Token-based Authentication

Token-based authentication is a scheme in which a user proves their identity once, typically with a username and password or another factor, and is then issued a token that stands in for those credentials on later requests. The token is usually an opaque or cryptographically signed string that the server can map back to a user (or that carries signed claims about the user) and that grants access to a specific set of services or resources for a bounded time.

During the life of the token, users can access the website or app without re-entering credentials each time they revisit a protected resource. Auth tokens function like a stamped ticket, granting access as long as the token is valid. When the user logs out or exits the app, the token should be invalidated. In practice this only happens if the server does it: deleting the token from the browser does not stop a copy that has already been stolen, and a self-contained token (such as a signed JWT) stays valid until its expiry unless the server keeps a revocation list or issues it with a short lifetime.

Token-based authentication differs from traditional password-based methods in that the password is presented only once rather than on every request, and the token itself can be scoped, time-limited and revoked. That gives administrators fine-grained control over which actions and transactions a given session is allowed to perform.

Token Types

All authentication tokens allow access. The three common types of authentication tokens are:

  • Connected: Keys, discs, drives, and other physical items that plug into the system for access.

  • Contactless: A device that is close enough to the system to communicate with it (for example over NFC or Bluetooth) but does not plug in. (https://smallbiztrends.com/token-ring-will-replace-passwords/)

  • Disconnected: A device that never touches the client system or the server at all. It produces a value, typically a one-time code shown on the device or sent to a phone, which the user reads and enters by hand, so it works across any distance.

In all three of these scenarios, a user must do something to start the process. They may need to enter a password or answer a question. But even when they complete those preliminary steps perfectly, they can't gain access without the help of an access token.

Token Authentication

Reference: https://www.okta.com/identity-101/what-is-token-based-authentication/

Use a token-based authentication system, and visitors will verify credentials just once. In return, they'll get a token that allows access for a time period you define.

  • Request: The person asks for access to a server or protected resource. That could involve a login with a password, or it could involve some other process you specify.

  • Verification: The server determines that the person should have access. That could involve checking the password against the username, or it could involve another process you specify.

  • Tokens: Where a second factor is involved, the server also checks the authentication device, such as a ring, key, phone, or similar device. After verification, the server issues a token and returns it to the client.

  • Storage: The token is kept on the client, usually in the browser, while work continues. Where it is kept matters: an HttpOnly cookie or in-memory storage keeps it away from page scripts, whereas localStorage exposes it to any script running on the page.

When the user requests a different protected part of the application, the client sends the token along with the request (for example in an Authorization: Bearer header or a cookie). The server verifies the token's signature or looks it up, checks its expiry and scope, and grants or denies access on that basis.

Administrators set limits on tokens. A token can be single-use, so that it is rejected after its first presentation; it can be bound to the session, so that it is revoked when the person logs out; or it can be given a fixed lifetime after which it expires on its own. Short lifetimes combined with server-side revocation bound the damage a stolen token can do.
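The issue, store, present, expire and revoke cycle described above, as an added example that is not from this page or from Okta: a minimal HMAC-signed bearer token in Python. The claim names (sub, scp, exp, jti) borrow JWT's registered names, but the format is deliberately not JWT; the signing key, the Authorization header parsing and the in-memory revocation set are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: the server's signing key. In production it would be loaded
# from a secrets manager or the environment, not generated at import time.
SECRET_KEY = secrets.token_bytes(32)

# Server-side denylist of token ids (jti). This is what makes logout, and a
# single-use token being spent, actually stop the token from working.
# Entries can be dropped once the token's exp has passed.
_revoked_jti = set()


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, scopes, ttl_seconds, now=None, single_use=False):
    """Mint <payload>.<tag>: JSON claims plus an HMAC-SHA256 over them."""
    now = time.time() if now is None else now
    claims = {
        "sub": user_id,                  # who the token was issued to
        "scp": sorted(scopes),           # what it is allowed to do
        "iat": int(now),                 # issued-at
        "exp": int(now + ttl_seconds),   # hard expiry, enforced server-side
        "jti": secrets.token_hex(16),    # unique id, so it can be revoked
        "one": bool(single_use),         # single-use tokens burn on first use
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return _b64encode(body) + "." + _b64encode(tag)


def _verify_and_parse(token):
    """Return the claims if the MAC is genuine, else None. Nothing inside the
    payload is trusted (or even parsed) before the MAC check passes."""
    if not isinstance(token, str):
        return None
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _b64decode(body_b64), _b64decode(tag_b64)
    except ValueError:                   # wrong shape or invalid base64
        return None
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def validate_token(token, required_scope, now=None):
    """Return the claims if the token is genuine, unexpired, unrevoked and
    carries required_scope; otherwise return None."""
    now = time.time() if now is None else now
    claims = _verify_and_parse(token)
    if claims is None:
        return None
    if now >= claims["exp"]:
        return None
    if claims["jti"] in _revoked_jti:
        return None
    if required_scope not in claims["scp"]:
        return None
    if claims["one"]:
        _revoked_jti.add(claims["jti"])  # spent: replaying this token fails
    return claims


def logout(token):
    """Server-side logout: revoke the token id so every copy of it, including
    one stolen from the browser, stops working before exp. Returns True if a
    genuine token was revoked."""
    claims = _verify_and_parse(token)
    if claims is None:
        return False
    _revoked_jti.add(claims["jti"])
    return True


def authorize_request(headers, required_scope, now=None):
    """How the token 'comes back' on later requests: pull it out of an
    Authorization: Bearer header (assumed transport) and validate it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return validate_token(token.strip(), required_scope, now=now)
```

The MAC is checked before the payload is parsed, so untrusted bytes never reach the JSON parser; expiry, scope and revocation are all enforced on the server, which is the part a browser-only "delete the cookie" logout misses. A real deployment would persist the revocation set (or keep lifetimes short enough that it is unnecessary) and keep the key outside the code.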
