Authentication and Authorization

Authentication

Authentication is the process of verifying identity. It confirms that users are who they claim to be. Common methods are:

  • Username and password
  • Biometrics
  • Multi-factor authentication
  • Security tokens or keys
  • Single sign-on (SSO)

Authorization

Authorization is the process of determining what permissions an authenticated user has. It happens after authentication and controls access to resources. Common implementations are:

  • Role-based access control (RBAC)
  • Permission lists
  • Access control lists (ACLs)
  • Attribute-based access control (ABAC)

The stateless problem

HTTP is inherently stateless, meaning the server treats every request as new. It processes the request and immediately forgets it. For example, on a website we log in with our username and password to authenticate ourselves. The easiest way to stay logged in would be to send our credentials with every request, but this is insecure and inefficient. Therefore, various authentication methods such as session auth, JWT auth, etc. have been created to solve this problem: the credentials are verified once, and a token or session identifier stands in for them on later requests.
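An added example (not code from the original page) showing both halves of the chapter in one place: credentials are verified once at login (authentication), a random server-side session id is issued instead of resending the password, and each later request is checked against an RBAC permission table (authorization). The users, passwords, roles and permissions are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

def _hash_password(password: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)  # per-user salt
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}

# Constructed sample user store and RBAC policy (assumed, not from the page).
USERS = {"alice": _make_user("correct horse", "admin"), "bob": _make_user("hunter2", "viewer")}
PERMISSIONS = {"admin": {"read", "write", "delete"}, "viewer": {"read"}}
_DUMMY_SALT = os.urandom(16)

# Server-side session state: session id -> username. The id is what the cookie carries.
SESSIONS: dict = {}

def login(username: str, password: str) -> Optional[str]:
    """Authentication: verify the credentials once; on success return a new session id."""
    user = USERS.get(username)
    # Always compute a hash (with a dummy salt for unknown users) so the response
    # time does not reveal whether the username exists.
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _hash_password("", _DUMMY_SALT)
    ok = hmac.compare_digest(expected, _hash_password(password, salt))
    if user is None or not ok:
        return None
    sid = secrets.token_urlsafe(32)  # unguessable; never derived from the username
    SESSIONS[sid] = username
    return sid

def authorize(session_id: str, action: str) -> bool:
    """Authorization: map the session back to a user, then check the role's permissions."""
    username = SESSIONS.get(session_id)
    if username is None:
        return False  # unknown or expired session: treat the request as anonymous
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, set())

def logout(session_id: str) -> None:
    SESSIONS.pop(session_id, None)  # dropping the server-side record ends the session

if __name__ == "__main__":
    sid = login("alice", "correct horse")
    print(authorize(sid, "delete"), authorize(login("bob", "hunter2"), "delete"))
```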

Types of Authentication

By Factor Type

  • Single-factor authentication (SFA): Authentication using only one factor, such as a password or PIN.
  • Two-factor authentication (2FA): Requires two different types of factors to authenticate. For example: a password and a code from an authenticator app, SMS or email.
  • Multi-factor authentication (MFA): Uses two or more factors, such as a password plus SMS, an authenticator app or a QR code.

By Method/Technology

  • Password-based authentication: This is our traditional username/password authentication.
  • Passwordless authentication: This uses different ways to authenticate users, such as magic links, OTPs, biometrics, etc.
  • Biometric authentication: Uses physical characteristics of the user, such as a thumbprint or Face ID.
  • Token-based authentication: Uses cryptographically signed tokens such as JWTs.
  • Session-based authentication: Uses session tokens to create and verify sessions for users.
  • Certificate-based authentication: Uses digital certificates to prove identity.
  • API key authentication: Uses a unique string to authenticate API requests.
  • Single sign-on (SSO): Allows access to multiple applications through one set of credentials.
  • OAuth 2.0/OpenID Connect: Lets a trusted third party such as Google or GitHub handle authentication, and the application receives a token proving the user's identity.
  • SAML (Security Assertion Markup Language): XML-based SSO standard (older than OAuth).
  • Kerberos: Network authentication protocol using tickets rather than passwords.
  • LDAP (Lightweight Directory Access Protocol): Protocol for accessing and managing directory services (like a phone book for users).
  • Smart card authentication: Physical card with an embedded chip containing cryptographic keys.
  • OTP-based: A one-time password is sent via SMS or generated by an authenticator app.
  • FIDO2/WebAuthn: Modern passwordless standard using public-key cryptography. Used in YubiKeys, Google Titan keys, etc.
  • Magic link: Passwordless login via an email link.