By: Nihad Hassan
May 7, 2021
Introduction To Token Based Authentication
As the world moves steadily toward becoming fully digital, human dependence on technology increases rapidly. Technology has infiltrated all aspects of our lives; people use it to socialize, work, study, and shop, to name a few. To distinguish one user among millions of connected users online, authentication was invented to prove someone's digital identity.
Digital authentication establishes confidence that a natural or legal person, or another entity, is who it claims to be toward the authentication system. It helps mitigate the risk of fraud and identity theft by verifying the identity of the entity conducting the online transaction.
Authentication is a crucial concept in cybersecurity; it allows organizations to keep their computer networks secure by permitting only authenticated users or processes and other systems to access the protected resources. This includes databases and networks, websites, and other network applications and services.
The authorization phase commonly follows authentication. In this phase, the authentication system will determine whether the authenticated entity (user, system, or process) has the necessary privileges to access the protected resources.
The authentication and authorization terms are commonly used interchangeably, although they are different and widely used together in modern authentication systems. Keep in mind: authentication precedes authorization.
Several types of digital authentication are used to verify users' identities. They range from simple passwords to Multi-Factor Authentication (MFA), which is considered the most secure.
The primary type of digital authentication is using a username and a password. The user enters his/her username or ID and then enters the associated password. The password is known as the "authentication factor", and the traditional password systems are based on one factor. When utilizing more than one "authentication factor" (for example, a password and temporary PIN sent to a user's phone), it is called MFA.
Token-Based Authentication is a type of e-authentication (electronic authentication) that allows users to verify their identity by receiving a unique access token. The access token is a piece of data that is of no use on its own; it only has meaning to the token system that issued it and can validate it, and it is that system that protects the network or application.
A token exists for a specific period within the system. During the token validity time, a user can access the website or the application that issued the token without re-entering his/her credentials. This shortens the time they spend accessing the protected resources within the system.
The user retains access within the protected resources as long as the token is valid. When a user closes the application or logs out of the website, the token becomes invalid.
A token is different from a traditional password authentication system in another way: it allows administrators to track every authenticated user's actions.
Why Token Authentications?
Before tokens, people used passwords to access protected resources; password-only systems suffer from several shortcomings, such as:
- A user needs to generate the password. To be complex enough, the password must be longer than 12 characters and contain uppercase and lowercase letters, numbers, and symbols.
- A user needs to remember this complex password, which is a daunting task, especially if there is a need to remember many passwords.
- A user needs to re-enter this password every time he/she needs to access the protected resources.
Why are traditional passwords not secure enough?
Password theft occurs frequently today. According to ID Agent [1], about 80% of data breaches in 2019 were caused by password compromise. Traditional passwords are not secure enough for the following three reasons:
- People tend to reuse passwords for more than one account. For example, a user may use the same password for his work and private email accounts. If one password gets compromised, all accounts using the same passwords will get compromised as well.
- Non-tech savvy users tend to store their passwords on a piece of paper; this creates a security nightmare for Security Administrators.
- Many organizations enforce a password change policy. However, users tend to cheat the system by changing only one letter or by cycling through several old passwords.
Finally, passwords require server-side authentication: every time a user enters his/her password, the server must verify the credentials. This increases the workload on the server end and results in some delay.
Token-based authentication is entirely different!
How does token authentication work?
Commonly, tokens are generated by dedicated hardware devices called dongles or key fobs; of course, software programs can also generate tokens.
The dongle, a device similar to a USB flash drive, holds a small amount of storage for a digital certificate. Modern dongles include an LCD, a keypad for typing passwords, and wireless connectivity.
The dongle generates a new token every 60 seconds. The user must keep the dongle safe and secure and avoid leaving it out in the open, because a stolen dongle can compromise the user's login.
A token itself is made up of the following three elements:
- Header: identifies the signing algorithm used for the authentication.
- Payload: contains the user claims, i.e. anything related to the user's request.
- Signature: assures that the message has not been tampered with in transit.
The rapid development of smartphone technology has changed traditional token-based authentication systems. For instance, a user can now utilize a software token generator via a smartphone app (authenticator app) that generates passcodes valid for 30 or 60 seconds depending on the authentication server settings.
The widespread use of smartphones will make token-based authentication easier to adopt in organizations, as most staff already carry the token generators (their smartphones). At the same time, staff training and the cost of deploying token-based authentication will remain minimal, making this option viable for many organizations.
Traditional password authentication systems are no longer secure enough to protect the user's login credentials. Implementing token-based authentication into an organization might mitigate the numerous shortfalls a password-only system is exposed to.