Dark Arts
  • index
  • BUY ME A BOOK
  • 🪄Dark Magic
    • Pentesting
      • Industry Methodologies
    • Scopes of Testing
    • Reconnaissance
      • Passive
        • WHOIS
        • DNS
          • nslookup
          • dig
        • WAF
        • Subdomain
        • Google Dork
        • Misc. Techniques
        • Leaked Passwords
      • Active
        • Browser & Plugins
        • ping & traceroute
        • fping
        • telnet & netcat
        • DNS
          • Zone Transfer
          • DNS Amplification DDoS Attack Breakdown
        • Misc. Techniques
    • Vulnerability Assessment
    • Attack Types
  • 🕷️Aragoogs Nest
    • Web Application Overview & Security
      • Security Testing
      • Common Threats & Risks
    • Web Application Architecture
      • Technologies
    • HTTP/S
      • Message
      • Request
      • Response
        • Status Code
    • Crawling/Spidering
  • 🧪Potions
    • Web Browsers
    • Computer Networking
      • Network Protocol
      • Packets
      • OSI Layer
        • Layer 3: Network
        • Layer 4: Transport
      • DNS
        • Primary-Secondary
        • Local Name Resolution
        • Domain Hierarchy
        • FQDN
        • Lookups
        • DNS Resolution
        • DNS Records
        • Security: Attack-Defense (Default)
  • 🎆Spells
    • 📜Linux Scroll
    • 📜WebShell Scroll
    • git
      • Attacks + Vulnerabilities
  • 🖼️Flaws w/ Magical Frameworks
    • Windows
      • In a Nutshell
      • CVE-2019-0708: BlueKeep
      • CVE-2017-0144: EternalBlue: MS17-010
      • Attacking Services
        • MS IIS - WebDAV
        • SMB
        • HTTP File Server (HFS)
        • Apache Tomcat Web Server
        • RDP
        • WinRM
      • File System Vulnerabilities
      • Credential Dumping
        • Password Search in Windows Configuration Files
        • Mimikatz
        • Pass-the-Hash Attack
    • Linux
      • In a Nutshell
      • CVE-2014-6271: Shellshock
      • Attacking Services
        • FTP
        • SSH
        • SAMBA
        • SMTP
        • RSYNC
      • Dumping Hashes
  • 🌼Marauder's Boost
    • Privilege Escalation
    • Windows PrivEsc
      • Windows Kernel Exploit
      • Bypassing UAC
      • Access Token Impersonation
    • Linux PrivEsc
      • Linux Kernel Exploit
      • Misconfigured Cron Jobs
      • Exploiting SUID Binaries
      • shells
      • File Permissions
  • ☠️Death Eaters
    • Post Exploitation
      • Windows
      • Linux
  • 🪄OLLIVANDERS
    • nmap
      • Host Discovery
      • Port Scan
      • Service & OS
      • NSE
      • Firewall/IDS Evasion
      • Scan Optimization
      • Misc. Methods
    • ffuf
    • Hydra
    • Metasploit Framework
      • Architecture
      • Must to Know
      • msfvenom
      • Auxiliary Modules
      • Service Enumeration
      • Vulnerability Scanning
      • Imports
      • Automating
    • Vulnerability Scanners
    • Wireshark
  • 🚂Platform 9(3/4)
    • Auth-Auth
      • Authentication
        • Password-based Authentication
        • Basic Authentication
        • Multi-factor Authentication
        • Access Token
        • Token-based Authentication
          • JWT
          • OAuth 2.0
    • Secure Headers
      • Content-Security-Policy (CSP)
    • Cryptography
      • Caesar Cipher
  • ⛲Port Pensieve
    • Enumeration
      • SMB & NetBIOS
      • SNMP
    • Wordlists
  • 🔆DUELS
    • Pivoting
    • SMB Relay Attack
  • 🗺️Marauder's Map
    • Web Application Pentesting
    • API Pentesting
      • GraphQL
        • Primer
    • Mobile Application Pentesting
  • 🎧SIDE CHANNEL
    • Side Channel Analysis
    • Timing Side-Channel Attacks
      • Vulnerable Login
  • 🥃Sky
    • Cloud Basics
    • Cloud Management
      • Shared Responsibility Model
    • Using Cloud Resources
      • Monitoring & Alerts
      • Identity & Access Management
      • Scalability & Availability
      • Solution Design
    • Cloud Providers
    • Cloud Security & Regulatory Compliance
      • Resource Protection
      • ICCA: Cloud Security & Regulatory Compliance
    • ICCA Preparation
      • Knowledge Tests
      • Lab
  • 🔷Obsidian
    • Pentest Engagement
      • Scoping
    • Pentest Ethics
      • Rules of Engagement
    • Auditing Fundamentals
      • Process/Lifecycle
      • Pentest & Security Auditing
      • GRC
      • Standards, Frameworks & Guidelines
      • From Audit to Pentest
  • 💢Threat Modeling
    • Why Threat Model?
  • 📡THREAT INTEL
    • Threat Intelligence
    • Tool Dump
  • 📱Anything-Mobile-IoT
    • Firmware
    • Firmware Analysis
      • Example: CVE-2016-1555
    • Firmware Installation/Flashing
  • 🎉Mischeif
    • Social Engineering
    • Phishing
      • GoPhish
    • Pretexting
Powered by GitBook
On this page
  • Token Types
  • Token Authentication
  1. Platform 9(3/4)
  2. Auth-Auth
  3. Authentication

Token-based Authentication

PreviousAccess TokenNextJWT

Last updated 1 year ago

Token-based authentication is a protocol that allows users to verify their identity using a token, rather than traditional username and password credentials. In this system, a token is issued to the user after a successful login, which they can then use to access protected resources. This token is usually a string of characters that uniquely identifies the user and grants access to specific services or resources.

During the life of the token, users can access the website or app without re-entering credentials each time they revisit a protected resource. Auth tokens function like a stamped ticket, granting access as long as the token is valid. When the user logs out or exits the app, the token is invalidated.

Token-based authentication differs from traditional password-based methods, providing an extra layer of security and allowing administrators detailed control over actions and transactions.

Token Types

All authentication tokens allow access. The three common types of authentication tokens are -

  • Connected: Keys, discs, drives, and other physical items plug into the system for access.

  • Contactless: A device is close enough to a server to communicate with it, but it doesn't plug in. ()

  • Disconnected: A device can communicate with the server across long distances, even if it never touches another device at all.

In all three of these scenarios, a user must do something to start the process. They may need to enter a password or answer a question. But even when they complete those preliminary steps perfectly, they can't gain access without the help of an access token.

Token Authentication

Reference:

Use a token-based authentication system, and visitors will verify credentials just once. In return, they'll get a token that allows access for a time period you define.

  • Request: The person asks for access to a server or protected resource. That could involve a login with a password, or it could involve some other process you specify.

  • Verification: The server determines that the person should have access. That could involve checking the password against the username, or it could involve another process you specify.

  • Tokens: The server communicates with the authentication device, like a ring, key, phone, or similar device. After verification, the server issues a token and passes it to the user.

  • Storage: The token sits within the user's browser while work continues.

If the user attempts to visit a different part of the server, the token communicates with the server again. Access is granted or denied based on the token.

Administrators set limits on tokens. You could allow a one-use token that is immediately destroyed when the person logs out. Or you could set the token to self-destruct at the end of a specified time period.

🚂
https://smallbiztrends.com/token-ring-will-replace-passwords/
https://www.okta.com/identity-101/what-is-token-based-authentication/