How Does User Authentication Work?
Wajid Khan
Team Lead / Solution Architect /Full Stack Developer | IAmWajidKhan.com | .Net Core | MVC | C# | ASP.Net | Xamarin | Web API | SQL Server | Oracle | ESRI | SAP BI | Azure | EF | XAML | WPF | LINQ | Network | IoT | SEC
Authentication of user accounts for web and app access. Identity is required for web access to your apps and data: only you should be able to see your stuff!
Apps use “Authentication” to verify that you are who you say you are: it can be as simple as a password or as complex as biometrics (e.g. fingerprint or facial recognition).
The most common method of authentication is username and password, but schemes such as single sign-on, OAuth, SMS PIN and password-less authentication with magic links and SMS OTP codes are becoming more popular.
SMS OTPs are also used in two-factor authentication (2FA), a security scheme that requires two or more pieces of evidence.
Authentication on the backend can be accomplished through the use of cookies, session tokens, JSON Web Tokens (JWTs), and/or other combinations of cryptographic techniques.
How Authentication works
User authentication is the process of verifying the identity of a user who is attempting to access a system or application. It is an essential security measure to prevent unauthorized access and protect sensitive information. The following are the steps involved in user authentication:
User provides credentials:
The user provides their username and password, which are known as "credentials". Other forms of credentials, such as biometric authentication (e.g. fingerprint or facial recognition), may also be used.
Credentials are verified:
The system checks the credentials against the stored data, which could be kept in a database or another type of storage system.
Authentication is granted or denied:
If the credentials match the stored data, the user is granted access to the system. If the credentials do not match, the user is denied access.
Session is created:
Once the user is authenticated, a session is created for them. This session is used to maintain the user's authenticated state throughout their interaction with the system.
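The four steps above, carried through in code as an added example (this is not code from the original article). It assumes a constructed in-memory user store and session store (a real system would use a database), stores only a salted PBKDF2 hash of the password rather than the password itself, compares hashes in constant time, and issues a random session ID with an expiry once the credentials check out.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores for the example (assumption: a real deployment
# keeps these in a database or session backend, never in process memory).
USERS = {}      # username -> (salt, pbkdf2 digest)
SESSIONS = {}   # session_id -> {"user": username, "expires": unix_time}
SESSION_TTL = 3600  # seconds a session stays valid


def hash_password(password, salt=None, iterations=200_000):
    """Step 2 helper: derive a salted PBKDF2-HMAC-SHA256 digest of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def register(username, password):
    """Store only the salt and digest, never the plaintext password."""
    salt, digest = hash_password(password)
    USERS[username] = (salt, digest)


def verify_credentials(username, password):
    """Steps 1-2: check the supplied credential against the stored record."""
    record = USERS.get(username)
    if record is None:
        # Do the same hashing work for an unknown user so response time does
        # not reveal whether the username exists.
        hash_password(password)
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, candidate)


def login(username, password, now=None):
    """Steps 3-4: grant or deny, and on success create a session."""
    now = time.time() if now is None else now
    if not verify_credentials(username, password):
        return None  # access denied
    session_id = secrets.token_urlsafe(32)  # 256 bits of randomness
    SESSIONS[session_id] = {"user": username, "expires": now + SESSION_TTL}
    return session_id


def current_user(session_id, now=None):
    """Resolve a session ID presented on a later request back to a user."""
    now = time.time() if now is None else now
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    if now >= session["expires"]:
        del SESSIONS[session_id]  # expired sessions are removed, not reused
        return None
    return session["user"]


def logout(session_id):
    """Invalidate the session server-side so the ID can no longer be used."""
    SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    sid = login("alice", "correct horse battery staple")
    print("logged in as:", current_user(sid))
    print("wrong password gives:", login("alice", "nope"))
```

The `now` parameter exists so expiry can be exercised deterministically; in production the default `time.time()` is used and the session ID is sent to the browser in a cookie, which the next section covers.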
Sessions, cookies, and tokens
Sessions, cookies, and tokens are all methods of maintaining user state and authentication in web applications. Here's an overview of each:
Sessions:
A session is a server-side mechanism for maintaining state between HTTP requests from the same user. When a user logs in to a web application, the server creates a unique session ID and stores it in a cookie or in the URL. This session ID is used to identify the user in subsequent requests and to maintain their authenticated state.
Sessions are easy to use and secure by default, but they can be vulnerable to session hijacking if not implemented correctly.
Cookies:
A cookie is a small text file that a website stores on a user's computer or mobile device. Cookies are often used to store user preferences or login credentials. In the case of authentication, a cookie can be used to store a user's session ID, which allows the server to maintain their authenticated state across multiple requests.
Cookies are widely supported and can be used to store session IDs, but they can be vulnerable to cross-site scripting attacks.
Tokens:
A token is a piece of data that is used to authenticate a user and maintain their state between requests. Tokens can be issued by the server after successful authentication, and they are usually in the form of a JSON Web Token (JWT). The client stores the token and sends it to the server in subsequent requests. The server can then verify the token to ensure that the client is authenticated and maintain the user's state.
Tokens are flexible and can be used for authentication and authorization, but they require more setup and can be vulnerable to token theft or replay attacks.
Each of these methods has its own advantages and disadvantages. Choosing the right method depends on the specific needs of the application and the level of security required.
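An added example covering the cookie and token sections above (not code from the original article): it builds a `Set-Cookie` header for a session ID with the `HttpOnly`, `Secure` and `SameSite` attributes that keep the cookie out of reach of page scripts, and it issues and verifies a JWT-style token (HS256 via the standard library, no third-party JWT library) with an expiry, a pinned algorithm and a constant-time signature check, so a tampered, expired or foreign-key token is rejected. `SERVER_KEY` is a constructed placeholder value.

```python
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie

# Assumption: constructed placeholder; a real key is random, secret and server-only.
SERVER_KEY = b"constructed-server-secret-do-not-reuse"
TOKEN_TTL = 900  # seconds a token stays valid


def _b64url(data):
    """Base64url without padding, as JWT uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_token(username, now=None, key=SERVER_KEY):
    """Mint header.payload.signature after a successful login."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": now, "exp": now + TOKEN_TTL}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, now=None, key=SERVER_KEY):
    """Return the subject if the token is well-formed, untampered and unexpired, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; the header is attacker-controlled input.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # signature mismatch: tampered or signed with another key
        payload = json.loads(_b64url_decode(payload_b64))
        if now >= int(payload["exp"]):
            return None  # expired: limits the window for a stolen token
        return payload["sub"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed input of any kind is treated as unauthenticated


def session_cookie_header(session_id):
    """Build a Set-Cookie value that page scripts cannot read and only HTTPS carries."""
    cookie = SimpleCookie()
    cookie["session_id"] = session_id
    cookie["session_id"]["httponly"] = True   # not exposed to document.cookie
    cookie["session_id"]["secure"] = True     # only sent over HTTPS
    cookie["session_id"]["samesite"] = "Lax"  # not sent on cross-site POSTs
    cookie["session_id"]["path"] = "/"
    return cookie["session_id"].OutputString()


if __name__ == "__main__":
    tok = issue_token("alice")
    print("token subject:", verify_token(tok))
    print("header:", session_cookie_header("constructed-session-id"))
```

The `HttpOnly` attribute is the direct mitigation for the cross-site scripting risk noted under Cookies: a script injected into the page cannot read the session ID. The signature check and short `exp` are the mitigations for the token theft and replay risks noted under Tokens; a stolen token still works until it expires, so revocation needs a server-side list on top of this.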
Hi, I’m Wajid Khan. I try to explain computer stuff in a simple and engaging manner, so that even non-techies can easily understand, delivered to your inbox weekly.