What is token-based authentication?
Token-based authentication is a security protocol that verifies a user’s identity by using encrypted tokens. With token-based authentication, users authenticate themselves with a valid token to access servers, applications, websites or an Application Programming Interface (API). Token-based authentication is commonly used as part of Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA), adding another layer of security alongside the traditional username and password.
What is a token?
A token is the key that authenticates users during the login process. Tokens can be digital or a physical device like a smart card or USB key. Web tokens, being digital and stored on the user’s device, are widely favored by organisations due to their convenience and flexibility. Web tokens eliminate the need for individuals to carry physical tokens and can be easily integrated into various software systems, offering a seamless authentication experience.
How token-based authentication works
Let’s look at the four essential steps of token-based authentication.
Initial request: A user will request to access a specific application by entering their username and password.
User verification: The login credentials are sent to the authentication system to see if the user’s credentials are correct. Once confirmed, it will check the specific permissions the user has on the system.
Token validation: The system will generate and issue a web token to the user that can be used for a limited period.
Token storage: The token is stored on the user’s device until the user logs out, closes out of the session or the token expires.
Types of tokens for authentication
Digital tokens come in various types, each playing a crucial role in ensuring a secure and appropriate authentication process. Let’s explore five common types of digital tokens and their specific roles in authentication.
JSON web token (JWT)
JSON web token is an open standard (RFC 7519) used to securely exchange information between two entities - a server and a client. JWTs carry information about a user’s identity and are digitally signed to confirm that the contained data is legitimate. A JSON web token is made of three parts: the header, the payload and the digital signature.
Header: The header contains information about the JWT. It provides the token type and the algorithm used to sign the token.
Payload: The payload contains the user’s claims. Claims are pieces of identifying information regarding a particular entity, typically of a user. Payloads may include additional information such as the expiration of the token and the user’s permissions.
Digital signature: The digital signature is a cryptographic key that verifies the header and payload to ensure that the message has not been changed during transmission and certifies the user’s identity.
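To make the three parts concrete, here is an added example (not code from this glossary) of a minimal HS256 JWT issuer and verifier written in Python with only the standard library. The verifier pins the algorithm instead of trusting the token’s own header, compares the signature in constant time and rejects expired tokens; the key and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    # JWTs use base64url without '=' padding (RFC 7515 section 2)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped on encode
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes, lifetime_s: int = 300, now=None) -> str:
    """Build header.payload.signature with HS256 and a short 'exp' claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + lifetime_s)
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Return the claims if the token is well-formed, signed with our key
    and not expired; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated parts")
    header = json.loads(_b64url_decode(h_b64))
    # The verifier decides the algorithm; never let the token choose it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims
```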
Access tokens
Access tokens are the most common type of JSON web tokens. These tokens are intended for authorising user access to a particular service. After a user has successfully logged in, an access token with an expiration date is issued to the user. The access token will grant users access to their designated resources and services for a limited time.
ID tokens
Unlike access tokens, ID tokens are not primarily used for granting access to network resources and applications. Instead, ID tokens are JSON web tokens that contain information about the user such as a unique identifier, name and email address, along with their authentication status. ID tokens are provided to client applications to verify the user's identity.
Refresh tokens
Refresh tokens are specific types of JSON web tokens used to obtain additional access tokens without requiring the user to re-enter their login credentials. Their purpose is to extend the lifespan of an access token for users through its automatic renewal.
API tokens
An API token is a string of characters that corresponds to the user requesting authentication to an API. It authenticates the user’s identity and grants access to API endpoints, allowing authorised users to interact with the API resources securely.
Advantages of using token-based authentication
Here are three benefits of using token-based authentication.
Security: Since tokens are designed to have a short life span, this minimises the window of potential unauthorised access. Once a user finishes their session with the application, the issued token expires. This limits the time available for attackers to intercept the token and compromise an account.
Flexibility: Token-based authentication can be used across multiple platforms such as web applications, mobile apps and APIs. This creates an easy authentication experience while also increasing accessibility for users.
Scalability: Since tokens are stored on the user’s device, servers do not need to maintain a user’s session on an application. This enables servers to efficiently handle many requests while generating tokens as necessary.
Disadvantages of using token-based authentication
Here are three key drawbacks of using token-based authentication.
Risk of compromised keys: A common threat associated with token-based authentication is the potential compromise of token keys. Cyber attacks like phishing, malware, brute force or Man-in-the-Middle (MITM) attacks can target these keys. Most web token systems rely on a single key, so if a cybercriminal compromises the key, the entire system becomes vulnerable.
Short life span: Because tokens have a short life span, they require consistent management. This involves ensuring that tokens have expiration dates and renewing their credentials as needed.
Token size: Tokens can be large, especially if they contain a significant amount of user information or metadata. Because of a token’s complexity and size, it can increase the network overhead in environments that have limited internet bandwidth.