Understanding Token-Based Authentication: A Detailed Review

An authentication token (auth token) is a computer-generated code that verifies a user’s identity. Auth tokens are used to access websites, applications, services, and application programming interfaces (APIs). They allow users to access these resources without having to re-enter their login credentials each time they visit.

Auth tokens are encrypted and machine-generated. They can be expired or revoked, which provides better protection against attack scenarios like brute-force attacks or stolen passwords.

Auth tokens can be thought of as electronic keys that store personal information. They provide an extra layer of security to access data or a network through a method known as Multi-Factor Authentication (MFA).

Advantages of auth tokens include:

• Scalability: Authentication tokens are easily scalable and self-contained, providing all the information needed for authentication. This is great for scalability as it frees your server from having to store session state.
• Flexibility: Authentication tokens can be generated from anywhere.
• Security: Auth tokens provide an extra layer of security and can be expired or revoked. They provide better protection against attack scenarios like brute-force attacks or stolen passwords.

Auth tokens can be hardware or software-based. Some types of authentication tokens include: 

• JSON Web Tokens (JWT) (i.e., bearer tokens, self-signed JWTs)
• Refresh tokens
• Federated tokens
• One-time password (OTP) tokens
• API tokens

In addition to software-based tokens, there are also hardware authentication tokens—for example, physical access tokens and ID tokens.

What Is Token-Based Authentication?

Token-based authentication simplifies the authentication process for known users. It allows users to access these resources without having to re-enter their login credentials each time they visit. To begin with, the user sends a request to the server, using a username and password. The server then validates them based on values registered in its credentials database. If the credentials are confirmed, the server responds with an authentication token (which is also kept in the database). 

When the same user sends requests to access secured resources in the future, the requests can be authorized with the authentication token, rather than the username and password. The server validates the token against the registered token in the database and grants access. Authentication can be carried out using various types of tokens like OAuth and JSON Web Tokens (JWT). 

JWT uses a secure method, based on signed tokens, which makes it easy to identify modifications. Hardware tokens can contain a credential or generate a one-time password based on a challenge.

Benefits of Authentication Tokens

Token-based authentication offers numerous advantages for both developers and users. Below are some of the key benefits:

Enhanced Security

Token-based authentication provides an additional layer of security, making it difficult for attackers to gain unauthorized access. Since the tokens expire after a certain period, they are more secure than traditional, persistent login methods.

Stateless and Scalable

Token-based authentication is stateless, meaning that the server does not need to keep a record of which users are logged in. This results in better scalability as new servers can be added without affecting the existing users’ sessions.

Reduced Server Load

As tokens are stored on the client-side, the server is freed from the responsibility of maintaining session information. This significantly reduces the server load, making the application faster and more efficient.

Cross-Platform Compatibility

Tokens can be used across different platforms, services, and devices, offering greater flexibility for developers. This makes it easier to integrate various services or microservices, whether they are web-based, mobile, or other types of applications.

Easier to Implement Single Sign-On (SSO)

With token-based authentication, implementing Single Sign-On (SSO) becomes more straightforward. Once a user is authenticated and receives a token, this token can be used to access other services within the same ecosystem without requiring the user to log in again.

Related: All You Need to Know About JWT Authentication

How Does Token-Based Authentication Work?

There are many ways to grant users authentication tokens—hardware-based tokens, one-time passwords (usually granted via mobile phones) and software-based tokens that are typically based on the JWT standard. 

All tokens store user credentials and data in a secure manner. The token is also able to verify that the data is correct and was not tampered with, a crucial security requirement with so many data privacy laws out there today. They also dramatically enhance user experience, because they allow users to sign in without having to memorize passwords.

Token-based authentication typically follows a 4-step process:

1. Initial request—a user requests access to a protected resource. The user must initially identify themselves in a way that does not require a token, for example using a username or password.
   
2. Verification—the authentication determines that the user’s credentials are correct and checks which permissions they have on the requested system.
   
3. Tokens—the system issues a token and grants it to the user. In the case of a hardware token, this involves physically provisioning tokens to the user. In the case of software tokens, this happens in the background as the user’s background communicates with the server.
   
4. Persistency—the token is held by the users, either physically, in their browser or on their mobile phone. It allows them to authenticate without their credentials in the future.

Main Types of Authentication Tokens

Here are a few common types of tokens that are being used by developers to authenticate users or service accounts today. 

JSON Web Tokens (JWT)

JSON Web Token (JWT) is an open standard (RFC 7519). It defines a simple, self-contained method for transmitting information between parties securely. The JWT standard uses JavaScript Object Notation (JSON) objects to transmit tokens between parties. These tokens can be used for authentication, and to transfer additional information about the user or account. 

Because of their small size, JWTs can be sent as URLs, POST parameters, or HTTP headers, and can be transmitted quickly. The JWT contains all the necessary information about the entity, to avoid multiple queries to the database. The JWT receiver doesn’t need to call the server to validate the token.

A JWT is composed of three parts: 

• A header, which includes the type of token and the encryption algorithm it uses. 
• A payload, which provides authentication credentials and other information about the user or account.
• A signature, which includes a cryptographic key that can be used to validate the authenticity of the information in the payload.

Refresh Tokens

A refresh token is a special kind of token used in token-based authentication systems to obtain a new access token. Unlike the access token, which is used to grant users direct access to a system or application, the refresh token is used to renew an expired access token without requiring the user to log in again. 

Typically, access tokens have a short lifespan for security reasons. When an access token expires, the system can use the refresh token to acquire a new one, ensuring prolonged user sessions and enhancing user experience. Importantly, refresh tokens are usually long-lived and stored securely, as their compromise could enable potential unauthorized access.

Federated Tokens

Federated tokens are authentication credentials issued by an identity provider (IdP) that allow users to access multiple systems or services without separately logging into each one. This form of token is part of federated identity management, where user identities are trusted across multiple IT systems or organizations. 

When a user first logs in, the IdP validates their identity and provides tokens that other systems trust. For instance, if you’ve ever logged into a service using your Google or Facebook account, you’ve used federated identity. The tokens prove your identity to other services without requiring you to enter your credentials again, simplifying access and enhancing user experience across diverse platforms.

One-Time Password (OTP) Tokens

One-time password (OTP) tokens are secure hardware devices or software programs that can generate one-time passwords. Most commonly, these are personal identification numbers (PIN), numeric codes between 4-12 digits.

Smartphones are commonly used to generate or receive one-time passwords. Once a user proves ownership of their phone, they can use an authenticator app that generates OTP passwords—in this case the phone serves as a code generator. Alternatively, OTPs can be sent to the device by SMS.

Related: What is Passwordless Authentication?

One-time password tokens enhance existing identity and password systems by adding dynamically generated credentials. Depending on the provider, OTP tokens generate PINs either synchronously or asynchronously: 

• Synchronous tokens use your private key and the current time to create a one-time password. 
• Asynchronous tokens use Challenge Response Authentication Mechanism (CRAM), a group of protocols in which the server presents a challenge, and the token must generate the correct answer.

API Tokens

API Tokens are used as unique identifiers of an application requesting access to your service. Your service then generates an API token for the application to use when requesting your service. The API Token can then be matched with the one you have stored to authenticate and provide access. You can implement a Session ID in some use cases, but that is basically a very specific deviation.

API tokens have gained popularity as they replace the unsafe practice of sending username and password combinations over HTTP. OAuth2 (access tokens) is one of the most common ways of implementing API security today.

Hardware Tokens (USB Tokens)

Hardware tokens are physical devices that enable the authorization of users to access protected networks. They are also sometimes called authentication or security tokens. The purpose of a hardware token is to add a layer of security via two-factor or multi-factor authentication (2FA or MFA). The token owner links the token to the system or service they want to access. 

Hardware tokens are designed for user experience and customizability, so they can come in multiple forms. The most common types of tokens are key fobs and USB or wireless tokens. Hardware tokens can be divided into three categories.

Contactless—a contactless token doesn’t require you to enter an access code or connect to a device. This type of token uses a wireless connection to access the system, which may grant or deny access based on the credentials associated with the connection.

Disconnected—a disconnected token doesn’t need to be physically inserted into the system being accessed. It works by setting up the device to generate one-time access codes, which serve as part of 2FA or MFA. Typically, a disconnected token will be a mobile device like a smartphone.

Connected—a connected token must be physically connected to a system in order to enable access. The token is scanned by a reader, which receives any relevant authentication credentials. This could be a USB token or a key fob (e.g. Yubikey). 

Related: API Token Generation

Is Token-Based Authentication Secure?

Cybercrime is becoming more sophisticated, which means that managed service providers (MSPs) must continuously update their security techniques and policies. There has been an increase in attacks that target credentials via methods like phishing, brute force and dictionary attacks. This means that authentication can no longer rely on passwords alone.

When combined with additional authentication techniques, token-based authentication can create a more complex barrier to prevent sophisticated hackers from exploiting stolen passwords. Tokens are only retrievable from the unique device that created them (i.e. a smartphone or key fob), making them a highly effective authorization methodology today.

While there are many advantages to authentication token platforms, some risk always remains. Tokens housed in mobile devices are convenient to use but may be exposed through device vulnerabilities. If the tokens are sent via text, they can be easily intercepted in transit. If a device is lost or stolen, a malicious actor can gain access to the tokens stored in it.

But always keep in mind that you should never rely on a single authentication measure. Token authentication should be considered as one component in a two-factor or multi-factor authentication strategy.

Pros and Cons of Software-Based Tokens

Like any other methodology or technique, there are pros and cons you must take into account before opting for this methodology.

Pros of Using Tokens

• Efficiency – Software-based tokens are efficient and scalable. The server can easily create and verify as many tokens as needed, making it easier to scale the number of users accessing your website or web application. Importantly, they do not require organizations to provision physical tokens to their users.
  
• Flexibility – Software-based tokens can be used on multiple servers, and can provide authentication for multiple websites and applications simultaneously. They are commonly used to implement single sign on (SSO), which is convenient for users and improves security.
  
• Security – Tokens using accepted standards like JWT are stateless, and can only be verified when the private key is received by the server-side application used to generate them. Therefore they are considered a robust, secure method of authentication.

Cons of Using Tokens

• Compromised Secret Key – A major drawback of the JWT standard is that it relies on one key. If the key is not managed properly by developers or website administrators and is compromised by attackers, this can put sensitive information at risk. It can enable attackers to impersonate users and hijack user sessions, malicious actions that can become hard to detect/contain.

• Data Overhead – The size of the JWT is much larger than a normal session token, and it grows with the amount of data stored about the client. Adding more data to a token can have an impact on the time required to establish a user session, and ultimately, increases page load times.

• Unsuitable for Long-Term Authentication – Systems that allow users to remain logged in for prolonged periods are less ideal. These tokens require frequent revalidation and can annoy users. Using refresh tokens and storing them correctly is a good workaround. Refresh tokens allow users to remain authenticated for longer periods without re-authorization.

Make sure you are planning properly and breaking down your use-cases. You can make the right decision only after doing so. Self-service is another key feature you should look to integrate into your ecosystem from the get go.