- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
Summary: Secured authentication to databases and applications is crucial to enterprise cybersecurity management. Unfortunately, 82% of all breaches involve human error, including misused or compromised credentials that give threat actors unauthorized access to network resources. Luckily, there’s a solution that ensures security without the risks that come with traditional, credential-based authentication. This article discusses token-based authentication and explains why it's a reliable and flexible alternative to verifying users, especially for cloud applications.
What Is Token-based Authentication?
Token-based authentication is a security protocol that uses an access token to verify an authorized user’s identity for an application, website, or application programming interface (API) connection.
It is both an alternative and a supplement to providing user access through traditional authentication methods, such as a username and password. The token authentication process facilitates secure access at all stages, including initial logins, while connecting access protocols between applications and during additional verification steps, such as multi-factor authentication (MFA).
What is a token?
An access token is the security credential that enables the authentication process. It's a temporary key that verifies identity and authorizes resource access. A token can be computer-generated or hardware based.
A valid token allows a user to retain access to an online service or web application until the token expires. This offers convenience, as the user can continue to access a resource without re-entering their login credentials every time. A token’s life cycle varies depending on the type of token it is.
Token-based authentication vs. OAuth vs. JWT
|Standard||How It Works||Common Use Cases|
|OAuth||This open-source protocol gives the access token for a website, online service, or mobile app to a user without sharing the resource owner's credentials. The token is temporary and offers limited data access.||A token-based authentication example that uses OAuth is when someone needs to give another app data access to a specific account.
Another example is giving Zoom minimal data privileges to a Google account to sync with the calendar. OAuth provides that permission without the user needing to enter their login credentials.
|JWT||This open authentication standard exchanges online data securely to authorize users. Its verification process involves three components:
||Because it uses a thorough authentication process that can replicate across multiple apps, JWT is the typical protocol for single sign-on (SSO).|
A Brief History of Token-based Authentication
Within the past 20 years, experts realized all the flaws inherent in password credentials. They are easy to steal, tough to remember, and negligently managed by users. This led companies to develop passwordless authentication solutions, such as token-based systems, that can substitute usernames and passwords or add another security layer.
Security assertion markup language (SAML), released in 2002, is the cornerstone for later authentication standards. A few years later, in 2007, OAuth appeared on the scene as an API token authentication method for accessing Twitter. JWT came out in 2010 to improve security when managing digital certificates and making verification claims.
One of the most recent developments was OpenID Connect (OIDC). Built on OAuth, the OIDC protocol emerged in 2014 to incorporate identity management solutions within authentication processes and adapt to enterprise architecture changes that shifted to more cloud and hybrid environments.
Types of Token-based Authentication
While many protocols and tools can facilitate the token authentication process for user access, each process ultimately falls into one of the following categories according to token type.
Connected tokens are hardware devices that must be physically inserted into a computer or device sensor to enable user access to an application or network of resources. FIDO 2 security keys and one-time password (OTP) hardware tokens are common examples.
The most popular type, disconnected tokens, are computer generated. These tokens facilitate authentication by communicating with servers across distances and through the internet. An OTP tool that sends verification requirements through text or email and OAuth protocols are examples of disconnected authentication tokens.
Contactless tokens are similar to connected tokens. They’re generated by a hardware device, but the device doesn’t need to be inserted physically. Instead, the token gets communicated wirelessly when the hardware device is within range of the server or resource the user needs to access. Bluetooth tokens are examples of this technology.
Advantages and Disadvantages of Token-based Authentication
Advantages of token-based authentication
Enterprises using tokens for authentication to secure their resources reap some excellent benefits:
- Improved resource security: Token-based authentication can be a substitute for, or work in unison with, password-based systems, which are highly vulnerable when used on their own. Tokens provide a far more secure method for user authentication because they are self-contained, and only the server that created the token can verify it.
- Granular control: Token authorization is both flexible and adjustable. Administrators can deploy them quickly across all applications, databases, websites, and servers while having complete control over token expiration and other contextual details.
- Improved authentication experience: Tokens give users and administrators a better experience when provisioning and accessing resources. They are easy to generate and scale, as most don't require additional hardware or complex configurations. Tokens also speed up and add convenience to the authentication process, as users maintain access to their resources until the token expires.
Disadvantages of token-based authentication
While there are plenty of advantages to token implementation, organizations should consider these downsides before adoption:
- Introduces risk: If managed poorly or improperly configured, token-based authentication can lead to widespread data and application breaches. Much of the value in tokens is convenience because only one key is required for system or multi-system access. In SSO authentication, for example, all resources under that umbrella become vulnerable if the single key gets compromised.
- Requires constant revalidation: Token-based authentication isn't ideal for long-term access. No matter the protocol or type utilized, all tokens have expiration dates. So, administrators need to manage token life cycles continuously and renew the credentials as needed.
How to Implement Token-based Authentication
The process of implementing authorization tokens into an IT operation varies depending on the authentication stage, purpose, token type, and protocols used. Suppose, for example, a business wants to secure initial resource access using connected tokens. In this case, administrators must purchase and configure multiple physical devices, such as hardware tokens, for each user.
Here’s an example that’s common to most businesses. Let's say a company wanted to use tokens for two-step verification to supplement username and password credentials and add another layer of security for their applications. To accomplish this, they'd need to purchase OTP software to connect with their identity and access management (IAM) tool. From there, they could set granular controls that prompt the OTP to send a token to the user's phone or email after a login.
How token-based authentication works
When fully deployed, the token authentication process will take place for every request to a server or network resource. The process comprises four steps:
- Request: The user requests access to an online or network resource by submitting a password, inserting hardware, or submitting biometric data to the server.
- Confirmation: The server verifies the user's credentials against stored credential data to confirm or deny the request.
- Token Issuance: The server creates and issues a token associated with the user, their device, such as a mobile device or computer, and the credential data they used during the request.
- Token Logged for Verification: The token remains stored on the server and keeps the user's session active until it expires due to elapsed time or a change in contextual details, such as a login from another location.
How to Simplify Token-based Authentication with StrongDM
IT and security teams have enough on their plates, trying to ensure network resources are secure and accessible to authorized users. Unfortunately, traditional password-based authentication is too vulnerable on its own and doesn't cut it anymore.
StrongDM offers a robust solution for credential management and implementing token authentication. Our Dynamic Access Management (DAM) platform integrates with your entire tech stack of applications, security tools, IAM systems, and service directories.
This gives you granular control of user permissions, visibility across your entire IT environment, and the ability to administer tokens of all types and protocols to ensure secure and efficient access to servers, networks, and resources.
Ready to see how StrongDM can help deploy token-based authentication for your organization? Try StrongDM free for 14 days.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.