How do users prove their Identity, Earn Trust, and get managed on various platforms and APIs?
Having a way to protect your system or platform is everything. Imagine building a family house and not fitting a door. Or fitting a back door that anyone who wants to break in can walk through. This puts you and your family at risk.
Controlling access and verifying that someone has permission to use your platform is important. That is where authentication (identity verification) comes in.
Authentication - the security process of verifying the identity of a user, device, or system to ensure they are who they claim to be before granting access to resources.
Let us look at the way to do this when designing and implementing the logic of your system or application.
Here are some types of authentication and architecture patterns you can use to verify whether someone has access to your system.
Basic Authentication - This type of authentication relies on sending a username and password with each request, encoded (usually in Base64, which converts binary data into a safe, printable ASCII string for transmission). Base64 is reversible encoding, not encryption: anyone who sees the header can decode it. It is mainly used for internal tools, testing, and simple APIs. It requires HTTPS so the credentials are protected in transit.
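The server side of this scheme, as an added example that is not part of the original post: it parses an `Authorization: Basic ...` header, decodes the Base64 blob, and checks the password against a salted PBKDF2 hash so that the plaintext password is never stored. The user store, the username and the password are constructed for the demo; the function names are my own.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumption: enough for a demo; tune to your hardware in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a leaked store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed demo store: username -> (salt, password hash). A real deployment keeps this in a database.
DEMO_SALT = secrets.token_bytes(16)
USERS = {"alice": (DEMO_SALT, hash_password("correct horse battery staple", DEMO_SALT))}


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an 'Authorization: Basic ...' header, or None if malformed."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet instead of silently dropping them
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain ':'; everything after the first ':' is the password.
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")
    return username, password


def authenticate_basic(header: Optional[str]) -> Optional[str]:
    """Return the authenticated username, or None when credentials are missing or wrong."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    username, password = creds
    # Hash and compare even for unknown users so response timing does not reveal which usernames exist.
    salt, expected = USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = hash_password(password, salt)
    if username in USERS and hmac.compare_digest(candidate, expected):
        return username
    return None


def make_basic_header(username: str, password: str) -> str:
    """Client side: the header value a browser or HTTP client sends."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
```

Note that `make_basic_header` shows why HTTPS is mandatory: the header is plain Base64, and `parse_basic_header` recovers the password from it with no key at all.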
Session-Based Authentication - After login, a session is created and identified by a session ID, which is stored in a secure session cookie. The session itself is kept server-side in memory, in Redis, or in a database. The browser sends the cookie on every request, and the server validates it against the stored session each time. It is mainly used for traditional web applications, admin dashboards, and server-rendered applications. It is harder to scale because every application instance needs access to the same session store (database or cache).
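An added example, not from the original post, of the server-side half of this pattern: an in-memory session store with an unguessable ID, idle and absolute timeouts, ID rotation after login, and the `Set-Cookie` attributes (`HttpOnly`, `Secure`, `SameSite`) that keep the ID out of scripts and off plain HTTP. The store interface is my own; the timeout values are assumptions, and the clock is injectable so expiry can be tested without waiting.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60       # assumption: drop a session after 15 min without activity
ABSOLUTE_TIMEOUT = 8 * 3600  # assumption: hard lifetime of 8 h regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """In-memory store. The same interface would sit over Redis or a database in production
    so that every application instance sees the same sessions."""

    def __init__(self, clock=time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    def create(self, user: str) -> str:
        # 256 bits from the OS CSPRNG: the whole security of the scheme is that this ID is unguessable.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def get(self, sid: Optional[str]) -> Optional[Session]:
        """Validate an ID sent by the browser; expired sessions are destroyed on first sight."""
        if not sid:
            return None
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        s.last_seen = now
        return s

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def rotate(self, sid: str) -> Optional[str]:
        """Give the same session a fresh ID (do this after login so a pre-login ID cannot be reused)."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: HttpOnly hides the ID from JavaScript, Secure limits it to HTTPS,
    SameSite=Lax stops most cross-site requests from carrying it."""
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={ABSOLUTE_TIMEOUT}"


def sid_from_cookie_header(cookie_header: Optional[str]) -> Optional[str]:
    """Pull the sid out of a raw 'Cookie:' request header."""
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value or None
    return None
```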
Token-based authentication - When a user logs in, the server returns a token to the client. On every subsequent request the client must include that bearer token in the Authorization header; otherwise the request is refused. Mostly used with REST APIs, mobile apps, and microservices architectures (the client can move between services without authenticating separately to each one). The server does not store any client context or session data between requests.
JSON Web Token (JWT) - This is a self-contained token made of encoded user data plus a signature (signed by the server/issuer). It carries the credentials and user data in one string. It can sometimes be risky: it can be read by anyone who gets hold of it, because it is encoded but not encrypted. It has a header, a payload, and a signature. It is also considered fast, since the server does not have to look up a session on each request. Mainly used for APIs, microservices, and server-to-server connections. Tip: setting short expiration times helps limit the damage from a leaked token while keeping authentication stateless.
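An added example covering both the bearer-token and the JWT paragraphs above; it is not code from the original post. It issues and verifies an HS256 JWT using only the standard library, extracts the token from an `Authorization: Bearer` header, and has a `peek_payload` function that decodes the claims without the key to show what "encoded but not encrypted" means in practice. The secret, subject and timestamps are constructed; function names are my own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(secret: bytes, subject: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = f"{b64url(compact(header))}.{b64url(compact(payload))}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def peek_payload(token: str) -> Dict[str, Any]:
    """Decode the payload WITHOUT verifying anything: no key needed, so never put secrets in a JWT."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(secret: bytes, token: str, now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Return the claims only if the signature matches and the token has not expired."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:  # covers bad Base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm server-side; the header's "alg" is attacker-controlled and must not pick the check.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if "exp" not in payload or now >= int(payload["exp"]):
        return None
    return payload


def bearer_token(authorization_header: Optional[str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>'; None if absent or a different scheme."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None
```

The expiry check is what makes the tip above work: because the server keeps no session, `exp` is the only thing that ends a token's life, so short lifetimes matter.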
OAuth - Here third-party providers act as gateways to your application, like hired security personnel. When a user accesses your platform or app, they are routed to the provider, which authenticates them and then sends them back to your app with permission and an access token. Examples: Login with Google, Login with Apple, Login with Facebook, OAuth 2.0, AuthHero, Firebase, Supabase. Some companies provide this as a service; you just integrate it with your own service, API, or system. Mainly used for external developers, quick login and authentication setups, and third-party servers.
API keys - These are static keys assigned to each client application, and the client needs its key to access the application or server. The architecture is similar to SSH keys: servers link and authenticate to each other with these keys. API keys are good for internal services, server-to-server communication, and applications with usage limits (rate limiting). They carry no ownership or identity, so a stolen key can be used against the application. They don't carry any user data or credentials that identify a person.
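An added example (not from the original post) of a key registry that addresses the two points above: keys are stored only as SHA-256 digests, so a leaked database does not leak usable keys, and each key gets its own sliding-window rate limit. The `ck_` prefix, the limits and the client name are assumptions for the demo; the class and its method names are my own.

```python
import hashlib
import secrets
import time
from collections import deque
from typing import Deque, Dict, Optional, Tuple


class ApiKeyRegistry:
    """Issues random keys, keeps only their hashes, and rate-limits requests per key."""

    def __init__(self, limit_per_window: int, window_seconds: float, clock=time.time):
        self._keys: Dict[str, str] = {}           # sha256(key) -> client name
        self._hits: Dict[str, Deque[float]] = {}  # sha256(key) -> timestamps of recent requests
        self._limit = limit_per_window
        self._window = window_seconds
        self._clock = clock

    @staticmethod
    def digest(key: str) -> str:
        # Keys are 256-bit random values, so a plain (unsalted) hash is fine here:
        # there is nothing to brute-force and the lookup stays a dictionary hit.
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, client: str) -> str:
        """Return the plaintext key exactly once; only its digest is retained."""
        key = "ck_" + secrets.token_urlsafe(32)  # assumed prefix: lets secret scanners recognise leaks
        self._keys[self.digest(key)] = client
        return key

    def revoke(self, key: str) -> None:
        d = self.digest(key)
        self._keys.pop(d, None)
        self._hits.pop(d, None)

    def authenticate(self, key: Optional[str]) -> Tuple[str, Optional[str]]:
        """Return (status, client); status is 'ok', 'missing', 'unknown' or 'rate_limited'."""
        if not key:
            return "missing", None
        d = self.digest(key)
        client = self._keys.get(d)
        if client is None:
            return "unknown", None
        now = self._clock()
        hits = self._hits.setdefault(d, deque())
        while hits and now - hits[0] >= self._window:  # drop requests that fell out of the window
            hits.popleft()
        if len(hits) >= self._limit:
            return "rate_limited", client
        hits.append(now)
        return "ok", client


def key_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Read the key from an 'X-API-Key' header (a common convention, assumed here)."""
    for name, value in headers.items():
        if name.lower() == "x-api-key" and value.strip():
            return value.strip()
    return None
```

Because the key identifies a client application rather than a person, the registry only ever returns a client name; any per-user decision has to come from a separate authentication step.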
Multi-Factor Authentication (MFA) - This is an additional step on top of the login. It is very important because it prevents phishing attacks and blocks unauthorized login attempts. It uses SMS or email codes, authenticator apps, and hardware security codes/keys. Social media platforms rely on this as a second factor to confirm your account has not been hijacked or hacked. You can allow a user to log in, but require them to pass the MFA step before they perform a sensitive action or access a resource.
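The authenticator-app factor mentioned above is usually TOTP. As an added example, not from the original post, here is a standard-library implementation of HOTP (RFC 4226) and TOTP (RFC 6238) plus a verifier that tolerates one time-step of clock drift. `RFC6238_TEST_SECRET` is the published test-vector key from those RFCs; the step, digit count and drift window are the RFC defaults, and the function names are my own.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

DIGITS = 6   # code length shown to the user
STEP = 30    # seconds per time-step (RFC 6238 default)

# Key used by the RFC 4226 / RFC 6238 test vectors (the ASCII string "12345678901234567890").
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def new_totp_secret() -> str:
    """Fresh Base32 secret to enrol in the user's authenticator app (shown once, e.g. as a QR code)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to DIGITS digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** DIGITS)
    return str(code).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238: HOTP with the counter derived from the Unix time."""
    at = int(time.time()) if at is None else at
    return hotp(secret_b32, at // STEP)


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps to allow for clock drift.
    Compare in constant time; reject anything that is not exactly DIGITS digits."""
    at = int(time.time()) if at is None else at
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    counter = at // STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), submitted)
        for d in range(-window, window + 1)
    )
```

In a real deployment you would also record the last counter value that was accepted for each user, so that a code which was already used cannot be replayed inside the same window.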
Biometric Authentication - It uses the client's physical traits, which are effectively immutable and are stored as digital templates. It relies on Fingerprint ID, Face ID, retina/iris scan ID, Voice ID, Palm ID, and sometimes even behavioral patterns. A client can be locked out if their physical traits change, but with newer AI, systems can authenticate using ML-learned patterns or well-identified scans. It is mainly used for device protection, service access authentication, financial app verification, server access, and application access. Biometrics usually serve as an additional authentication step.
Bonus
Single sign-on (SSO) - used across multiple services. You authenticate once and can access all of them. Technologies include OpenID Connect, SAML (Security Assertion Markup Language), Kerberos (used in enterprises), and mTLS (Mutual TLS).
Passwordless Authentication - used for secure access with cryptographic key pairs. Very secure, since the private key stays on the user's device and there is no password for anyone else to access. These follow a standard called FIDO2/WebAuthn.
Summary
Using more than one authentication type or method is secure, scalable, and gives clients a much better experience. Building a secure system requires a well-designed authentication architecture, and you can combine more than one.
🔗 Follow Me on Socials and Let us link Up:
GitHub: @mosesmorrisdev.
LinkedIn: Moses-Morris.
Twitter: @Moses_Morrisdev.
Facebook: Moses Dev.
Portfolio: mosesmorrisdev