roll your own crypto or auth
- Enforce strong passwords: Length over complexity requirements
- Enable MFA: Especially for privileged accounts
- Implement rate limiting: Prevent brute force attacks
- Secure session handling: HttpOnly, Secure, SameSite cookies
- Use short token expiry: With refresh token rotation
- Hash passwords properly: bcrypt, scrypt, or Argon2
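Three of the practices above (strong-password enforcement by length, rate limiting of login attempts, and proper password hashing) in one worked example; this is added here and is not code from the original page. Hashing uses scrypt from the standard library's `hashlib`, one of the three algorithms the page lists; the cost parameters, the 12-character minimum and the 5-attempts-per-15-minutes limit are assumed values for the example and should be tuned for a real deployment. The in-memory user table and attempt log stand in for persistent storage.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

# scrypt cost parameters: assumed values, N=2**14 needs about 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, HASH_LEN = 2 ** 14, 8, 1, 32
MIN_PASSWORD_LENGTH = 12            # "length over complexity"
MAX_ATTEMPTS, WINDOW_SECONDS = 5, 15 * 60  # rate-limit policy, assumed values


def hash_password(password: str) -> str:
    """Salted scrypt hash, stored with its parameters so they can be raised later."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_LEN
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        digest = hashlib.scrypt(
            password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except ValueError:
        return False  # malformed record; treat as a failed check
    return hmac.compare_digest(digest, expected)


USERS: Dict[str, str] = {}                                   # username -> stored hash
_attempts: Dict[str, Deque[float]] = defaultdict(deque)      # username -> failure timestamps
_DUMMY_HASH = hash_password("placeholder-for-unknown-users")  # keeps timing uniform


def register(username: str, password: str) -> None:
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    USERS[username] = hash_password(password)


def _is_rate_limited(username: str, now: float) -> bool:
    """Sliding window: drop failures older than WINDOW_SECONDS, then count the rest."""
    window = _attempts[username]
    while window and window[0] <= now - WINDOW_SECONDS:
        window.popleft()
    return len(window) >= MAX_ATTEMPTS


def login(username: str, password: str, now: Optional[float] = None) -> str:
    """Returns 'ok', 'invalid' or 'rate_limited'; never says which of user/password was wrong."""
    now = time.time() if now is None else now
    if _is_rate_limited(username, now):
        return "rate_limited"
    # Hash against a dummy record for unknown users so response time does not leak existence.
    stored = USERS.get(username, _DUMMY_HASH)
    if username in USERS and verify_password(password, stored):
        _attempts[username].clear()
        return "ok"
    verify_password(password, stored) if username not in USERS else None
    _attempts[username].append(now)
    return "invalid"


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "wrong password here"))   # invalid
    print(login("alice", "correct horse battery staple"))  # ok
```

The stored string carries its own parameters, so raising the scrypt cost later only requires re-hashing on the user's next successful login rather than a migration of every record.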