🔐 Every app has a login. But do you know what's happening under the hood?
Here are the most common login mechanisms every developer (and tech enthusiast) should know:
Password-Based Authentication
The most traditional method — user provides a username/email and a secret password.
• Plaintext passwords stored as-is (basic, least secure)
• Hashed + salted passwords (bcrypt, Argon2, PBKDF2)
• Password managers auto-fill strong, unique passwords

Multi-Factor Authentication (MFA / 2FA)
Combines two or more factors for stronger security:
• Something you know — password, PIN
• Something you have — OTP via SMS, authenticator app (TOTP/HOTP), hardware key
• Something you are — biometrics

OTP (One-Time Password)
A temporary, single-use code:
• SMS OTP — code sent via text message
• Email OTP — code sent to email
• TOTP — Time-based (Google Authenticator, Authy)
• HOTP — Counter-based OTPs

Passwordless Authentication
No password involved at all:
• Magic links — click a link sent to your email
• Passkeys (WebAuthn/FIDO2) — cryptographic key stored on device (Touch ID, Face ID, Windows Hello)
• Biometrics — fingerprint, face recognition, iris scan

Social / Federated Login (OAuth 2.0 / OpenID Connect)
Delegate authentication to a trusted third party:
• OAuth 2.0 — authorization framework (Google, GitHub, Facebook login)
• OpenID Connect (OIDC) — identity layer on top of OAuth
• SAML — enterprise SSO (Okta, Azure AD)

Single Sign-On (SSO)
Log in once, access multiple apps:
• SAML 2.0 — XML-based, common in enterprise
• OIDC-based SSO — modern, JSON/JWT-based
• Kerberos — used in Windows/Active Directory environments
• LDAP — directory-based authentication

Certificate-Based Authentication
Uses digital certificates (PKI):
• Client certificates (TLS mutual auth)
• Smart cards / CAC cards — common in government/military
• SSH key pairs — public/private key for server access

Token-Based Authentication
After login, a token is issued for subsequent requests:
• JWT (JSON Web Token) — stateless, self-contained token
• Session tokens — server stores session, client holds a reference
• API keys — long-lived tokens for service-to-service auth
• Bearer tokens — passed in HTTP headers (used with OAuth)

Biometric Authentication
Identity verified by physical traits:
• Fingerprint scan
• Face recognition
• Iris / retina scan
• Voice recognition

Risk-Based / Adaptive Authentication
Dynamically adjusts security level based on context:
• Device fingerprinting
• IP/geo-location checks
• Behavioral analytics (typing speed, mouse movement)
• Step-up authentication when risk is detected

QR Code Login
User scans a QR code with an already-authenticated device (e.g., WhatsApp Web, WeChat).
💡 The best login mechanism? The one that balances security AND user experience for your use case.
Passwords are dying. Passkeys are rising.
Are you keeping up?