Glossary

What Is Token-based Authentication?

While passwords are the most common form of authentication, they’re not the only option and not always the best choice. For example, passwords require someone to have a unique, strong password for each account.

Token-based authentication encodes authentication data within a token. This token can be sent to other applications, which read the authentication data stored inside and use it to determine if a user is authorized to access a system.

How Token-based Authentication Works

Token-based authentication systems break the identity and access management (IAM) process into two steps performed by different systems. Authentication is performed by an authentication server, while authorization is managed by each individual application or system. These systems could reside within the same organization or be split across them if the authorization system is configured to trust the other system’s authentication of the user’s identity. Logging into websites via a social media account is an example of cross-organizational authentication performed using tokens.

In the first step, the user proves their identity to the authentication server via a password or other means. This is the only system that receives the user’s password, which provides various security and usability benefits. After authenticating the user, the authentication server generates a token containing information about their identity. This token is then included in a request to an application that the user wants to access.

Upon receiving this token and validating its contents, the application can be confident that the user is who they claim to be. Based on this information, it can determine whether the user is authorized to make that request and provide/deny access to the resource.

Some common use cases for tokens include:

  • App-to-App Authentication: Passwords are primarily designed for humans to authenticate to an application. Apps interacting with one another commonly use tokens or other means of authentication instead.
  • Single Sign-On (SSO): Token-based authentication is the backbone of SSO, which allows users to authenticate once to access many apps. In this case, the token from the authentication server is trusted by each app using SSO.
  • Token Expiration: Passwords have long lifetimes, which makes them more vulnerable to password-guessing attacks and extends the impact of compromised credentials. Tokens have built-in expiration dates, limiting the risk if they are stolen.

What Are JSON Web Tokens (JWT), and How Do They Work?

Most token-based authentication schemes are implemented using JSON Web Tokens (JWTs). These tokens contain three primary fields:

  • Header: Contains metadata such as the token type and the signing algorithm used.
  • Payload: Contains authentication information used for authorization.
  • Signature: Cryptographically proves the authenticity of the payload data.

After verifying a user’s identity, an authentication server generates a JWT that includes the user’s data and a token expiry date in the payload. The application receiving this data will verify the signature, check that the token hasn’t expired, and then use the information it contains to authorize the request.

Note that while JWTs are some of the most common tokens in use, they’re not the only ones. For example, the Security Assertion Markup Language (SAML) is another common standard used to implement SSO for enterprise applications.

The Different Types of Token-based Authentication

A JWT provides a set format for authentication data, but it’s just a data format. Applications need a common protocol to understand how to create, send, and use these tokens. The two most common token-based protocols are OAuth 2.0 and OpenID Connect (OIDC).

OAuth 2.0

OAuth 2.0 is an authorization protocol that depends on token-based authentication to enable authorization without sharing user credentials. The goal is for a user to authorize an application (“Consumer”) to perform some action on another (“Service Provider”) without providing the user’s credentials for the “Service Provider” to the “Consumer.”

To do so, the Consumer will redirect the user to the Service Provider, where they authenticate using their normal password for that service. The Service Provider then verifies that the user approves the Consumer’s request. If so, an access token is generated that the Consumer can use to access the user’s account with the Service Provider. This authorizes the request without revealing the user’s password for the Service Provider.
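As an added illustration of the flow just described (not code from the page or from Cato), here is a small Python model of a Service Provider that issues an opaque, scoped, expiring access token after the user logs in and consents, and a Consumer that only ever holds that token; all account names, passwords and data are constructed.

```python
import secrets
import time
from collections import namedtuple
from typing import Optional

AccessToken = namedtuple("AccessToken", "user consumer scope expires_at")

class ServiceProvider:
    """Holds user passwords and data; the only party that ever checks a password."""
    def __init__(self, passwords: dict, data: dict):
        self._passwords, self._data, self._tokens = passwords, data, {}

    def authorize(self, user: str, password: str, consumer: str, scope: set,
                  approved: bool, ttl: int = 3600, now: Optional[float] = None) -> Optional[str]:
        """Login-and-consent step the user reaches after the Consumer redirects them here.
        Issues an opaque access token recording the consumer and the approved scope only."""
        if self._passwords.get(user) != password or not approved:
            return None
        now = time.time() if now is None else now
        value = secrets.token_urlsafe(32)
        self._tokens[value] = AccessToken(user, consumer, frozenset(scope), now + ttl)
        return value

    def read_resource(self, token: Optional[str], resource: str, now: Optional[float] = None):
        """Resource endpoint: the token must be known, unexpired and cover the requested scope."""
        now = time.time() if now is None else now
        tok = self._tokens.get(token)
        if tok is None or tok.expires_at <= now or resource not in tok.scope:
            return None
        return self._data[tok.user].get(resource)

class Consumer:
    """Third-party app: it holds only the access token and never sees the user's password."""
    def __init__(self, name: str, sp: ServiceProvider):
        self.name, self.sp, self.token = name, sp, None

    def fetch(self, resource: str, now: Optional[float] = None):
        return self.sp.read_resource(self.token, resource, now)

def demo(now: float = 1_700_000_000.0):
    # Constructed sample account and data; the password string stays inside ServiceProvider.
    sp = ServiceProvider({"alice": "correct-horse"},
                         {"alice": {"contacts": ["bob"], "email": "alice@example.com"}})
    app = Consumer("calendar-app", sp)
    # The user is redirected to the SP, logs in there and approves only the 'contacts' scope.
    app.token = sp.authorize("alice", "correct-horse", app.name, {"contacts"}, True, now=now)
    # Allowed: in scope. Denied: 'email' not approved. Denied: token expired two hours later.
    return app.fetch("contacts", now), app.fetch("email", now), app.fetch("contacts", now + 7200)
```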

OpenID Connect (OIDC)

OpenID Connect (OIDC) is an authentication and authorization protocol built on top of OAuth 2.0. It adds an identity layer to authenticate users, which stores identity information in JWTs and provides the authentication capabilities that OAuth 2.0 lacks.

The primary use case for OIDC is to implement SSO, allowing access to multiple applications with a single authentication request. The protocol includes a set of standard claims to enable consistent exchanges of user identity and profile data between applications.

The Advantages of Token-based Authentication

Token-based authentication allows authentication information to be securely communicated between applications, eliminating the need for an app to perform its own user authentication. This provides numerous benefits for users and the organization.

Improved User Experience

Token-based authentication schemes are the basis for SSO, which allows a user to authenticate once and access many apps. Removing the need to remember and enter multiple passwords improves operational efficiency and the user experience.

Enhanced Security

Token-based authentication enhances security by eliminating the need for every application to accept and manage user passwords. Often, users have weak or reused passwords, and these passwords never expire. By using tokens, an application doesn’t need to store sensitive authentication information. Additionally, tokens expire automatically, reducing the time during which an attacker can abuse compromised credentials.

Greater Scalability and Efficiency

Tokens eliminate the need for servers to store information about a user’s existing session. This allows a server to support more users, since each user consumes fewer server-side resources.

Granular Access Management

JWTs and other tokens can carry a range of identity data beyond a simple username. Additionally, applications can tailor authorization to a specific scenario, enabling them to better enforce the principle of least privilege (POLP) and other zero trust principles. This combination allows token-based authentication schemes to implement very granular access management policies.

FAQ

What is the difference between OAuth 2.0 and token-based authentication?

OAuth 2.0 is an example of a specific protocol that uses access tokens to implement user authorization. Token-based authentication is more general and covers any scheme that uses tokens for user authentication.

How is password-based authentication different from token-based authentication?

An application using password-based authentication stores user credential data and asks a user to authenticate by providing their password for that application. With token-based authentication, an authentication server accepts a password or other credential and generates a token attesting to the user’s identity that is sent to the application that they want to access.

What are the disadvantages of token-based authentication?

Token-based authentication generally offers stronger security than password-based authentication, but it does carry risk. For example, a stolen token can be used to authenticate as a legitimate user, or the private key used to digitally sign tokens could be stolen and used to forge access tokens.

Manage Token-Based Authentication with Cato’s SASE Solution

Token-based authentication decouples authentication and authorization by having an authentication server verify a user’s identity, and then sending a token attesting to their identity to an application. This approach has various benefits and is the basis for SSO protocols.

Token-based authentication is also central to many modern identity and access management (IAM) systems, such as the Zero Trust Network Access (ZTNA) capabilities of Cato SASE Cloud and the Cato Management Application (CMA).

To learn more about implementing zero trust security for your organization with Cato, sign up for a free demo.