
Understanding different Authentication systems


Ajith Mohan, Software Engineer

The oldest and most popular method of authenticating a user is by username and password. With the evolution of technology, many other authentication methods have come up. To determine which authentication method is secure for your application, you need to know which authentication methods are available. Here I will introduce a few of today's innovative authentication mechanisms.

Session-based authentication

HTTP is a stateless protocol. A stateless protocol is one that does not require the HTTP server to retain information about each user across multiple requests. This means that if we authenticate a user with the right credentials, then on the next request our application will not know that it comes from the same person as the previous one. So for every new request for private data we would have to authenticate again, to make sure the application knows this is really you. Session-based authentication was introduced to avoid this problem. It changes the authentication from stateless to stateful: an in-memory or database session must be kept on the server, and on the client side the browser keeps and manages a cookie that holds a session identifier. Hence the name session cookie-based authentication. This has been the most widely used authentication method for a long time.

Basic Flow of session-based authentication

  • The user enters their login credentials
  • The server verifies that the credentials are correct and creates a session, which is stored in a database or in memory
  • A cookie containing the session ID is placed in the browser, which sends it back with each subsequent request
  • On a request for private data, the session ID is verified and, if valid, the request is processed
  • When the user logs out, the session is destroyed on both the client and the server side, so that subsequent requests from the client to the server become unauthorized.
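To make the stateful side of this flow concrete, here is an added example (not from the original post) of the server's part: a PBKDF2-hashed user store, a random session identifier kept in a server-side store with an expiry, and a logout that destroys the entry so the old cookie value no longer authenticates. The user store, the sample password and the TTL are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 15 * 60  # seconds a session stays valid after login


def hash_password(password, salt=None):
    """PBKDF2 password hash; the store never keeps plaintext passwords."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the example: username -> (salt, hash).
USERS = {"alice": hash_password("correct horse battery staple")}

# Server-side session store: session id -> {"user": ..., "expires": ...}.
# This table is the state that makes the scheme stateful.
SESSIONS = {}


def login(username, password):
    """Verify credentials and create a session.

    Returns the session id that the server sets in a cookie, or None."""
    record = USERS.get(username)
    if record is None:
        hash_password(password)  # spend the same time for unknown users
        return None
    salt, expected = record
    if not hmac.compare_digest(expected, hash_password(password, salt)[1]):
        return None
    sid = secrets.token_urlsafe(32)  # unguessable; nothing is encoded in it
    SESSIONS[sid] = {"user": username, "expires": time.time() + SESSION_TTL}
    return sid


def authenticate(cookie_sid):
    """Resolve the session id presented in the cookie to a user, or None."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return None
    if session["expires"] < time.time():
        SESSIONS.pop(cookie_sid, None)  # expired: drop it server-side
        return None
    return session["user"]


def logout(cookie_sid):
    """Destroy the session server-side; the client discards its cookie too."""
    SESSIONS.pop(cookie_sid, None)
```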

Token-based authentication

Token-based authentication has gained popularity over the past couple of years, mainly due to the migration of web applications to single-page applications and mobile apps. Token authentication is stateless. Here we generally talk about JSON Web Tokens (JWT). The token is generally sent in an additional Authorization header in the form Bearer {JWT}. We do not store any information about our user on the server, not even which JWTs have been issued to clients.

Basic Flow of token-based authentication

  • The user enters their login credentials
  • The server verifies that the credentials are correct and returns a signed token.
  • The client application or browser stores it, usually in local storage, but it can be kept in session storage or a cookie as well.
  • Each subsequent request to the server includes this token in an additional Authorization header in the form Bearer {JWT}. It can alternatively be sent in the body of a POST request or even as a query parameter.
  • The server processes the request upon successful validation of the JWT.
  • When the user logs out, the client side removes the token.
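An added example, not from the original post, of what "stateless" means on the server side: a JWT is minted with HS256 and later verified using only the signing secret, with the algorithm pinned, the signature compared in constant time and exp enforced. The secret and lifetime are placeholders; because the server keeps no record of issued tokens, nothing here can revoke a token before it expires, which is why the lifetime is kept short.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing secret for the example; load it from a secret store in practice.
SECRET = b"example-hs256-secret-not-for-production"
TOKEN_TTL = 15 * 60  # kept short: a stateless token cannot be revoked before it expires


def _b64url(data):
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, now=None):
    """Return a signed HS256 JWT; the server keeps no record of it."""
    now = int(time.time() if now is None else now)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": username, "iat": now, "exp": now + TOKEN_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_bearer(authorization_header, now=None):
    """Validate 'Authorization: Bearer <JWT>'; return the subject or None."""
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    try:
        header_b64, payload_b64, sig_b64 = authorization_header[7:].split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm: the verifier, not the token's header, decides how to check it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        return None
    return payload.get("sub")
```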

Passwordless Authentication

As the name suggests, passwordless authentication is one in which users do not need to log in with passwords. In this approach, users are given the option of logging in either via a magic link or by using a token that is delivered via email or text message. Passwordless authentication can be implemented in various forms, which are explained below.
Instead of providing an interface for the user to enter a username/email and password, in this method the user is given an interface for an email address only. The application server sends a one-time-use link to that mailbox; when the user clicks it, they are authenticated to the application. In the case of a passwordless login, the application assumes that the user will receive the authentication link in their inbox if the email address provided is genuine and belongs to them. Many trending tech apps use this method to authenticate users, the main advantage being that users need not remember a password for every app they use.

Basic Flow of passwordless authentication

  • The user visits the login page
  • Enters their linked email address
  • A link is sent to that email address
  • Upon clicking the link in the email, they are redirected back to the app and logged in
  • The link is then disabled
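The one-time link step, as an added example that is not part of the original post: the server stores only a hash of the link token together with an expiry, and verification pops the entry so the link is disabled after its first use (an expired entry is discarded rather than honoured). The OUTBOX list stands in for the mail service and the base URL is a placeholder.

```python
import hashlib
import secrets
import time

LINK_TTL = 10 * 60  # a magic link is usable for ten minutes

# Server-side store: sha256(token) -> {"email": ..., "expires": ...}.
# Only the hash is kept, so a leaked table does not yield working links.
PENDING_LINKS = {}

# Constructed stand-in for the mail service; not from the original post.
OUTBOX = []


def request_magic_link(email, now=None, base_url="https://app.example/auth/verify"):
    """Create a one-time link and 'send' it to the email address.

    Deliberately returns nothing: the token leaves the server only via the mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    PENDING_LINKS[key] = {"email": email, "expires": now + LINK_TTL}
    OUTBOX.append({"to": email, "link": f"{base_url}?token={token}"})


def token_from_link(link):
    """Extract the token query parameter from a sent link (simulates the click)."""
    return link.split("token=", 1)[1]


def verify_magic_link(token, now=None):
    """Consume the link's token. Returns the email on success, else None.

    The entry is popped on first use, so the same link cannot log in twice."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING_LINKS.pop(key, None)
    if entry is None or entry["expires"] < now:
        return None
    return entry["email"]
```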

Single Sign-On Authentication

Single Sign-On authentication provides your users with a seamless authentication experience: they have to authenticate only once, at a single central server, and can use those credentials to log in to other applications that trust the central app's authentication system. Most of the time sign-on happens with a single click: the user is redirected to the central system; if the user is logging in for the first time, a cookie is created and saved for the central server, otherwise the existing cookie for the central server is used. With this cookie the authentication happens at the central server, which in turn lets the user into the third-party app as well.
