Security of Token Based Authentication

My understanding of token based authentication is that upon authentication (perhaps over ssl), a token is passed to the user for cheap user verification on the fly. One implementation of this would be to generate a cookie that is passed to the user for session management.

But my understanding is that token-based auth (at least through cookies) is susceptible to man-in-the-middle attacks like Firesheep.

Are there other methods of implementation that skirt this major security issue, or do I have a fundamental misunderstanding of tba?

Devin asked Jan 12 '11 17:01


1 Answer

Your understanding is good. Fundamentally, in terms of how the application sees it, a token may as well be a username and password. If someone has the token, they can authenticate themselves to your application. The main purpose in the case of an HTTP cookie is to avoid leaking the username and password should someone obtain the cookie by means of a cross-site scripting vulnerability (XSS) or otherwise. Yes, given the right circumstances they can "replay" this token to the application as a "man in the middle", but they shouldn't be able to figure out the username/password pairing from it. Again, this is not guaranteed if the token-generating algorithm is weak, say, if you decided to BASE64-encode the username and password concatenated together and use that as the value.

Typically you keep the token -> user mapping secure on the server side. So ultimately your security is all based around keeping the token safe and ensuring that its lifetime is controlled (e.g. it expires and/or is only valid when given to you from the same IP as that used by the original provider of the credentials; again, just an example).

Hope this helps,

-Oisin

x0n answered Dec 03 '22 15:12
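The answer above makes three points: a token that is merely an encoding of the credentials leaks them to whoever captures it, the token-to-user mapping belongs on the server, and the token's lifetime should be controlled (expiry, optional binding to the originating IP). The following Python example, added here and not part of the original question or answer, shows all three side by side: the weak base64 scheme the answer warns about, and a small server-side session store that issues random tokens, stores only a hash of each token, and enforces expiry and IP binding on lookup. The `SessionStore` class, its method names, and the `clock` parameter (injected so expiry can be exercised deterministically) are my own assumptions, not any library's API.

```python
import base64
import hashlib
import secrets
import time


# --- The weak scheme the answer cautions against ---------------------------
# base64(username:password) is an encoding, not a secret. Anyone who captures
# the cookie recovers the credentials with a single decode.
def weak_token(username: str, password: str) -> str:
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def recover_credentials(token: str) -> tuple[str, str]:
    """Demonstrates that the weak token is reversible."""
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# --- A server-side token -> user mapping with controlled lifetime ----------
class SessionStore:
    """Hypothetical in-memory session store (assumed design, not a library).

    - Tokens are 256 bits from the OS CSPRNG; they encode nothing.
    - Only a SHA-256 hash of each token is stored, so a leaked copy of the
      store does not hand out usable tokens.
    - Each entry carries an absolute expiry and the issuing client's IP.
    """

    def __init__(self, ttl_seconds: int = 900, bind_ip: bool = True,
                 clock=time.time):
        self.ttl = ttl_seconds
        self.bind_ip = bind_ip
        self.clock = clock          # injectable for deterministic tests
        self._sessions: dict[str, dict] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, client_ip: str) -> str:
        """Authenticate elsewhere first; then mint and record a fresh token."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": username,
            "ip": client_ip,
            "expires": self.clock() + self.ttl,
        }
        return token

    def lookup(self, token: str, client_ip: str):
        """Return the bound username, or None if the token is unknown,
        expired, or presented from a different IP than it was issued to."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if self.clock() >= entry["expires"]:
            del self._sessions[key]     # garbage-collect on first sight
            return None
        if self.bind_ip and entry["ip"] != client_ip:
            return None
        return entry["user"]

    def revoke(self, token: str) -> bool:
        """Server-side logout: the token stops working even if a copy exists."""
        return self._sessions.pop(self._key(token), None) is not None


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    print("weak token decodes to:", recover_credentials(weak_token("alice", "hunter2")))
    store = SessionStore(ttl_seconds=60)
    tok = store.issue("alice", "10.0.0.5")
    print("same IP  ->", store.lookup(tok, "10.0.0.5"))
    print("other IP ->", store.lookup(tok, "10.0.0.9"))
    store.revoke(tok)
    print("revoked  ->", store.lookup(tok, "10.0.0.5"))
```

IP binding is shown here because the answer names it, but it is a blunt instrument in practice: clients behind carrier NAT or on mobile networks change addresses legitimately, so many deployments prefer short expiry plus revocation. Whatever the policy, the cookie carrying the token should also be sent with the `Secure` flag (so it never travels over plain HTTP, the channel Firesheep-style sniffing relies on) and `HttpOnly` (so script injected via XSS cannot read it).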