Authentication Fundamentals

Authentication answers a fundamental question: "Who are you?" Before a system can decide what you're allowed to do, it must verify your identity. This verification happens through various methods, each with different security and usability tradeoffs.

Authentication Factors

Authentication relies on proving something about yourself. These proofs fall into three categories:

Something you know: Passwords, PINs, security questions. These are the most common but also most vulnerable — they can be guessed, stolen, or phished.

Something you have: A phone receiving SMS codes, a hardware security key, an authenticator app. Physical possession is harder to steal remotely.

Something you are: Fingerprints, face recognition, voice patterns. Biometrics are convenient but raise privacy concerns and can't be changed if compromised.

Combining factors — multi-factor authentication — dramatically improves security. Even if an attacker steals your password, they still need your phone.

Authentication Methods

Username and password: The traditional approach. Users create credentials that the system stores (as hashed values, never plaintext). Simple but vulnerable to weak passwords, reuse, and phishing.

Social login: Delegate authentication to providers like Google or GitHub using OAuth. Users don't create new credentials, and you don't store passwords. But you depend on third-party availability.

Passwordless: Magic links sent via email, or WebAuthn using device biometrics. Eliminates password problems entirely but requires email access or compatible devices.

API keys: Long random strings for programmatic access. Not tied to user sessions — used for server-to-server communication.

Sessions vs Tokens

After authentication succeeds, the system needs to remember who you are for subsequent requests. Two main approaches exist:

Session-based: The server stores session data and gives the client a session ID (usually in a cookie). The server looks up the session on each request. Simple but requires server-side storage.

Client                    Server
  |-- Login request ------->|
  |<-- Session ID cookie ---|
  |-- Request + cookie ---->|
  |   (Server looks up session)

Token-based: The server issues a JWT containing user information. The client sends this token with requests. The server validates the token without storing state. Scalable but tokens can't be easily revoked.

Client                    Server
  |-- Login request ------->|
  |<-- JWT token -----------|
  |-- Request + token ----->|
  |   (Server validates token)

Security Considerations

Authentication is a critical security boundary. Implement it carefully:

Hash passwords with modern algorithms (bcrypt, Argon2)
Use HTTPS for all authentication traffic
Implement account lockout after failed attempts
Log authentication events for security monitoring

See More

Authentication Factors

Authentication relies on proving something about yourself. These proofs fall into three categories:

Something you know: Passwords, PINs, security questions. These are the most common but also most vulnerable — they can be guessed, stolen, or phished.

Something you have: A phone receiving SMS codes, a hardware security key, an authenticator app. Physical possession is harder to steal remotely.

Something you are: Fingerprints, face recognition, voice patterns. Biometrics are convenient but raise privacy concerns and can't be changed if compromised.

Combining factors — multi-factor authentication — dramatically improves security. Even if an attacker steals your password, they still need your phone.

Authentication Methods

Username and password: The traditional approach. Users create credentials that the system stores (as hashed values, never plaintext). Simple but vulnerable to weak passwords, reuse, and phishing.

Passwordless: Magic links sent via email, or WebAuthn using device biometrics. Eliminates password problems entirely but requires email access or compatible devices.

API keys: Long random strings for programmatic access. Not tied to user sessions — used for server-to-server communication.

Sessions vs Tokens

After authentication succeeds, the system needs to remember who you are for subsequent requests. Two main approaches exist:

Session-based: The server stores session data and gives the client a session ID (usually in a cookie). The server looks up the session on each request. Simple but requires server-side storage.

Client                    Server
  |-- Login request ------->|
  |<-- Session ID cookie ---|
  |-- Request + cookie ---->|
  |   (Server looks up session)

Client                    Server
  |-- Login request ------->|
  |<-- JWT token -----------|
  |-- Request + token ----->|
  |   (Server validates token)

Security Considerations

Authentication is a critical security boundary. Implement it carefully:

Hash passwords with modern algorithms (bcrypt, Argon2)
Use HTTPS for all authentication traffic
Implement account lockout after failed attempts
Log authentication events for security monitoring

Authentication Fundamentals

Authentication Factors

Authentication Methods

Sessions vs Tokens

Security Considerations

See More

Further Reading

Authentication Factors

Authentication Methods

Sessions vs Tokens

Security Considerations

See More

Further Reading

Authentication Factors

Authentication Methods

Sessions vs Tokens

Security Considerations

See More

Further Reading