My Learnings from Implementing Authentication

My Learnings from Implementing Authentication


Introduction

Being my first time working with authentication, I thought it would be a good idea to write a blog about it. I’m not sure if it’s a good idea to start writing about it, but I thought it would be a good idea to document my learning process. With that said, let’s get started!

Authentication vs Authorization

Authentication and authorization are used interchangeably in many instances, but they are not the same thing. Authentication is the process of verifying if a user is who they are claiming to be. It’s a crucial part of any application, especially when user data is involved in the application.

Authorization, on the other hand, is all about what a user is allowed to do. It’s a more granular process than authentication, and it’s often used in conjunction with authentication. For example, if a user is authenticated, but not authorized, they won’t be able to access certain parts of the application.

Authentication

There are 2 things as far authentication is concerned:

  1. Way to allow requests to know if a user is authenticated
  2. Ways in which a user is able to authenticate

Way to allow requests to know if a user is authenticated

There are 2 ways to do this:

  1. Sessions
  2. JWT Token

Sessions

Sessions can be analogous to a lock and key system. When a user logs in, we store a key in our back end of choice. This key is called a session. While a user is logged in, the session which is created is sent to the user’s browser and stored as a cookie on their device. Why not use some other place to store the session like local storage? Because cookies storage is meant to be contain small amounts of data with an expiration date. But local storage is meant to be persist large amount of data indefinitely. Anyway, let’s move on.

This saved cookie as we discussed earlier is sent to the server with every request. The server then validated this session by calling the database to see if the session exists and is of the same user. If not, the server won’t even continue with the rest of the process to save on computation.

Pros

  • Easier to implement
  • Invalidating a user session is as easy are removing his session in the database

Cons

  • Sessions are vulnerable to session hijacking
  • Sessions are vulnerable to session fixation
  • It involves a lot of database calls

JWT Token

JWT (JSON Web Token) is a token that is used to authenticate a user. It’s a string of characters that is signed using a secret key. The secret key is kept in the user browser and is never sent to the server. Then an question arises, how do we know if the token is valid? The key which we store in the user’s browser is what is the key for the user which is used to authenticate the user. So, in this process, there is no need to call the backend api and database to validate the request.

Pros

  • No unwanted database calls for validation
  • Load on the server is reduced
  • Ideal for non web applications like mobile apps

Cons

  • Tokens are vulnerable to token hijacking
  • Tokens are vulnerable to token fixation

Conclusion

My opinion is that never trust a place where you don’t have absolute control over. So in that case, I would never go with jwt token where the responsibility of authenticating lies with the client. We could go with something like refresh tokens in JWT, but I think that defeats the purpose of JWT as verifying JWT is already a computation and making database calls on top of it adds to the load. ’

But there is always place for JWT token where there are multiple systems which are separate from each other but you know can be trusted. In that case, I would go with JWT token.

Ways in which a user is able to authenticate

There are many ways, but let’s look that the 3 methods I have experience with:

  1. Username and Password
  2. Magic Link
  3. Social Login

Username and Password

This is the most common way of authentication and is always recommended to have one of these for users who are privacy conscious and the older demograpic of audience who are not tech savvy. But you need to be very careful about it, of be sure that user data is not very sensitive one. There is lot more to do here than just hashing the password and verifying the hash which most of us will do. The important part is to give the user the provision to change their password if they forgot it or if they want to change it. But even with a lot of work put into it, it’s still not the most popular way of authentication due to the convenience of the other methods.

Even through it’s not the most popular way of authentication, it’s still a more secure and convenient way of authentication. It’s a link that is sent to the user’s email or phone number. When the user clicks on the link, they are redirected to a page where they can enter their username and password. This means that even though the user skips the hastle of remembering their password, the process is still 2 step where they need to enter the email and then come back to the page again which causing some dropdown in retention of users.

Social Login

Social login is the most popular way of authentication. It’s a way of authenticating a user using their social media account. There are many ways to implement social login, but the most common way is to use OAuth. OAuth is a protocol that allows users to grant access to their social media accounts to third-party applications. This way, the user doesn’t have to remember their password, and the application can access their data without them having to share their password with the application. The best part about OAuth is that the security of their authentication is as secure as the security of the social media account itself which is usually pretty high due to enforcement of privacy policies by the social media companies and people ready to put their time in protect their social media accounts.

Authorization

I’m yet to write about authorization, but I will write about it once I have a better understanding of it.

Conclusion

I hope this post has helped you understand the importance of authentication and authorization. I’m sure you have a better understanding of it now. If you have any questions or comments, feel free to reach out to me on LinkedIn. And if you liked this post, please share it with your friends and family. Thank you for reading!