Authentication | What's Your IQ

Introduction

Authentication is the process of verifying that a user, device, or system is who or what it claims to be. In web security, authentication serves as the first line of defense, acting as the gatekeeper that controls access to protected resources. Without reliable authentication, authorization, access control, and all other security mechanisms become meaningless.

Authentication is fundamentally distinct from authorization. Authentication answers the question "Who are you?" while authorization answers "What are you allowed to do?" A system must first authenticate a user before it can authorize their actions. Conflating these two concepts is a common source of security vulnerabilities.

The history of authentication in computing stretches back to the 1960s, when Fernando Corbato introduced passwords at MIT for the Compatible Time-Sharing System (CTSS). Since then, authentication has evolved from simple password checks to sophisticated multi-factor systems involving biometrics, hardware tokens, and cryptographic challenges.

"The most dangerous phrase in the language is, 'We've always done it this way.' In authentication, clinging to passwords alone when better methods exist is a security failure waiting to happen." -- Grace Hopper (adapted), pioneer of computer science

Authentication Factors

Authentication methods are categorized into three fundamental factors, each representing a different type of evidence that a user can present to prove their identity.

Factor	Description	Examples	Strengths	Weaknesses
Knowledge	Something the user knows	Passwords, PINs, security questions	Easy to implement, no hardware needed	Can be guessed, phished, or forgotten
Possession	Something the user has	Phone, hardware key, smart card	Harder to steal remotely	Can be lost, stolen, or cloned
Inherence	Something the user is	Fingerprint, face, iris, voice	Cannot be forgotten or easily shared	Cannot be changed if compromised

Something You Know

Knowledge-based factors are the oldest and most widely deployed form of authentication. Passwords remain the dominant mechanism despite decades of security research demonstrating their weaknesses. The user provides a secret -- a password, PIN, or answer to a security question -- that the server compares against a stored reference.

The fundamental vulnerability of knowledge factors is that secrets can be shared, stolen, or guessed. Users frequently choose weak passwords, reuse them across services, and fall victim to phishing attacks. Security questions are particularly problematic because the answers are often discoverable through social media or public records.

Something You Have

Possession-based factors require the user to demonstrate control of a physical or digital object. Modern implementations include smartphones (receiving SMS codes or running authenticator apps), hardware security keys (such as YubiKeys using the FIDO2 protocol), and smart cards with embedded cryptographic chips.

The strength of possession factors lies in requiring physical access. An attacker who has stolen a password still cannot authenticate without also possessing the user's device. However, SIM-swapping attacks have demonstrated that SMS-based possession verification is less secure than cryptographic alternatives.

Something You Are

Biometric factors use unique physical or behavioral characteristics to verify identity. Unlike passwords, biometrics cannot be forgotten, and unlike tokens, they cannot be left behind. However, they introduce a unique risk: if compromised, a biometric cannot be changed. You cannot get a new fingerprint.

Modern biometric systems measure characteristics including fingerprints, facial geometry (using infrared depth mapping to prevent photo attacks), iris patterns, voice prints, and behavioral patterns such as typing rhythm or gait analysis.

Password-Based Authentication

Despite widespread recognition of its limitations, password-based authentication remains the most common method on the web. Understanding how to implement it securely is essential for any web developer.

Password Hashing

Passwords must never be stored in plaintext. Instead, they are processed through a cryptographic hash function, and only the resulting hash is stored. When a user attempts to log in, the submitted password is hashed and compared against the stored hash.

Not all hash functions are suitable for password storage. General-purpose hash functions like SHA-256 are designed to be fast, which makes them vulnerable to brute-force attacks. Password hashing algorithms are deliberately designed to be slow and memory-intensive.

Algorithm	Year	Memory-Hard	Recommended	Notes
MD5	1992	No	No	Broken. Never use for passwords.
SHA-256	2001	No	No	Too fast for password hashing.
bcrypt	1999	No	Yes	Adjustable work factor. Widely supported.
scrypt	2009	Yes	Yes	Configurable memory usage.
Argon2id	2015	Yes	Best	Winner of Password Hashing Competition.

A salt -- a unique random value generated for each password -- must be prepended or appended to the password before hashing. Salting prevents attackers from using precomputed rainbow tables and ensures that identical passwords produce different hashes.

# Python example: hashing with bcryptimport bcrypt# Hashing a passwordpassword = b"user_password_here"salt = bcrypt.gensalt(rounds=12) # Work factor of 12hashed = bcrypt.hashpw(password, salt)# Verifying a passworddef verify_password(submitted_password, stored_hash): return bcrypt.checkpw(submitted_password.encode('utf-8'), stored_hash)

Common Attacks

Password-based systems face numerous attack vectors:

Brute Force: Systematically trying every possible combination. Mitigated by rate limiting, account lockout, and strong hash algorithms.
Dictionary Attack: Trying common passwords and words. Mitigated by password complexity requirements and checking against known breached passwords.
Credential Stuffing: Using username/password pairs from data breaches on other services. Mitigated by multi-factor authentication and breach detection.
Phishing: Tricking users into entering credentials on fake websites. Mitigated by FIDO2/WebAuthn which binds credentials to specific origins.
Rainbow Tables: Precomputed hash-to-password lookup tables. Mitigated entirely by per-password salting.

Session-Based Authentication

Session-based authentication is the traditional approach used in server-rendered web applications. After a user successfully authenticates with their credentials, the server creates a session -- a temporary record stored on the server that represents the authenticated state. The server sends back a session ID (typically in a cookie), which the client includes with every subsequent request.

# Session-based authentication flow1. Client sends POST /login with username and password2. Server verifies credentials against database3. Server creates a session record (stored in memory, database, or Redis)4. Server responds with Set-Cookie: session_id=abc123; HttpOnly; Secure; SameSite=Strict5. Client automatically includes cookie with every subsequent request6. Server looks up session_id in its session store to identify the user7. On logout, server destroys the session record

The session store can be implemented using in-memory storage (fast but lost on restart), a database (persistent but slower), or a distributed cache like Redis (fast and persistent, suitable for multi-server deployments).

Session-based authentication is inherently stateful: the server must maintain session data for every active user. This creates challenges for horizontal scaling, as requests from the same user might hit different servers. Solutions include sticky sessions (routing all requests from a user to the same server) and centralized session stores.

For a deeper look at the risks of session management, see Session Hijacking.

Token-Based Authentication

Token-based authentication emerged as an alternative to sessions, particularly suited for APIs, single-page applications, and microservice architectures. Instead of storing session state on the server, the server issues a cryptographically signed token that contains all necessary information about the user. The most common implementation is JSON Web Tokens (JWT).

# Token-based authentication flow1. Client sends POST /login with credentials2. Server verifies credentials3. Server creates a signed token containing user claims4. Server responds with { "access_token": "eyJhbGciOiJIUzI1NiIs...", "expires_in": 3600 }5. Client stores token (memory, localStorage, or HttpOnly cookie)6. Client includes token in Authorization header: Bearer eyJhbGciOiJIUzI1NiIs...7. Server validates token signature and extracts user information8. No server-side session lookup required

Token-based authentication is stateless from the server's perspective: the token itself contains all the information needed to authenticate the request. This makes it easier to scale horizontally since any server can validate any token without consulting a shared session store.

Aspect	Session-Based	Token-Based
State	Stateful (server stores sessions)	Stateless (token contains all data)
Scalability	Requires shared session store	Any server can validate tokens
Revocation	Easy (delete session)	Difficult (token valid until expiry)
Storage	Cookie (automatic)	Header (manual) or cookie
CSRF Risk	Higher (cookies sent automatically)	Lower (if using Authorization header)
Cross-Domain	Difficult (cookie restrictions)	Easy (tokens are portable)
Mobile Support	Poor (cookie handling varies)	Excellent (standard HTTP headers)

"Tokens are not inherently more secure than sessions. The security depends entirely on how they are stored, transmitted, and validated. A JWT in localStorage is vulnerable to XSS just as a session cookie without HttpOnly is." -- Philippe De Ryck, web security researcher

Multi-Factor Authentication

Multi-factor authentication (MFA) requires users to present evidence from two or more different factor categories. The most common combination is a password (knowledge) plus a one-time code from a phone (possession). MFA dramatically reduces the risk of account compromise because an attacker must defeat multiple independent security mechanisms.

According to Microsoft, MFA blocks 99.9% of automated account compromise attacks. Google reported that adding a recovery phone number (for SMS-based verification) blocked 100% of automated bots, 99% of bulk phishing attacks, and 76% of targeted attacks.

Common MFA methods ranked by security:

FIDO2/WebAuthn hardware keys -- Cryptographic proof of possession; phishing-resistant
Authenticator apps (TOTP) -- Time-based one-time passwords; resistant to SIM swapping
Push notifications -- Approve/deny on registered device; vulnerable to MFA fatigue attacks
SMS codes -- Vulnerable to SIM swapping and SS7 attacks; better than nothing
Email codes -- Only as secure as the email account; circular dependency risk

// TOTP (Time-based One-Time Password) generation// Based on RFC 6238function generateTOTP(secret, timeStep = 30) { const epoch = Math.floor(Date.now() / 1000); const counter = Math.floor(epoch / timeStep); const hmac = crypto.createHmac('sha1', base32Decode(secret)); hmac.update(Buffer.from(counterToBytes(counter))); const hash = hmac.digest(); const offset = hash[hash.length - 1] & 0x0f; const code = ((hash[offset] & 0x7f) << 24 | (hash[offset + 1] & 0xff) << 16 | (hash[offset + 2] & 0xff) << 8 | (hash[offset + 3] & 0xff)) % 1000000; return code.toString().padStart(6, '0');}

Biometric Authentication

Biometric authentication uses measurable biological or behavioral characteristics to verify identity. On the web, biometric authentication is typically mediated through platform APIs -- the biometric data never leaves the user's device. The Web Authentication API (WebAuthn) enables websites to use biometrics through the browser without ever seeing the raw biometric data.

Key biometric modalities used in web authentication:

Fingerprint: Used by Touch ID, Windows Hello, and Android fingerprint sensors. Fast and widely available. False acceptance rate typically below 0.002%.
Facial Recognition: Used by Face ID and Windows Hello cameras. 3D depth mapping prevents photo-based spoofing. Works in varying lighting conditions.
Iris Scanning: Extremely high accuracy but requires specialized hardware. Primarily used in high-security environments.
Behavioral Biometrics: Analyzes typing patterns, mouse movements, or touchscreen gestures. Can provide continuous authentication but raises privacy concerns.

The critical security principle of modern biometric authentication is that biometric data must never leave the device. WebAuthn and FIDO2 enforce this by design: the device performs the biometric check locally and then uses a cryptographic key pair to prove the result to the server. The server never receives fingerprint data, facial geometry, or any other biometric information.

Passwordless Authentication

Passwordless authentication eliminates passwords entirely, relying instead on possession factors, biometrics, or cryptographic challenges. The push toward passwordless is driven by the recognition that passwords are the weakest link in most security systems: they can be stolen, guessed, phished, and are a burden for users to manage.

Major passwordless approaches:

Magic Links: An email containing a unique, time-limited URL. The user clicks the link to authenticate. Simple but only as secure as the user's email account.
WebAuthn/FIDO2: The gold standard. Uses public key cryptography with hardware authenticators or platform biometrics. Phishing-resistant by design because credentials are bound to the origin.
Passkeys: An evolution of FIDO2 that synchronizes credentials across devices via cloud platforms (iCloud Keychain, Google Password Manager). Combines the security of public key cryptography with the convenience of cross-device access.
One-Time Codes: Sent via SMS or authenticator app. Technically passwordless when used as the sole factor, but often considered weaker than cryptographic methods.

// WebAuthn registration (passkey creation)const credential = await navigator.credentials.create({ publicKey: { challenge: new Uint8Array(serverChallenge), rp: { name: "Example Corp", id: "example.com" }, user: { id: new Uint8Array(userId), name: "user@example.com", displayName: "Jane Doe" }, pubKeyCredParams: [ { type: "public-key", alg: -7 }, // ES256 (P-256) { type: "public-key", alg: -257 } // RS256 ], authenticatorSelection: { authenticatorAttachment: "platform", residentKey: "required", userVerification: "required" } }});// Send credential.response to server for storage

"Passkeys represent the most significant shift in authentication since the invention of the password itself. For the first time, we have a technology that is simultaneously more secure and more usable than passwords." -- Christiaan Brand, Google Identity and Security

Best Practices

Implementing authentication securely requires attention to numerous details beyond just choosing a method. The following guidelines represent current industry best practices based on recommendations from OWASP, NIST SP 800-63, and leading security researchers.

Use Argon2id or bcrypt for password hashing with appropriate work factors. Never use MD5, SHA-1, or SHA-256 alone for passwords.
Enforce minimum password length of at least 8 characters (NIST recommends allowing up to 64). Do not impose arbitrary complexity rules -- length matters more than complexity.
Check passwords against known breaches using services like the Have I Been Pwned API. Reject passwords that appear in known breach databases.
Implement rate limiting on login endpoints. Use exponential backoff or account lockout after repeated failures.
Support and encourage MFA. FIDO2/WebAuthn is preferred over TOTP, which is preferred over SMS.
Use secure session management. Set HttpOnly, Secure, and SameSite flags on session cookies. Regenerate session IDs after login.
Implement proper logout that invalidates server-side sessions and clears client-side tokens.
Use constant-time comparison for password verification and token validation to prevent timing attacks.
Log authentication events including successful logins, failed attempts, and password changes for audit and anomaly detection.
Plan for credential recovery with secure password reset flows that use time-limited, single-use tokens.

References

Grassi, P. et al. (2017). NIST SP 800-63B: Digital Identity Guidelines -- Authentication and Lifecycle Management. NIST.
OWASP Foundation. (2023). OWASP Authentication Cheat Sheet. OWASP.
Bonneau, J. et al. (2012). "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes." IEEE Symposium on Security and Privacy.
W3C. (2021). Web Authentication: An API for accessing Public Key Credentials -- Level 2. W3C Recommendation.
FIDO Alliance. (2022). FIDO2: Client to Authenticator Protocol (CTAP). FIDO Alliance.
Provos, N. and Mazieres, D. (1999). "A Future-Adaptable Password Scheme." USENIX Annual Technical Conference.
Biryukov, A. et al. (2016). "Argon2: New Generation of Memory-Hard Functions for Password Hashing and Other Applications." IEEE European Symposium on Security and Privacy.
Microsoft Security. (2019). "One simple action you can take to prevent 99.9 percent of attacks on your accounts." Microsoft Security Blog.