What Is Token-Based Authentication and Who Uses It?
Our approach for securing buildings—whether they’re corporate or residential—and the items within them has evolved significantly in the last decade. Metal keys and locks are being replaced by access cards and fobs that residents or employees receive once their identity has been validated and their access permissions designated.
Token-based authentication works in much the same way. Users log in to a system and—once authenticated—are provided with a token to access other services without having to enter their username and password multiple times. In short, token-based authentication adds a second layer of security to application, network, or service access.
How token-based authentication works
Available in both physical and digital form, a token is a piece of data that, combined with the correct system, is used to secure user access to systems and applications. In token-based authentication, tokens are employed to ensure every request to a server is verified—similar to how passwords allow users to log into a service.
Physical tokens come in many forms. Some can be inserted into a USB port and others provide randomized codes for users to enter manually. The system then compares the information provided by the token with the details stored on its database and, if it is correct, the user is authorized to access the system.
Within the digital landscape, modern web applications typically use JSON web tokens (JWTs) to authenticate their users. JWTs are encoded as JSON objects and operate within an open standard for securely transmitting information between parties. In practice, user data is encrypted by an identity provider into a JWT, and is then stored by the service provider and confirming the user’s identity in every subsequent request. This ensures that hackers can’t access the user’s information—which is held by the identity provider—in the event of a breach to the service provider.
Token-based authentication vs. server-based authentication
With session- or server-based authentication, a user’s information is stored in the server memory when they log in, then the data is saved in a cookie on their browser. As they request access to new services and applications, the server compares the information in the cookie with the stored session data to authenticate their identity.
In contrast, token-based authentication ensures that the user’s activity is not stored on the server. This helps further ensure that users only have access to the information, tools, and systems they are allowed to.
Who uses token-based authentication
The key advantage of token-based authentication is that it removes the need for weak login credentials. It can help organizations opting for a passwordless approach to identity and access management by offering a strong multi-factor authentication factor that can complement biometrics, push notifications, and more.
Token-based authentication is particularly well suited to mobile apps, platform-as-a-service applications, and single-page applications. It simplifies the process of implementing native or hybrid applications and enables organizations to actively participate in the API economy, sharing their information with a range of modern clients and frameworks.
There are three main authentication tokens available:
- Connected tokens: Users can physically connect these tokens to the system they wish to access. For example, smart cards can be inserted into a device’s smart card reader.
- Disconnected tokens: The most commonly-used tokens in two-factor authentication alongside passwords. Users don’t have to physically insert these tokens into their devices, but rather they may need to enter a code that the token generates.
- Contactless tokens: These tokens don’t need to physically connect to a device and don’t require users to manually input information. A common example of this is Bluetooth tokens, which transmit authentication data to a system, which then determines whether the user has access rights.
As we continue to evolve how we secure access to our homes and offices, it’s just as important to implement mechanisms like token-based authentication to ensure that only the right people have access to our digital resources.