What Is Token-Based Authentication and Who Uses It?
Our approach for securing buildings—whether they’re corporate or residential—and the items within them has evolved significantly in the last decade. Metal keys and locks are being replaced by access cards and fobs that residents or employees receive once their identity has been validated and their access permissions designated.
Token-based authentication works in much the same way. Users log in to a system and—once authenticated—are provided with a token to access other services without having to enter their username and password multiple times. In short, token-based authentication adds a second layer of security to application, network, or service access.
How token-based authentication works
Available in both physical and digital form, a token is a piece of data that, combined with the correct system, is used to secure user access to systems and applications. In token-based authentication, tokens are employed to ensure every request to a server is verified—similar to how passwords allow users to log into a service.
Physical tokens come in many forms. Some can be inserted into a USB port, and others display randomized codes for users to enter manually. The system then compares the information provided by the token with the details stored in its database and, if it matches, the user is authorized to access the system.
Within the digital landscape, modern web applications typically use JSON web tokens (JWTs) to authenticate their users. JWTs are encoded as JSON objects and operate within an open standard for securely transmitting information between parties. In practice, an identity provider encrypts the user’s data into a JWT, which the service provider then stores and uses to confirm the user’s identity on every subsequent request. This ensures that hackers can’t access the user’s information—which is held by the identity provider—in the event of a breach at the service provider.
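The issue-then-verify flow described above, as an added example that is not part of the original article: the identity-provider side signs an HS256 JWT once the user has logged in, and the service-provider side checks signature, algorithm, issuer, audience and expiry on every request. The signing key, issuer URL and audience name are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example: HMAC key shared between the identity provider that issues
# the token and the service that verifies it (a literal key is for illustration only).
SIGNING_KEY = b"example-signing-key-not-for-production"
ISSUER = "https://idp.example.test"  # hypothetical identity provider
AUDIENCE = "orders-api"              # hypothetical service provider

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, now: int, ttl: int = 900) -> str:
    """Identity provider: sign header.payload with HS256 after a successful login."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, now: int) -> Optional[dict]:
    """Service provider: run on every request; return the claims, or None if rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: an attacker-controlled "alg" (e.g. "none") must not be honoured.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        # Constant-time comparison so signature checking does not leak timing information.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON or segment count
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None  # expired tokens are rejected even though the signature is valid
    return claims
```

Because the token carries its own signed claims, the service never has to look up a server-side session to authenticate the request.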
Token-based authentication vs. server-based authentication
With session- or server-based authentication, a user’s information is stored in the server memory when they log in, then the data is saved in a cookie on their browser. As they request access to new services and applications, the server compares the information in the cookie with the stored session data to authenticate their identity.
In contrast, token-based authentication ensures that the user’s activity is not stored on the server. This helps further ensure that users only have access to the information, tools, and systems they are allowed to.
Who uses token-based authentication
The key advantage of token-based authentication is that it removes the need for weak login credentials. It can help organizations opting for a passwordless approach to identity and access management by offering a strong factor for multi-factor authentication that can complement biometrics, push notifications, and more.
Token-based authentication is particularly well suited to mobile apps, platform-as-a-service applications, and single-page applications. It simplifies the process of implementing native or hybrid applications and enables organizations to actively participate in the API economy, sharing their information with a range of modern clients and frameworks.
There are three main authentication tokens available:
- Connected tokens: Users can physically connect these tokens to the system they wish to access. For example, smart cards can be inserted into a device’s smart card reader.
- Disconnected tokens: The most commonly used tokens in two-factor authentication alongside passwords. Users don’t have to physically insert these tokens into their devices; instead, they may need to enter a code that the token generates.
- Contactless tokens: These tokens don’t need to physically connect to a device and don’t require users to manually input information. A common example of this is Bluetooth tokens, which transmit authentication data to a system, which then determines whether the user has access rights.
As we continue to evolve how we secure access to our homes and offices, it’s just as important to implement mechanisms like token-based authentication to ensure that only the right people have access to our digital resources.