With businesses adopting a plethora of cloud-based platforms and apps, authenticating people and machines to access these services can be a real burden. Relying on traditional, static passwords or secrets is no longer adequate for securing access to sensitive data and resources.
It is time to invest in new authentication mechanisms. Just like metal keys and locks are being replaced by access cards that employees receive once their identity has been validated and their access permissions determined, token-based authentication allows access to services and resources once the requestor’s identity has been authenticated.
What is token-based authentication?
To mitigate the weaknesses and risks of password-based authentication, many methods have been developed. While each authentication method is unique, all fall under one of three categories: knowledge (something you know), inherence (something you are), and possession (something you have).
Password authentication falls within the knowledge category because users rely on a word or phrase they have created and are aware of to verify their identity. On the other hand, authentication using biometrics, such as fingerprints, is an example of “something you are” due to its use of biological traits. Finally, token-based authentication belongs in the possession category.
Token authentication requires users to present a computer-generated credential, known as a token, before they are granted access to a network or a resource. Token-based authentication is usually used in combination with password authentication as part of two-factor authentication (2FA).
How does it work?
There are two forms of tokens, hardware and software. Whatever their form, tokens are used to verify every request to a server, whereas a password is typically checked only at login. Users are not required to memorize a secret; they only need to hold the device or app that produces the token. With the plethora of apps and services requiring authentication, logging in with passwords leads to password fatigue, which tokens help relieve.
Hardware or physical tokens are either plugged into a USB port (or tapped over NFC) or carry a small display that shows a code. Each token holds a secret provisioned when it was enrolled; the system checks the response the token produces against what it expects for that secret and, if it matches, the user is authorized to access the system.
On the other hand, modern web applications typically use software tokens, most often JSON Web Tokens (JWTs), to authenticate their users. A JWT is an open-standard format (RFC 7519) made of a header, a payload of JSON claims, and a signature, each base64url-encoded and joined with dots. In practice, an identity provider signs the claims with its key and hands the JWT to the client; the service provider then verifies the signature and expiry on every subsequent request instead of looking up a session. Note that a signed JWT is encoded, not encrypted: anyone holding it can read the claims, so sensitive data should stay out of the payload unless the encrypted form (JWE) is used. The real benefit in the event of a breach is that the service provider never sees or stores the user's password, which stays with the identity provider.
While these traditional token authentication systems are still in use today, the rise of smartphones has made token-based authentication easier than ever, turning the phone itself into the token. Smartphones serve as code generators, providing end users with the one-time passcodes (OTP tokens) they need to gain access to their network at any time. With an authenticator app, the OTP is a time-based one-time password (TOTP): the app computes an HMAC over a secret shared with the server and the current time step, so the code changes every 30 or 60 seconds depending on the settings at the server end. Alternatively, the server can generate a random code and send it on demand via SMS.
The token-based authentication process
When using a token-based system, your users only need to verify their identity once and are then allowed access to the system for an allotted time frame. Here's how that process works:
- The user requests service or access to the system.
- The server determines if the user is verified to enter the system and can be trusted to use it.
- When the user is verified, the system issues a token to the user which allows the user access to the system.
- The token is stored by the user's browser (in an HttpOnly cookie or in memory) while the user is working with the system, and is sent with every request.
- On each request the server checks the token's signature and expiry, and rejects it once the time frame has elapsed or the token has been revoked.
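To make the software-token flow concrete, here is an added example, not Venafi's code and not tied to any JWT library, that mints and verifies an HS256 JWT with only the Python standard library. It covers both the JWT description above and the issue-store-verify process just listed, and adds the attacker's side: altering a claim, or presenting an unsigned alg=none token, must be rejected. The signing key, clock values, claims and token identifier are all constructed for the example.

```python
"""Added example (not Venafi's code): minting and verifying an HS256 JSON Web Token."""
import base64
import hashlib
import hmac
import json

# Constructed for the example. A real issuer uses a random key (or an asymmetric key
# pair so that services only ever hold the public verification key).
SIGNING_KEY = b"example-only-signing-key-replace-me"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_token(claims: dict, key: bytes, now: int, ttl: int = 900, jti: str = "t-1") -> str:
    """Identity provider side: header.payload.signature, each part base64url encoded.
    'exp' bounds the token's life; 'jti' gives the server a handle for revocation."""
    header = encode_json({"alg": "HS256", "typ": "JWT"})
    payload = encode_json(dict(claims, iat=now, exp=now + ttl, jti=jti))
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def peek_claims(token: str) -> dict:
    """Read the payload WITHOUT the key: a signed JWT is encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_token(token: str, key: bytes, now: int, revoked=frozenset()) -> dict:
    """Service provider side: return the claims only if the token is well formed, uses
    the pinned algorithm, has a valid signature, is unexpired and is not revoked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token choose it (rejects 'none').
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("jti") in revoked:
        raise ValueError("token revoked")
    return claims


def is_valid(token: str, key: bytes, now: int, revoked=frozenset()) -> bool:
    try:
        verify_token(token, key, now, revoked)
        return True
    except ValueError:  # covers malformed base64/JSON too (both subclass ValueError)
        return False


def tamper(token: str, new_claims: dict) -> str:
    """Attacker's move: replace the payload but keep the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{encode_json(new_claims)}.{sig_b64}"


def alg_none_token(claims: dict) -> str:
    """Attacker's move: an unsigned token that a verifier trusting 'alg' would accept."""
    return f"{encode_json({'alg': 'none', 'typ': 'JWT'})}.{encode_json(claims)}."


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    token = mint_token({"sub": "alice", "role": "user"}, SIGNING_KEY, now)
    print("claims readable without the key:", peek_claims(token))
    print("genuine token valid:", is_valid(token, SIGNING_KEY, now + 10))
    forged = tamper(token, {"sub": "alice", "role": "admin"})
    print("tampered token valid:", is_valid(forged, SIGNING_KEY, now + 10))
    print("alg=none token valid:", is_valid(alg_none_token({"sub": "alice"}), SIGNING_KEY, now))
    print("after expiry valid:", is_valid(token, SIGNING_KEY, now + 900))
    print("after revocation valid:", is_valid(token, SIGNING_KEY, now + 10, revoked={"t-1"}))
```

Two details carry most of the security: the verifier pins the algorithm rather than trusting the header, and it checks the signature before it reads any claim. The `revoked` set is the stateful escape hatch for stateless tokens; in production it is a short-lived denylist keyed by `jti` that only needs to live as long as the token's `exp`.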
Benefits of token-based authentication
The key advantage of token-based authentication is that it removes reliance on weak login credentials. It can help organizations move towards a passwordless approach to identity and access management (IAM) by offering a strong possession factor that can complement biometrics, push notifications, and more.
Token-based authentication is particularly beneficial to mobile apps and platform-as-a-service (PaaS) applications. It simplifies the process of securing access to on-premise or cloud-based applications and enables organizations to actively adopt digital transformation initiatives by securely sharing their information through APIs with a wide range of customers, partners and suppliers beyond the traditional corporate perimeter.
Beyond these important benefits, the use of tokens comes with several advantages:
- Tokens are stateless. A signed token is self-contained and carries all the information required for authentication, which is great for scalability because the server no longer stores session state. The flip side is that a stateless token cannot be recalled before it expires unless the server keeps a revocation list, so expiry times should be short.
- Tokens can be generated from anywhere. Token generation is decoupled from token verification, so signing can be handled on a separate server or even by a different company; with asymmetric signatures the verifier needs only the public key, and the private signing key never leaves the issuer.
- Fine-grained access control. Within the token payload you can specify user roles and permissions as well as the resources the user may access, giving a seamless authorization experience. Keep the payload minimal and free of secrets, since anyone holding the token can read it.
How secure is token-based authentication?
Password authentication is no longer enough to stop attackers from breaking into corporate networks. Credentials compromised or stolen through brute force attacks, dictionary attacks, or phishing campaigns are the preferred attack vector of malicious actors.
Token-based authentication, when used in tandem with other authentication mechanisms, creates an extra obstacle for criminals to overcome. Because the secret that produces a hardware or app-generated OTP never leaves the generator device, whether a USB key or a smartphone, an attacker who holds only the password cannot log in, which is why these methods are considered highly secure and effective.
Despite these advantages, tokens are not immune to security risks. Sending OTP tokens through SMS is not a best practice, since SMS is susceptible to SIM swapping attacks and codes can be intercepted during transmission. For this reason, it is highly advisable to use authenticator apps for generating OTP tokens. Even then, an OTP can be phished and relayed in real time, a session token such as a JWT can be stolen from the browser or from an unencrypted connection, and there is always the danger of losing the smartphone or the USB key. A stolen token together with a compromised password can be the key to all your secrets, leaving your organization vulnerable to the criminals' malicious intentions.
Best practices for managing tokens
Implementing a robust and effective authentication strategy is the key to protecting critical corporate assets from data breaches or security incidents. For the strategy to truly be effective, adoption and adherence to identity and credential protection best practices is required. Here are a few factors to consider when deploying a token-based authentication strategy:
- Select the right token. With so many available options to choose from, selecting the right token-based authentication method is an exercise that should consider factors like business environment, security, scalability, user experience, and cost of ownership.
- Keep it private. A token should be treated the same way user credentials are. Protecting the security and integrity of your tokens is the cornerstone of an effective IAM strategy. Stolen or compromised tokens act like Trojan Horses.
- Set an expiration date. Once a token is signed, it is valid forever unless the signing key is rotated or an expiration claim is explicitly set, so every issued token should carry a short lifetime and the verifier must enforce it. Because expiry alone cannot recall a stolen token early, organizations should also have policies and automated solutions for monitoring these credentials and revoking tokens, for example by tracking token identifiers in a revocation list and rotating signing keys.
- Leverage HTTPS connections. HTTPS uses TLS encryption and server certificates to protect data in transit. Always send tokens over HTTPS, and mark token cookies Secure and HttpOnly, so they cannot be intercepted on the wire or read by scripts in the page.
The use of passwords or static secrets to authenticate users or machines accessing corporate resources is not adequate for modern enterprises migrating to hybrid environments. Organizations should adopt multi-factor authentication mechanisms while developing passwordless initiatives. Token-based authentication is the right approach towards a robust, efficient and effective Identity and Access Management (IAM) policy. However, as with every credential, tokens and their signing keys must be protected adequately to avoid compromise. Venafi offers a certificate and machine identity management platform for exactly that purpose.